/*
 * Copyright (C) 2021 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#include <BufferAllocator/BufferAllocator.h>
#include <android-base/unique_fd.h>
#include <apploader_ipc.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <trusty/coverage/coverage.h>
#include <trusty/fuzz/counters.h>
#include <trusty/fuzz/utils.h>
#include <trusty/tipc.h>
#include <unistd.h>
#include <iostream>

using android::base::unique_fd;
using android::trusty::coverage::CoverageRecord;
using android::trusty::fuzz::ExtraCounters;
using android::trusty::fuzz::TrustyApp;

#define TIPC_DEV "/dev/trusty-ipc-dev0"
#define APPLOADER_PORT "com.android.trusty.apploader"
#define APPLOADER_MODULE_NAME "apploader.syms.elf"

/* Apploader TA's UUID is 081ba88f-f1ee-452e-b5e8-a7e9ef173a97 */
static struct uuid apploader_uuid = {
        0x081ba88f,
        0xf1ee,
        0x452e,
        {0xb5, 0xe8, 0xa7, 0xe9, 0xef, 0x17, 0x3a, 0x97},
};

static inline uintptr_t RoundPageUp(uintptr_t val) {
    return (val + (PAGE_SIZE - 1)) & ~(PAGE_SIZE - 1);
}

static bool SendLoadMsg(int chan, int dma_buf, size_t dma_buf_size) {
    apploader_header hdr = {
            .cmd = APPLOADER_CMD_LOAD_APPLICATION,
    };
    apploader_load_app_req req = {
            .package_size = static_cast<uint64_t>(dma_buf_size),
    };
    iovec iov[] = {
            {
                    .iov_base = &hdr,
                    .iov_len = sizeof(hdr),
            },
            {
                    .iov_base = &req,
                    .iov_len = sizeof(req),
            },
    };
    trusty_shm shm = {
            .fd = dma_buf,
            .transfer = TRUSTY_SHARE,
    };

    int rc = tipc_send(chan, iov, 2, &shm, 1);
    if (rc != static_cast<int>(sizeof(hdr) + sizeof(req))) {
        std::cerr << "Failed to send request" << std::endl;
        return false;
    }

    apploader_resp resp;
    rc = read(chan, &resp, sizeof(resp));
    if (rc != static_cast<int>(sizeof(resp))) {
        std::cerr << "Failed to receive response" << std::endl;
        return false;
    }

    return true;
}

static CoverageRecord record(TIPC_DEV, &apploader_uuid, APPLOADER_MODULE_NAME);

extern "C" int LLVMFuzzerInitialize(int* /* argc */, char*** /* argv */) {
    auto ret = record.Open();
    if (!ret.ok()) {
        std::cerr << ret.error() << std::endl;
        exit(-1);
    }
    return 0;
}

extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    ExtraCounters counters(&record);
    counters.Reset();

    android::trusty::fuzz::TrustyApp ta(TIPC_DEV, APPLOADER_PORT);
    auto ret = ta.Connect();
    if (!ret.ok()) {
        std::cerr << ret.error() << std::endl;
        android::trusty::fuzz::Abort();
    }

    uint64_t shm_len = size ? RoundPageUp(size) : PAGE_SIZE;
    BufferAllocator alloc;
    unique_fd dma_buf(alloc.Alloc(kDmabufSystemHeapName, shm_len));
    if (dma_buf < 0) {
        std::cerr << "Failed to create dmabuf of size: " << shm_len << std::endl;
        android::trusty::fuzz::Abort();
    }

    void* shm_base = mmap(0, shm_len, PROT_READ | PROT_WRITE, MAP_SHARED, dma_buf, 0);
    if (shm_base == MAP_FAILED) {
        std::cerr << "Failed to mmap() dmabuf" << std::endl;
        android::trusty::fuzz::Abort();
    }

    memcpy(shm_base, data, size);

    bool success = SendLoadMsg(*ta.GetRawFd(), dma_buf, shm_len);
    if (!success) {
        std::cerr << "Failed to send load message" << std::endl;
        android::trusty::fuzz::Abort();
    }

    munmap(shm_base, shm_len);
    return 0;
}