Merge "Adding multiple fuzzers for libbinder." am: 88b26359 am: a10d4327...

               include/powermanager/

               libs/binder/fuzzer/

               libs/binder/ndk/

               libs/binder/tests/fuzzers/

               libs/binderthreadstate/

               libs/graphicsenv/

               libs/gui/

//

// Copyright (C) 2020 The Android Open Source Project

//

// Licensed under the Apache License, Version 2.0 (the "License");

// you may not use this file except in compliance with the License.

// You may obtain a copy of the License at

//

//      http://www.apache.org/licenses/LICENSE-2.0

//

// Unless required by applicable law or agreed to in writing, software

// distributed under the License is distributed on an "AS IS" BASIS,

// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

// See the License for the specific language governing permissions and

// limitations under the License.

//

cc_defaults {

    name: "binder_fuzz_defaults",

    host_supported: true,

    cflags: [

        "-Wall",

        "-Werror",

    ],

    shared_libs: [

        "libbinder",

        "libutils",

        "libbase",

    ],

}

cc_fuzz {

    name: "binder_binderFuzz",

    defaults: ["binder_fuzz_defaults"],

    srcs: ["BinderFuzz.cpp"],

}

cc_fuzz {

    name: "binder_bpBinderFuzz",

    defaults: ["binder_fuzz_defaults"],

    host_supported: false,

    srcs: ["BpBinderFuzz.cpp"],

}

cc_fuzz {

    name: "binder_persistableBundleFuzz",

    defaults: ["binder_fuzz_defaults"],

    srcs: ["PersistableBundleFuzz.cpp"],

}

cc_fuzz {

    name: "binder_stabilityFuzz",

    defaults: ["binder_fuzz_defaults"],

    srcs: ["StabilityFuzz.cpp"],

}

cc_fuzz {

    name: "binder_statusFuzz",

    defaults: ["binder_fuzz_defaults"],

    srcs: ["StatusFuzz.cpp"],

}

cc_fuzz {

    name: "binder_textOutputFuzz",

    defaults: ["binder_fuzz_defaults"],

    srcs: ["TextOutputFuzz.cpp"],

}

/*

 * Copyright (C) 2020 The Android Open Source Project

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at

 *

 *      http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */

#include <BinderFuzzFunctions.h>

#include <IBinderFuzzFunctions.h>

#include <commonFuzzHelpers.h>

#include <fuzzer/FuzzedDataProvider.h>

#include <binder/Binder.h>

namespace android {

// Fuzzer entry point.

extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {

    FuzzedDataProvider fdp(data, size);

    sp<BBinder> bbinder = new BBinder();

    // To prevent memory from running out from calling too many add item operations.

    const uint32_t MAX_RUNS = 2048;

    uint32_t count = 0;

    while (fdp.remaining_bytes() > 0 && count++ < MAX_RUNS) {

        if (fdp.ConsumeBool()) {

            callArbitraryFunction(&fdp, gBBinderOperations, bbinder);

        } else {

            callArbitraryFunction(&fdp, gIBinderOperations,

                                  reinterpret_cast<IBinder *>(bbinder.get()));

        }

    }

    return 0;

}

} // namespace android

/*

 * Copyright 2020 The Android Open Source Project

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at

 *

 *      http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */

#pragma once

#include <IBinderFuzzFunctions.h>

#include <fuzzer/FuzzedDataProvider.h>

#include <binder/Binder.h>

#include <binder/IBinder.h>

#include <binder/Parcel.h>

#include <stdint.h>

#include <atomic>

namespace android {

/* This is a vector of lambda functions the fuzzer will pull from.

 *  This is done so new functions can be added to the fuzzer easily

 *  without requiring modifications to the main fuzzer file. This also

 *  allows multiple fuzzers to include this file, if functionality is needed.

 */

static const std::vector<std::function<void(FuzzedDataProvider*, const sp<BBinder>&)>>

        gBBinderOperations = {[](FuzzedDataProvider*, const sp<BBinder>& bbinder) -> void {

                                  bbinder->isRequestingSid();

                              },

                              [](FuzzedDataProvider* fdp, const sp<BBinder>& bbinder) -> void {

                                  bool request_sid = fdp->ConsumeBool();

                                  bbinder->setRequestingSid(request_sid);

                              },

                              [](FuzzedDataProvider*, const sp<BBinder>& bbinder) -> void {

                                  bbinder->getExtension();

                              },

                              [](FuzzedDataProvider*, const sp<BBinder>& bbinder) -> void {

                                  static IBinder* extension = nullptr;

                                  bbinder->setExtension(extension);

                              },

                              [](FuzzedDataProvider* fdp, const sp<BBinder>& bbinder) -> void {

                                  int priority;

                                  int policy = fdp->ConsumeIntegralInRange<int>(0, 2);

                                  if (policy == 0) {

                                      priority = fdp->ConsumeIntegralInRange<int>(-20, 19);

                                  } else {

                                      priority = fdp->ConsumeIntegralInRange<int>(1, 99);

                                  }

                                  bbinder->setMinSchedulerPolicy(policy, priority);

                              },

                              [](FuzzedDataProvider*, const sp<BBinder>& bbinder) -> void {

                                  bbinder->getMinSchedulerPolicy();

                              },

                              [](FuzzedDataProvider*, const sp<BBinder>& bbinder) -> void {

                                  bbinder->getMinSchedulerPriority();

                              },

                              [](FuzzedDataProvider*, const sp<BBinder>& bbinder) -> void {

                                  bbinder->getDebugPid();

                              }};

} // namespace android

/*

 * Copyright (C) 2020 The Android Open Source Project

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at

 *

 *      http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */

#include <BpBinderFuzzFunctions.h>

#include <IBinderFuzzFunctions.h>

#include <commonFuzzHelpers.h>

#include <fuzzer/FuzzedDataProvider.h>

#include <binder/BpBinder.h>

#include <binder/IServiceManager.h>

namespace android {

// Fuzzer entry point.

extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {

    FuzzedDataProvider fdp(data, size);

    // TODO: In the future it would be more effective to fork a new process and then pass a BBinder

    // to your process. Right now this is not implemented because it would involved fuzzing IPC on a

    // forked process, and libfuzzer will not be able to handle code coverage. This would lead to

    // crashes that are not easy to diagnose.

    int32_t handle = fdp.ConsumeIntegralInRange<int32_t>(0, 1024);

    sp<BpBinder> bpbinder = BpBinder::create(handle);

    if (bpbinder == nullptr) return 0;

    // To prevent memory from running out from calling too many add item operations.

    const uint32_t MAX_RUNS = 2048;

    uint32_t count = 0;

    sp<IBinder::DeathRecipient> s_recipient = new FuzzDeathRecipient();

    while (fdp.remaining_bytes() > 0 && count++ < MAX_RUNS) {

        if (fdp.ConsumeBool()) {

            callArbitraryFunction(&fdp, gBPBinderOperations, bpbinder, s_recipient);

        } else {

            callArbitraryFunction(&fdp, gIBinderOperations, bpbinder.get());

        }

    }

    return 0;

}

} // namespace android