Loading PREUPLOAD.cfg +1 −0 Original line number Diff line number Diff line Loading @@ -8,6 +8,7 @@ clang_format = --commit ${PREUPLOAD_COMMIT} --style file --extensions c,h,cc,cpp include/input/ libs/binder/fuzzer/ libs/binder/ndk/ libs/binder/tests/fuzzers/ libs/binderthreadstate/ libs/graphicsenv/ libs/gui/ Loading libs/binder/tests/fuzzers/Android.bp 0 → 100644 +66 −0 Original line number Diff line number Diff line // // Copyright (C) 2020 The Android Open Source Project // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. // cc_defaults { name: "binder_fuzz_defaults", host_supported: true, cflags: [ "-Wall", "-Werror", ], shared_libs: [ "libbinder", "libutils", "libbase", ], } cc_fuzz { name: "binder_binderFuzz", defaults: ["binder_fuzz_defaults"], srcs: ["BinderFuzz.cpp"], } cc_fuzz { name: "binder_bpBinderFuzz", defaults: ["binder_fuzz_defaults"], host_supported: false, srcs: ["BpBinderFuzz.cpp"], } cc_fuzz { name: "binder_persistableBundleFuzz", defaults: ["binder_fuzz_defaults"], srcs: ["PersistableBundleFuzz.cpp"], } cc_fuzz { name: "binder_stabilityFuzz", defaults: ["binder_fuzz_defaults"], srcs: ["StabilityFuzz.cpp"], } cc_fuzz { name: "binder_statusFuzz", defaults: ["binder_fuzz_defaults"], srcs: ["StatusFuzz.cpp"], } cc_fuzz { name: "binder_textOutputFuzz", defaults: ["binder_fuzz_defaults"], srcs: ["TextOutputFuzz.cpp"], } libs/binder/tests/fuzzers/BinderFuzz.cpp 0 → 100644 +46 −0 Original line number Diff line number Diff line /* * Copyright (C) 2020 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ #include <BinderFuzzFunctions.h> #include <IBinderFuzzFunctions.h> #include <commonFuzzHelpers.h> #include <fuzzer/FuzzedDataProvider.h> #include <binder/Binder.h> namespace android { // Fuzzer entry point. extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { FuzzedDataProvider fdp(data, size); sp<BBinder> bbinder = new BBinder(); // To prevent memory from running out from calling too many add item operations. const uint32_t MAX_RUNS = 2048; uint32_t count = 0; while (fdp.remaining_bytes() > 0 && count++ < MAX_RUNS) { if (fdp.ConsumeBool()) { callArbitraryFunction(&fdp, gBBinderOperations, bbinder); } else { callArbitraryFunction(&fdp, gIBinderOperations, reinterpret_cast<IBinder *>(bbinder.get())); } } return 0; } } // namespace android libs/binder/tests/fuzzers/BinderFuzzFunctions.h 0 → 100644 +70 −0 Original line number Diff line number Diff line /* * Copyright 2020 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ #pragma once #include <IBinderFuzzFunctions.h> #include <fuzzer/FuzzedDataProvider.h> #include <binder/Binder.h> #include <binder/IBinder.h> #include <binder/Parcel.h> #include <stdint.h> #include <atomic> namespace android { /* This is a vector of lambda functions the fuzzer will pull from. * This is done so new functions can be added to the fuzzer easily * without requiring modifications to the main fuzzer file. This also * allows multiple fuzzers to include this file, if functionality is needed. */ static const std::vector<std::function<void(FuzzedDataProvider*, const sp<BBinder>&)>> gBBinderOperations = {[](FuzzedDataProvider*, const sp<BBinder>& bbinder) -> void { bbinder->isRequestingSid(); }, [](FuzzedDataProvider* fdp, const sp<BBinder>& bbinder) -> void { bool request_sid = fdp->ConsumeBool(); bbinder->setRequestingSid(request_sid); }, [](FuzzedDataProvider*, const sp<BBinder>& bbinder) -> void { bbinder->getExtension(); }, [](FuzzedDataProvider*, const sp<BBinder>& bbinder) -> void { static IBinder* extension = nullptr; bbinder->setExtension(extension); }, [](FuzzedDataProvider* fdp, const sp<BBinder>& bbinder) -> void { int priority; int policy = fdp->ConsumeIntegralInRange<int>(0, 2); if (policy == 0) { priority = fdp->ConsumeIntegralInRange<int>(-20, 19); } else { priority = fdp->ConsumeIntegralInRange<int>(1, 99); } bbinder->setMinSchedulerPolicy(policy, priority); }, [](FuzzedDataProvider*, const sp<BBinder>& bbinder) -> void { bbinder->getMinSchedulerPolicy(); }, [](FuzzedDataProvider*, const sp<BBinder>& bbinder) -> void { bbinder->getMinSchedulerPriority(); }, [](FuzzedDataProvider*, const sp<BBinder>& bbinder) -> void { bbinder->getDebugPid(); }}; } // namespace android libs/binder/tests/fuzzers/BpBinderFuzz.cpp 0 → 100644 +54 −0 Original line number Diff line number Diff line /* * Copyright (C) 2020 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ #include <BpBinderFuzzFunctions.h> #include <IBinderFuzzFunctions.h> #include <commonFuzzHelpers.h> #include <fuzzer/FuzzedDataProvider.h> #include <binder/BpBinder.h> #include <binder/IServiceManager.h> namespace android { // Fuzzer entry point. extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { FuzzedDataProvider fdp(data, size); // TODO: In the future it would be more effective to fork a new process and then pass a BBinder // to your process. Right now this is not implemented because it would involved fuzzing IPC on a // forked process, and libfuzzer will not be able to handle code coverage. This would lead to // crashes that are not easy to diagnose. int32_t handle = fdp.ConsumeIntegralInRange<int32_t>(0, 1024); sp<BpBinder> bpbinder = BpBinder::create(handle); if (bpbinder == nullptr) return 0; // To prevent memory from running out from calling too many add item operations. const uint32_t MAX_RUNS = 2048; uint32_t count = 0; sp<IBinder::DeathRecipient> s_recipient = new FuzzDeathRecipient(); while (fdp.remaining_bytes() > 0 && count++ < MAX_RUNS) { if (fdp.ConsumeBool()) { callArbitraryFunction(&fdp, gBPBinderOperations, bpbinder, s_recipient); } else { callArbitraryFunction(&fdp, gIBinderOperations, bpbinder.get()); } } return 0; } } // namespace android Loading
PREUPLOAD.cfg +1 −0 Original line number Diff line number Diff line Loading @@ -8,6 +8,7 @@ clang_format = --commit ${PREUPLOAD_COMMIT} --style file --extensions c,h,cc,cpp include/input/ libs/binder/fuzzer/ libs/binder/ndk/ libs/binder/tests/fuzzers/ libs/binderthreadstate/ libs/graphicsenv/ libs/gui/ Loading
libs/binder/tests/fuzzers/Android.bp 0 → 100644 +66 −0 Original line number Diff line number Diff line // // Copyright (C) 2020 The Android Open Source Project // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. // cc_defaults { name: "binder_fuzz_defaults", host_supported: true, cflags: [ "-Wall", "-Werror", ], shared_libs: [ "libbinder", "libutils", "libbase", ], } cc_fuzz { name: "binder_binderFuzz", defaults: ["binder_fuzz_defaults"], srcs: ["BinderFuzz.cpp"], } cc_fuzz { name: "binder_bpBinderFuzz", defaults: ["binder_fuzz_defaults"], host_supported: false, srcs: ["BpBinderFuzz.cpp"], } cc_fuzz { name: "binder_persistableBundleFuzz", defaults: ["binder_fuzz_defaults"], srcs: ["PersistableBundleFuzz.cpp"], } cc_fuzz { name: "binder_stabilityFuzz", defaults: ["binder_fuzz_defaults"], srcs: ["StabilityFuzz.cpp"], } cc_fuzz { name: "binder_statusFuzz", defaults: ["binder_fuzz_defaults"], srcs: ["StatusFuzz.cpp"], } cc_fuzz { name: "binder_textOutputFuzz", defaults: ["binder_fuzz_defaults"], srcs: ["TextOutputFuzz.cpp"], }
libs/binder/tests/fuzzers/BinderFuzz.cpp 0 → 100644 +46 −0 Original line number Diff line number Diff line /* * Copyright (C) 2020 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ #include <BinderFuzzFunctions.h> #include <IBinderFuzzFunctions.h> #include <commonFuzzHelpers.h> #include <fuzzer/FuzzedDataProvider.h> #include <binder/Binder.h> namespace android { // Fuzzer entry point. extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { FuzzedDataProvider fdp(data, size); sp<BBinder> bbinder = new BBinder(); // To prevent memory from running out from calling too many add item operations. const uint32_t MAX_RUNS = 2048; uint32_t count = 0; while (fdp.remaining_bytes() > 0 && count++ < MAX_RUNS) { if (fdp.ConsumeBool()) { callArbitraryFunction(&fdp, gBBinderOperations, bbinder); } else { callArbitraryFunction(&fdp, gIBinderOperations, reinterpret_cast<IBinder *>(bbinder.get())); } } return 0; } } // namespace android
libs/binder/tests/fuzzers/BinderFuzzFunctions.h 0 → 100644 +70 −0 Original line number Diff line number Diff line /* * Copyright 2020 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ #pragma once #include <IBinderFuzzFunctions.h> #include <fuzzer/FuzzedDataProvider.h> #include <binder/Binder.h> #include <binder/IBinder.h> #include <binder/Parcel.h> #include <stdint.h> #include <atomic> namespace android { /* This is a vector of lambda functions the fuzzer will pull from. * This is done so new functions can be added to the fuzzer easily * without requiring modifications to the main fuzzer file. This also * allows multiple fuzzers to include this file, if functionality is needed. */ static const std::vector<std::function<void(FuzzedDataProvider*, const sp<BBinder>&)>> gBBinderOperations = {[](FuzzedDataProvider*, const sp<BBinder>& bbinder) -> void { bbinder->isRequestingSid(); }, [](FuzzedDataProvider* fdp, const sp<BBinder>& bbinder) -> void { bool request_sid = fdp->ConsumeBool(); bbinder->setRequestingSid(request_sid); }, [](FuzzedDataProvider*, const sp<BBinder>& bbinder) -> void { bbinder->getExtension(); }, [](FuzzedDataProvider*, const sp<BBinder>& bbinder) -> void { static IBinder* extension = nullptr; bbinder->setExtension(extension); }, [](FuzzedDataProvider* fdp, const sp<BBinder>& bbinder) -> void { int priority; int policy = fdp->ConsumeIntegralInRange<int>(0, 2); if (policy == 0) { priority = fdp->ConsumeIntegralInRange<int>(-20, 19); } else { priority = fdp->ConsumeIntegralInRange<int>(1, 99); } bbinder->setMinSchedulerPolicy(policy, priority); }, [](FuzzedDataProvider*, const sp<BBinder>& bbinder) -> void { bbinder->getMinSchedulerPolicy(); }, [](FuzzedDataProvider*, const sp<BBinder>& bbinder) -> void { bbinder->getMinSchedulerPriority(); }, [](FuzzedDataProvider*, const sp<BBinder>& bbinder) -> void { bbinder->getDebugPid(); }}; } // namespace android
libs/binder/tests/fuzzers/BpBinderFuzz.cpp 0 → 100644 +54 −0 Original line number Diff line number Diff line /* * Copyright (C) 2020 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ #include <BpBinderFuzzFunctions.h> #include <IBinderFuzzFunctions.h> #include <commonFuzzHelpers.h> #include <fuzzer/FuzzedDataProvider.h> #include <binder/BpBinder.h> #include <binder/IServiceManager.h> namespace android { // Fuzzer entry point. extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { FuzzedDataProvider fdp(data, size); // TODO: In the future it would be more effective to fork a new process and then pass a BBinder // to your process. Right now this is not implemented because it would involved fuzzing IPC on a // forked process, and libfuzzer will not be able to handle code coverage. This would lead to // crashes that are not easy to diagnose. int32_t handle = fdp.ConsumeIntegralInRange<int32_t>(0, 1024); sp<BpBinder> bpbinder = BpBinder::create(handle); if (bpbinder == nullptr) return 0; // To prevent memory from running out from calling too many add item operations. const uint32_t MAX_RUNS = 2048; uint32_t count = 0; sp<IBinder::DeathRecipient> s_recipient = new FuzzDeathRecipient(); while (fdp.remaining_bytes() > 0 && count++ < MAX_RUNS) { if (fdp.ConsumeBool()) { callArbitraryFunction(&fdp, gBPBinderOperations, bpbinder, s_recipient); } else { callArbitraryFunction(&fdp, gIBinderOperations, bpbinder.get()); } } return 0; } } // namespace android
