Commit 550a3b5d authored by Steven Moreland

libbinder fuzzer driver: uid corpus continuity

I was looking at the coverage for some of our fuzzers, and I
noticed that some paths were only taken with specific UIDs. This
change allows an easily discoverable single bit flip to try a
UID which is guaranteed to exist.

Bug: N/A
Test: run servicemanager_fuzzer for a few minutes
Change-Id: Ib0d8c608ec1fc609fa69f1f5b76e8dc25d548f38
parent 2e2a114d
+5 −1
@@ -33,9 +33,13 @@ void fuzzService(const std::vector<sp<IBinder>>& binders, FuzzedDataProvider&& p
            .extraFds = {},
    };

    // Always take so that a perturbation of just the one ConsumeBool byte will always
    // take the same path, but with a different UID. Without this, the fuzzer needs to
    // guess both the change in value and the shift at the same time.
    int64_t maybeSetUid = provider.ConsumeIntegral<int64_t>();
    if (provider.ConsumeBool()) {
        // set calling uid
        IPCThreadState::self()->restoreCallingIdentity(provider.ConsumeIntegral<int64_t>());
        IPCThreadState::self()->restoreCallingIdentity(maybeSetUid);
    }

    while (provider.remaining_bytes() > 0) {
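Review bot: the commit message says the single bit flip will "try a UID which is guaranteed to exist", but in this hunk `maybeSetUid` is drawn straight from `provider.ConsumeIntegral<int64_t>()`, so the value passed to `restoreCallingIdentity(maybeSetUid)` is an arbitrary 64-bit input with nothing constraining it to an identity that exists; either narrow the message to what the code actually does (consume the value before `ConsumeBool()` so that flipping the bool re-runs the same path under a different identity without shifting the rest of the input) or select the value from a fixed set of known identities. Two smaller points on the same lines: the new comment's opening "Always take so that" reads better as "Always consume the value so that", which names the thing being consumed unconditionally, and the surviving "// set calling uid" comment could say that the identity is restored from fuzzer-chosen bytes, since the old inline `ConsumeIntegral` call that made that obvious is gone.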