
Commit 85c87b13 authored by Pawan Wagh's avatar Pawan Wagh

Fuzz java parcel surfaces

Adds a Jazzer fuzzer for the Java backend of Parcel.
Test: m java_binder_parcel_fuzzer && ./jazzer_helper.sh --fuzz_target
      java_binder_parcel_fuzzer --target_class parcelfuzzer.ParcelFuzzer
Bug: 232439254

Change-Id: I6ebebb810d707d23a6e4ad9dab1fb51a80f96f69
parent e5a82fc9
+1 −0
@@ -432,6 +432,7 @@ filegroup {
        "android/os/IInterface.java",
        "android/os/Binder.java",
        "android/os/IBinder.java",
        "android/os/Parcelable.java",
    ],
}

+4 −4
@@ -34,12 +34,12 @@ public class FuzzBinder {
        fuzzServiceInternal(binder, data);
    }

    // This API creates random parcel object
    public static void createRandomParcel(Parcel parcel, byte[] data) {
        getRandomParcel(parcel, data);
    // This API fills parcel object
    public static void fillRandomParcel(Parcel parcel, byte[] data) {
        fillParcelInternal(parcel, data);
    }

    private static native void fuzzServiceInternal(IBinder binder, byte[] data);
    private static native void getRandomParcel(Parcel parcel, byte[] data);
    private static native void fillParcelInternal(Parcel parcel, byte[] data);
    private static native int registerNatives();
}
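Review bot: `fillRandomParcel` hands `parcel` and `data` straight to the native `fillParcelInternal` with no argument check, so a null `data` is not rejected at the Java level but reaches `GetArrayLength` on the JNI side, where it is a CheckJNI abort or undefined behavior rather than the `NullPointerException` a Java caller would expect. Guard at the boundary before the native call: `Objects.requireNonNull(parcel, "parcel"); Objects.requireNonNull(data, "data");` (needs `import java.util.Objects;`). The one-line comment could also state the contract; suggest replacing it with `/** Fills {@code parcel} in place from fuzzer-provided {@code data}; the bytes are fuzzer-controlled by design, so this is for fuzz harnesses only. */`. The enclosing class `FuzzBinder` and the `fuzzService` method whose tail opens this hunk both start outside it.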
+1 −1
@@ -38,7 +38,7 @@ JNIEXPORT jint JNICALL Java_randomparcel_FuzzBinder_registerNatives(JNIEnv* env)
    return registerFrameworkNatives(env);
}

JNIEXPORT void JNICALL Java_randomparcel_FuzzBinder_getRandomParcel(JNIEnv *env, jobject thiz, jobject jparcel, jbyteArray fuzzData) {
JNIEXPORT void JNICALL Java_randomparcel_FuzzBinder_fillParcelInternal(JNIEnv *env, jobject thiz, jobject jparcel, jbyteArray fuzzData) {
    size_t len = static_cast<size_t>(env->GetArrayLength(fuzzData));
    uint8_t data[len];
    env->GetByteArrayRegion(fuzzData, 0, len, reinterpret_cast<jbyte*>(data));
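Review bot: `uint8_t data[len];` in the renamed `fillParcelInternal` is a variable-length stack array sized by the fuzz input, so a large `fuzzData` array can exhaust the stack before any Parcel code runs, turning an oversized input into a crash of the harness itself rather than a finding; Jazzer's `-max_len` bounds it in practice, but that is a harness default, not a contract of this function. Use heap storage instead: `std::vector<uint8_t> data(len);` and `env->GetByteArrayRegion(fuzzData, 0, static_cast<jsize>(len), reinterpret_cast<jbyte*>(data.data()));` (adding `#include <vector>` if the file does not already have it), which also makes the `size_t`-to-`jsize` narrowing explicit. Since the Java declaration is `static native`, the second JNI parameter is the `FuzzBinder` class object, so `jclass clazz` names it more accurately than `jobject thiz`, though `jclass` is a `_jobject` subtype and both compile. The body of `fillParcelInternal` continues past the end of this hunk.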
+1 −1
@@ -24,5 +24,5 @@ extern "C" {
    // Function from AndroidRuntime
    jint registerFrameworkNatives(JNIEnv* env);

    JNIEXPORT void JNICALL Java_randomparcel_FuzzBinder_getRandomParcel(JNIEnv *env, jobject thiz, jobject parcel, jbyteArray fuzzData);
    JNIEXPORT void JNICALL Java_randomparcel_FuzzBinder_fillParcelInternal(JNIEnv *env, jobject thiz, jobject parcel, jbyteArray fuzzData);
}
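--- /dev/null
+++ b/Android.bp
@@ -0,0 +1,40 @@
+package {
+    default_applicable_licenses: ["frameworks_base_license"],
+}
+
+java_fuzz {
+    name: "java_binder_parcel_fuzzer",
+    srcs: [
+        "ParcelFuzzer.java",
+        "ReadUtils.java",
+        "FuzzUtils.java",
+        "FuzzOperation.java",
+        "ReadOperation.java",
+        ":framework-core-sources-for-fuzzers",
+    ],
+    static_libs: [
+        "jazzer",
+        "random_parcel_lib",
+        "binderReadParcelIface-java",
+    ],
+    jni_libs: [
+        "librandom_parcel_jni",
+        "libc++",
+        "libandroid_runtime",
+    ],
+    libs: [
+        "framework",
+        "unsupportedappusage",
+        "ext",
+        "framework-res",
+    ],
+    native_bridge_supported: true,
+    fuzz_config: {
+        cc: [
+            "smoreland@google.com",
+            "waghpawan@google.com",
+        ],
+        // Adds bugs to hotlist "AIDL fuzzers bugs" on buganizer
+        hotlists: ["4637097"],
+    },
+}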
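Review bot: The new `java_fuzz` module carries no comment saying what it fuzzes or how it is run, and the only rationale in the file is the one on `hotlists`; the run command currently lives only in the commit message. Suggest two lines above `java_fuzz {`: `// Jazzer fuzzer for the Java Parcel backend (android.os.Parcel via librandom_parcel_jni).` and `// Run: ./jazzer_helper.sh --fuzz_target java_binder_parcel_fuzzer --target_class parcelfuzzer.ParcelFuzzer`. The five local `.java` sources listed in `srcs` do not appear in the visible part of this page; if they are not part of this commit the module will not build, though the page may simply be truncated.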