xref: /aosp_15_r20/system/nfc/src/fuzzers/integration/fakes/hal_fakes.cc (revision 7eba2f3b06c51ae21384f6a4f14577b668a869b3)
1 #include "hal_fakes.h"
2 
3 #include <android-base/logging.h>
4 #include <android-base/stringprintf.h>
5 
6 #include "nci_defs.h"
7 
// The single live FakeHal instance, or nullptr when none exists. The
// constructor sets it and the destructor clears it; the free-function HAL
// entry points in this file dispatch through it.
FakeHal* g_fake_hal = nullptr;
9 
// Creates the fake HAL with no callbacks registered and publishes it through
// g_fake_hal so the C-style HAL entry points can reach it.
FakeHal::FakeHal() : hal_callback_{nullptr}, data_callback_{nullptr} {
  // Only one FakeHal may be alive at a time: a second instance would silently
  // steal the global from the first, so abort instead.
  CHECK(!g_fake_hal);
  g_fake_hal = this;
}
14 
// Unpublishes the instance. After this point g_fake_hal is null, so the
// free-function HAL entry points must not be called until a new FakeHal is
// constructed.
FakeHal::~FakeHal() {
  g_fake_hal = nullptr;
}
16 
// Records the callbacks handed over on HAL open. SimulateHALEvent and
// SimulatePacketArrival invoke them later; both are no-ops while the
// corresponding callback is null.
void FakeHal::FuzzedOpen(tHAL_NFC_CBACK* p_hal_cback,
                         tHAL_NFC_DATA_CBACK* p_data_cback) {
  data_callback_ = p_data_cback;
  hal_callback_ = p_hal_cback;
}
22 
// Forgets both callbacks, so events and packets simulated after close are
// dropped rather than delivered to a stack that has shut the HAL down.
void FakeHal::FuzzedClose() {
  data_callback_ = nullptr;
  hal_callback_ = nullptr;
}
27 
// Delivers a HAL event with the given status to the registered HAL callback.
// Does nothing when no callback is registered (HAL not opened, or closed).
// The event and status values are passed through unvalidated.
void FakeHal::SimulateHALEvent(uint8_t event, tHAL_NFC_STATUS status) {
  if (hal_callback_) {
    hal_callback_(event, status);
  }
}
35 
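// Builds one NCI packet (a 3-octet header followed by `size` payload bytes)
// and hands it to the data callback registered in FuzzedOpen.
//
// The call is dropped when no data callback is registered, or when `size`
// does not fit the one-octet length field of the header.
//
// mt, pbf and gid are packed into the first header octet without masking, so
// an out-of-range value spills into the neighbouring field.
// NOTE(review): that looks deliberate for a fuzzer-driven fake - confirm.
void FakeHal::SimulatePacketArrival(uint8_t mt, uint8_t pbf, uint8_t gid,
                                    uint8_t opcode, uint8_t* data,
                                    size_t size) {
  constexpr size_t kHeaderSize = 3;
  constexpr size_t kMaxPayloadSize = 255;

  if (!data_callback_ || size > kMaxPayloadSize) {
    return;
  }

  // The buffer is static and always full-sized, and it is not cleared between
  // calls: bytes past the current packet hold leftovers from earlier packets.
  // NOTE(review): a consumer that reads past `size + 3` but stays inside this
  // array is not reported by a memory sanitizer. An exactly-sized heap copy
  // would expose such over-reads; confirm the callback does not keep the
  // pointer before changing the storage.
  static uint8_t buffer[kMaxPayloadSize + kHeaderSize];

  buffer[0] = (mt << NCI_MT_SHIFT) | (pbf << NCI_PBF_SHIFT) | gid;
  // The second header octet is written as zero for data packets; for any
  // other message type it carries the opcode.
  buffer[1] = (mt == NCI_MT_DATA) ? 0 : opcode;
  buffer[2] = static_cast<uint8_t>(size);

  // memcpy requires valid pointers even for a zero-length copy, and an empty
  // payload may arrive with a null `data`; skip the call in that case so the
  // harness itself does not trip the undefined-behaviour sanitizer.
  if (size != 0) {
    memcpy(&buffer[kHeaderSize], data, size);
  }

  data_callback_(size + kHeaderSize, buffer);
}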
56 
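// HAL `open` entry point: forwards the stack's callbacks to the live FakeHal.
void FuzzedOpen(tHAL_NFC_CBACK* p_hal_cback,
                tHAL_NFC_DATA_CBACK* p_data_cback) {
  // g_fake_hal is null before a FakeHal is constructed and after it is
  // destroyed. Abort with a clear message so a harness lifetime bug is not
  // mistaken for a null dereference in the code under test.
  CHECK(g_fake_hal != nullptr);
  g_fake_hal->FuzzedOpen(p_hal_cback, p_data_cback);
}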
61 
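// HAL `close` entry point: tells the live FakeHal to drop its callbacks.
void FuzzedClose() {
  // g_fake_hal is null once the FakeHal has been destroyed. Abort with a
  // clear message so a close issued after teardown shows up as a harness
  // ordering bug rather than a bare null dereference.
  CHECK(g_fake_hal != nullptr);
  g_fake_hal->FuzzedClose();
}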
63 
// HAL `core_initialized` entry point. Intentionally a no-op: both arguments
// are ignored by this fake.
void FuzzedCoreInitialized(uint16_t /*unused*/, uint8_t* /*unused*/) {
}
65 
// HAL `write` entry point. Only the length of the outgoing packet is logged;
// the payload pointer is ignored and nothing is sent back in response.
void FuzzedWrite(uint16_t size, uint8_t* /*unused*/) {
  // Note: compromised firmware can observe writes to the HAL
  LOG(VERBOSE) << android::base::StringPrintf("Got a write of %d bytes",
                                              static_cast<int>(size));
}
70 
// HAL `prediscover` entry point. Always returns false.
bool FuzzedPrediscover() {
  return false;
}
72 
// HAL `control_granted` entry point. Intentionally a no-op in this fake.
void FuzzedControlGranted() {
}
74 
// HAL entry table that routes every HAL call made by the stack to the fakes
// defined in this file. open/close go through g_fake_hal, so a FakeHal must
// be alive whenever the stack can call them.
tHAL_NFC_ENTRY fuzzed_hal_entry = {
    // Registers the stack's callbacks with the live FakeHal.
    .open = FuzzedOpen,
    // Clears the registered callbacks.
    .close = FuzzedClose,
    // No-op.
    .core_initialized = FuzzedCoreInitialized,
    // Logs the write length only; the payload is discarded.
    .write = FuzzedWrite,
    // Always returns false.
    .prediscover = FuzzedPrediscover,
    // No-op.
    .control_granted = FuzzedControlGranted,
};
83