xref: /aosp_15_r20/system/logging/logd/fuzz/serialized_log_buffer_fuzzer.cpp (revision 598139dc91b21518d67c408eaea2644226490971) 
1 /*
2  * Copyright 2020 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include <string>
18 
19 #include <android-base/logging.h>
20 
21 #include "../LogReaderList.h"
22 #include "../LogReaderThread.h"
23 #include "../LogStatistics.h"
24 #include "../PruneList.h"
25 #include "../SerializedLogBuffer.h"
26 
27 // We don't want to waste a lot of entropy on messages
28 #define MAX_MSG_LENGTH 5
29 
30 // Tag IDs usually start at 1000, we only want to try 1000 through 1009
31 #define MIN_TAG_ID 1000
32 #define TAG_MOD 10
33 
uidToName(uid_t)34 char* android::uidToName(uid_t) {
35     return strdup("fake");
36 }
37 
38 struct LogInput {
39   public:
40     log_id_t log_id;
41     log_time realtime;
42     uid_t uid;
43     pid_t pid;
44     pid_t tid;
45     unsigned int log_mask;
46 };
47 
write_log_messages(const uint8_t ** pdata,size_t * data_left,LogBuffer * log_buffer,LogStatistics * stats)48 int write_log_messages(const uint8_t** pdata, size_t* data_left, LogBuffer* log_buffer,
49                        LogStatistics* stats) {
50     const uint8_t* data = *pdata;
51     const LogInput* logInput = reinterpret_cast<const LogInput*>(data);
52     data += sizeof(LogInput);
53     *data_left -= sizeof(LogInput);
54 
55     uint32_t tag = MIN_TAG_ID + data[0] % TAG_MOD;
56     uint8_t msg_length = data[1] % MAX_MSG_LENGTH;
57     if (msg_length < 2) {
58         // Not enough data for message
59         return 0;
60     }
61 
62     data += 2 * sizeof(uint8_t);
63     *data_left -= 2 * sizeof(uint8_t);
64 
65     if (*data_left < msg_length) {
66         // Not enough data for tag and message
67         *pdata = data;
68         return 0;
69     }
70 
71     // We need nullterm'd strings
72     char msg[sizeof(uint32_t) + MAX_MSG_LENGTH + sizeof(char)];
73     char* msg_only = msg + sizeof(uint32_t);
74     memcpy(msg, &tag, sizeof(uint32_t));
75     memcpy(msg_only, data, msg_length);
76     msg_only[msg_length] = '\0';
77     data += msg_length;
78     *data_left -= msg_length;
79 
80     // Other elements not in enum.
81     log_id_t log_id = static_cast<log_id_t>(unsigned(logInput->log_id) % (LOG_ID_MAX + 1));
82     log_buffer->Log(log_id, logInput->realtime, logInput->uid, logInput->pid, logInput->tid, msg,
83                     sizeof(uint32_t) + msg_length + 1);
84     stats->Format(logInput->uid, logInput->pid, logInput->log_mask);
85     *pdata = data;
86     return 1;
87 }
88 
89 class NoopWriter : public LogWriter {
90   public:
NoopWriter()91     NoopWriter() : LogWriter(0, true) {}
Write(const logger_entry &,const char *)92     bool Write(const logger_entry&, const char*) override { return true; }
93 
name() const94     std::string name() const override { return "noop_writer"; }
95 };
96 
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)97 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
98     // We want a random tag length and a random remaining message length
99     if (data == nullptr || size < sizeof(LogInput) + 2 * sizeof(uint8_t)) {
100         return 0;
101     }
102 
103     android::base::SetMinimumLogSeverity(android::base::ERROR);
104 
105     LogReaderList reader_list;
106     LogTags tags;
107     PruneList prune_list;
108     LogStatistics stats(true, true);
109     std::unique_ptr<LogBuffer> log_buffer;
110     log_buffer.reset(new SerializedLogBuffer(&reader_list, &tags, &stats));
111     size_t data_left = size;
112     const uint8_t** pdata = &data;
113 
114     prune_list.Init(nullptr);
115     // We want to get pruning code to get called.
116     log_id_for_each(i) {
117         log_buffer->SetSize(i, 10000);
118     }
119 
120     while (data_left >= sizeof(LogInput) + 2 * sizeof(uint8_t)) {
121         if (!write_log_messages(pdata, &data_left, log_buffer.get(), &stats)) {
122             return 0;
123         }
124     }
125 
126     // Read out all of the logs.
127     {
128         auto lock = std::unique_lock{logd_lock};
129         std::unique_ptr<LogWriter> test_writer(new NoopWriter());
130         std::unique_ptr<LogReaderThread> log_reader(
131                 new LogReaderThread(log_buffer.get(), &reader_list, std::move(test_writer), true, 0,
132                                     kLogMaskAll, 0, {}, 1, {}));
133         reader_list.AddAndRunThread(std::move(log_reader));
134     }
135 
136     // Wait until the reader has finished.
137     while (true) {
138         usleep(50);
139         auto lock = std::unique_lock{logd_lock};
140         if (reader_list.running_reader_threads().size() == 0) {
141             break;
142         }
143     }
144 
145     log_id_for_each(i) {
146         log_buffer->Clear(i, 0);
147     }
148     return 0;
149 }
150