1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
|
// Copyright 2019 The Chromium OS Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "2api.h"
#include "2common.h"
#include "2misc.h"
#include "2nvstorage.h"
#include "2rsa.h"
#include "2rsa_private.h"
#include "2secdata.h"
#include "vboot_test.h"
static struct vb2_context *ctx;
static uint8_t workbuf[VB2_FIRMWARE_WORKBUF_RECOMMENDED_SIZE]
__attribute__((aligned(VB2_WORKBUF_ALIGN)));
static struct {
struct vb2_gbb_header h;
uint8_t rootkey[4096];
} gbb;
static const uint8_t *mock_keyblock;
static size_t mock_keyblock_size;
/* Limit exposure of code for which we didn't set up the environment right. */
void vb2api_fail(struct vb2_context *c, uint8_t reason, uint8_t subcode)
{
return;
}
struct vb2_gbb_header *vb2_get_gbb(struct vb2_context *c)
{
return &gbb.h;
}
vb2_error_t vb2ex_read_resource(struct vb2_context *c,
enum vb2_resource_index index, uint32_t offset,
void *buf, uint32_t size)
{
const void *rbase;
size_t rsize;
switch (index) {
case VB2_RES_GBB:
rbase = &gbb;
rsize = sizeof(gbb);
break;
case VB2_RES_FW_VBLOCK:
rbase = mock_keyblock;
rsize = mock_keyblock_size;
break;
default:
return VB2_ERROR_EX_READ_RESOURCE_INDEX;
}
if (offset > rsize || rsize - offset < size)
return VB2_ERROR_EX_READ_RESOURCE_SIZE;
memcpy(buf, rbase + offset, size);
return VB2_SUCCESS;
}
/* Pretend that signature checks always succeed so the fuzzer can cover more. */
vb2_error_t vb2_check_padding(const uint8_t *sig,
const struct vb2_public_key *key)
{
return VB2_SUCCESS;
}
vb2_error_t vb2_safe_memcmp(const void *s1, const void *s2, size_t size)
{
return VB2_SUCCESS;
}
int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size);
int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
/* Initialize fuzzing inputs. */
if (size < sizeof(gbb.rootkey))
return 0;
memset(&gbb.h, 0, sizeof(gbb.h));
gbb.h.rootkey_offset = gbb.rootkey - (uint8_t *)&gbb;
gbb.h.rootkey_size = sizeof(gbb.rootkey);
memcpy(gbb.rootkey, data, sizeof(gbb.rootkey));
mock_keyblock = data + sizeof(gbb.rootkey);
mock_keyblock_size = size - sizeof(gbb.rootkey);
/* Set up data structures needed by the tested function. */
if (vb2api_init(workbuf, sizeof(workbuf), &ctx))
abort();
vb2_nv_init(ctx);
vb2api_secdata_firmware_create(ctx);
vb2api_secdata_kernel_create(ctx);
if (vb2_secdata_firmware_init(ctx) || vb2_secdata_kernel_init(ctx))
abort();
/* Run function to test. */
vb2_load_fw_keyblock(ctx);
return 0;
}
|
