1 /*
2  * Copyright (C) 2022 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include <MtpDevHandle.h>
18 #include <MtpPacket.h>
19 #include <MtpPacketFuzzerUtils.h>
20 #include <functional>
21 #include <fuzzer/FuzzedDataProvider.h>
22 #include <mtp.h>
23 
24 using namespace android;
25 
26 class MtpPacketFuzzer : MtpPacketFuzzerUtils {
27   public:
MtpPacketFuzzer(const uint8_t * data,size_t size)28     MtpPacketFuzzer(const uint8_t* data, size_t size) : mFdp(data, size) {
29         mUsbDevFsUrb = (struct usbdevfs_urb*)malloc(sizeof(struct usbdevfs_urb) +
30                                                    sizeof(struct usbdevfs_iso_packet_desc));
31     };
~MtpPacketFuzzer()32     ~MtpPacketFuzzer() { free(mUsbDevFsUrb); };
33     void process();
34 
35   private:
36     FuzzedDataProvider mFdp;
37 };
38 
process()39 void MtpPacketFuzzer::process() {
40     MtpPacket mtpPacket(mFdp.ConsumeIntegralInRange<size_t>(MTP_CONTAINER_HEADER_SIZE,
41                                                             kMaxSize)); /*bufferSize*/
42     while (mFdp.remaining_bytes() > 0) {
43         auto mtpPacketAPI = mFdp.PickValueInArray<const std::function<void()>>({
44                 [&]() {
45                     mtpPacket.allocate(mFdp.ConsumeIntegralInRange<size_t>(kMinSize, kMaxSize));
46                 },
47                 [&]() { mtpPacket.reset(); },
48                 [&]() { mtpPacket.getContainerType(); },
49                 [&]() { mtpPacket.getContainerCode(); },
50                 [&]() { mtpPacket.dump(); },
51                 [&]() { mtpPacket.getTransactionID(); },
52                 [&]() {
53                     mtpPacket.setContainerCode(
54                             mFdp.ConsumeIntegralInRange<int32_t>(kMinSize, kMaxSize));
55                 },
56                 [&]() {
57                     mtpPacket.setTransactionID(
58                             mFdp.ConsumeIntegralInRange<int32_t>(kMinSize, kMaxSize));
59                 },
60                 [&]() {
61                     mtpPacket.getParameter(
62                             mFdp.ConsumeIntegralInRange<int32_t>(kMinSize, kMaxSize));
63                 },
64                 [&]() {
65                     mtpPacket.setParameter(
66                             mFdp.ConsumeIntegralInRange<int32_t>(kMinSize, kMaxSize),
67                             mFdp.ConsumeIntegralInRange<int32_t>(kMinSize, kMaxSize));
68                 },
69                 [&]() {
70                     MtpPacket testMtpPacket(
71                             mFdp.ConsumeIntegralInRange<int32_t>(kMinSize, kMaxSize));
72                     testMtpPacket.copyFrom(mtpPacket);
73                 },
74                 [&]() {
75                     fillFilePath(&mFdp);
76                     int32_t fd = memfd_create(mPath.c_str(), MFD_ALLOW_SEALING);
77                     fillUsbRequest(fd, &mFdp);
78                     mUsbRequest.dev = usb_device_new(mPath.c_str(), fd);
79                     mtpPacket.transfer(&mUsbRequest);
80                     usb_device_close(mUsbRequest.dev);
81                 },
82         });
83         mtpPacketAPI();
84     }
85 }
86 
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)87 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
88     MtpPacketFuzzer mtpPacketFuzzer(data, size);
89     mtpPacketFuzzer.process();
90     return 0;
91 }
92