diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-28 14:29:10 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-28 14:29:10 +0000 |
commit | 2aa4a82499d4becd2284cdb482213d541b8804dd (patch) | |
tree | b80bf8bf13c3766139fbacc530efd0dd9d54394c /tools/fuzzing/ipc | |
parent | Initial commit. (diff) | |
download | firefox-2aa4a82499d4becd2284cdb482213d541b8804dd.tar.xz firefox-2aa4a82499d4becd2284cdb482213d541b8804dd.zip |
Adding upstream version 86.0.1.upstream/86.0.1upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'tools/fuzzing/ipc')
-rw-r--r-- | tools/fuzzing/ipc/ProtocolFuzzer.cpp | 37 | ||||
-rw-r--r-- | tools/fuzzing/ipc/ProtocolFuzzer.h | 114 | ||||
-rw-r--r-- | tools/fuzzing/ipc/moz.build | 27 |
3 files changed, 178 insertions, 0 deletions
diff --git a/tools/fuzzing/ipc/ProtocolFuzzer.cpp b/tools/fuzzing/ipc/ProtocolFuzzer.cpp new file mode 100644 index 0000000000..e2d7aae96d --- /dev/null +++ b/tools/fuzzing/ipc/ProtocolFuzzer.cpp @@ -0,0 +1,37 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this file, + * You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "mozilla/layers/CompositorBridgeParent.h" + +#include "ProtocolFuzzer.h" + +namespace mozilla { +namespace ipc { + +nsTArray<nsCString> LoadIPCMessageBlacklist(const char* aPath) { + nsTArray<nsCString> blacklist; + if (aPath) { + nsresult result = Faulty::ReadFile(aPath, blacklist); + MOZ_RELEASE_ASSERT(result == NS_OK); + } + return blacklist; +} + +mozilla::dom::ContentParent* ProtocolFuzzerHelper::CreateContentParent( + const nsACString& aRemoteType) { + auto* cp = new mozilla::dom::ContentParent(aRemoteType); + // TODO: this duplicates MessageChannel::Open + cp->GetIPCChannel()->mWorkerThread = GetCurrentSerialEventTarget(); + cp->GetIPCChannel()->mMonitor = new RefCountedMonitor(); + return cp; +} + +void ProtocolFuzzerHelper::CompositorBridgeParentSetup() { + mozilla::layers::CompositorBridgeParent::Setup(); +} + +} // namespace ipc +} // namespace mozilla diff --git a/tools/fuzzing/ipc/ProtocolFuzzer.h b/tools/fuzzing/ipc/ProtocolFuzzer.h new file mode 100644 index 0000000000..f57852038a --- /dev/null +++ b/tools/fuzzing/ipc/ProtocolFuzzer.h @@ -0,0 +1,114 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this file, + * You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef mozilla_ipc_ProtocolFuzzer_h +#define mozilla_ipc_ProtocolFuzzer_h + +#include "chrome/common/ipc_message.h" + +#include "mozilla/RefPtr.h" +#include "mozilla/UniquePtrExtensions.h" +#include "mozilla/dom/ContentParent.h" + +namespace mozilla { +namespace ipc { + +class ProtocolFuzzerHelper { + public: + static mozilla::dom::ContentParent* CreateContentParent( + const nsACString& aRemoteType); + + static void CompositorBridgeParentSetup(); + + static void AddShmemToProtocol(IToplevelProtocol* aProtocol, + Shmem::SharedMemory* aSegment, int32_t aId) { + MOZ_ASSERT(!aProtocol->mShmemMap.Contains(aId), + "Don't insert with an existing ID"); + aProtocol->mShmemMap.Put(aId, aSegment); + } + + static void RemoveShmemFromProtocol(IToplevelProtocol* aProtocol, + int32_t aId) { + aProtocol->mShmemMap.Remove(aId); + } +}; + +template <typename T> +void FuzzProtocol(T* aProtocol, const uint8_t* aData, size_t aSize, + const nsTArray<nsCString>& aIgnoredMessageTypes) { + while (true) { + uint32_t msg_size = + IPC::Message::MessageSize(reinterpret_cast<const char*>(aData), + reinterpret_cast<const char*>(aData) + aSize); + if (msg_size == 0 || msg_size > aSize) { + break; + } + IPC::Message m(reinterpret_cast<const char*>(aData), msg_size); + aSize -= msg_size; + aData += msg_size; + + // We ignore certain message types + if (aIgnoredMessageTypes.Contains(m.name())) { + continue; + } + + uint8_t num_shmems = 0; + if (aSize) { + num_shmems = *aData; + aData++; + aSize--; + + for (uint32_t i = 0; i < num_shmems; i++) { + if (aSize < sizeof(uint16_t)) { + break; + } + size_t shmem_size = *reinterpret_cast<const uint16_t*>(aData); + aData += sizeof(uint16_t); + aSize -= sizeof(uint16_t); + + if (shmem_size > aSize) { + break; + } + RefPtr<Shmem::SharedMemory> segment( + Shmem::Alloc(Shmem::PrivateIPDLCaller(), shmem_size, + SharedMemory::TYPE_BASIC, false)); + if (!segment) { + break; + } + + Shmem shmem(Shmem::PrivateIPDLCaller(), segment.get(), i + 1); + memcpy(shmem.get<uint8_t>(), aData, shmem_size); + ProtocolFuzzerHelper::AddShmemToProtocol( + aProtocol, segment.forget().take(), i + 1); + + aData += shmem_size; + aSize -= shmem_size; + } + } + // TODO: attach |m.header().num_fds| file descriptors to |m|. MVP can be + // empty files, next implementation maybe read a length header from |data| + // and then that many bytes. + + if (m.is_sync()) { + UniquePtr<IPC::Message> reply; + aProtocol->OnMessageReceived(m, *getter_Transfers(reply)); + } else { + aProtocol->OnMessageReceived(m); + } + for (uint32_t i = 0; i < num_shmems; i++) { + Shmem::SharedMemory* segment = aProtocol->LookupSharedMemory(i + 1); + Shmem::Dealloc(Shmem::PrivateIPDLCaller(), segment); + ProtocolFuzzerHelper::RemoveShmemFromProtocol(aProtocol, i + 1); + } + } +} + +nsTArray<nsCString> LoadIPCMessageBlacklist(const char* aPath); + +} // namespace ipc +} // namespace mozilla + +#endif diff --git a/tools/fuzzing/ipc/moz.build b/tools/fuzzing/ipc/moz.build new file mode 100644 index 0000000000..fce506a227 --- /dev/null +++ b/tools/fuzzing/ipc/moz.build @@ -0,0 +1,27 @@ +# -*- Mode: python; c-basic-offset: 4; indent-tabs-mode: nil; tab-width: 40 -*- +# vim: set filetype=python: +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +Library("fuzzer-ipc-protocol") + +LOCAL_INCLUDES += [ + "/dom/base", + "/dom/ipc", +] + +SOURCES += [ + "ProtocolFuzzer.cpp", +] + +EXPORTS += [ + "ProtocolFuzzer.h", +] + +include("/ipc/chromium/chromium-config.mozbuild") + +FINAL_LIBRARY = "xul" + +# Add libFuzzer configuration directives +include("/tools/fuzzing/libfuzzer-config.mozbuild") |