
Commit 104654ae authored by Pawan Wagh's avatar Pawan Wagh

Skipping enforceNoDataAvail in fuzzService

Adding API to skip dataAvail check and using it in
fuzzService.

Bug: 241848255
Test: m binderUnitTest &&
      out/host/linux-x86/nativetest64/binderUnitTest/binderUnitTest
Test: m servicemanager_fuzzer &&
      out/host/linux-x86/fuzz/x86_64/servicemanager_fuzzer/servicemanager_fuzzer
Change-Id: Ib43936ff4a7dca4a036d34b3e475d553f3d21be2
parent a8c0dd74
+9 −0
@@ -966,7 +966,15 @@ bool Parcel::enforceInterface(const char16_t* interface,
    }
}

void Parcel::setEnforceNoDataAvail(bool enforceNoDataAvail) {
    mEnforceNoDataAvail = enforceNoDataAvail;
}

binder::Status Parcel::enforceNoDataAvail() const {
    if (!mEnforceNoDataAvail) {
        return binder::Status::ok();
    }

    const auto n = dataAvail();
    if (n == 0) {
        return binder::Status::ok();
@@ -3077,6 +3085,7 @@ void Parcel::initState()
    mAllowFds = true;
    mDeallocZero = false;
    mOwner = nullptr;
    mEnforceNoDataAvail = true;
}

void Parcel::scanForFds() const {
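Review bot: Once `setEnforceNoDataAvail(false)` has been called, `Parcel::enforceNoDataAvail()` returns ok without ever calling `dataAvail()`, and the only place these hunks show the flag going back to `true` is `initState()`. Whether a Parcel that is reused or has its contents replaced always passes through `initState()` is not visible here, so it is worth confirming that a cleared flag cannot persist on an object that later carries real traffic. I would also put a why-comment on the early return, for example `// Check switched off through setEnforceNoDataAvail(false); intended for fuzzing only.` The bodies of `enforceNoDataAvail()` and `initState()` extend beyond the hunks shown.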
+6 −0
@@ -150,6 +150,9 @@ public:
    // Returns Status(EX_BAD_PARCELABLE) when the Parcel is not consumed.
    binder::Status enforceNoDataAvail() const;

    // This Api is used by fuzzers to skip dataAvail checks.
    void setEnforceNoDataAvail(bool enforceNoDataAvail);

    void                freeData();

    size_t              objectsCount() const;
@@ -1329,6 +1332,9 @@ private:
    // data to be overridden with zero when deallocated
    mutable bool        mDeallocZero;

    // Set this to false to skip dataAvail checks.
    bool mEnforceNoDataAvail;

    release_func        mOwner;

    size_t mReserved;
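Review bot: The comment on the new public `setEnforceNoDataAvail` declaration names its intended caller but not its contract. Because the method sits in the public section, any client of Parcel can call it, not only a fuzzer. The comment should state the default and the effect on the check declared just above it, for example `// Fuzzing only. When set to false, enforceNoDataAvail() returns ok even if unread data remains. Defaults to true.` Separately, the new `bool mEnforceNoDataAvail` is inserted between `mDeallocZero` and `mOwner`. If anything depends on Parcel's size or member offsets (the `mReserved` field suggests the layout is managed, though that is an inference), confirm the layout is unchanged on the supported ABIs.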
+4 −0
@@ -34,6 +34,8 @@ void fuzzService(const sp<IBinder>& binder, FuzzedDataProvider&& provider) {
        uint32_t code = provider.ConsumeIntegral<uint32_t>();
        uint32_t flags = provider.ConsumeIntegral<uint32_t>();
        Parcel data;
        // for increased fuzz coverage
        data.setEnforceNoDataAvail(provider.ConsumeBool());

        sp<IBinder> target = options.extraBinders.at(
                provider.ConsumeIntegralInRange<size_t>(0, options.extraBinders.size() - 1));
@@ -50,6 +52,8 @@ void fuzzService(const sp<IBinder>& binder, FuzzedDataProvider&& provider) {
        fillRandomParcel(&data, FuzzedDataProvider(subData.data(), subData.size()), &options);

        Parcel reply;
        // for increased fuzz coverage
        reply.setEnforceNoDataAvail(provider.ConsumeBool());
        (void)target->transact(code, data, &reply, flags);

        // feed back in binders and fds that are returned from the service, so that
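Review bot: The two `// for increased fuzz coverage` comments in `fuzzService` do not say why toggling the flag helps. A more useful comment on the `data` call would be `// Randomly disable the unread-data check so parcels with trailing bytes are not all rejected by enforceNoDataAvail().` For `reply`, nothing visible in this hunk reads the reply through `enforceNoDataAvail()`, so the second `provider.ConsumeBool()` may spend a byte of fuzz input without changing behaviour; either point to the reader that depends on it or drop the call. Both new `ConsumeBool()` calls also come before later `provider` reads, so existing corpus entries will presumably decode differently after this change. `fuzzService` begins and ends outside the hunks shown.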