os/kernelhwsrv/kerneltest/f32test/loader/security/t_fuzzldr.cpp
Update contrib.
// Copyright (c) 2008-2009 Nokia Corporation and/or its subsidiary(-ies).
// All rights reserved.
// This component and the accompanying materials are made available
// under the terms of the License "Eclipse Public License v1.0"
// which accompanies this distribution, and is available
// at the URL "http://www.eclipse.org/legal/epl-v10.html".
//
// Initial Contributors:
// Nokia Corporation - initial contribution.
//
// Contributors:
//
// Description:
// f32test\loader\security\t_fuzzldr.cpp
// 
//
#define __E32TEST_EXTENSION__
#include <e32test.h>
#include <e32svr.h>
#include <e32uid.h>
#include <f32file.h>
#include <f32image.h>
#include "t_hash.h"
// Fuzzing parameters

// Number of built-in test images (fuzzv1 .. fuzzv5 under Z:\sys\bin) to iterate over.
const TInt KFuzzImages = 5;
// Random values tried per field in the random fuzzing passes.
const TInt KRandomFieldIterations = 8;
// Time the slave process gets to load a fuzzed DLL before Load() kills it.
const TTimeIntervalMicroSeconds32 KDllTimeout = 10 * 1000000;

// Table entry builders for SFuzzField.
// FUZZFIELD takes size and offset from a real struct member; sizeof is an
// unevaluated context, so the (OBJ*)8 cast never dereferences anything.
#define FUZZFIELD(OBJ, NAME) { (const TText*)(L ## #OBJ L"." L ## #NAME), sizeof(((OBJ*)8)->NAME), _FOFF(OBJ, NAME) }
// DUMBFIELD names a field with a hand-picked size and offset and no backing struct.
#define DUMBFIELD(NAME, SIZE, OFFSET) { (const TText*)L ## NAME, SIZE, OFFSET }
// Terminator: the fuzzers walk a table until they meet an entry with a NULL name.
#define FUZZEND { NULL, 0, 0 }
// One fuzzable location inside the image, expressed relative to the block a
// field table is applied to (see Target).
struct SFuzzField
	{
	const TText* name;	// wide label printed in the log; NULL terminates a table
	TInt size;			// width in bytes; SetField() only handles 1, 2 and 4
	TInt offset;		// byte offset from Target
	};
// Fields of the E32 image header; FuzzFile() applies this table at file
// offset 0. Every entry is a real E32ImageHeaderV member, so the sizes and
// offsets follow the struct layout rather than being hand-maintained.
const SFuzzField HeaderFields[] =
	{
	FUZZFIELD(E32ImageHeaderV, iUid1),
	FUZZFIELD(E32ImageHeaderV, iUid2),
	FUZZFIELD(E32ImageHeaderV, iUid3),
	FUZZFIELD(E32ImageHeaderV, iUidChecksum),
	FUZZFIELD(E32ImageHeaderV, iSignature),
	FUZZFIELD(E32ImageHeaderV, iHeaderCrc),
	FUZZFIELD(E32ImageHeaderV, iModuleVersion),
	FUZZFIELD(E32ImageHeaderV, iCompressionType),
	FUZZFIELD(E32ImageHeaderV, iToolsVersion.iMajor),
	FUZZFIELD(E32ImageHeaderV, iToolsVersion.iMinor),
	FUZZFIELD(E32ImageHeaderV, iToolsVersion.iBuild),
	FUZZFIELD(E32ImageHeaderV, iTimeLo),
	FUZZFIELD(E32ImageHeaderV, iTimeHi),
	FUZZFIELD(E32ImageHeaderV, iFlags),
	FUZZFIELD(E32ImageHeaderV, iCodeSize),
	FUZZFIELD(E32ImageHeaderV, iDataSize),
	FUZZFIELD(E32ImageHeaderV, iHeapSizeMin),
	FUZZFIELD(E32ImageHeaderV, iHeapSizeMax),
	FUZZFIELD(E32ImageHeaderV, iStackSize),
	FUZZFIELD(E32ImageHeaderV, iBssSize),
	FUZZFIELD(E32ImageHeaderV, iEntryPoint),
	FUZZFIELD(E32ImageHeaderV, iCodeBase),
	FUZZFIELD(E32ImageHeaderV, iDataBase),
	FUZZFIELD(E32ImageHeaderV, iDllRefTableCount),
	FUZZFIELD(E32ImageHeaderV, iExportDirOffset),
	FUZZFIELD(E32ImageHeaderV, iExportDirCount),
	FUZZFIELD(E32ImageHeaderV, iTextSize),
	FUZZFIELD(E32ImageHeaderV, iCodeOffset),
	FUZZFIELD(E32ImageHeaderV, iDataOffset),
	FUZZFIELD(E32ImageHeaderV, iImportOffset),
	FUZZFIELD(E32ImageHeaderV, iCodeRelocOffset),
	FUZZFIELD(E32ImageHeaderV, iDataRelocOffset),
	FUZZFIELD(E32ImageHeaderV, iProcessPriority),
	FUZZFIELD(E32ImageHeaderV, iCpuIdentifier),
	FUZZFIELD(E32ImageHeaderV, iUncompressedSize),
	FUZZFIELD(E32ImageHeaderV, iS.iSecureId),
	FUZZFIELD(E32ImageHeaderV, iS.iVendorId),
	FUZZFIELD(E32ImageHeaderV, iS.iCaps.iCaps[0]),
	FUZZFIELD(E32ImageHeaderV, iS.iCaps.iCaps[1]),
	FUZZFIELD(E32ImageHeaderV, iExceptionDescriptor),
	FUZZFIELD(E32ImageHeaderV, iSpare2),
	FUZZFIELD(E32ImageHeaderV, iExportDescSize),
	FUZZFIELD(E32ImageHeaderV, iExportDescType),
	FUZZFIELD(E32ImageHeaderV, iExportDesc[0]),
	FUZZEND
	};
// Tables below are only used for uncompressed images, where FuzzFile() can
// locate the sections through the clean header's offsets.

// Applied at iImportOffset.
const SFuzzField ImportSectionFields[] =
	{
	FUZZFIELD(E32ImportSection, iSize),
	FUZZEND
	};

// Applied at iImportOffset + sizeof(E32ImportSection), i.e. the first block.
const SFuzzField ImportBlockFields[] =
	{
	FUZZFIELD(E32ImportBlock, iOffsetOfDllName), // we should fuzz the string also
	FUZZFIELD(E32ImportBlock, iNumberOfImports),
	FUZZEND
	};

// Applied just after the first import block: one 4-byte import entry.
const SFuzzField ImportEntryFields[] =
	{
	DUMBFIELD("import", 4, 0),
	FUZZEND
	};

// Applied at iCodeRelocOffset and again at iDataRelocOffset.
const SFuzzField RelocSectionFields[] =
	{
	FUZZFIELD(E32RelocSection, iSize),
	FUZZFIELD(E32RelocSection, iNumberOfRelocs),
	FUZZEND
	};

// Applied at the first relocation block following each E32RelocSection.
const SFuzzField RelocBlockFields[] =
	{
	FUZZFIELD(E32RelocBlock, iPageOffset),
	FUZZFIELD(E32RelocBlock, iBlockSize),
	FUZZEND
	};

// Applied just after the first relocation block: one 2-byte relocation entry.
const SFuzzField RelocEntryFields[] =
	{
	DUMBFIELD("reloc", 2, 0),
	FUZZEND
	};

// Applied at iExportDirOffset: the first 4-byte export entry.
const SFuzzField ExportEntryFields[] =
	{
	DUMBFIELD("export", 4, 0),
	FUZZEND
	};

// For compressed images there is no structure to follow, so the deterministic
// pass pokes at a few words at growing offsets into the payload at iCodeOffset.
const SFuzzField CompressedDataFields[] =
	{
	DUMBFIELD("data1", 4, 0),
	DUMBFIELD("data2", 4, 4),
	DUMBFIELD("data3", 4, 16),
	DUMBFIELD("data4", 4, 64),
	DUMBFIELD("data5", 4, 256),
	DUMBFIELD("data6", 4, 1024),
	DUMBFIELD("data7", 4, 4096),
	FUZZEND
	};
// Values to try for different sizes, signed here but can be interpreted as either
// each will also try the smaller sizes' values
const TInt8 Values8[] = { KMinTInt8, -100, -10, -2, -1, 0, 1, 2, 10, 100, KMaxTInt8 };
const TInt Values8Count = sizeof(Values8)/sizeof(TInt8);
const TInt16 Values16[] = { KMinTInt16, -10000, -256, -255, 128, 255, 256, 10000, KMaxTInt16 };
const TInt Values16Count = sizeof(Values16)/sizeof(TInt16);
const TInt32 Values32[] = { KMinTInt32, -1000000000, -65536, -65535, 32768, 65535, 65536, 268435455, 268435456, 1000000000, KMaxTInt32 };
const TInt Values32Count = sizeof(Values32)/sizeof(TInt32);
// Number of preset values for a field, indexed by the field's size in bytes
// (only 1, 2 and 4 are used; entries 0 and 3 are padding). The counts are
// cumulative because SetField() treats the lists as one concatenated sequence.
const TInt ValuesCount[] = { 0, Values8Count, Values8Count+Values16Count, 0, Values8Count+Values16Count+Values32Count };
// Deltas added to a field's current value in the EValOffsetList pass.
const TInt Offsets[] = { 1, 2, 4, 16, -1, -2, -4, -16 };
const TInt OffsetsCount = sizeof(Offsets)/sizeof(TInt);
// Regular boring definitions and stuff

RTest test(_L("T_FUZZLDR"));
RFs TheFs;
CFileMan* FileMan;	// created and deleted by E32Main, not used otherwise

_LIT(KOrigDir, "Z:\\sys\\bin\\");	// where the pristine test images live
_LIT(KSysBin, ":\\sys\\bin\\");		// appended to a drive letter for the fuzzed copy
_LIT(KSysHash, ":\\sys\\hash\\");	// hash directory, on the system drive
_LIT(KImageName, "fuzzv");			// built-in images are fuzzv<N>.exe / fuzzv<N>.dll
_LIT(KExeExt, ".exe");
_LIT(KDllExt, ".dll");
_LIT(KMyself, "t_fuzzldr");			// this executable, re-launched as a DLL-loading slave
_LIT(KSlaveArg, "-l ");				// slave switch; the DLL path follows it

TFileName Provided;		// image name given on the command line, if any
TFileName Original;		// pristine image under KOrigDir
TFileName Current;		// fuzzed copy on Drive that the loader is pointed at
TFileName Hash;			// hash file for Current (only written for the removable drive)
TFileName HashDir;		// <system drive>:\sys\hash\
TBool LoadDll;			// ETrue when Original's UID1 says it is a DLL
RFile File;				// shared handle, opened and closed per operation
RTimer Timer;			// bounds how long a slave may take to load a DLL
TUint8* Target;			// base address the current field table's offsets are relative to
E32ImageHeaderV* Header;		// header view of FileData (the copy that gets mutated)
E32ImageHeaderV* CleanHeader;	// header view of CleanFileData (never mutated)
CSHA1* Hasher;

TInt FileSize;			// length of the pristine image
TInt OutFileSize;		// bytes Load() writes out; below FileSize while truncating
TUint8* CleanFileData;
TPtr8 CleanFileDes(CleanFileData, 0);	// re-pointed at the buffer by LoadCleanFile()
TUint8* FileData;
TPtr8 FileDes(FileData, 0);				// likewise
TUint8* EndOfFile;		// FileData + FileSize; SetFieldTo() will not write at or past it
TChar Drive = '?', InternalDrive = '?', RemovableDrive = '?';	// '?' means not found yet

TBool Verbose;
TBool Forever = EFalse;	// -f: repeat the random phase indefinitely
TUint32 Seed = 0;		// -s: state of Rand(); 0 means derive it from the clock
typedef void (*TFieldFuzzer)(const SFuzzField*, TInt);	// FuzzFieldsDeterministically / FuzzFieldsRandomly
// How SetFieldTo() combines the supplied value with a field's current contents.
// SetField() casts the first four ValueMode enumerators straight to SetMode,
// so this order must stay in step with ValueMode.
enum SetMode {
	ESetLiteral,	// store the value as given
	ESetOffset,		// add the value to the current contents
	ESetRandom,		// ignore the value, store Rand() truncated to the field width
	ESetXor,		// xor the value into the current contents
};
// What the aValue argument of SetField() means. The first four map 1:1 onto
// SetMode (same order); the last two treat aValue as an index into a table.
enum ValueMode {
	EValLiteral,
	EValOffset,
	EValRandom,
	EValXor,
	EValList,		// index into the concatenated Values8/Values16/Values32 lists
	EValOffsetList,	// index into Offsets[], applied as ESetOffset
};
   220
// Advances the global Seed by one linear-congruential step (multiplier 69069,
// increment 5; TUint32 arithmetic wraps, which is the intended 2^32 modulus)
// and returns the new state. Runs are reproducible from the logged seed.
TUint32 Rand()
	{
	Seed = Seed * 69069 + 5;
	return Seed;
	}
   228
// Returns a random value in [0, aLimit) (0 when aLimit is 0): the next 32-bit
// Rand() output is scaled by aLimit in 64-bit arithmetic and the high word
// taken, so no modulo is needed.
TUint32 Rand(TUint32 aLimit)
	{
	const TUint64 scaled = (TUint64)Rand() * aLimit;
	return (TUint32)(scaled >> 32);
	}
   235
// Fills in the three paths for built-in test image number aNum: Original
// (pristine copy under KOrigDir), Current (fuzzed copy in \sys\bin on Drive)
// and Hash (its hash file under HashDir). aDll selects the .dll or .exe variant.
void PrepareName(TInt aNum, TBool aDll)
	{
	const TDesC& extension = aDll ? KDllExt() : KExeExt();

	Original.Copy(KOrigDir);
	Original.Append(KImageName);
	Original.AppendNum(aNum);
	Original.Append(extension);

	Current.Zero();
	Current.Append(Drive);
	Current.Append(KSysBin);
	Current.Append(KImageName);
	Current.AppendNum(aNum);
	Current.Append(extension);

	Hash.Copy(HashDir);
	Hash.Append(KImageName);
	Hash.AppendNum(aNum);
	Hash.Append(extension);
	}
   254
// Same as PrepareName() but for the image named on the command line: the file
// called Provided is looked for under KOrigDir and copied to \sys\bin on Drive.
void PrepareProvidedName()
	{
	Original.Copy(KOrigDir);
	Original.Append(Provided);

	Current.Zero();
	Current.Append(Drive);
	Current.Append(KSysBin);
	Current.Append(Provided);

	Hash.Copy(HashDir);
	Hash.Append(Provided);
	}
   267
// Restores the working buffer (FileData) from the pristine copy so that each
// fuzz case starts from an unmodified image and mutations never accumulate.
void MakeCleanCopy()
	{
	Mem::Copy(FileData, CleanFileData, FileSize);
	}
   273
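// Reads the pristine image named by Original into two heap buffers:
// CleanFileData (never modified) and FileData (the working copy the fuzzers
// mutate and Load() writes out). Sets FileSize/OutFileSize, EndOfFile, the
// Header/CleanHeader views and LoadDll from the clean header. Any failure
// aborts the test.
void LoadCleanFile()
	{
	test_KErrNone(File.Open(TheFs, Original, EFileRead));
	test_KErrNone(File.Size(FileSize));
	// Header fields are read through CleanHeader and RecalcChecksums() CRCs a
	// whole E32ImageHeaderV, so refuse an image shorter than the header rather
	// than reading past the end of the buffers allocated below.
	test(FileSize >= (TInt)sizeof(E32ImageHeaderV));
	OutFileSize = FileSize;
	CleanFileData = new TUint8[FileSize];
	test_NotNull(CleanFileData);
	FileData = new TUint8[FileSize];
	test_NotNull(FileData);
	EndOfFile = FileData + FileSize;
	CleanFileDes.Set(CleanFileData, 0, FileSize);
	test_KErrNone(File.Read(CleanFileDes));
	// A short read would leave the tail of the clean copy uninitialised.
	test(CleanFileDes.Length() == FileSize);
	File.Close();
	Header = (E32ImageHeaderV*)FileData;
	CleanHeader = (E32ImageHeaderV*)CleanFileData;
	FileDes.Set(FileData, FileSize, FileSize);
	MakeCleanCopy();
	// Only plain executables and DLLs are meaningful inputs for the loader.
	test(CleanHeader->iUid1==(TUint32)KExecutableImageUidValue || CleanHeader->iUid1==(TUint32)KDynamicLibraryUidValue);
	LoadDll = CleanHeader->iUid1==(TUint32)KDynamicLibraryUidValue;
	}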
   295
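// Releases the buffers allocated by LoadCleanFile() and clears the raw
// pointers into them, so any use between DoneFile() and the next
// LoadCleanFile() faults on NULL instead of silently touching freed memory.
void DoneFile()
	{
	delete[] FileData;
	delete[] CleanFileData;
	FileData = NULL;
	CleanFileData = NULL;
	Header = NULL;
	CleanHeader = NULL;
	EndOfFile = NULL;
	Target = NULL;
	}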
   302
// Refreshes the UID checksum and header CRC of the working copy so that a
// mutation elsewhere in the header is not masked by a checksum mismatch
// (presumably the loader rejects such images before parsing any further).
// A checksum the fuzzer itself changed, i.e. one that differs from the clean
// header, is left alone so the "corrupt checksum" case is still exercised.
void RecalcChecksums()
	{
	const TBool uidChecksumUntouched = Header->iUidChecksum == CleanHeader->iUidChecksum;
	const TBool headerCrcUntouched = Header->iHeaderCrc == CleanHeader->iHeaderCrc;

	if (uidChecksumUntouched)
		{
		// Word 3 of a TCheckedUid built from the three UIDs is their checksum.
		TCheckedUid checked(*(const TUidType*)Header);
		const TUint32* words = (const TUint32*)&checked;
		Header->iUidChecksum = words[3];
		}

	if (headerCrcUntouched)
		{
		// The CRC covers the whole header with the CRC field itself set to
		// the initialiser value.
		Header->iHeaderCrc = KImageCrcInitialiser;
		TUint32 crc = 0;
		Mem::Crc32(crc, Header, sizeof(E32ImageHeaderV));
		Header->iHeaderCrc = crc;
		}
	}
   321
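// Writes the first OutFileSize bytes of the working copy to Current,
// replacing any previous file.
static void WriteFuzzedImage()
	{
	test_KErrNone(File.Replace(TheFs, Current, EFileWrite));
	test_KErrNone(File.Write(FileDes, OutFileSize));
	test_KErrNone(File.Flush());
	File.Close();
	}

// Stores the SHA-1 of the bytes just written as the hash file for Current,
// which the loader presumably requires for binaries on removable media.
static void WriteImageHash()
	{
	TPtrC8 data(FileData, OutFileSize);
	Hasher->Reset();
	Hasher->Update(data);
	TBuf8<SHA1_HASH> hashVal = Hasher->Final();
	test_KErrNone(File.Replace(TheFs, Hash, EFileWrite));
	test_KErrNone(File.Write(hashVal));
	test_KErrNone(File.Flush());
	File.Close();
	}

// Loads the fuzzed DLL in a fresh copy of this test process ("-l <path>"),
// so a crash or hang in the loader or the DLL is isolated from the fuzzer,
// and kills the slave if it has not exited within KDllTimeout.
static void LoadViaSlaveProcess()
	{
	RProcess p;
	TFileName args;
	args.Copy(KSlaveArg);
	args.Append(Current);
	test_KErrNone(p.Create(KMyself, args));
	TRequestStatus logon, rendez, timeout;
	p.Logon(logon);
	p.Rendezvous(rendez);
	p.Resume();
	// The slave rendezvouses immediately before it calls RLibrary::Load.
	User::WaitForRequest(rendez);
	test(rendez==KErrNone);
	Timer.After(timeout, KDllTimeout);
	User::WaitForRequest(logon, timeout);
	if (logon == KRequestPending)
		{
		// Timed out: the load is hung, kill the slave and collect its logon.
		p.Kill(0);
		User::WaitForRequest(logon);
		}
	else
		{
		// Slave exited first: cancel the timer and consume its completion.
		Timer.Cancel();
		User::WaitForRequest(timeout);
		}
	p.Close();
	// we don't check the return code as passing it back makes the log output
	// super spammy with KPANIC on - it prints for every nonzero return code.
	if (Verbose) test.Printf(_L("\n"));
	}

// Asks the kernel to create a process from the fuzzed exe and kills it at
// once if creation succeeded; only the creation result is of interest.
static void LoadAsProcess()
	{
	RProcess p;
	const TInt r = p.Create(Current, KNullDesC);
	if (r==KErrNone)
		p.Kill(0);
	if (Verbose) test.Printf(_L("=> %d\n"), r);
	p.Close();
	}

// Hands the current mutation to the loader: fixes up the checksums, writes
// the image (and, on the removable drive, its hash file) to Current, then
// loads it either as a DLL in a slave process or directly as a process.
void Load()
	{
	RecalcChecksums();
	WriteFuzzedImage();
	if (Drive == RemovableDrive)
		WriteImageHash();
	if (LoadDll)
		LoadViaSlaveProcess();
	else
		LoadAsProcess();
	}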
   381
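// Writes a T-sized value into the working copy at Target + aField->offset.
// aMode selects how aSetTo combines with the field's current contents:
//   ESetLiteral - store aSetTo as is
//   ESetOffset  - add aSetTo to the current value
//   ESetRandom  - ignore aSetTo, store Rand() truncated to T
//   ESetXor     - xor aSetTo into the current value
// A field that does not lie wholly inside [FileData, EndOfFile) is skipped,
// which happens when an earlier section offset points near the end of file.
template <typename T> void SetFieldTo(const SFuzzField* aField, T aSetTo, SetMode aMode)
	{
	TUint8* start = Target + aField->offset;
	// Check the last byte of the field, not just its first: a 2- or 4-byte
	// field straddling EndOfFile would otherwise be written past the end of
	// the heap buffer.
	if (start < FileData || start + sizeof(T) > EndOfFile)
		{
		if (Verbose) test.Printf(_L("skipping, eof "));
		return;
		}
	T* field = (T*)start;
	switch (aMode)
		{
	case ESetOffset:
		aSetTo += *field;
		break;
	case ESetRandom:
		aSetTo = (T)Rand();
		break;
	case ESetXor:
		aSetTo ^= *field;
		break;
	case ESetLiteral:
	default:
		break;
		}
	*field = aSetTo;
	if (Verbose) test.Printf(_L("%d "), aSetTo);
	}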
   400
// Returns entry aIndex of the preset lists viewed as one sequence:
// Values8 first, then Values16, then Values32 (ValuesCount holds the
// cumulative boundaries).
static TInt32 PresetValue(TInt aIndex)
	{
	if (aIndex < ValuesCount[1])
		return Values8[aIndex];
	if (aIndex < ValuesCount[2])
		return Values16[aIndex - ValuesCount[1]];
	return Values32[aIndex - ValuesCount[2]];
	}

// Applies one mutation to aField in the working copy. For the first four
// modes aValue is the operand and aMode maps directly onto SetMode (the two
// enums share their first four enumerators in order); for EValList aValue
// indexes the preset value lists and for EValOffsetList it indexes Offsets[].
// Field widths other than 1, 2 or 4 bytes are silently ignored.
void SetField(const SFuzzField* aField, TInt aValue, ValueMode aMode)
	{
	const TInt width = aField->size;
	switch (aMode)
		{
	case EValLiteral:
	case EValOffset:
	case EValRandom:
	case EValXor:
		{
		const SetMode how = (SetMode)aMode;
		if (width == 1)
			SetFieldTo<TInt8>(aField, aValue, how);
		else if (width == 2)
			SetFieldTo<TInt16>(aField, aValue, how);
		else if (width == 4)
			SetFieldTo<TInt32>(aField, aValue, how);
		break;
		}
	case EValList:
		{
		const TInt32 preset = PresetValue(aValue);
		if (width == 1)
			SetFieldTo<TInt8>(aField, (TInt8)preset, ESetLiteral);
		else if (width == 2)
			SetFieldTo<TInt16>(aField, (TInt16)preset, ESetLiteral);
		else if (width == 4)
			SetFieldTo<TInt32>(aField, preset, ESetLiteral);
		break;
		}
	case EValOffsetList:
		{
		const TInt delta = Offsets[aValue];
		if (width == 1)
			SetFieldTo<TInt8>(aField, (TInt8)delta, ESetOffset);
		else if (width == 2)
			SetFieldTo<TInt16>(aField, (TInt16)delta, ESetOffset);
		else if (width == 4)
			SetFieldTo<TInt32>(aField, delta, ESetOffset);
		break;
		}
	default:
		break;
		}
	}
   458
// One fuzz case: reset the working copy, apply a single mutation, load it.
static void FuzzOneCase(const SFuzzField* aField, TInt aValue, ValueMode aMode)
	{
	MakeCleanCopy();
	SetField(aField, aValue, aMode);
	Load();
	}

// Walks the NULL-terminated table aFields, which describes a block starting
// aOffset bytes into the image, and loads the image once per mutation:
// preset values, preset deltas, every single-bit flip, a full inversion and,
// for 32-bit fields only (the ones likely to hold offsets), values around the
// file size and around the end of the code section.
void FuzzFieldsDeterministically(const SFuzzField* aFields, TInt aOffset)
	{
	Target = FileData + aOffset;

	for (const SFuzzField* field = aFields; field->name; ++field)
		{
		test.Printf(_L("FIELD: %s ...\n"), field->name);
		TInt v;

		if (Verbose) test.Next(_L("Using preset values"));
		const TInt presetCount = ValuesCount[field->size];
		for (v = 0; v < presetCount; ++v)
			FuzzOneCase(field, v, EValList);

		if (Verbose) test.Next(_L("Using preset offsets"));
		for (v = 0; v < OffsetsCount; ++v)
			FuzzOneCase(field, v, EValOffsetList);

		if (Verbose) test.Next(_L("Flipping single bits"));
		const TInt bitCount = field->size * 8;
		for (v = 0; v < bitCount; ++v)
			FuzzOneCase(field, 1 << v, EValXor);

		if (Verbose) test.Next(_L("Inverting"));
		FuzzOneCase(field, 0xffffffffu, EValXor);

		// things that are offsets all go below, pointless on
		// narrow fields
		if (field->size != 4)
			continue;

		if (Verbose) test.Next(_L("Using filesize relative values"));
		for (v = FileSize - 4; v <= FileSize + 4; ++v)
			FuzzOneCase(field, v, EValLiteral);

		if (Verbose) test.Next(_L("Using code-end relative values"));
		const TInt codeEnd = CleanHeader->iCodeSize + CleanHeader->iCodeOffset;
		for (v = codeEnd - 4; v <= codeEnd + 4; ++v)
			FuzzOneCase(field, v, EValLiteral);
		}
	}
   517
// For each field of the NULL-terminated table aFields (relative to the block
// starting aOffset bytes into the image) stores KRandomFieldIterations random
// values in turn, loading the image after each one.
void FuzzFieldsRandomly(const SFuzzField* aFields, TInt aOffset)
	{
	Target = FileData + aOffset;

	for (const SFuzzField* field = aFields; field->name; ++field)
		{
		test.Printf(_L("FIELD: %s ... (random)\n"), field->name);
		for (TInt iteration = 0; iteration < KRandomFieldIterations; ++iteration)
			{
			MakeCleanCopy();
			SetField(field, 0, EValRandom);
			Load();
			}
		}
	}
   537
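// Overwrites one byte at a random position inside the aSize-byte block that
// starts aOffset bytes into the image, KRandomFieldIterations * 4 times,
// loading the image after each mutation. Used for compressed payloads, where
// there is no field layout to drive table-based fuzzing.
void FuzzBlockRandomly(TInt aOffset, TInt aSize)
	{
	if (aSize <= 0)
		{
		// Rand(TUint32) would read a non-positive size as a huge unsigned
		// limit and hand back offsets outside the buffer.
		if (Verbose) test.Printf(_L("skipping, empty block "));
		return;
		}
	SFuzzField field;
	field.name = NULL;	// never printed; SetField() only reads size and offset
	field.size = 1;		// the log line says "words" but each mutation is a single byte
	Target = FileData + aOffset;

	test.Printf(_L("FIELD: random words in data\n"));
	const TInt iterations = KRandomFieldIterations * 4;
	for (TInt v = 0; v < iterations; ++v)
		{
		MakeCleanCopy();
		field.offset = Rand(aSize);
		if (Verbose) test.Printf(_L("@ %d, "), field.offset);
		SetField(&field, 0, EValRandom);
		Load();
		}
	}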
   556
// Fuzzes an E32RelocSection at aOffset together with the first relocation
// block and the first entry that follow it.
static void FuzzRelocTable(TFieldFuzzer aFuzzFields, TInt aOffset)
	{
	aFuzzFields(RelocSectionFields, aOffset);
	aOffset += sizeof(E32RelocSection);
	aFuzzFields(RelocBlockFields, aOffset);
	aOffset += sizeof(E32RelocBlock);
	aFuzzFields(RelocEntryFields, aOffset);
	}

// Fuzzes the image selected by PrepareName()/PrepareProvidedName(): the
// header always, then either the import, relocation and export tables of an
// uncompressed image or the compressed payload. aRandom chooses random
// mutations instead of the deterministic sweep. Prints the elapsed time.
void FuzzFile(TBool aRandom)
	{
	TTime before;
	before.UniversalTime();
	LoadCleanFile();

	const TFieldFuzzer fuzzFields = aRandom ? FuzzFieldsRandomly : FuzzFieldsDeterministically;

	// E32ImageHeader
	fuzzFields(HeaderFields, 0);

	if (CleanHeader->iCompressionType != KFormatNotCompressed)
		{
		// No parseable structure inside compressed data, so poke at it blindly.
		if (aRandom)
			FuzzBlockRandomly(CleanHeader->iCodeOffset, FileSize - CleanHeader->iCodeOffset);
		else
			fuzzFields(CompressedDataFields, CleanHeader->iCodeOffset);
		}
	else
		{
		// import table
		TInt offset = CleanHeader->iImportOffset;
		if (offset != 0)
			{
			fuzzFields(ImportSectionFields, offset);
			offset += sizeof(E32ImportSection);
			fuzzFields(ImportBlockFields, offset);
			offset += sizeof(E32ImportBlock);
			fuzzFields(ImportEntryFields, offset);
			}

		// code relocations
		offset = CleanHeader->iCodeRelocOffset;
		if (offset != 0)
			FuzzRelocTable(fuzzFields, offset);

		// data relocations
		offset = CleanHeader->iDataRelocOffset;
		if (offset != 0)
			FuzzRelocTable(fuzzFields, offset);

		// export table
		offset = CleanHeader->iExportDirOffset;
		if (offset != 0)
			fuzzFields(ExportEntryFields, offset);
		}

	DoneFile();
	TTime after;
	after.UniversalTime();
	TTimeIntervalSeconds interval;
	after.SecondsFrom(before, interval);
	test.Printf(_L("Took %d seconds\n"), interval.Int());
	}
   631
// Writes the image cut off around the boundary at size and loads each
// variant: size-4 and size-1 always, then size, size+1 and size+4 unless
// size is the file length, where nothing lies beyond the boundary.
// NOTE(review): for a boundary just below FileSize the +1/+4 variants push
// OutFileSize past FileSize, and Load() then asks RFile::Write for more bytes
// than FileDes holds - confirm how RFile::Write treats that.
void FuzzTruncateTo(TInt size)
	{
	const TInt deltas[] = { -4, -1, 0, 1, 4 };
	const TInt deltaCount = sizeof(deltas) / sizeof(deltas[0]);
	for (TInt i = 0; i < deltaCount; ++i)
		{
		const TInt delta = deltas[i];
		if (delta >= 0 && size == FileSize)
			return;
		OutFileSize = size + delta;
		if (Verbose) test.Printf(_L("%d "), OutFileSize);
		Load();
		}
	}
   653
// Loads the current image truncated around each structural boundary: the
// start of the code section, its end (only meaningful when the image is not
// compressed) and the end of the file. Prints the elapsed time.
void FuzzTruncate()
	{
	TTime before;
	before.UniversalTime();
	LoadCleanFile();

	FuzzTruncateTo(CleanHeader->iCodeOffset);
	const TBool uncompressed = CleanHeader->iCompressionType == KFormatNotCompressed;
	if (uncompressed)
		FuzzTruncateTo(CleanHeader->iCodeOffset+CleanHeader->iCodeSize);
	FuzzTruncateTo(FileSize);

	DoneFile();
	TTime after;
	after.UniversalTime();
	TTimeIntervalSeconds elapsed;
	after.SecondsFrom(before, elapsed);
	test.Printf(_L("Took %d seconds\n"), elapsed.Int());
	}
   672
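// Test image number that has no DLL variant: the toolchain doesn't like DLLs
// with no exports, so fuzzv5.dll doesn't exist.
const TInt KImageWithoutDll = 5;

// Thin wrappers so both FuzzFile() modes fit the per-image loop below.
static void FuzzFileDeterministically() { FuzzFile(EFalse); }
static void FuzzFileRandomly() { FuzzFile(ETrue); }

// Runs aFuzz over every built-in test image on the current Drive: the exe,
// then the DLL where one exists. aSuffix is appended to each log line.
static void FuzzEachTestImage(void (*aFuzz)(), const TDesC& aSuffix)
	{
	for (TInt i = 1; i <= KFuzzImages; ++i)
		{
		test.Next(_L("Next binary..."));
		test.Printf(_L("Fuzzing exe %d%S\n"), i, &aSuffix);
		PrepareName(i, EFalse);
		aFuzz();
		if (i == KImageWithoutDll)
			continue;
		test.Next(_L("Next binary..."));
		test.Printf(_L("Fuzzing dll %d%S\n"), i, &aSuffix);
		PrepareName(i, ETrue);
		aFuzz();
		}
	}

// Fuzzes the built-in fuzzv<N> images: a deterministic sweep and a
// truncation sweep on the internal and then the removable drive, followed
// by random fuzzing of both drives, repeated while Forever is set.
void FuzzAllTestImages()
	{
	Drive = InternalDrive;
	test.Next(_L("Fuzzing deterministically"));
	FuzzEachTestImage(FuzzFileDeterministically, KNullDesC);
	Drive = RemovableDrive;
	test.Next(_L("Fuzzing deterministically on removable media"));
	FuzzEachTestImage(FuzzFileDeterministically, KNullDesC);
	Drive = InternalDrive;
	test.Next(_L("Fuzzing by truncation"));
	FuzzEachTestImage(FuzzTruncate, KNullDesC);
	Drive = RemovableDrive;
	test.Next(_L("Fuzzing by truncation on removable media"));
	FuzzEachTestImage(FuzzTruncate, KNullDesC);
	test.Next(_L("Fuzzing randomly"));
	_LIT(KOnRemovable, " on removable media");
	do
		{
		// Each drive gets its own complete pass, so the image without a DLL
		// is still fuzzed on the removable drive instead of being skipped
		// along with its missing DLL.
		Drive = InternalDrive;
		FuzzEachTestImage(FuzzFileRandomly, KNullDesC);
		Drive = RemovableDrive;
		FuzzEachTestImage(FuzzFileRandomly, KOnRemovable);
		}
	while (Forever);
	}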
   768
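// Same schedule as FuzzAllTestImages() for the single image named on the
// command line (Provided): deterministic sweep, truncation sweep and random
// fuzzing, each on the internal and then the removable drive.
void FuzzProvidedImage()
	{
	test.Printf(_L("Fuzzing file %S\n"), &Provided);
	PrepareProvidedName();
	Drive = InternalDrive;
	test.Next(_L("Fuzzing deterministically"));
	FuzzFile(EFalse);
	Drive = RemovableDrive;
	test.Next(_L("Fuzzing deterministically on removable media"));
	FuzzFile(EFalse);
	// Switch back to the internal drive; otherwise the first truncation pass
	// would silently run on the removable drive a second time.
	Drive = InternalDrive;
	test.Next(_L("Fuzzing by truncation"));
	FuzzTruncate();
	Drive = RemovableDrive;
	test.Next(_L("Fuzzing by truncation on removable media"));
	FuzzTruncate();
	test.Next(_L("Fuzzing randomly"));
	do
		{
		Drive = InternalDrive;
		test.Next(_L("Internal drive"));
		FuzzFile(ETrue);
		Drive = RemovableDrive;
		test.Next(_L("Removable drive"));
		FuzzFile(ETrue);
		}
	while (Forever);
	}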
   797
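// Parses the command line into the globals:
//   -v / -q      verbose / quiet
//   -s <hex>     random seed
//   -f           repeat the random phase forever
//   -l <path>    run as a DLL-loading slave
//   anything else is taken as the name of an image to fuzz (Provided)
// Returns ETrue when started as a slave, with the DLL path in aSlaveLib;
// parsing stops at that point and nothing else should run.
static TBool ParseCommandLine(TFileName& aSlaveLib)
	{
	TFileName cmd;
	User::CommandLine(cmd);
	TLex lex(cmd);
	FOREVER
		{
		lex.SkipSpace();
		if (lex.Eos())
			break;
		TChar next = lex.Peek();
		if (next == '-' || next == '/')
			{
			// option
			lex.Inc();
			switch(lex.Get())
				{
			case 'v':
				Verbose = ETrue;
				break;
			case 'q':
				Verbose = EFalse;
				break;
			case 'l':
				// being used as a slave to load a DLL
				aSlaveLib.Copy(lex.NextToken());
				return ETrue;
			case 's':
				// random seed
				lex.SkipSpace();
				test_KErrNone(lex.Val(Seed, EHex));
				test.Printf(_L("Using supplied random seed %08x\n"), Seed);
				break;
			case 'f':
				// run forever
				Forever = ETrue;
				break;
				}
			}
		else
			{
			// filename, at least i assume it is :)
			Provided.Copy(lex.NextToken());
			}
		}
	return EFalse;
	}

// Slave mode: tell the parent we are about to load, then try to load the
// (fuzzed) DLL. The result is deliberately not reported back (see Load()).
static TInt RunAsSlave(const TDesC& aLibName)
	{
	RLibrary l;
	RProcess::Rendezvous(KErrNone);
	l.Load(aLibName);
	return KErrNone;
	}

// Picks the first internal and the first removable drive with media present
// and makes sure each has a \sys\bin directory for the fuzzed copies.
// NOTE(review): if either stays '?' the later File.Replace calls on that
// drive will fail - confirm whether the test should bail out here instead.
static void FindDrives()
	{
	for (TInt driveno = EDriveA; driveno <= EDriveZ; ++driveno)
		{
		TDriveInfo di;
		test_KErrNone(TheFs.Drive(di, driveno));
		if (di.iType == EMediaNotPresent)
			continue;
		TChar drivechar;
		test_KErrNone(TheFs.DriveToChar(driveno, drivechar));
		if ((di.iDriveAtt & KDriveAttInternal) && InternalDrive == '?')
			InternalDrive = drivechar;
		else if ((di.iDriveAtt & KDriveAttRemovable) && RemovableDrive == '?')
			RemovableDrive = drivechar;
		else
			continue;

		TFileName fn;
		fn.Append(drivechar);
		fn.Append(KSysBin);
		// Check this MkDirAll's own result, not a value left over from earlier.
		const TInt r = TheFs.MkDirAll(fn);
		test(r == KErrNone || r == KErrAlreadyExists);
		}
	test.Printf(_L("Using %c as internal drive, %c as removable\n"), (TUint)InternalDrive, (TUint)RemovableDrive);
	}

// Entry point. Either acts as the DLL-loading slave or sets up the file
// server, timer, hasher, hash directory and drives and then fuzzes the
// built-in images or the one named on the command line.
GLDEF_C TInt E32Main()
	{
	// default to verbose unless the fasttest trace flag is on
	Verbose = (UserSvr::DebugMask(2)&0x00000002) == 0;

	TFileName slaveLib;
	if (ParseCommandLine(slaveLib))
		return RunAsSlave(slaveLib);

	test.Title();
	test.Next(_L("Setup"));
	__UHEAP_MARK;
	CTrapCleanup* cleanup = CTrapCleanup::New();
	test_NotNull(cleanup);

	if (Seed == 0)
		{
		// No -s given: seed from the clock and log it so a run can be repeated.
		TTime time;
		time.UniversalTime();
		Seed = (TUint32)time.Int64();
		test.Printf(_L("Random seed is %08x\n"), Seed);
		}

	test_KErrNone(TheFs.Connect());
	test_TRAP(FileMan=CFileMan::NewL(TheFs));
	test_KErrNone(Timer.CreateLocal());
	test_TRAP(Hasher=CSHA1::NewL());
	HashDir.Append(TheFs.GetSystemDriveChar());
	HashDir.Append(KSysHash);
	const TInt r = TheFs.MkDirAll(HashDir);
	test(r == KErrNone || r == KErrAlreadyExists);

	// Find some interesting drives
	FindDrives();

	// Turn off evil lazy dll unloading, presumably so each slave load maps the
	// freshly written file rather than a still-cached earlier copy.
	RLoader l;
	test_KErrNone(l.Connect());
	test_KErrNone(l.CancelLazyDllUnload());
	l.Close();

	test.Start(_L("Fuzzing loader"));
	if (Provided.Length() == 0)
		FuzzAllTestImages();
	else
		FuzzProvidedImage();
	test.End();

	delete Hasher;
	Timer.Close();
	delete FileMan;
	TheFs.Close();
	test.Close();
	delete cleanup;
	__UHEAP_MARKEND;
	return KErrNone;
	}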