Diffstat (limited to 'fuzzing')
-rw-r--r-- | fuzzing/Android.bp | 1 | ||||
-rw-r--r-- | fuzzing/corpus/crash-a5b94d95681291f3057eea7f0233c8f1529b2f59 | bin | 0 -> 1369 bytes | |||
-rw-r--r-- | fuzzing/corpus/hardy-octopus | bin | 0 -> 1171 bytes | |||
-rw-r--r-- | fuzzing/corpus/header-truncated | bin | 0 -> 40 bytes | |||
-rw-r--r-- | fuzzing/corpus/header-v-1 | bin | 0 -> 40 bytes | |||
-rw-r--r-- | fuzzing/corpus/header-v0 | bin | 0 -> 40 bytes | |||
-rw-r--r-- | fuzzing/corpus/meson-g12a-sei510-android.dtb | bin | 0 -> 1363 bytes | |||
-rw-r--r-- | fuzzing/corpus/oob_by_one | bin | 0 -> 256 bytes | |||
-rw-r--r-- | fuzzing/libfdt_fuzzer.c | 40 |
9 files changed, 41 insertions, 0 deletions
diff --git a/fuzzing/Android.bp b/fuzzing/Android.bp
index 5c22cb4..857c611 100644
--- a/fuzzing/Android.bp
+++ b/fuzzing/Android.bp
@@ -19,3 +19,4 @@ cc_fuzz {
 },
 host_supported: true,
 }
+
diff --git a/fuzzing/corpus/crash-a5b94d95681291f3057eea7f0233c8f1529b2f59 b/fuzzing/corpus/crash-a5b94d95681291f3057eea7f0233c8f1529b2f59
Binary files differ
new file mode 100644
index 0000000..dbab42e
--- /dev/null
+++ b/fuzzing/corpus/crash-a5b94d95681291f3057eea7f0233c8f1529b2f59
diff --git a/fuzzing/corpus/hardy-octopus b/fuzzing/corpus/hardy-octopus
Binary files differ
new file mode 100644
index 0000000..81615e9
--- /dev/null
+++ b/fuzzing/corpus/hardy-octopus
diff --git a/fuzzing/corpus/header-truncated b/fuzzing/corpus/header-truncated
Binary files differ
new file mode 100644
index 0000000..1db29d8
--- /dev/null
+++ b/fuzzing/corpus/header-truncated
diff --git a/fuzzing/corpus/header-v-1 b/fuzzing/corpus/header-v-1
Binary files differ
new file mode 100644
index 0000000..a773d07
--- /dev/null
+++ b/fuzzing/corpus/header-v-1
diff --git a/fuzzing/corpus/header-v0 b/fuzzing/corpus/header-v0
Binary files differ
new file mode 100644
index 0000000..f22ec6a
--- /dev/null
+++ b/fuzzing/corpus/header-v0
diff --git a/fuzzing/corpus/meson-g12a-sei510-android.dtb b/fuzzing/corpus/meson-g12a-sei510-android.dtb
Binary files differ
new file mode 100644
index 0000000..317175d
--- /dev/null
+++ b/fuzzing/corpus/meson-g12a-sei510-android.dtb
diff --git a/fuzzing/corpus/oob_by_one b/fuzzing/corpus/oob_by_one
Binary files differ
new file mode 100644
index 0000000..216523c
--- /dev/null
+++ b/fuzzing/corpus/oob_by_one
diff --git a/fuzzing/libfdt_fuzzer.c b/fuzzing/libfdt_fuzzer.c
index 89fe3c2..48b50aa 100644
--- a/fuzzing/libfdt_fuzzer.c
+++ b/fuzzing/libfdt_fuzzer.c
@@ -59,6 +59,19 @@ static bool phandle_is_valid(uint32_t phandle) {
   return phandle != 0 && phandle != UINT32_MAX;
 }
 
+static void walk_node_properties(const void *device_tree, int node) {
+  int property, len = 0;
+
+  fdt_for_each_property_offset(property, device_tree, node) {
+    const struct fdt_property *prop = fdt_get_property_by_offset(device_tree,
+                                                                  property, &len);
+    if (!prop)
+      continue;
+    check_mem(prop->data, fdt32_to_cpu(prop->len));
+  }
+}
+
+
 static void walk_device_tree(const void *device_tree, int parent_node) {
   int len = 0;
   const char *node_name = fdt_get_name(device_tree, parent_node, &len);
@@ -72,6 +85,8 @@ static void walk_device_tree(const void *device_tree, int parent_node) {
     assert(node >= 0); // it should at least find parent_node
   }
 
+  walk_node_properties(device_tree, parent_node);
+
   // recursively walk the node's children
   for (int node = fdt_first_subnode(device_tree, parent_node); node >= 0;
        node = fdt_next_subnode(device_tree, node)) {
@@ -92,3 +107,28 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 
   return 0;
 }
+
+#ifdef AFL_STANDALONE
+/* Entry point suitable for direct afl-fuzz invocation */
+int main(int argc, char *argv[]) {
+  uint8_t data[1024 * 1024];
+
+  if (argc != 2) {
+    fprintf(stderr, "missing argument\n");
+    return EXIT_FAILURE;
+  }
+
+  FILE *f = fopen(argv[1], "r");
+  if (!f) {
+    perror("fopen() failed");
+    return EXIT_FAILURE;
+  }
+
+  size_t size = fread(data, 1, sizeof(data), f);
+
+  fclose(f);
+
+  return LLVMFuzzerTestOneInput(data, size);
+}
+#endif
+
|
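Review bot: walk_node_properties asks fdt_get_property_by_offset for the property length through &len and then never reads it, re-deriving the same value with fdt32_to_cpu(prop->len); keeping one source of truth, `check_mem(prop->data, len);`, is clearer and also makes the `len = 0` initializer unnecessary since the call sets it before use. check_mem's signature is outside the hunk, so whether an int (or the uint32_t from fdt32_to_cpu) length converts cleanly to its parameter type is worth a glance. The new function has no header comment while the neighbouring walk_device_tree documents its steps; a one-liner such as `/* Visit every property of @node and read its value in full through check_mem */` would match that style.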
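Review bot: The fread() result in main is used as the payload length without checking ferror(f), so an I/O error mid-read is passed to the harness as a shorter but otherwise plausible input, and a file larger than sizeof(data) (1 MiB) is silently truncated rather than rejected; in both cases the bytes handed to LLVMFuzzerTestOneInput differ from the file on disk, which makes a corpus crash file hard to reproduce through this entry point. The corpus entries are binary DTBs, so the file should be opened with `"rb"` rather than "r", and the read should fail when ferror(f) is set or the input did not fit. fprintf/perror/EXIT_FAILURE need <stdio.h> and <stdlib.h>, whose presence is outside the hunk. The 1 MiB automatic array lives on main's stack; a comment stating that size limit would help whoever later raises it.
```c
  FILE *f = fopen(argv[1], "rb");
  if (!f) {
    perror("fopen() failed");
    return EXIT_FAILURE;
  }

  size_t size = fread(data, 1, sizeof(data), f);
  /* a read error or an input larger than the buffer would hand the harness
   * bytes that differ from the file on disk; refuse instead of truncating */
  if (ferror(f) || (size == sizeof(data) && fgetc(f) != EOF)) {
    fprintf(stderr, "read failed or input exceeds %zu bytes\n", sizeof(data));
    fclose(f);
    return EXIT_FAILURE;
  }

  fclose(f);
  // … unchanged: call into LLVMFuzzerTestOneInput …
```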