Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit eb7d75b2 authored by Steven Moreland's avatar Steven Moreland Committed by Automerger Merge Worker
Browse files

Merge "fuzz_service_test: test restore calling ID" am: b32659ce am:... 

Merge "fuzz_service_test: test restore calling ID" am: b32659ce am: 0f43c4d0 am: b9ef1c57 am: 88311717 am: 93850164

Original change: https://android-review.googlesource.com/c/platform/frameworks/native/+/2645266



Change-Id: I738e0dede8af11c2b662046733abf18040421fa6
Signed-off-by: default avatarAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
parents 077726d8 93850164

libs/binder/tests/parcel_fuzzer/test_fuzzer/ITestService.aidl

+3 −1
Original line number Original line Diff line number Diff line
@@ -21,4 +21,6 @@ interface ITestService { 
    void setCharData(char input);

    void setCharData(char input);





    void setBooleanData(boolean input);

    void setBooleanData(boolean input);



    void setService(ITestService service);

}
 
}

libs/binder/tests/parcel_fuzzer/test_fuzzer/TestServiceFuzzer.cpp

+77 −10
Original line number Original line Diff line number Diff line
@@ -17,35 +17,102 @@ 
#include <BnTestService.h>

#include <BnTestService.h>

#include <fuzzbinder/libbinder_driver.h>

#include <fuzzbinder/libbinder_driver.h>





#include <binder/IPCThreadState.h>

#include <log/log.h>

#include <log/log.h>





using android::fuzzService;

using android::sp;

using android::binder::Status;

using android::binder::Status;





namespace android {

namespace android {



enum class CrashType {

    NONE,

    ON_PLAIN,

    ON_BINDER,

    ON_KNOWN_UID,

};



// This service is to verify that fuzzService is functioning properly

// This service is to verify that fuzzService is functioning properly

class TestService : public BnTestService {

class TestService : public BnTestService {

public:

public:

    Status setIntData(int /*input*/) {

    TestService(CrashType crash) : mCrash(crash) {}

        LOG_ALWAYS_FATAL("Expected crash in setIntData");



    void onData() {

        switch (mCrash) {

            case CrashType::ON_PLAIN: {

                LOG_ALWAYS_FATAL("Expected crash, PLAIN.");

                break;

            }

            case CrashType::ON_KNOWN_UID: {

                if (IPCThreadState::self()->getCallingUid() == getuid()) {

                    LOG_ALWAYS_FATAL("Expected crash, KNOWN_UID.");

                }

                break;

            }

            default:

                break;

        }

    }



    Status setIntData(int /*input*/) override {

        onData();

        return Status::ok();

        return Status::ok();

    }

    }





    Status setCharData(char16_t /*input*/) {

    Status setCharData(char16_t /*input*/) override {

        LOG_ALWAYS_FATAL("Expected crash in setCharData");

        onData();

        return Status::ok();

        return Status::ok();

    }

    }





    Status setBooleanData(bool /*input*/) {

    Status setBooleanData(bool /*input*/) override {

        LOG_ALWAYS_FATAL("Expected crash in setBooleanData");

        onData();

        return Status::ok();

    }



    Status setService(const sp<ITestService>& service) override {

        onData();

        if (mCrash == CrashType::ON_BINDER && service != nullptr) {

            LOG_ALWAYS_FATAL("Expected crash, BINDER.");

        }

        return Status::ok();

        return Status::ok();

    }

    }



private:

    CrashType mCrash;

};

};

} // namespace android



CrashType gCrashType = CrashType::NONE;



extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv) {

    if (*argc < 2) {

        printf("You must specify at least one argument\n");

        exit(0); // success because this is a crash test

    }



    std::string arg = std::string((*argv)[1]);



    // ignore first argument, because we consume it

    (*argv)[1] = (*argv[0]);

    (*argc)--;

    (*argv)++;



    if (arg == "PLAIN") {

        gCrashType = CrashType::ON_PLAIN;

    } else if (arg == "KNOWN_UID") {

        gCrashType = CrashType::ON_KNOWN_UID;

    } else if (arg == "BINDER") {

        gCrashType = CrashType::ON_BINDER;

    } else {

        printf("INVALID ARG\n");

        exit(0); // success because this is a crash test

    }



    return 0;

}





extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {

extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {

    auto service = sp<android::TestService>::make();

    auto service = sp<TestService>::make(gCrashType);

    fuzzService(service, FuzzedDataProvider(data, size));

    fuzzService(service, FuzzedDataProvider(data, size));

    return 0;

    return 0;

}

}



} // namespace android

libs/binder/tests/parcel_fuzzer/test_fuzzer/run_fuzz_service_test.sh

100644 → 100755
+13 −11
Original line number Original line Diff line number Diff line
@@ -27,12 +27,13 @@ then 
    exit 1

    exit 1

fi

fi





echo "INFO: Running fuzzer : test_service_fuzzer_should_crash"

for CRASH_TYPE in PLAIN KNOWN_UID BINDER; do

    echo "INFO: Running fuzzer : test_service_fuzzer_should_crash $CRASH_TYPE"





./test_service_fuzzer_should_crash -max_total_time=30 &>${FUZZER_OUT}

    ./test_service_fuzzer_should_crash "$CRASH_TYPE" -max_total_time=30 &>"$FUZZER_OUT"





    echo "INFO: Searching fuzzer output for expected crashes"

    echo "INFO: Searching fuzzer output for expected crashes"

if grep -q "Expected crash in set" ${FUZZER_OUT};

    if grep -q "Expected crash, $CRASH_TYPE." "$FUZZER_OUT"

    then

    then

        echo -e "${color_success}Success: Found expected crash. fuzzService test successful!"

        echo -e "${color_success}Success: Found expected crash. fuzzService test successful!"

    else

    else
@@ -40,3 +41,4 @@ else 
        echo "${color_reset}"

        echo "${color_reset}"

        exit 1

        exit 1

    fi

    fi

done