summaryrefslogtreecommitdiffstats
path: root/tools/fuzzing/ipc
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-28 14:29:10 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-28 14:29:10 +0000
commit2aa4a82499d4becd2284cdb482213d541b8804dd (patch)
treeb80bf8bf13c3766139fbacc530efd0dd9d54394c /tools/fuzzing/ipc
parentInitial commit. (diff)
downloadfirefox-2aa4a82499d4becd2284cdb482213d541b8804dd.tar.xz
firefox-2aa4a82499d4becd2284cdb482213d541b8804dd.zip
Adding upstream version 86.0.1.upstream/86.0.1upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'tools/fuzzing/ipc')
-rw-r--r--tools/fuzzing/ipc/ProtocolFuzzer.cpp37
-rw-r--r--tools/fuzzing/ipc/ProtocolFuzzer.h114
-rw-r--r--tools/fuzzing/ipc/moz.build27
3 files changed, 178 insertions, 0 deletions
diff --git a/tools/fuzzing/ipc/ProtocolFuzzer.cpp b/tools/fuzzing/ipc/ProtocolFuzzer.cpp
new file mode 100644
index 0000000000..e2d7aae96d
--- /dev/null
+++ b/tools/fuzzing/ipc/ProtocolFuzzer.cpp
@@ -0,0 +1,37 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "mozilla/layers/CompositorBridgeParent.h"
+
+#include "ProtocolFuzzer.h"
+
+namespace mozilla {
+namespace ipc {
+
+nsTArray<nsCString> LoadIPCMessageBlacklist(const char* aPath) {
+ nsTArray<nsCString> blacklist;
+ if (aPath) {
+ nsresult result = Faulty::ReadFile(aPath, blacklist);
+ MOZ_RELEASE_ASSERT(result == NS_OK);
+ }
+ return blacklist;
+}
+
+mozilla::dom::ContentParent* ProtocolFuzzerHelper::CreateContentParent(
+ const nsACString& aRemoteType) {
+ auto* cp = new mozilla::dom::ContentParent(aRemoteType);
+ // TODO: this duplicates MessageChannel::Open
+ cp->GetIPCChannel()->mWorkerThread = GetCurrentSerialEventTarget();
+ cp->GetIPCChannel()->mMonitor = new RefCountedMonitor();
+ return cp;
+}
+
+void ProtocolFuzzerHelper::CompositorBridgeParentSetup() {
+ mozilla::layers::CompositorBridgeParent::Setup();
+}
+
+} // namespace ipc
+} // namespace mozilla
diff --git a/tools/fuzzing/ipc/ProtocolFuzzer.h b/tools/fuzzing/ipc/ProtocolFuzzer.h
new file mode 100644
index 0000000000..f57852038a
--- /dev/null
+++ b/tools/fuzzing/ipc/ProtocolFuzzer.h
@@ -0,0 +1,114 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_ipc_ProtocolFuzzer_h
+#define mozilla_ipc_ProtocolFuzzer_h
+
+#include "chrome/common/ipc_message.h"
+
+#include "mozilla/RefPtr.h"
+#include "mozilla/UniquePtrExtensions.h"
+#include "mozilla/dom/ContentParent.h"
+
+namespace mozilla {
+namespace ipc {
+
+class ProtocolFuzzerHelper {
+ public:
+ static mozilla::dom::ContentParent* CreateContentParent(
+ const nsACString& aRemoteType);
+
+ static void CompositorBridgeParentSetup();
+
+ static void AddShmemToProtocol(IToplevelProtocol* aProtocol,
+ Shmem::SharedMemory* aSegment, int32_t aId) {
+ MOZ_ASSERT(!aProtocol->mShmemMap.Contains(aId),
+ "Don't insert with an existing ID");
+ aProtocol->mShmemMap.Put(aId, aSegment);
+ }
+
+ static void RemoveShmemFromProtocol(IToplevelProtocol* aProtocol,
+ int32_t aId) {
+ aProtocol->mShmemMap.Remove(aId);
+ }
+};
+
+template <typename T>
+void FuzzProtocol(T* aProtocol, const uint8_t* aData, size_t aSize,
+ const nsTArray<nsCString>& aIgnoredMessageTypes) {
+ while (true) {
+ uint32_t msg_size =
+ IPC::Message::MessageSize(reinterpret_cast<const char*>(aData),
+ reinterpret_cast<const char*>(aData) + aSize);
+ if (msg_size == 0 || msg_size > aSize) {
+ break;
+ }
+ IPC::Message m(reinterpret_cast<const char*>(aData), msg_size);
+ aSize -= msg_size;
+ aData += msg_size;
+
+ // We ignore certain message types
+ if (aIgnoredMessageTypes.Contains(m.name())) {
+ continue;
+ }
+
+ uint8_t num_shmems = 0;
+ if (aSize) {
+ num_shmems = *aData;
+ aData++;
+ aSize--;
+
+ for (uint32_t i = 0; i < num_shmems; i++) {
+ if (aSize < sizeof(uint16_t)) {
+ break;
+ }
+ size_t shmem_size = *reinterpret_cast<const uint16_t*>(aData);
+ aData += sizeof(uint16_t);
+ aSize -= sizeof(uint16_t);
+
+ if (shmem_size > aSize) {
+ break;
+ }
+ RefPtr<Shmem::SharedMemory> segment(
+ Shmem::Alloc(Shmem::PrivateIPDLCaller(), shmem_size,
+ SharedMemory::TYPE_BASIC, false));
+ if (!segment) {
+ break;
+ }
+
+ Shmem shmem(Shmem::PrivateIPDLCaller(), segment.get(), i + 1);
+ memcpy(shmem.get<uint8_t>(), aData, shmem_size);
+ ProtocolFuzzerHelper::AddShmemToProtocol(
+ aProtocol, segment.forget().take(), i + 1);
+
+ aData += shmem_size;
+ aSize -= shmem_size;
+ }
+ }
+ // TODO: attach |m.header().num_fds| file descriptors to |m|. MVP can be
+ // empty files, next implementation maybe read a length header from |data|
+ // and then that many bytes.
+
+ if (m.is_sync()) {
+ UniquePtr<IPC::Message> reply;
+ aProtocol->OnMessageReceived(m, *getter_Transfers(reply));
+ } else {
+ aProtocol->OnMessageReceived(m);
+ }
+ for (uint32_t i = 0; i < num_shmems; i++) {
+ Shmem::SharedMemory* segment = aProtocol->LookupSharedMemory(i + 1);
+ Shmem::Dealloc(Shmem::PrivateIPDLCaller(), segment);
+ ProtocolFuzzerHelper::RemoveShmemFromProtocol(aProtocol, i + 1);
+ }
+ }
+}
+
+nsTArray<nsCString> LoadIPCMessageBlacklist(const char* aPath);
+
+} // namespace ipc
+} // namespace mozilla
+
+#endif
diff --git a/tools/fuzzing/ipc/moz.build b/tools/fuzzing/ipc/moz.build
new file mode 100644
index 0000000000..fce506a227
--- /dev/null
+++ b/tools/fuzzing/ipc/moz.build
@@ -0,0 +1,27 @@
+# -*- Mode: python; c-basic-offset: 4; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+Library("fuzzer-ipc-protocol")
+
+LOCAL_INCLUDES += [
+ "/dom/base",
+ "/dom/ipc",
+]
+
+SOURCES += [
+ "ProtocolFuzzer.cpp",
+]
+
+EXPORTS += [
+ "ProtocolFuzzer.h",
+]
+
+include("/ipc/chromium/chromium-config.mozbuild")
+
+FINAL_LIBRARY = "xul"
+
+# Add libFuzzer configuration directives
+include("/tools/fuzzing/libfuzzer-config.mozbuild")