# Fuzzers for libmtp

## Table of contents
+ [mtp_fuzzer](#MtpServer)
+ [mtp_host_property_fuzzer](#MtpHostProperty)
+ [mtp_device_property_fuzzer](#MtpDeviceProperty)
+ [mtp_handle_fuzzer](#MtpHandle)
+ [mtp_packet_fuzzer](#MtpPacket)
+ [mtp_device_fuzzer](#MtpDevice)
+ [mtp_request_packet_fuzzer](#MtpRequestPacket)
+ [mtp_event_packet_fuzzer](#MtpEventPacket)
+ [mtp_response_packet_fuzzer](#MtpResponsePacket)
+ [mtp_data_packet_fuzzer](#MtpDataPacket)

# <a name="MtpServer"></a> Fuzzer for MtpServer

MtpServer supports the following parameters:
1. PacketData (parameter name: "packetData")

| Parameter| Valid Values |Configured Value|
|-------------|----------|----- |
|`packetData`| `String` |Value obtained from FuzzedDataProvider|

#### Steps to run
1. Build the fuzzer
```
  $ mm -j$(nproc) mtp_fuzzer
```
2. Run on device
```
  $ adb sync data
  $ adb shell /data/fuzz/arm64/mtp_fuzzer/mtp_fuzzer corpus/ -dict=mtp_fuzzer.dict
```

# <a name="MtpHostProperty"></a> Fuzzer for MtpHostProperty

MtpHostProperty supports the following parameters:
1. Feasible Type (parameter name: "kFeasibleTypes")
2. UrbPacket Division Mode (parameter name: "kUrbPacketDivisionModes")

| Parameter| Valid Values |Configured Value|
|-------------|----------|----- |
|`kFeasibleType`| 1. `MTP_TYPE_UNDEFINED`, 2. `MTP_TYPE_INT8`, 3. `MTP_TYPE_UINT8`, 4. `MTP_TYPE_INT16`, 5. `MTP_TYPE_UINT16`, 6. `MTP_TYPE_INT32`, 7. `MTP_TYPE_UINT32`, 8. `MTP_TYPE_INT64`, 9. `MTP_TYPE_UINT64`, 10. `MTP_TYPE_INT128`, 11. `MTP_TYPE_UINT128`, 12. `MTP_TYPE_AINT8`, 13. `MTP_TYPE_AUINT8`, 14. `MTP_TYPE_AINT16`, 15. `MTP_TYPE_AUINT16`, 16. `MTP_TYPE_AINT32`, 17. `MTP_TYPE_AUINT32`, 18. `MTP_TYPE_AINT64`, 19. `MTP_TYPE_AUINT64`, 20. `MTP_TYPE_AINT128`, 21. `MTP_TYPE_AUINT128`, 22. `MTP_TYPE_STR` |Value obtained from FuzzedDataProvider|
|`kUrbPacketDivisionMode`| 1. `FIRST_PACKET_ONLY_HEADER`, 2. `FIRST_PACKET_HAS_PAYLOAD` |Value obtained from FuzzedDataProvider|

#### Steps to run
1. Build the fuzzer
```
  $ mm -j$(nproc) mtp_host_property_fuzzer
```
2. Run on device
```
  $ adb sync data
  $ adb shell /data/fuzz/arm64/mtp_host_property_fuzzer/mtp_host_property_fuzzer
```

# <a name="MtpDeviceProperty"></a> Fuzzer for MtpDeviceProperty

MtpDeviceProperty supports the following parameters:
1. Feasible Type (parameter name: "kFeasibleType")

| Parameter| Valid Values |Configured Value|
|-------------|----------|----- |
|`kFeasibleType`| 1. `MTP_TYPE_UNDEFINED`, 2. `MTP_TYPE_INT8`, 3. `MTP_TYPE_UINT8`, 4. `MTP_TYPE_INT16`, 5. `MTP_TYPE_UINT16`, 6. `MTP_TYPE_INT32`, 7. `MTP_TYPE_UINT32`, 8. `MTP_TYPE_INT64`, 9. `MTP_TYPE_UINT64`, 10. `MTP_TYPE_INT128`, 11. `MTP_TYPE_UINT128`, 12. `MTP_TYPE_AINT8`, 13. `MTP_TYPE_AUINT8`, 14. `MTP_TYPE_AINT16`, 15. `MTP_TYPE_AUINT16`, 16. `MTP_TYPE_AINT32`, 17. `MTP_TYPE_AUINT32`, 18. `MTP_TYPE_AINT64`, 19. `MTP_TYPE_AUINT64`, 20. `MTP_TYPE_AINT128`, 21. `MTP_TYPE_AUINT128`, 22. `MTP_TYPE_STR` |Value obtained from FuzzedDataProvider|

#### Steps to run
1. Build the fuzzer
```
  $ mm -j$(nproc) mtp_device_property_fuzzer
```
2. Run on device
```
  $ adb sync data
  $ adb shell /data/fuzz/arm64/mtp_device_property_fuzzer/mtp_device_property_fuzzer
```

# <a name="MtpHandle"></a> Fuzzer for MtpHandle

#### Steps to run
1. Build the fuzzer
```
  $ mm -j$(nproc) mtp_handle_fuzzer
```
2. Run on device
```
  $ adb sync data
  $ adb shell /data/fuzz/arm64/mtp_handle_fuzzer/mtp_handle_fuzzer
```

# <a name="MtpPacket"></a> Fuzzer for MtpPacket

MtpPacket supports the following parameters:
1. bufferSize (parameter name: "size")

| Parameter| Valid Values |Configured Value|
|-------------|----------|----- |
|`bufferSize`| Integer `1` to `1000` |Value obtained from FuzzedDataProvider|

#### Steps to run
1. Build the fuzzer
```
  $ mm -j$(nproc) mtp_packet_fuzzer
```
2. Run on device
```
  $ adb sync data
  $ adb shell /data/fuzz/arm64/mtp_packet_fuzzer/mtp_packet_fuzzer
```

# <a name="MtpDevice"></a> Fuzzer for MtpDevice

MtpDevice supports the following parameters:
1. Device Name (parameter name: "deviceName")

| Parameter| Valid Values |Configured Value|
|-------------|----------|----- |
|`deviceName`| `String` |Value obtained from FuzzedDataProvider|

#### Steps to run
1. Build the fuzzer
```
  $ mm -j$(nproc) mtp_device_fuzzer
```
2. Run on device
```
  $ adb sync data
  $ adb shell /data/fuzz/arm64/mtp_device_fuzzer/mtp_device_fuzzer
```

# <a name="MtpRequestPacket"></a> Fuzzer for MtpRequestPacket

MtpRequestPacket supports the following parameters:
1. Data (parameter name: "data")

| Parameter| Valid Values |Configured Value|
|-------------|----------|----- |
|`data`| Vector of positive Integer |Value obtained from FuzzedDataProvider|

#### Steps to run
1. Build the fuzzer
```
  $ mm -j$(nproc) mtp_request_packet_fuzzer
```
2. Run on device
```
  $ adb sync data
  $ adb shell /data/fuzz/arm64/mtp_request_packet_fuzzer/mtp_request_packet_fuzzer
```

# <a name="MtpEventPacket"></a> Fuzzer for MtpEventPacket

MtpEventPacket supports the following parameters:
1. Size (parameter name: "size")

| Parameter| Valid Values |Configured Value|
|-------------|----------|----- |
|`size`| Integer `1` to `1000` |Value obtained from FuzzedDataProvider|

#### Steps to run
1. Build the fuzzer
```
  $ mm -j$(nproc) mtp_event_packet_fuzzer
```
2. Run on device
```
  $ adb sync data
  $ adb shell /data/fuzz/arm64/mtp_event_packet_fuzzer/mtp_event_packet_fuzzer
```

# <a name="MtpResponsePacket"></a> Fuzzer for MtpResponsePacket

MtpResponsePacket supports the following parameters:
1. Size (parameter name: "size")

| Parameter| Valid Values |Configured Value|
|-------------|----------|----- |
|`size`| Integer `1` to `1000` |Value obtained from FuzzedDataProvider|

#### Steps to run
1. Build the fuzzer
```
  $ mm -j$(nproc) mtp_response_packet_fuzzer
```
2. Run on device
```
  $ adb sync data
  $ adb shell /data/fuzz/arm64/mtp_response_packet_fuzzer/mtp_response_packet_fuzzer
```

# <a name="MtpDataPacket"></a> Fuzzer for MtpDataPacket

MtpDataPacket supports the following parameters:
1. UrbPacket Division Mode (parameter name: "kUrbPacketDivisionModes")
2. Size (parameter name: "size")

| Parameter| Valid Values |Configured Value|
|-------------|----------|----- |
|`kUrbPacketDivisionMode`| 1. `FIRST_PACKET_ONLY_HEADER`, 2. `FIRST_PACKET_HAS_PAYLOAD` |Value obtained from FuzzedDataProvider|
|`size`| Integer `1` to `1000` |Value obtained from FuzzedDataProvider|

#### Steps to run
1. Build the fuzzer
```
  $ mm -j$(nproc) mtp_data_packet_fuzzer
```
2. Run on device
```
  $ adb sync data
  $ adb shell /data/fuzz/arm64/mtp_data_packet_fuzzer/mtp_data_packet_fuzzer
```
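
The "Run on device" commands above start each fuzzer with no stop condition, so a regression sweep over all ten needs a time bound and a record of which target exited abnormally. The script below is an added example, not part of the libmtp tree; `FUZZ_SECONDS`, `DRY_RUN`, the helper names, and the choice of libFuzzer's `-max_total_time` flag are assumptions, while the fuzzer names and device paths are the ones listed in this README.

```shell
#!/bin/sh
# Added example, not from the libmtp tree. Assumed names: FUZZ_SECONDS,
# DRY_RUN, fuzz_cmd, run_all. The run paths and fuzzer names are the README's.

FUZZ_ROOT=/data/fuzz/arm64
FUZZERS="mtp_fuzzer mtp_host_property_fuzzer mtp_device_property_fuzzer
mtp_handle_fuzzer mtp_packet_fuzzer mtp_device_fuzzer
mtp_request_packet_fuzzer mtp_event_packet_fuzzer
mtp_response_packet_fuzzer mtp_data_packet_fuzzer"

# Print the on-device command line for one fuzzer, stopped after $2 seconds.
# Without -max_total_time a libFuzzer target runs until it crashes.
fuzz_cmd() {
    fc_name=$1
    fc_secs=${2:-60}
    fc_cmd="$FUZZ_ROOT/$fc_name/$fc_name"
    # Only mtp_fuzzer is documented with a corpus directory and dictionary.
    if [ "$fc_name" = mtp_fuzzer ]; then
        fc_cmd="$fc_cmd corpus/ -dict=mtp_fuzzer.dict"
    fi
    echo "$fc_cmd -max_total_time=$fc_secs"
}

# Run every fuzzer in turn; the return value is how many exited non-zero.
# DRY_RUN=1 (the default) only prints the adb commands.
run_all() {
    ra_secs=${1:-60}
    ra_failed=0
    for ra_name in $FUZZERS; do
        ra_line=$(fuzz_cmd "$ra_name" "$ra_secs")
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "adb shell $ra_line"
        # Assumes adb passes the remote exit status back to the host.
        elif ! adb shell "$ra_line"; then
            echo "non-zero exit (crash, timeout or OOM): $ra_name" >&2
            ra_failed=$((ra_failed + 1))
        fi
    done
    return "$ra_failed"
}

if [ "${DRY_RUN:-1}" != 1 ]; then
    adb sync data    # push the built fuzzers, as in "Run on device"
fi
run_all "${FUZZ_SECONDS:-60}"
```

Set `DRY_RUN=0` with a device attached to execute the sweep; the script's exit status is then the number of fuzzers that ended abnormally.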