| // Copyright 2021 Google Inc. All rights reserved. |
| // |
| // Licensed under the Apache License, Version 2.0 (the "License"); |
| // you may not use this file except in compliance with the License. |
| // You may obtain a copy of the License at |
| // |
| // http://www.apache.org/licenses/LICENSE-2.0 |
| // |
| // Unless required by applicable law or agreed to in writing, software |
| // distributed under the License is distributed on an "AS IS" BASIS, |
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| // See the License for the specific language governing permissions and |
| // limitations under the License. |
| |
| package fuzz |
| |
| // This file contains the common code for compiling C/C++ and Rust fuzzers for Android. |
| |
| import ( |
| "encoding/json" |
| "fmt" |
| "sort" |
| "strings" |
| |
| "github.com/google/blueprint/proptools" |
| |
| "android/soong/android" |
| ) |
| |
| type Lang string |
| |
| const ( |
| Cc Lang = "cc" |
| Rust Lang = "rust" |
| Java Lang = "java" |
| ) |
| |
| type Framework string |
| |
| const ( |
| AFL Framework = "afl" |
| LibFuzzer Framework = "libfuzzer" |
| Jazzer Framework = "jazzer" |
| UnknownFramework Framework = "unknownframework" |
| ) |
| |
| var BoolDefault = proptools.BoolDefault |
| |
| type FuzzModule struct { |
| android.ModuleBase |
| android.DefaultableModuleBase |
| android.ApexModuleBase |
| } |
| |
| type FuzzPackager struct { |
| Packages android.Paths |
| FuzzTargets map[string]bool |
| SharedLibInstallStrings []string |
| } |
| |
| type FileToZip struct { |
| SourceFilePath android.Path |
| DestinationPathPrefix string |
| DestinationPath string |
| } |
| |
| type ArchOs struct { |
| HostOrTarget string |
| Arch string |
| Dir string |
| } |
| |
| type Vector string |
| |
| const ( |
| unknown_access_vector Vector = "unknown_access_vector" |
| // The code being fuzzed is reachable from a remote source, or using data |
| // provided by a remote source. For example: media codecs process media files |
| // from the internet, SMS processing handles remote message data. |
| // See |
| // https://source.android.com/docs/security/overview/updates-resources#local-vs-remote |
| // for an explanation of what's considered "remote." |
| remote = "remote" |
| // The code being fuzzed can only be reached locally, such as from an |
| // installed app. As an example, if it's fuzzing a Binder interface, it's |
| // assumed that you'd need a local app to make arbitrary Binder calls. |
| // And the app that's calling the fuzzed code does not require any privileges; |
| // any 3rd party app could make these calls. |
| local_no_privileges_required = "local_no_privileges_required" |
| // The code being fuzzed can only be called locally, and the calling process |
| // requires additional permissions that prevent arbitrary 3rd party apps from |
| // calling the code. For instance: this requires a privileged or signature |
| // permission to reach, or SELinux restrictions prevent the untrusted_app |
| // domain from calling it. |
| local_privileges_required = "local_privileges_required" |
| // The code is only callable on a PC host, not on a production Android device. |
| // For instance, this is fuzzing code used during the build process, or |
| // tooling that does not exist on a user's actual Android device. |
| host_access = "host_access" |
| // The code being fuzzed is only reachable if the user has enabled Developer |
| // Options, or has enabled a persistent Developer Options setting. |
| local_with_developer_options = "local_with_developer_options" |
| ) |
| |
| func (vector Vector) isValidVector() bool { |
| switch vector { |
| case "", |
| unknown_access_vector, |
| remote, |
| local_no_privileges_required, |
| local_privileges_required, |
| host_access, |
| local_with_developer_options: |
| return true |
| } |
| return false |
| } |
| |
| type ServicePrivilege string |
| |
| const ( |
| unknown_service_privilege ServicePrivilege = "unknown_service_privilege" |
| // The code being fuzzed runs on a Secure Element. This has access to some |
| // of the most privileged data on the device, such as authentication keys. |
| // Not all devices have a Secure Element. |
| secure_element = "secure_element" |
| // The code being fuzzed runs in the TEE. The TEE is designed to be resistant |
| // to a compromised kernel, and stores sensitive data. |
| trusted_execution = "trusted_execution" |
| // The code being fuzzed has privileges beyond what arbitrary 3rd party apps |
| // have. For instance, it's running as the System UID, or it's in an SELinux |
| // domain that's able to perform calls that can't be made by 3rd party apps. |
| privileged = "privileged" |
| // The code being fuzzed is equivalent to a 3rd party app. It runs in the |
| // untrusted_app SELinux domain, or it only has privileges that are equivalent |
| // to what a 3rd party app could have. |
| unprivileged = "unprivileged" |
| // The code being fuzzed is significantly constrained, and even if it's |
| // compromised, it has significant restrictions that prevent it from |
| // performing most actions. This is significantly more restricted than |
| // UNPRIVILEGED. An example is the isolatedProcess=true setting in a 3rd |
| // party app. Or a process that's very restricted by SELinux, such as |
| // anything in the mediacodec SELinux domain. |
| constrained = "constrained" |
| // The code being fuzzed always has Negligible Security Impact. Even |
| // arbitrary out of bounds writes and full code execution would not be |
| // considered a security vulnerability. This typically only makes sense if |
| // FuzzedCodeUsage is set to FUTURE_VERSION or EXPERIMENTAL, and if |
| // AutomaticallyRouteTo is set to ALWAYS_NSI. |
| nsi = "nsi" |
| // The code being fuzzed only runs on a PC host, not on a production Android |
| // device. For instance, the fuzzer is fuzzing code used during the build |
| // process, or tooling that does not exist on a user's actual Android device. |
| host_only = "host_only" |
| ) |
| |
| func (service_privilege ServicePrivilege) isValidServicePrivilege() bool { |
| switch service_privilege { |
| case "", |
| unknown_service_privilege, |
| secure_element, |
| trusted_execution, |
| privileged, |
| unprivileged, |
| constrained, |
| nsi, |
| host_only: |
| return true |
| } |
| return false |
| } |
| |
| type UsePlatformLibs string |
| |
| const ( |
| unknown_use_platform_libs UsePlatformLibs = "unknown_use_platform_libs" |
| // Use the native libraries on the device, typically in /system directory |
| use_platform_libs = "use_platform_libs" |
| // Do not use any native libraries (ART will not be initialized) |
| use_none = "use_none" |
| ) |
| |
| func (use_platform_libs UsePlatformLibs) isValidUsePlatformLibs() bool { |
| switch use_platform_libs { |
| case "", |
| unknown_use_platform_libs, |
| use_platform_libs, |
| use_none: |
| return true |
| } |
| return false |
| } |
| |
| type UserData string |
| |
| const ( |
| unknown_user_data UserData = "unknown_user_data" |
| // The process being fuzzed only handles data from a single user, or from a |
| // single process or app. It's possible the process shuts down before |
| // handling data from another user/process/app, or it's possible the process |
| // only ever handles one user's/process's/app's data. As an example, some |
| // print spooler processes are started for a single document and terminate |
| // when done, so each instance only handles data from a single user/app. |
| single_user = "single_user" |
| // The process handles data from multiple users, or from multiple other apps |
| // or processes. Media processes, for instance, can handle media requests |
| // from multiple different apps without restarting. Wi-Fi and network |
| // processes handle data from multiple users, and processes, and apps. |
| multi_user = "multi_user" |
| ) |
| |
| func (user_data UserData) isValidUserData() bool { |
| switch user_data { |
| case "", |
| unknown_user_data, |
| single_user, |
| multi_user: |
| return true |
| } |
| return false |
| } |
| |
| type FuzzedCodeUsage string |
| |
| const ( |
| undefined FuzzedCodeUsage = "undefined" |
| unknown = "unknown" |
| // The code being fuzzed exists in a shipped version of Android and runs on |
| // devices in production. |
| shipped = "shipped" |
| // The code being fuzzed is not yet in a shipping version of Android, but it |
| // will be at some point in the future. |
| future_version = "future_version" |
| // The code being fuzzed is not in a shipping version of Android, and there |
| // are no plans to ship it in the future. |
| experimental = "experimental" |
| ) |
| |
| func (fuzzed_code_usage FuzzedCodeUsage) isValidFuzzedCodeUsage() bool { |
| switch fuzzed_code_usage { |
| case "", |
| undefined, |
| unknown, |
| shipped, |
| future_version, |
| experimental: |
| return true |
| } |
| return false |
| } |
| |
| type AutomaticallyRouteTo string |
| |
| const ( |
| undefined_routing AutomaticallyRouteTo = "undefined_routing" |
| // Automatically route this to the Android Automotive security team for |
| // assessment. |
| android_automotive = "android_automotive" |
| // This should not be used in fuzzer configurations. It is used internally |
| // by Severity Assigner to flag memory leak reports. |
| memory_leak = "memory_leak" |
| // Route this vulnerability to our Ittiam vendor team for assessment. |
| ittiam = "ittiam" |
| // Reports from this fuzzer are always NSI (see the NSI ServicePrivilegeEnum |
| // value for additional context). It is not possible for this code to ever |
| // have a security vulnerability. |
| always_nsi = "always_nsi" |
| // Route this vulnerability to AIDL team for assessment. |
| aidl = "aidl" |
| ) |
| |
| func (automatically_route_to AutomaticallyRouteTo) isValidAutomaticallyRouteTo() bool { |
| switch automatically_route_to { |
| case "", |
| undefined_routing, |
| android_automotive, |
| memory_leak, |
| ittiam, |
| always_nsi, |
| aidl: |
| return true |
| } |
| return false |
| } |
| |
| func IsValidConfig(fuzzModule FuzzPackagedModule, moduleName string) bool { |
| var config = fuzzModule.FuzzProperties.Fuzz_config |
| if config != nil { |
| if !config.Vector.isValidVector() { |
| panic(fmt.Errorf("Invalid vector in fuzz config in %s", moduleName)) |
| } |
| |
| if !config.Service_privilege.isValidServicePrivilege() { |
| panic(fmt.Errorf("Invalid service_privilege in fuzz config in %s", moduleName)) |
| } |
| |
| if !config.Users.isValidUserData() { |
| panic(fmt.Errorf("Invalid users (user_data) in fuzz config in %s", moduleName)) |
| } |
| |
| if !config.Fuzzed_code_usage.isValidFuzzedCodeUsage() { |
| panic(fmt.Errorf("Invalid fuzzed_code_usage in fuzz config in %s", moduleName)) |
| } |
| |
| if !config.Automatically_route_to.isValidAutomaticallyRouteTo() { |
| panic(fmt.Errorf("Invalid automatically_route_to in fuzz config in %s", moduleName)) |
| } |
| |
| if !config.Use_platform_libs.isValidUsePlatformLibs() { |
| panic(fmt.Errorf("Invalid use_platform_libs in fuzz config in %s", moduleName)) |
| } |
| } |
| return true |
| } |
| |
| type FuzzConfig struct { |
| // Email address of people to CC on bugs or contact about this fuzz target. |
| Cc []string `json:"cc,omitempty"` |
| // A brief description of what the fuzzed code does. |
| Description string `json:"description,omitempty"` |
| // Whether the code being fuzzed is remotely accessible or requires privileges |
| // to access locally. |
| Vector Vector `json:"vector,omitempty"` |
| // How privileged the service being fuzzed is. |
| Service_privilege ServicePrivilege `json:"service_privilege,omitempty"` |
| // Whether the service being fuzzed handles data from multiple users or only |
| // a single one. |
| Users UserData `json:"users,omitempty"` |
| // Specifies the use state of the code being fuzzed. This state factors into |
| // how an issue is handled. |
| Fuzzed_code_usage FuzzedCodeUsage `json:"fuzzed_code_usage,omitempty"` |
| // Comment describing how we came to these settings for this fuzzer. |
| Config_comment string |
| // Which team to route this to, if it should be routed automatically. |
| Automatically_route_to AutomaticallyRouteTo `json:"automatically_route_to,omitempty"` |
| // Can third party/untrusted apps supply data to fuzzed code. |
| Untrusted_data *bool `json:"untrusted_data,omitempty"` |
| // When code was released or will be released. |
| Production_date string `json:"production_date,omitempty"` |
| // Prevents critical service functionality like phone calls, bluetooth, etc. |
| Critical *bool `json:"critical,omitempty"` |
| // Specify whether to enable continuous fuzzing on devices. Defaults to true. |
| Fuzz_on_haiku_device *bool `json:"fuzz_on_haiku_device,omitempty"` |
| // Specify whether to enable continuous fuzzing on host. Defaults to true. |
| Fuzz_on_haiku_host *bool `json:"fuzz_on_haiku_host,omitempty"` |
| // Component in Google's bug tracking system that bugs should be filed to. |
| Componentid *int64 `json:"componentid,omitempty"` |
| // Hotlist(s) in Google's bug tracking system that bugs should be marked with. |
| Hotlists []string `json:"hotlists,omitempty"` |
| // Specify whether this fuzz target was submitted by a researcher. Defaults |
| // to false. |
| Researcher_submitted *bool `json:"researcher_submitted,omitempty"` |
| // Specify who should be acknowledged for CVEs in the Android Security |
| // Bulletin. |
| Acknowledgement []string `json:"acknowledgement,omitempty"` |
| // Additional options to be passed to libfuzzer when run in Haiku. |
| Libfuzzer_options []string `json:"libfuzzer_options,omitempty"` |
| // Additional options to be passed to HWASAN when running on-device in Haiku. |
| Hwasan_options []string `json:"hwasan_options,omitempty"` |
| // Additional options to be passed to HWASAN when running on host in Haiku. |
| Asan_options []string `json:"asan_options,omitempty"` |
| // If there's a Java fuzzer with JNI, a different version of Jazzer would |
| // need to be added to the fuzzer package than one without JNI |
| IsJni *bool `json:"is_jni,omitempty"` |
| // List of modules for monitoring coverage drops in directories (e.g. "libicu") |
| Target_modules []string `json:"target_modules,omitempty"` |
| // Specifies a bug assignee to replace default ISE assignment |
| Triage_assignee string `json:"triage_assignee,omitempty"` |
| // Specifies libs used to initialize ART (java only, 'use_none' for no initialization) |
| Use_platform_libs UsePlatformLibs `json:"use_platform_libs,omitempty"` |
| // Specifies whether fuzz target should check presubmitted code changes for crashes. |
| // Defaults to false. |
| Use_for_presubmit *bool `json:"use_for_presubmit,omitempty"` |
| // Specify which paths to exclude from fuzzing coverage reports |
| Exclude_paths_from_reports []string `json:"exclude_paths_from_reports,omitempty"` |
| } |
| |
| type FuzzFrameworks struct { |
| Afl *bool |
| Libfuzzer *bool |
| Jazzer *bool |
| } |
| |
| type FuzzProperties struct { |
| // Optional list of seed files to be installed to the fuzz target's output |
| // directory. |
| Corpus []string `android:"path"` |
| // Optional list of data files to be installed to the fuzz target's output |
| // directory. Directory structure relative to the module is preserved. |
| Data []string `android:"path"` |
| // Optional dictionary to be installed to the fuzz target's output directory. |
| Dictionary *string `android:"path"` |
| // Define the fuzzing frameworks this fuzz target can be built for. If |
| // empty then the fuzz target will be available to be built for all fuzz |
| // frameworks available |
| Fuzzing_frameworks *FuzzFrameworks |
| // Config for running the target on fuzzing infrastructure. |
| Fuzz_config *FuzzConfig |
| } |
| |
| type FuzzPackagedModule struct { |
| FuzzProperties FuzzProperties |
| Dictionary android.Path |
| Corpus android.Paths |
| Config android.Path |
| Data android.Paths |
| } |
| |
| func GetFramework(ctx android.LoadHookContext, lang Lang) Framework { |
| framework := ctx.Config().Getenv("FUZZ_FRAMEWORK") |
| |
| if lang == Cc { |
| switch strings.ToLower(framework) { |
| case "": |
| return LibFuzzer |
| case "libfuzzer": |
| return LibFuzzer |
| case "afl": |
| return AFL |
| } |
| } else if lang == Rust { |
| return LibFuzzer |
| } else if lang == Java { |
| return Jazzer |
| } |
| |
| ctx.ModuleErrorf(fmt.Sprintf("%s is not a valid fuzzing framework for %s", framework, lang)) |
| return UnknownFramework |
| } |
| |
| func IsValidFrameworkForModule(targetFramework Framework, lang Lang, moduleFrameworks *FuzzFrameworks) bool { |
| if targetFramework == UnknownFramework { |
| return false |
| } |
| |
| if moduleFrameworks == nil { |
| return true |
| } |
| |
| switch targetFramework { |
| case LibFuzzer: |
| return proptools.BoolDefault(moduleFrameworks.Libfuzzer, true) |
| case AFL: |
| return proptools.BoolDefault(moduleFrameworks.Afl, true) |
| case Jazzer: |
| return proptools.BoolDefault(moduleFrameworks.Jazzer, true) |
| default: |
| panic("%s is not supported as a fuzz framework") |
| } |
| } |
| |
| func IsValid(ctx android.ConfigAndErrorContext, fuzzModule FuzzModule) bool { |
| // Discard ramdisk + vendor_ramdisk + recovery modules, they're duplicates of |
| // fuzz targets we're going to package anyway. |
| if !fuzzModule.Enabled(ctx) || fuzzModule.InRamdisk() || fuzzModule.InVendorRamdisk() || fuzzModule.InRecovery() { |
| return false |
| } |
| |
| // Discard modules that are in an unavailable namespace. |
| if !fuzzModule.ExportedToMake() { |
| return false |
| } |
| |
| return true |
| } |
| |
| func (s *FuzzPackager) PackageArtifacts(ctx android.SingletonContext, module android.Module, fuzzModule FuzzPackagedModule, archDir android.OutputPath, builder *android.RuleBuilder) []FileToZip { |
| // Package the corpora into a zipfile. |
| var files []FileToZip |
| if fuzzModule.Corpus != nil { |
| corpusZip := archDir.Join(ctx, module.Name()+"_seed_corpus.zip") |
| command := builder.Command().BuiltTool("soong_zip"). |
| Flag("-j"). |
| FlagWithOutput("-o ", corpusZip) |
| rspFile := corpusZip.ReplaceExtension(ctx, "rsp") |
| command.FlagWithRspFileInputList("-r ", rspFile, fuzzModule.Corpus) |
| files = append(files, FileToZip{SourceFilePath: corpusZip}) |
| } |
| |
| // Package the data into a zipfile. |
| if fuzzModule.Data != nil { |
| dataZip := archDir.Join(ctx, module.Name()+"_data.zip") |
| command := builder.Command().BuiltTool("soong_zip"). |
| FlagWithOutput("-o ", dataZip) |
| for _, f := range fuzzModule.Data { |
| intermediateDir := strings.TrimSuffix(f.String(), f.Rel()) |
| command.FlagWithArg("-C ", intermediateDir) |
| command.FlagWithInput("-f ", f) |
| } |
| files = append(files, FileToZip{SourceFilePath: dataZip}) |
| } |
| |
| // The dictionary. |
| if fuzzModule.Dictionary != nil { |
| files = append(files, FileToZip{SourceFilePath: fuzzModule.Dictionary}) |
| } |
| |
| // Additional fuzz config. |
| if fuzzModule.Config != nil && IsValidConfig(fuzzModule, module.Name()) { |
| files = append(files, FileToZip{SourceFilePath: fuzzModule.Config}) |
| } |
| |
| return files |
| } |
| |
| func (s *FuzzPackager) BuildZipFile(ctx android.SingletonContext, module android.Module, fuzzModule FuzzPackagedModule, files []FileToZip, builder *android.RuleBuilder, archDir android.OutputPath, archString string, hostOrTargetString string, archOs ArchOs, archDirs map[ArchOs][]FileToZip) ([]FileToZip, bool) { |
| fuzzZip := archDir.Join(ctx, module.Name()+".zip") |
| |
| command := builder.Command().BuiltTool("soong_zip"). |
| Flag("-j"). |
| FlagWithOutput("-o ", fuzzZip) |
| |
| for _, file := range files { |
| if file.DestinationPathPrefix != "" { |
| command.FlagWithArg("-P ", file.DestinationPathPrefix) |
| } else { |
| command.Flag("-P ''") |
| } |
| if file.DestinationPath != "" { |
| command.FlagWithArg("-e ", file.DestinationPath) |
| } |
| command.FlagWithInput("-f ", file.SourceFilePath) |
| } |
| |
| builder.Build("create-"+fuzzZip.String(), |
| "Package "+module.Name()+" for "+archString+"-"+hostOrTargetString) |
| |
| if config := fuzzModule.FuzzProperties.Fuzz_config; config != nil { |
| if strings.Contains(hostOrTargetString, "host") && !BoolDefault(config.Fuzz_on_haiku_host, true) { |
| return archDirs[archOs], false |
| } else if !strings.Contains(hostOrTargetString, "host") && !BoolDefault(config.Fuzz_on_haiku_device, true) { |
| return archDirs[archOs], false |
| } |
| } |
| |
| s.FuzzTargets[module.Name()] = true |
| archDirs[archOs] = append(archDirs[archOs], FileToZip{SourceFilePath: fuzzZip}) |
| |
| return archDirs[archOs], true |
| } |
| |
| func (f *FuzzConfig) String() string { |
| b, err := json.Marshal(f) |
| if err != nil { |
| panic(err) |
| } |
| |
| return string(b) |
| } |
| |
| func (s *FuzzPackager) CreateFuzzPackage(ctx android.SingletonContext, archDirs map[ArchOs][]FileToZip, fuzzType Lang, pctx android.PackageContext) { |
| var archOsList []ArchOs |
| for archOs := range archDirs { |
| archOsList = append(archOsList, archOs) |
| } |
| sort.Slice(archOsList, func(i, j int) bool { return archOsList[i].Dir < archOsList[j].Dir }) |
| |
| for _, archOs := range archOsList { |
| filesToZip := archDirs[archOs] |
| arch := archOs.Arch |
| hostOrTarget := archOs.HostOrTarget |
| builder := android.NewRuleBuilder(pctx, ctx) |
| zipFileName := "fuzz-" + hostOrTarget + "-" + arch + ".zip" |
| if fuzzType == Rust { |
| zipFileName = "fuzz-rust-" + hostOrTarget + "-" + arch + ".zip" |
| } |
| if fuzzType == Java { |
| zipFileName = "fuzz-java-" + hostOrTarget + "-" + arch + ".zip" |
| } |
| |
| outputFile := android.PathForOutput(ctx, zipFileName) |
| |
| s.Packages = append(s.Packages, outputFile) |
| |
| command := builder.Command().BuiltTool("soong_zip"). |
| Flag("-j"). |
| FlagWithOutput("-o ", outputFile). |
| Flag("-L 0") // No need to try and re-compress the zipfiles. |
| |
| for _, fileToZip := range filesToZip { |
| if fileToZip.DestinationPathPrefix != "" { |
| command.FlagWithArg("-P ", fileToZip.DestinationPathPrefix) |
| } else { |
| command.Flag("-P ''") |
| } |
| command.FlagWithInput("-f ", fileToZip.SourceFilePath) |
| |
| } |
| builder.Build("create-fuzz-package-"+arch+"-"+hostOrTarget, |
| "Create fuzz target packages for "+arch+"-"+hostOrTarget) |
| } |
| } |
| |
| func (s *FuzzPackager) PreallocateSlice(ctx android.MakeVarsContext, targets string) { |
| fuzzTargets := make([]string, 0, len(s.FuzzTargets)) |
| for target, _ := range s.FuzzTargets { |
| fuzzTargets = append(fuzzTargets, target) |
| } |
| |
| sort.Strings(fuzzTargets) |
| ctx.Strict(targets, strings.Join(fuzzTargets, " ")) |
| } |