# Fuzzers for libinit

## Table of contents
+ [init_parser_fuzzer](#InitParser)
+ [init_property_fuzzer](#InitProperty)
+ [init_ueventHandler_fuzzer](#InitUeventHandler)

# <a name="InitParser"></a> Fuzzer for InitParser

InitParser supports the following parameters:
1. ValidPathNames (parameter name: "kValidPaths")
2. ValidParseInputs (parameter name: "kValidInputs")

| Parameter| Valid Values| Configured Value|
|------------- |-------------| ----- |
|`kValidPaths`| 0.`/system/etc/init/hw/init.rc`,<br/> 1.`/system/etc/init` |Value obtained from FuzzedDataProvider|
|`kValidInputs`| 0.`{"","cpu", "10", "10"}`,<br/> 1.`{"","RLIM_CPU", "10", "10"}`,<br/> 2.`{"","12", "unlimited", "10"}`,<br/> 3.`{"","13", "-1", "10"}`,<br/> 4.`{"","14", "10", "unlimited"}`,<br/> 5.`{"","15", "10", "-1"}` |Value obtained from FuzzedDataProvider|

#### Steps to run
1. Build the fuzzer
```
$ mm -j$(nproc) init_parser_fuzzer
```
2. Run on device
```
$ adb sync data
$ adb shell /data/fuzz/arm64/init_parser_fuzzer/init_parser_fuzzer
```

# <a name="InitProperty"></a> Fuzzer for InitProperty

InitProperty supports the following parameters:
 PropertyType (parameter name: "PropertyType")

| Parameter| Valid Values |Configured Value|
|-------------|----------|----- |
|`PropertyType`| 0.`STRING`,<br/> 1.`BOOL`,<br/> 2.`INT`,<br/> 3.`UINT`,<br/> 4.`DOUBLE`,<br/> 5.`SIZE`,<br/>6.`ENUM`,<br/>7.`RANDOM`|Value obtained from FuzzedDataProvider|

#### Steps to run
1. Build the fuzzer
```
$ mm -j$(nproc) init_property_fuzzer
```
2. Run on device
```
$ adb sync data
$ adb shell /data/fuzz/arm64/init_property_fuzzer/init_property_fuzzer
```

# <a name="InitUeventHandler"></a> Fuzzer for InitUeventHandler

##### Maximize code coverage
The configuration parameters are not hardcoded, but instead selected based on
incoming data. This ensures more code paths are reached by the fuzzer.

InitUeventHandler supports the following parameters:
1. Major (parameter name: `major`)
2. Minor (parameter name: `minor`)
3. PartitionNum (parameter name: `partition_num`)
4. Uid (parameter name: `uid`)
5. Gid (parameter name: `gid`)
6. Action (parameter name: `action`)
7. Path (parameter name: `path`)
8. Subsystem (parameter name: `subsystem`)
9. PartitionName (parameter name: `partition_name`)
10. DeviceName (parameter name: `device_name`)
11. Modalias (parameter name: `modalias`)
12. DevPath (parameter name: `devPath`)
13. HandlerPath (parameter name: `handlerPath`)

| Parameter| Valid Values| Configured Value|
|------------- |-------------| ----- |
| `major` | `UINT32_MIN` to `UINT32_MAX` | Value obtained from FuzzedDataProvider|
| `minor` | `UINT32_MIN` to `UINT32_MAX` | Value obtained from FuzzedDataProvider|
| `partition_num` | `UINT32_MIN` to `UINT32_MAX` | Value obtained from FuzzedDataProvider|
| `uid` | `UINT32_MIN` to `UINT32_MAX` | Value obtained from FuzzedDataProvider|
| `gid` | `UINT32_MIN` to `UINT32_MAX` | Value obtained from FuzzedDataProvider|
| `action` | `String` | Value obtained from FuzzedDataProvider|
| `path` | `String` | Value obtained from FuzzedDataProvider|
| `subsystem` | `String` | Value obtained from FuzzedDataProvider|
| `partition_name` | `String` | Value obtained from FuzzedDataProvider|
| `device_name` | `String` | Value obtained from FuzzedDataProvider|
| `modalias` | `String` | Value obtained from FuzzedDataProvider|
| `devPath` | `String` | Value obtained from FuzzedDataProvider|
| `handlerPath` | `String` | Value obtained from FuzzedDataProvider|

This also ensures that the plugin is always deterministic for any given input.

#### Steps to run
1. Build the fuzzer
```
$ mm -j$(nproc) init_ueventHandler_fuzzer
```
2. Run on device
```
$ adb sync data
$ adb shell /data/fuzz/arm64/init_ueventHandler_fuzzer/init_ueventHandler_fuzzer
```
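
The "Maximize code coverage" note for init_ueventHandler_fuzzer says the parameters are selected from incoming data and stay deterministic for a given input. The following added example (not the AOSP fuzzer source) sketches that pattern for a subset of the parameters; `ByteSource`, `UeventParams` and `DeriveParams` are hypothetical names, and `ByteSource` is a simplified stand-in for FuzzedDataProvider whose byte layout differs from the real class.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <string>

// Added illustration: simplified stand-in for FuzzedDataProvider (hypothetical, different byte layout).
class ByteSource {
  public:
    ByteSource(const uint8_t* data, size_t size) : p_(data), left_(size) {}
    // Little-endian uint32 from the next bytes; bytes past the end read as zero.
    uint32_t U32() {
        uint32_t v = 0;
        for (int i = 0; i < 4 && left_ > 0; ++i, ++p_, --left_) v |= uint32_t(*p_) << (8 * i);
        return v;
    }
    // One length byte (capped at max_len and at what remains), then that many bytes.
    std::string Str(size_t max_len) {
        if (left_ == 0) return {};
        size_t n = std::min({size_t(*p_), max_len, left_ - 1});
        std::string s(reinterpret_cast<const char*>(p_ + 1), n);
        p_ += n + 1;
        left_ -= n + 1;
        return s;
    }
  private:
    const uint8_t* p_;
    size_t left_;
};

// Subset of the parameters listed in the InitUeventHandler table.
struct UeventParams {
    uint32_t major, minor, uid, gid;
    std::string action, path, subsystem;
};

// Every field comes from the input bytes, so equal inputs yield equal parameters.
UeventParams DeriveParams(const uint8_t* data, size_t size) {
    ByteSource src(data, size);
    // Braced initializers are evaluated left to right, so the read order is fixed.
    return UeventParams{src.U32(), src.U32(), src.U32(), src.U32(),
                        src.Str(16), src.Str(64), src.Str(16)};
}

int main() {
    // Constructed sample: major=8, minor=1, uid=1000, gid=0, action "add", path "/dev".
    const uint8_t in[] = {8,0,0,0, 1,0,0,0, 0xe8,3,0,0, 0,0,0,0, 3,'a','d','d', 4,'/','d','e','v'};
    UeventParams p = DeriveParams(in, sizeof(in));
    std::printf("%u:%u %s %s\n", p.major, p.minor, p.action.c_str(), p.path.c_str());
}
```

Short or empty inputs still produce a complete parameter set (zeros and empty strings), so the harness never reads past the buffer and a crashing input replays to the same parameters.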