1 /*
2 * Copyright 2020 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
#include <fcntl.h>
#include <unistd.h>

#include <cstddef>
#include <cstdint>
#include <vector>

#include <fuzzer/FuzzedDataProvider.h>

#include "common/message_loop_thread.h"
#include "osi/include/alarm.h"
#include "osi/include/semaphore.h"

using base::Closure;
using base::TimeDelta;
using bluetooth::common::MessageLoopThread;
27
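// Upper bounds that size the fuzzer-generated inputs. Typed constants instead
// of macros: they are scoped to this translation unit, carry the type the
// consumer actually wants, and are visible to the debugger.
//
// MAX_CONCURRENT_ALARMS: most alarm_set() calls issued in one iteration.
// MAX_BUFFER_LEN:        most bytes drawn for an alarm name or data payload.
// MAX_ALARM_DURATION:    largest interval handed to alarm_set(); the alarm
//                        API reports remaining time via alarm_get_remaining_ms,
//                        so this is taken to be milliseconds.
constexpr int MAX_CONCURRENT_ALARMS = 25;
constexpr size_t MAX_BUFFER_LEN = 4096;
constexpr uint64_t MAX_ALARM_DURATION = 25;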
31
// Counting semaphore posted once per cb() invocation; the fuzz entry point
// waits on it to block until scheduled alarms have fired. Created in setup(),
// released in teardown().
static semaphore_t* semaphore{};
// How many times cb() has run in the current iteration; reset by setup().
static int cb_counter{};
// Stand-in for the stack's main thread, returned by get_main_thread().
// Intentionally leaked for the life of the fuzzing process.
// NOTE(review): nothing in this file starts this thread, so callbacks routed
// through the message-loop path presumably never execute — confirm whether
// that is intended for the alarm_set_on_mloop() coverage.
static MessageLoopThread* thread = new MessageLoopThread("fake main thread");
35
// Returns the MessageLoopThread this harness presents as the main thread.
// Presumably resolves a symbol the alarm implementation expects the stack
// to provide; here it simply hands back the file-level |thread| object.
bluetooth::common::MessageLoopThread* get_main_thread() {
  MessageLoopThread* const main_thread = thread;
  return main_thread;
}
37
// Alarm callback used for every alarm this harness schedules. Records the
// invocation and releases one waiter on |semaphore|. |data| is the payload
// pointer handed to alarm_set(); it is deliberately never dereferenced here.
static void cb(void* data) {
  (void)data;
  cb_counter += 1;
  semaphore_post(semaphore);
}
42
// Per-iteration fixture: create the semaphore cb() posts to (initial count
// zero) and reset the invocation counter.
void setup() {
  semaphore = semaphore_new(0);
  cb_counter = 0;
}
// Per-iteration fixture teardown: release the semaphore created by setup().
void teardown() {
  semaphore_t* const sem = semaphore;
  semaphore_free(sem);
}
48
// Creates an alarm whose name comes from the fuzzer.
//
// The name is a NUL-terminated byte string of at most MAX_BUFFER_LEN bytes
// (ConsumeBytesWithTerminator always appends the terminator, so the buffer is
// never empty). One further fuzzer bit picks alarm_new_periodic() over
// alarm_new(). The name buffer is a local and is only valid for the duration
// of this call.
//
// Returns whatever the chosen constructor returns.
alarm_t* fuzz_init_alarm(FuzzedDataProvider* dataProvider) {
  const size_t max_name_len =
      dataProvider->ConsumeIntegralInRange<size_t>(0, MAX_BUFFER_LEN);
  const std::vector<char> name_bytes =
      dataProvider->ConsumeBytesWithTerminator<char>(max_name_len, '\0');
  const char* const name = name_bytes.data();

  // Periodic or one-shot, decided after the name has been consumed.
  const bool periodic = dataProvider->ConsumeBool();
  return periodic ? alarm_new_periodic(name) : alarm_new(name);
}
63
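// Schedules |alarm| with a fuzzer-generated payload pointer.
//
// |interval| is forwarded unchanged to alarm_set() or alarm_set_on_mloop();
// one fuzzer bit (consumed only when |alarm| is non-null) picks between the
// two. A null |alarm| is tolerated and skips the set entirely, since the
// alarm API asserts on a null alarm.
//
// Returns true once the payload has been consumed, whether or not anything
// was scheduled. No path yields false; the bool return is kept because
// callers branch on it.
//
// Payload lifetime: the bytes live in a function-scope static so the pointer
// given to the alarm stays valid after this function returns. Previously the
// buffer was a local vector, so the alarm was left holding a pointer into a
// destroyed frame. The static is overwritten on every call, so only the most
// recent buffer is meaningful; cb() never dereferences the pointer anyway,
// the payload exists only to exercise the API's data-pointer plumbing.
bool fuzz_set_alarm(alarm_t* alarm, uint64_t interval, alarm_callback_t cb,
                    FuzzedDataProvider* dataProvider) {
  // Lower bound is 1, so no zero-length guard is needed.
  const size_t buff_len =
      dataProvider->ConsumeIntegralInRange<size_t>(1, MAX_BUFFER_LEN);

  // Outlives the call. ConsumeBytes may return fewer than |buff_len| bytes,
  // including none, once the fuzzer input is exhausted; an empty payload is
  // passed as an explicit null pointer so that case is deterministic.
  static std::vector<uint8_t> data_vector;
  data_vector = dataProvider->ConsumeBytes<uint8_t>(buff_len);
  void* const data_buffer =
      data_vector.empty() ? nullptr : static_cast<void*>(data_vector.data());

  if (alarm != nullptr) {
    // Dispatch via the message loop or the regular alarm path (per the two
    // API names); decided by one fuzzer bit.
    if (dataProvider->ConsumeBool()) {
      alarm_set_on_mloop(alarm, interval, cb, data_buffer);
    } else {
      alarm_set(alarm, interval, cb, data_buffer);
    }
  }

  return true;
}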
91
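// Tail shared by every exit of a fuzz iteration: release |alarm| (the
// no-alarm path passes null here, as the original flow did), dump the alarm
// module's debug state to /dev/null, tear the module down, then free the
// semaphore. The descriptor is closed after the dump; without that each
// iteration leaked one fd and a long run would eventually hit the fd limit.
static void finish_iteration(alarm_t* alarm) {
  alarm_free(alarm);

  const int debug_fd = open("/dev/null", O_RDWR);
  alarm_debug_dump(debug_fd);
  if (debug_fd >= 0) {
    close(debug_fd);
  }

  alarm_cleanup();
  teardown();
}

// libFuzzer entry point: runs one iteration over the input |Data|/|Size|.
//
// Flow: setup() -> optionally create an alarm -> set it and cancel it ->
// query it -> schedule a fuzzer-chosen number of further sets on the same
// alarm -> wait -> finish_iteration(). Every exit goes through
// finish_iteration(), so an early return no longer leaves the alarm_t, the
// semaphore and the alarm module alive into the next iteration.
//
// Always returns 0, as libFuzzer expects.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* Data, size_t Size) {
  FuzzedDataProvider dataProvider(Data, Size);
  setup();

  // One fuzzer bit: exercise a real alarm, or the null-alarm paths of the
  // functions that accept null.
  alarm_t* alarm = nullptr;
  if (dataProvider.ConsumeBool()) {
    alarm = fuzz_init_alarm(&dataProvider);
  }

  // Set then immediately cancel. alarm_set() asserts on a null alarm, hence
  // the guard.
  if (alarm) {
    if (!fuzz_set_alarm(alarm, MAX_ALARM_DURATION, cb, &dataProvider)) {
      finish_iteration(alarm);
      return 0;
    }
    alarm_cancel(alarm);
  }

  // Query-only call, exercised with both a real and a null alarm.
  alarm_is_scheduled(alarm);

  if (alarm) {
    const int num_alarms =
        dataProvider.ConsumeIntegralInRange<uint8_t>(0, MAX_CONCURRENT_ALARMS);
    for (int i = 0; i < num_alarms; i++) {
      const uint64_t interval =
          dataProvider.ConsumeIntegralInRange<uint64_t>(0, MAX_ALARM_DURATION);
      // NOTE(review): this test is the opposite of the one above — a
      // *successful* set ends the iteration, and since fuzz_set_alarm()
      // currently always returns true the wait loop below only runs when
      // num_alarms == 0. Flipping it to `!fuzz_set_alarm(...)` matches the
      // surrounding comments, but every set here reuses the same alarm_t,
      // so waiting num_alarms times could block in semaphore_wait() for a
      // one-shot alarm; confirm the alarm's reschedule semantics first.
      if (fuzz_set_alarm(alarm, interval, cb, &dataProvider)) {
        finish_iteration(alarm);
        return 0;
      }
      alarm_get_remaining_ms(alarm);
    }

    // Block until each scheduled callback has posted the semaphore.
    for (int i = 1; i <= num_alarms; i++) {
      semaphore_wait(semaphore);
    }
  }

  finish_iteration(alarm);
  return 0;
}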
152