1 /*
2  * Copyright 2020 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #pragma once
18 
#include <fuzzer/FuzzedDataProvider.h>

#include <cstdint>
#include <map>
#include <memory>
#include <string>
#include <utility>
#include <vector>

#include "fuzz/helpers.h"
#include "hci/class_of_device.h"
#include "hci/command_interface.h"
#include "hci/hci_layer.h"
#include "os/fuzz/dev_null_queue.h"
#include "os/fuzz/fuzz_inject_queue.h"
29 
30 namespace bluetooth {
31 namespace hci {
32 namespace fuzz {
33 
template <typename T>
class FuzzCommandInterface : public CommandInterface<T> {
private:
  using CompleteCallback = common::ContextualOnceCallback<void(hci::CommandCompleteView)>;
  using StatusCallback = common::ContextualOnceCallback<void(hci::CommandStatusView)>;
  using StatusOrCompleteCallback =
          common::ContextualOnceCallback<void(hci::CommandStatusOrCompleteView)>;

public:
  // Fuzz stand-in for a command interface: each enqueued command is dropped
  // together with its callback, which is never run. Unlike FuzzHciLayer there
  // is no auto-reply path here.
  void EnqueueCommand(std::unique_ptr<T> /* command */,
                      CompleteCallback /* on_complete */) override {
    // Intentional no-op.
  }

  void EnqueueCommand(std::unique_ptr<T> /* command */,
                      StatusCallback /* on_status */) override {
    // Intentional no-op.
  }

  void EnqueueCommand(std::unique_ptr<T> /* command */,
                      StatusOrCompleteCallback /* on_status_or_complete */) override {
    // Intentional no-op.
  }
};
51 
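// HciLayer replacement for fuzzing: commands are never sent to a controller.
// Instead their callbacks are parked in this object and, when auto-reply is
// enabled, answered synchronously with fuzzer-chosen bytes.
class FuzzHciLayer : public HciLayer {
public:
  // Enables auto-reply using |fdp| as the byte source. The provider is
  // borrowed, not owned: it must outlive the auto-reply period, so callers
  // should TurnOffAutoReply() before the provider goes away.
  void TurnOnAutoReply(FuzzedDataProvider* fdp) { auto_reply_fdp = fdp; }

  void TurnOffAutoReply() { auto_reply_fdp = nullptr; }

  // Discards the command, stores |on_complete| as the pending completion
  // callback (replacing any earlier one) and, when auto-reply is on, injects
  // an arbitrary CommandComplete payload before returning.
  void EnqueueCommand(
          std::unique_ptr<hci::CommandBuilder> /* command */,
          common::ContextualOnceCallback<void(hci::CommandCompleteView)> on_complete) override {
    on_command_complete_ = std::move(on_complete);
    if (auto_reply_fdp != nullptr) {
      injectCommandComplete(bluetooth::fuzz::GetArbitraryBytes(auto_reply_fdp));
    }
  }

  // Same as above for the CommandStatus flavour of reply.
  void EnqueueCommand(
          std::unique_ptr<hci::CommandBuilder> /* command */,
          common::ContextualOnceCallback<void(hci::CommandStatusView)> on_status) override {
    on_command_status_ = std::move(on_status);
    if (auto_reply_fdp != nullptr) {
      injectCommandStatus(bluetooth::fuzz::GetArbitraryBytes(auto_reply_fdp));
    }
  }

  // The data queues are owned by this object; the returned ends are borrowed.
  common::BidiQueueEnd<hci::AclBuilder, hci::AclView>* GetAclQueueEnd() override {
    return acl_queue_.GetUpEnd();
  }

  common::BidiQueueEnd<hci::IsoBuilder, hci::IsoView>* GetIsoQueueEnd() override {
    return iso_queue_.GetUpEnd();
  }

  common::BidiQueueEnd<hci::ScoBuilder, hci::ScoView>* GetScoQueueEnd() override {
    return sco_queue_.GetUpEnd();
  }

  // Registers (or replaces) the handler for |event|.
  void RegisterEventHandler(hci::EventCode event,
                            common::ContextualCallback<void(hci::EventView)> handler) override {
    event_handlers_[event] = std::move(handler);
  }

  // Erase-by-key is already a no-op for an unregistered event.
  void UnregisterEventHandler(hci::EventCode event) override { event_handlers_.erase(event); }

  // Registers (or replaces) the handler for LE meta subevent |event|.
  void RegisterLeEventHandler(
          hci::SubeventCode event,
          common::ContextualCallback<void(hci::LeMetaEventView)> handler) override {
    le_event_handlers_[event] = std::move(handler);
  }

  void UnregisterLeEventHandler(hci::SubeventCode event) override {
    le_event_handlers_.erase(event);
  }

  // Interface getters are defined out of line; they hand back the
  // FuzzCommandInterface members below.
  hci::SecurityInterface* GetSecurityInterface(
          common::ContextualCallback<void(hci::EventView)> event_handler) override;

  hci::LeSecurityInterface* GetLeSecurityInterface(
          common::ContextualCallback<void(hci::LeMetaEventView)> event_handler) override;

  hci::AclConnectionInterface* GetAclConnectionInterface(
          common::ContextualCallback<void(hci::EventView)> event_handler,
          common::ContextualCallback<void(uint16_t, hci::ErrorCode)> on_disconnect,
          common::ContextualCallback<void(Address, ClassOfDevice)> on_connection_request,
          common::ContextualCallback<void(hci::ErrorCode hci_status, uint16_t, uint8_t, uint16_t,
                                          uint16_t)>
                  on_read_remote_version) override;
  void PutAclConnectionInterface() override {}

  hci::LeAclConnectionInterface* GetLeAclConnectionInterface(
          common::ContextualCallback<void(hci::LeMetaEventView)> event_handler,
          common::ContextualCallback<void(uint16_t, hci::ErrorCode)> on_disconnect,
          common::ContextualCallback<void(hci::ErrorCode hci_status, uint16_t, uint8_t, uint16_t,
                                          uint16_t)>
                  on_read_remote_version) override;
  void PutLeAclConnectionInterface() override {}

  hci::LeAdvertisingInterface* GetLeAdvertisingInterface(
          common::ContextualCallback<void(hci::LeMetaEventView)> event_handler) override;

  hci::LeScanningInterface* GetLeScanningInterface(
          common::ContextualCallback<void(hci::LeMetaEventView)> event_handler) override;

  hci::LeIsoInterface* GetLeIsoInterface(
          common::ContextualCallback<void(LeMetaEventView)> event_handler) override;

  hci::DistanceMeasurementInterface* GetDistanceMeasurementInterface(
          common::ContextualCallback<void(hci::LeMetaEventView)> event_handler) override;

  // Entry point for the fuzzer: consumes bytes from |fdp| and injects traffic
  // (defined out of line).
  void injectArbitrary(FuzzedDataProvider& fdp);

  std::string ToString() const override { return "FuzzHciLayer"; }

  static const ModuleFactory Factory;

protected:
  void ListDependencies(ModuleList* /* list */) const override {}
  void Start() override;
  void Stop() override;

private:
  // Injection helpers, all defined out of line.
  void injectAclData(std::vector<uint8_t> data);

  void injectCommandComplete(std::vector<uint8_t> data);
  void injectCommandStatus(std::vector<uint8_t> data);

  void injectEvent(FuzzedDataProvider& fdp);
  void injectLeEvent(FuzzedDataProvider& fdp);

  void injectSecurityEvent(std::vector<uint8_t> data);
  void injectLeSecurityEvent(std::vector<uint8_t> data);

  void injectAclEvent(std::vector<uint8_t> data);
  void injectAclDisconnect(FuzzedDataProvider& fdp);
  void injectLeAclEvent(std::vector<uint8_t> data);
  void injectLeAclDisconnect(FuzzedDataProvider& fdp);

  void injectLeAdvertisingEvent(std::vector<uint8_t> data);

  void injectLeScanningEvent(std::vector<uint8_t> data);
  void injectLeIsoEvent(std::vector<uint8_t> data);

  // Null while auto-reply is off. Initialised here so the null check in
  // EnqueueCommand never reads an indeterminate pointer when TurnOnAutoReply()
  // has not been called yet. (Name kept without trailing underscore because
  // the out-of-line definitions may refer to it.)
  FuzzedDataProvider* auto_reply_fdp{nullptr};

  common::BidiQueue<hci::AclView, hci::AclBuilder> acl_queue_{3};
  common::BidiQueue<hci::ScoView, hci::ScoBuilder> sco_queue_{3};
  common::BidiQueue<hci::IsoView, hci::IsoBuilder> iso_queue_{3};
  // Non-owning here; presumably set up in Start() — confirm in the .cc.
  os::fuzz::DevNullQueue<AclBuilder>* acl_dev_null_{nullptr};
  os::fuzz::FuzzInjectQueue<AclView>* acl_inject_{nullptr};

  FuzzCommandInterface<AclCommandBuilder> acl_connection_interface_{};
  FuzzCommandInterface<AclCommandBuilder> le_acl_connection_interface_{};
  FuzzCommandInterface<SecurityCommandBuilder> security_interface_{};
  FuzzCommandInterface<LeSecurityCommandBuilder> le_security_interface_{};
  FuzzCommandInterface<LeAdvertisingCommandBuilder> le_advertising_interface_{};
  FuzzCommandInterface<LeScanningCommandBuilder> le_scanning_interface_{};
  FuzzCommandInterface<LeIsoCommandBuilder> le_iso_interface_{};
  FuzzCommandInterface<DistanceMeasurementCommandBuilder> distance_measurement_interface_{};

  // Most recently enqueued command callbacks; only one of each is kept.
  common::ContextualOnceCallback<void(hci::CommandCompleteView)> on_command_complete_;
  common::ContextualOnceCallback<void(hci::CommandStatusView)> on_command_status_;

  std::map<hci::EventCode, common::ContextualCallback<void(hci::EventView)>> event_handlers_;
  std::map<hci::SubeventCode, common::ContextualCallback<void(hci::LeMetaEventView)>>
          le_event_handlers_;

  common::ContextualCallback<void(hci::EventView)> security_event_handler_;
  common::ContextualCallback<void(hci::LeMetaEventView)> le_security_event_handler_;
  common::ContextualCallback<void(hci::EventView)> acl_event_handler_;
  common::ContextualCallback<void(uint16_t, hci::ErrorCode)> acl_on_disconnect_;
  common::ContextualCallback<void(hci::LeMetaEventView)> le_acl_event_handler_;
  common::ContextualCallback<void(uint16_t, hci::ErrorCode)> le_acl_on_disconnect_;
  common::ContextualCallback<void(hci::LeMetaEventView)> le_advertising_event_handler_;
  common::ContextualCallback<void(hci::LeMetaEventView)> le_scanning_event_handler_;
  common::ContextualCallback<void(hci::LeMetaEventView)> le_iso_event_handler_;
};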
215 
216 }  // namespace fuzz
217 }  // namespace hci
218 }  // namespace bluetooth
219