/*
 * Copyright (C) 2022 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
16 
17 #include <MtpDevHandle.h>
18 #include <MtpPacketFuzzerUtils.h>
19 #include <MtpRequestPacket.h>
20 #include <fstream>
21 #include <functional>
22 #include <fuzzer/FuzzedDataProvider.h>
23 
24 using namespace android;
25 
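// File that process() creates through makeFile() before starting an MtpDevHandle and
// removes again afterwards. Declared const so that no code path can redirect the
// create/remove pair to a different file at run time.
// NOTE(review): this is a fixed absolute path. Parallel fuzzer workers on one host would
// share it, and on a system where the node really exists the harness would truncate and
// then delete it — confirm the fuzzer only ever runs in a disposable environment.
const std::string kMtpDevPath = "/dev/mtp_usb";

// Upper bound passed to ConsumeRandomLengthString() for each line makeFile() writes.
constexpr int32_t kMaxBytes = 100000;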
28 
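/**
 * Fuzz harness for MtpRequestPacket.
 *
 * Holds the fuzz input in mFdp and a heap buffer, mUsbDevFsUrb, sized for one
 * usbdevfs_urb followed by one usbdevfs_iso_packet_desc. mUsbDevFsUrb is not declared in
 * this class; it is presumably a member inherited from MtpPacketFuzzerUtils.
 */
class MtpRequestPacketFuzzer : MtpPacketFuzzerUtils {
  public:
    /**
     * @param data fuzz input handed to FuzzedDataProvider
     * @param size number of bytes in data
     */
    MtpRequestPacketFuzzer(const uint8_t* data, size_t size) : mFdp(data, size) {
        // NOTE(review): the allocation result is not checked and the buffer is left
        // uninitialised. A null or garbage-filled URB would surface as a harness crash
        // rather than a finding in the code under test — confirm how the utility
        // helpers use this buffer.
        mUsbDevFsUrb = static_cast<struct usbdevfs_urb*>(
                malloc(sizeof(struct usbdevfs_urb) + sizeof(struct usbdevfs_iso_packet_desc)));
    }

    ~MtpRequestPacketFuzzer() { free(mUsbDevFsUrb); }

    // The destructor frees mUsbDevFsUrb, so an implicit copy would lead to the same
    // buffer being freed twice. Copying is therefore disabled.
    MtpRequestPacketFuzzer(const MtpRequestPacketFuzzer&) = delete;
    MtpRequestPacketFuzzer& operator=(const MtpRequestPacketFuzzer&) = delete;

    /** Runs fuzz-selected MtpRequestPacket operations until the input is used up. */
    void process();

  private:
    FuzzedDataProvider mFdp;

    /** Creates (or truncates) the file at path s and fills it with fuzz-derived lines. */
    void makeFile(std::string s);
};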
42 
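/**
 * Drives one MtpRequestPacket with operations picked by the fuzz input.
 *
 * Each loop iteration selects one of four actions (allocate, reset, read through an
 * MtpDevHandle, write through a usb_request) and runs it. The loop ends when the
 * FuzzedDataProvider has no bytes left.
 */
void MtpRequestPacketFuzzer::process() {
    MtpRequestPacket mtpRequestPacket;
    while (mFdp.remaining_bytes() > 0) {
        auto mtpRequestAPI = mFdp.PickValueInArray<const std::function<void()>>({
                // Resize the packet buffer to a fuzz-chosen size.
                [&]() {
                    mtpRequestPacket.allocate(mFdp.ConsumeIntegralInRange(kMinSize, kMaxSize));
                },
                // Reset the packet.
                [&]() { mtpRequestPacket.reset(); },
                // Read path: create the backing file, push fuzz bytes through the handle,
                // then let the packet read from that handle.
                [&]() {
                    MtpDevHandle handle;
                    makeFile(kMtpDevPath);
                    // NOTE(review): the result of start() is ignored, so write() and
                    // read() below may run against a handle that never opened — confirm
                    // that is the intended coverage.
                    handle.start(mFdp.ConsumeBool());
                    std::vector<uint8_t> data = mFdp.ConsumeBytes<uint8_t>(
                            mFdp.ConsumeIntegralInRange<size_t>(kMinSize, kMaxSize));
                    handle.write(data.data(), data.size());
                    mtpRequestPacket.read(&handle);
                    handle.close();
                    // Remove the file so that the next iteration starts from a clean state.
                    remove(kMtpDevPath.c_str());
                },
                // Write path: back a usb_device with an in-memory file and send the packet.
                [&]() {
                    fillFilePath(&mFdp);
                    int32_t fd = memfd_create(mPath.c_str(), MFD_ALLOW_SEALING);
                    if (fd < 0) {
                        // memfd_create failed (its name argument is fuzz-derived); there
                        // is no descriptor to build a device on, so skip this action.
                        return;
                    }
                    fillUsbRequest(fd, &mFdp);
                    mUsbRequest.dev = usb_device_new(mPath.c_str(), fd);
                    if (mUsbRequest.dev == nullptr) {
                        // Do not hand a null device to write() or usb_device_close(); a
                        // crash there would be a harness fault, not a finding.
                        // NOTE(review): usb_device_new is defined outside this file —
                        // confirm whether it closes fd on failure before adding a close
                        // here.
                        return;
                    }
                    mtpRequestPacket.write(&mUsbRequest);
                    usb_device_close(mUsbRequest.dev);
                },
        });
        mtpRequestAPI();
    }
}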
74 
/**
 * Creates or truncates the file at path s and writes fuzz-derived lines into it.
 *
 * @param s path of the file to write
 *
 * The open result is not checked; if the file cannot be opened the stream writes do
 * nothing, but fuzz input is still consumed.
 */
void MtpRequestPacketFuzzer::makeFile(std::string s) {
    std::ofstream fileStream(s, std::ios::binary | std::ofstream::trunc);
    int32_t linesWritten = 0;
    // The upper bound is drawn from the fuzz input again on every check, not once up
    // front, so each iteration consumes a fresh integer before deciding to continue.
    while (linesWritten < mFdp.ConsumeIntegralInRange<int32_t>(kMinSize, kMaxSize)) {
        // Each line is a fuzz string of at most kMaxBytes bytes plus a newline.
        fileStream << mFdp.ConsumeRandomLengthString(kMaxBytes) << "\n";
        ++linesWritten;
    }
    // fileStream is flushed and closed by its destructor on return.
}
83 
/**
 * libFuzzer entry point: builds a harness over the input buffer and runs it once.
 *
 * @param data fuzz input bytes
 * @param size number of bytes in data
 * @return always 0
 */
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    // The harness object lives only for this call; its destructor frees the URB buffer.
    MtpRequestPacketFuzzer harness(data, size);
    harness.process();
    return 0;
}