
Commit 06e367be authored by Steven Moreland's avatar Steven Moreland

binder_parcel_fuzzer: remove rlimit

Originally I was going for a model where too big of allocations are
actually sent to malloc and they fail, but this wasn't really a good
plan:
- allocations which are near the maximum can cause arbitrary threads
  to fail even if they allocate just one byte
- Android doesn't use C++ exceptions and the libbinder API freezes
  its use of std::vector. I was looking at forking libc++ to fix
  that, but it's overkill
- rlimit doesn't play well with crash_dump* in Android or with the
  fuzzing infrastructure (prevents crash stack from happening)

Instead, going with this model of only making "reasonable" allocations
to begin with (reject too-big allocations without letting them fail).

This is probably not the "best way" to do things or the best way to
design a programming language environment (C++), but it works!

Bug: 131868573
Test: binder_parcel_fuzzer for a few minutes
Change-Id: Ie487b34e3277edecbf4d913dc1a42a3e82b5cd42
parent d2e8a8ea
+0 −20
@@ -95,25 +95,7 @@ void doFuzz(const char* backend, const std::vector<ParcelRead<P>>& reads,
    }
}

size_t getHardMemoryLimit() {
    struct rlimit limit;
    CHECK(0 == getrlimit(RLIMIT_AS, &limit)) << errno;
    return limit.rlim_max;
}

void setMemoryLimit(size_t cur, size_t max) {
    const struct rlimit kLimit = {
       .rlim_cur = cur,
       .rlim_max = max,
    };
    CHECK(0 == setrlimit(RLIMIT_AS, &kLimit)) << errno;
}

extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    static constexpr size_t kMemLimit = 1 * 1024 * 1024;
    size_t hardLimit = getHardMemoryLimit();
    setMemoryLimit(std::min(kMemLimit, hardLimit), hardLimit);

    if (size <= 1) return 0;  // no use

    // avoid timeouts, see b/142617274, b/142473153
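Review bot: nothing in this hunk replaces the removed 1 MiB `RLIMIT_AS` cap (`kMemLimit`, `getHardMemoryLimit()`, `setMemoryLimit()`), so the "reject too-big allocations without letting them fail" model the commit message describes must already live in the `ParcelRead` handlers or arrive in a separate change; say which in the message, because as committed the fuzzer has no in-process memory bound and depends solely on the fuzzing engine's own RSS limit. Also, with `getrlimit`/`setrlimit` gone, check whether `<sys/resource.h>` and the `errno`-reporting `CHECK` pattern are still used anywhere else in the file and drop the include if they are not.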
@@ -138,7 +120,5 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {

    provider.PickValueInArray(fuzzBackend)(std::move(provider));

    setMemoryLimit(hardLimit, hardLimit);

    return 0;
}
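Review bot: the removed `setMemoryLimit(hardLimit, hardLimit);` only ran when `provider.PickValueInArray(fuzzBackend)(...)` returned normally, so any `CHECK` failure inside a backend left the 1 MiB cap in force while the crash handler ran; that asymmetry is the crash_dump problem the commit message mentions, and removing the restore together with the setup in the first hunk is the consistent fix. Since `hardLimit` is no longer declared in this function, confirm nothing below the shown context still references it.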