diff options
Diffstat (limited to 'fuzz/cr50_fuzz.c')
-rw-r--r-- | fuzz/cr50_fuzz.c | 68 |
1 files changed, 68 insertions, 0 deletions
diff --git a/fuzz/cr50_fuzz.c b/fuzz/cr50_fuzz.c new file mode 100644 index 0000000000..ccf99172d6 --- /dev/null +++ b/fuzz/cr50_fuzz.c @@ -0,0 +1,68 @@ +/* Copyright 2018 The Chromium OS Authors. All rights reserved. + * Use of this source code is governed by a BSD-style license that can be + * found in the LICENSE file. + * + * Fuzzer for the TPM2 and vendor specific Cr50 commands. + */ + +#include <stdint.h> +#include <stdlib.h> +#include <unistd.h> + +#include "fuzz_config.h" +#include "nvmem.h" +#include "nvmem_vars.h" +#include "persistence.h" +#include "pinweaver.h" + +#define NVMEM_TPM_SIZE ((sizeof((struct nvmem_partition *)0)->buffer) \ + - NVMEM_CR50_SIZE) + +uint32_t nvmem_user_sizes[NVMEM_NUM_USERS] = { + NVMEM_TPM_SIZE, + NVMEM_CR50_SIZE +}; + +void rand_bytes(void *buffer, size_t len) +{ + size_t x = 0; + + for (; x < len; ++x) + ((uint8_t *)buffer)[x] = rand(); +} + +void get_storage_seed(void *buf, size_t *len) +{ + memset(buf, 0x77, *len); +} + +void run_test(void) +{ +} + +static void assign_pw_field_from_bytes(const uint8_t *data, unsigned int size, + uint8_t *destination, size_t dest_size) +{ + if (size >= dest_size) { + memcpy(destination, data, dest_size); + } else { + memcpy(destination, data, size); + memset(destination + size, 0, dest_size - size); + } +} + +/* Prevent this from being stack allocated. */ +static uint8_t tpm_io_buffer[PW_MAX_MESSAGE_SIZE]; + +int test_fuzz_one_input(const uint8_t *data, unsigned int size) +{ + struct merkle_tree_t merkle_tree = {}; + struct pw_request_t *request = (struct pw_request_t *)tpm_io_buffer; + struct pw_response_t *response = (struct pw_response_t *)tpm_io_buffer; + + memset(__host_flash, 0xff, sizeof(__host_flash)); + pinweaver_init(); + assign_pw_field_from_bytes(data, size, tpm_io_buffer, sizeof(tpm_io_buffer)); + pw_handle_request(&merkle_tree, request, response); + return 0; +} |