1 /* 2 * Copyright (C) 2022 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at: 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 * 16 */ 17 #ifndef __AUTOMOTIVE_CAN_V1_0_FUZZER_H__ 18 #define __AUTOMOTIVE_CAN_V1_0_FUZZER_H__ 19 #include <CanController.h> 20 #include <android/hidl/manager/1.2/IServiceManager.h> 21 #include <fuzzer/FuzzedDataProvider.h> 22 #include <hidl-utils/hidl-utils.h> 23 24 namespace android::hardware::automotive::can::V1_0::implementation::fuzzer { 25 26 using ::android::sp; 27 28 struct CanMessageListener : public can::V1_0::ICanMessageListener { 29 DISALLOW_COPY_AND_ASSIGN(CanMessageListener); 30 CanMessageListenerCanMessageListener31 CanMessageListener() {} 32 onReceiveCanMessageListener33 virtual Return<void> onReceive(const can::V1_0::CanMessage& msg) override { 34 std::unique_lock<std::mutex> lock(mMessagesGuard); 35 mMessages.push_back(msg); 36 mMessagesUpdated.notify_one(); 37 return {}; 38 } 39 ~CanMessageListenerCanMessageListener40 virtual ~CanMessageListener() { 41 if (mCloseHandle) { 42 mCloseHandle->close(); 43 } 44 } 45 assignCloseHandleCanMessageListener46 void assignCloseHandle(sp<ICloseHandle> closeHandle) { mCloseHandle = closeHandle; } 47 48 private: 49 sp<ICloseHandle> mCloseHandle; 50 51 std::mutex mMessagesGuard; 52 std::condition_variable mMessagesUpdated GUARDED_BY(mMessagesGuard); 53 std::vector<can::V1_0::CanMessage> mMessages GUARDED_BY(mMessagesGuard); 54 }; 55 56 struct Bus { 57 DISALLOW_COPY_AND_ASSIGN(Bus); 58 BusBus59 Bus(sp<ICanController> controller, const ICanController::BusConfig& config) 60 : mIfname(config.name), mController(controller) { 61 const auto result = controller->upInterface(config); 62 const auto manager = hidl::manager::V1_2::IServiceManager::getService(); 63 const auto service = manager->get(ICanBus::descriptor, config.name); 64 mBus = ICanBus::castFrom(service); 65 } 66 ~BusBus67 virtual ~Bus() { reset(); } 68 resetBus69 void reset() { 70 mBus.clear(); 71 if (mController) { 72 mController->downInterface(mIfname); 73 mController.clear(); 74 } 75 } 76 77 ICanBus* operator->() const { return mBus.get(); } getBus78 sp<ICanBus> get() { return mBus; } 79 listenBus80 sp<CanMessageListener> listen(const hidl_vec<CanMessageFilter>& filter) { 81 sp<CanMessageListener> listener = sp<CanMessageListener>::make(); 82 83 if (!mBus) { 84 return listener; 85 } 86 Result result; 87 sp<ICloseHandle> closeHandle; 88 mBus->listen(filter, listener, hidl_utils::fill(&result, &closeHandle)).assertOk(); 89 listener->assignCloseHandle(closeHandle); 90 91 return listener; 92 } 93 sendBus94 void send(const CanMessage& msg) { 95 if (!mBus) { 96 return; 97 } 98 mBus->send(msg); 99 } 100 101 private: 102 const std::string mIfname; 103 sp<ICanController> mController; 104 sp<ICanBus> mBus; 105 }; 106 107 class CanFuzzer { 108 public: ~CanFuzzer()109 ~CanFuzzer() { deInit(); } 110 bool init(); 111 void process(const uint8_t* data, size_t size); 112 void deInit(); 113 114 private: 115 Bus makeBus(); 116 hidl_vec<hidl_string> getBusNames(); 117 void getSupportedInterfaceTypes(); 118 void invokeBus(); 119 void invokeUpInterface(); 120 void invokeDownInterface(); 121 FuzzedDataProvider* mFuzzedDataProvider = nullptr; 122 sp<CanController> mCanController = nullptr; 123 hidl_vec<hidl_string> mBusNames = {}; 124 unsigned mLastInterface = 0; 125 }; 126 } // namespace android::hardware::automotive::can::V1_0::implementation::fuzzer 127 128 #endif // __AUTOMOTIVE_CAN_V1_0_FUZZER_H__ 129