
Commit 66f2b3e0 authored by Treehugger Robot's avatar Treehugger Robot Committed by Automerger Merge Worker

Merge changes from topic "fuzz_service_transact_codes" into main am:...

Merge changes from topic "fuzz_service_transact_codes" into main am: 449a7fd2 am: 0f14f52f am: 180f95b4 am: c3ca71e4 am: bdf14238

Original change: https://android-review.googlesource.com/c/platform/frameworks/native/+/2708153



Change-Id: I3e3d294e144262467c8c01f3e113b564a10122bf
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
parents ebc66d2b bdf14238
+9 −2
@@ -60,8 +60,15 @@ void fuzzService(const std::vector<sp<IBinder>>& binders, FuzzedDataProvider&& p

    while (provider.remaining_bytes() > 0) {
        // Most of the AIDL services will have small set of transaction codes.
        uint32_t code = provider.ConsumeBool() ? provider.ConsumeIntegral<uint32_t>()
                                               : provider.ConsumeIntegralInRange<uint32_t>(0, 100);
        // TODO(b/295942369) : Add remaining transact codes from IBinder.h
        uint32_t code = provider.ConsumeBool()
                ? provider.ConsumeIntegral<uint32_t>()
                : provider.PickValueInArray<int64_t>(
                          {provider.ConsumeIntegralInRange<uint32_t>(0, 100),
                           IBinder::DUMP_TRANSACTION, IBinder::PING_TRANSACTION,
                           IBinder::SHELL_COMMAND_TRANSACTION, IBinder::INTERFACE_TRANSACTION,
                           IBinder::SYSPROPS_TRANSACTION, IBinder::EXTENSION_TRANSACTION,
                           IBinder::TWEET_TRANSACTION, IBinder::LIKE_TRANSACTION});
        uint32_t flags = provider.ConsumeIntegral<uint32_t>();
        Parcel data;
        // for increased fuzz coverage
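Review bot: Folding the 0–100 draw into the `PickValueInArray` list cuts how often the small AIDL codes are exercised. On the non-random branch they were always chosen before; now they are one entry among nine, although the comment above still says most AIDL services use a small set of codes. The draw also consumes input bytes even when one of the fixed `IBinder` codes ends up being picked, and the `int64_t` element type is narrowed implicitly to `uint32_t`. A three-way selection gives each source an explicit weight and lets the fixed codes live in a `uint32_t` table, though it changes how existing corpus inputs decode. The body of fuzzService continues outside the hunk.

```cpp
        // … unchanged: loop header, AIDL comment and the TODO(b/295942369) line …
        static constexpr uint32_t kReservedCodes[] = {
                IBinder::DUMP_TRANSACTION,          IBinder::PING_TRANSACTION,
                IBinder::SHELL_COMMAND_TRANSACTION, IBinder::INTERFACE_TRANSACTION,
                IBinder::SYSPROPS_TRANSACTION,      IBinder::EXTENSION_TRANSACTION,
                IBinder::TWEET_TRANSACTION,         IBinder::LIKE_TRANSACTION,
        };
        uint32_t code;
        switch (provider.ConsumeIntegralInRange<uint8_t>(0, 2)) {
            case 0:
                code = provider.ConsumeIntegral<uint32_t>();  // arbitrary code
                break;
            case 1:
                code = provider.ConsumeIntegralInRange<uint32_t>(0, 100);  // AIDL methods
                break;
            default:
                code = provider.PickValueInArray(kReservedCodes);  // reserved IBinder codes
                break;
        }
        uint32_t flags = provider.ConsumeIntegral<uint32_t>();
```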
+16 −0
@@ -33,6 +33,8 @@ enum class CrashType {
    ON_KNOWN_UID,
    ON_SYSTEM_AID,
    ON_ROOT_AID,
    ON_DUMP_TRANSACT,
    ON_SHELL_CMD_TRANSACT,
};

// This service is to verify that fuzzService is functioning properly
@@ -92,6 +94,16 @@ public:
        return Status::ok();
    }

    status_t onTransact(uint32_t code, const Parcel& data, Parcel* reply, uint32_t flags) override {
        if (mCrash == CrashType::ON_DUMP_TRANSACT && code == DUMP_TRANSACTION) {
            LOG_ALWAYS_FATAL("Expected crash, DUMP.");
        } else if (mCrash == CrashType::ON_SHELL_CMD_TRANSACT &&
                   code == SHELL_COMMAND_TRANSACTION) {
            LOG_ALWAYS_FATAL("Expected crash, SHELL_CMD.");
        }
        return BnTestService::onTransact(code, data, reply, flags);
    }

private:
    CrashType mCrash;
};
@@ -121,6 +133,10 @@ extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv) {
        gCrashType = CrashType::ON_ROOT_AID;
    } else if (arg == "BINDER") {
        gCrashType = CrashType::ON_BINDER;
    } else if (arg == "DUMP") {
        gCrashType = CrashType::ON_DUMP_TRANSACT;
    } else if (arg == "SHELL_CMD") {
        gCrashType = CrashType::ON_SHELL_CMD_TRANSACT;
    } else {
        printf("INVALID ARG\n");
        exit(0); // success because this is a crash test
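Review bot: The new `onTransact` override checks only `DUMP_TRANSACTION` and `SHELL_COMMAND_TRANSACTION`, so the crash test does not show that the other fixed codes added to fuzzService (`INTERFACE_TRANSACTION`, `SYSPROPS_TRANSACTION` and the rest) are ever delivered. Some of them may be consumed by the binder base class before `onTransact` runs, which is not visible here. If so, a comment naming the codes that can be observed at this point would explain why only two have crash types. I would add above the override `// Crash on reserved IBinder codes so the test proves fuzzService sends them; every other code goes to the generated AIDL handler.` The service class and LLVMFuzzerInitialize both extend beyond the hunks shown.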
+1 −1
@@ -27,7 +27,7 @@ then
    exit 1
fi

for CRASH_TYPE in PLAIN KNOWN_UID AID_SYSTEM AID_ROOT BINDER; do
for CRASH_TYPE in PLAIN KNOWN_UID AID_SYSTEM AID_ROOT BINDER DUMP SHELL_CMD; do
    echo "INFO: Running fuzzer : test_service_fuzzer_should_crash $CRASH_TYPE"

    ./test_service_fuzzer_should_crash "$CRASH_TYPE" -max_total_time=30 &>"$FUZZER_OUT"