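/*
 * Copyright 2020 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#pragma once

#include "hci/command_interface.h"
#include "hci/hci_layer.h"
#include "os/fuzz/dev_null_queue.h"
#include "os/fuzz/fuzz_inject_queue.h"
#include "os/log.h"

#include <fuzzer/FuzzedDataProvider.h>
#include "fuzz/helpers.h"

// Standard headers this file uses directly (std::map, std::unique_ptr,
// std::string, std::move, std::vector, uint8_t/uint16_t) rather than
// relying on them arriving transitively through the project headers.
#include <cstdint>
#include <map>
#include <memory>
#include <string>
#include <utility>
#include <vector>

namespace bluetooth {
namespace hci {
namespace fuzz {

/// Command interface stand-in used while fuzzing.
///
/// Every enqueued command is accepted and dropped; neither the completion
/// nor the status callback is ever invoked from here.
template <typename T>
class FuzzCommandInterface : public CommandInterface<T> {
 public:
  /// Discards `command`; `on_complete` is never run.
  void EnqueueCommand(std::unique_ptr<T> /*command*/,
                      common::ContextualOnceCallback<void(hci::CommandCompleteView)> /*on_complete*/) override {}

  /// Discards `command`; `on_status` is never run.
  void EnqueueCommand(std::unique_ptr<T> /*command*/,
                      common::ContextualOnceCallback<void(hci::CommandStatusView)> /*on_status*/) override {}
};

/// HciLayer replacement for fuzzing.
///
/// Instead of talking to a controller, it records the handlers and callbacks
/// that upper layers register and lets the fuzzer drive them with arbitrary
/// bytes through the inject* helpers (implemented out of line).
class FuzzHciLayer : public HciLayer {
 public:
  /// Enables auto-reply: from now on every enqueued command is answered
  /// immediately with a CommandComplete/CommandStatus built from bytes drawn
  /// from `fdp`.
  ///
  /// `fdp` is borrowed, not owned; it must stay alive until
  /// TurnOffAutoReply() is called.
  void TurnOnAutoReply(FuzzedDataProvider* fdp) {
    auto_reply_fdp = fdp;
  }

  /// Disables auto-reply; enqueued commands are then only recorded.
  void TurnOffAutoReply() {
    auto_reply_fdp = nullptr;
  }

  /// Records `on_complete` as the pending completion callback (replacing any
  /// earlier one) and, while auto-reply is on, injects a CommandComplete made
  /// of arbitrary fuzzer bytes right away. The command itself is dropped.
  void EnqueueCommand(std::unique_ptr<hci::CommandBuilder> /*command*/,
                      common::ContextualOnceCallback<void(hci::CommandCompleteView)> on_complete) override {
    on_command_complete_ = std::move(on_complete);
    if (auto_reply_fdp != nullptr) {
      injectCommandComplete(bluetooth::fuzz::GetArbitraryBytes(auto_reply_fdp));
    }
  }

  /// Records `on_status` as the pending status callback (replacing any
  /// earlier one) and, while auto-reply is on, injects a CommandStatus made
  /// of arbitrary fuzzer bytes right away. The command itself is dropped.
  void EnqueueCommand(std::unique_ptr<hci::CommandBuilder> /*command*/,
                      common::ContextualOnceCallback<void(hci::CommandStatusView)> on_status) override {
    on_command_status_ = std::move(on_status);
    if (auto_reply_fdp != nullptr) {
      injectCommandStatus(bluetooth::fuzz::GetArbitraryBytes(auto_reply_fdp));
    }
  }

  /// Upper end of the ACL queue owned by this layer.
  common::BidiQueueEnd<hci::AclBuilder, hci::AclView>* GetAclQueueEnd() override {
    return acl_queue_.GetUpEnd();
  }

  /// Upper end of the ISO queue owned by this layer.
  common::BidiQueueEnd<hci::IsoBuilder, hci::IsoView>* GetIsoQueueEnd() override {
    return iso_queue_.GetUpEnd();
  }

  /// Upper end of the SCO queue owned by this layer.
  common::BidiQueueEnd<hci::ScoBuilder, hci::ScoView>* GetScoQueueEnd() override {
    return sco_queue_.GetUpEnd();
  }

  /// Stores `handler` for `event`, replacing any handler registered before.
  void RegisterEventHandler(hci::EventCode event,
                            common::ContextualCallback<void(hci::EventView)> handler) override {
    event_handlers_.insert_or_assign(event, std::move(handler));
  }

  /// Drops the handler for `event`; a no-op when none is registered.
  void UnregisterEventHandler(hci::EventCode event) override {
    event_handlers_.erase(event);
  }

  /// Stores `handler` for the LE subevent `event`, replacing any handler
  /// registered before.
  void RegisterLeEventHandler(hci::SubeventCode event,
                              common::ContextualCallback<void(hci::LeMetaEventView)> handler) override {
    le_event_handlers_.insert_or_assign(event, std::move(handler));
  }

  /// Drops the handler for LE subevent `event`; a no-op when none is
  /// registered.
  void UnregisterLeEventHandler(hci::SubeventCode event) override {
    le_event_handlers_.erase(event);
  }

  // The Get*Interface overrides below are defined out of line. Each hands
  // back one of the FuzzCommandInterface members and records the supplied
  // callbacks so injectArbitrary() can target them.
  hci::SecurityInterface* GetSecurityInterface(
      common::ContextualCallback<void(hci::EventView)> event_handler) override;

  hci::LeSecurityInterface* GetLeSecurityInterface(
      common::ContextualCallback<void(hci::LeMetaEventView)> event_handler) override;

  hci::AclConnectionInterface* GetAclConnectionInterface(
      common::ContextualCallback<void(hci::EventView)> event_handler,
      common::ContextualCallback<void(uint16_t, hci::ErrorCode)> on_disconnect,
      common::ContextualCallback<void(hci::ErrorCode hci_status, uint16_t, uint8_t, uint16_t, uint16_t)>
          on_read_remote_version) override;
  /// Nothing to release: the interface is a plain member of this object.
  void PutAclConnectionInterface() override {}

  hci::LeAclConnectionInterface* GetLeAclConnectionInterface(
      common::ContextualCallback<void(hci::LeMetaEventView)> event_handler,
      common::ContextualCallback<void(uint16_t, hci::ErrorCode)> on_disconnect,
      common::ContextualCallback<void(hci::ErrorCode hci_status, uint16_t, uint8_t, uint16_t, uint16_t)>
          on_read_remote_version) override;
  /// Nothing to release: the interface is a plain member of this object.
  void PutLeAclConnectionInterface() override {}

  hci::LeAdvertisingInterface* GetLeAdvertisingInterface(
      common::ContextualCallback<void(hci::LeMetaEventView)> event_handler) override;

  hci::LeScanningInterface* GetLeScanningInterface(
      common::ContextualCallback<void(hci::LeMetaEventView)> event_handler) override;

  hci::LeIsoInterface* GetLeIsoInterface(
      common::ContextualCallback<void(LeMetaEventView)> event_handler) override;

  /// Fuzzer entry point: picks one of the inject* paths and feeds it bytes
  /// from `fdp` (defined out of line).
  void injectArbitrary(FuzzedDataProvider& fdp);

  std::string ToString() const override {
    return "FuzzHciLayer";
  }

  static const ModuleFactory Factory;

 protected:
  /// This module has no dependencies of its own.
  void ListDependencies(ModuleList* /*list*/) const override {}
  void Start() override;
  void Stop() override;

 private:
  void injectAclData(std::vector<uint8_t> data);

  void injectCommandComplete(std::vector<uint8_t> data);
  void injectCommandStatus(std::vector<uint8_t> data);

  void injectEvent(FuzzedDataProvider& fdp);
  void injectLeEvent(FuzzedDataProvider& fdp);

  void injectSecurityEvent(std::vector<uint8_t> data);
  void injectLeSecurityEvent(std::vector<uint8_t> data);

  void injectAclEvent(std::vector<uint8_t> data);
  void injectAclDisconnect(FuzzedDataProvider& fdp);
  void injectLeAclEvent(std::vector<uint8_t> data);
  void injectLeAclDisconnect(FuzzedDataProvider& fdp);

  void injectLeAdvertisingEvent(std::vector<uint8_t> data);

  void injectLeScanningEvent(std::vector<uint8_t> data);
  void injectLeIsoEvent(std::vector<uint8_t> data);

  // Non-owning. Must start out null: EnqueueCommand() tests it before any
  // TurnOnAutoReply() call has necessarily happened, and an indeterminate
  // pointer there is undefined behaviour rather than "auto-reply off".
  FuzzedDataProvider* auto_reply_fdp{nullptr};

  common::BidiQueue<hci::AclView, hci::AclBuilder> acl_queue_{3};
  common::BidiQueue<hci::ScoView, hci::ScoBuilder> sco_queue_{3};
  common::BidiQueue<hci::IsoView, hci::IsoBuilder> iso_queue_{3};
  // Null until set up; presumably created in Start() and torn down in
  // Stop(), both defined out of line — confirm against the .cc.
  os::fuzz::DevNullQueue<AclBuilder>* acl_dev_null_{nullptr};
  os::fuzz::FuzzInjectQueue<AclView>* acl_inject_{nullptr};

  FuzzCommandInterface<AclCommandBuilder> acl_connection_interface_{};
  FuzzCommandInterface<AclCommandBuilder> le_acl_connection_interface_{};
  FuzzCommandInterface<SecurityCommandBuilder> security_interface_{};
  FuzzCommandInterface<LeSecurityCommandBuilder> le_security_interface_{};
  FuzzCommandInterface<LeAdvertisingCommandBuilder> le_advertising_interface_{};
  FuzzCommandInterface<LeScanningCommandBuilder> le_scanning_interface_{};
  FuzzCommandInterface<LeIsoCommandBuilder> le_iso_interface_{};

  // Most recent callbacks handed to EnqueueCommand(); each overwrites the
  // previous one, so only the latest command can ever be answered.
  common::ContextualOnceCallback<void(hci::CommandCompleteView)> on_command_complete_;
  common::ContextualOnceCallback<void(hci::CommandStatusView)> on_command_status_;

  std::map<hci::EventCode, common::ContextualCallback<void(hci::EventView)>> event_handlers_;
  std::map<hci::SubeventCode, common::ContextualCallback<void(hci::LeMetaEventView)>> le_event_handlers_;

  common::ContextualCallback<void(hci::EventView)> security_event_handler_;
  common::ContextualCallback<void(hci::LeMetaEventView)> le_security_event_handler_;
  common::ContextualCallback<void(hci::EventView)> acl_event_handler_;
  common::ContextualCallback<void(uint16_t, hci::ErrorCode)> acl_on_disconnect_;
  common::ContextualCallback<void(hci::LeMetaEventView)> le_acl_event_handler_;
  common::ContextualCallback<void(uint16_t, hci::ErrorCode)> le_acl_on_disconnect_;
  common::ContextualCallback<void(hci::LeMetaEventView)> le_advertising_event_handler_;
  common::ContextualCallback<void(hci::LeMetaEventView)> le_scanning_event_handler_;
  common::ContextualCallback<void(hci::LeMetaEventView)> le_iso_event_handler_;
};

}  // namespace fuzz
}  // namespace hci
}  // namespace bluetooth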