Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 6065c057 authored by Steven Moreland's avatar Steven Moreland
Browse files

libbinder fuzzer: print data from inplace reads 

To make sure there are no OOB reads for these two cases.

Bug: 131861045
Test: binder_parcel_fuzzer
Change-Id: Id58fc8e8e72c6fc1c88734794382c1138ffd36f6
parent 6d81393c

libs/binder/fuzzer/binder.cpp

+3 −2
Original line number Diff line number Diff line
@@ -125,7 +125,7 @@ std::vector<ParcelRead<::android::Parcel>> BINDER_PARCEL_READ_FUNCTIONS { 
    [] (const ::android::Parcel& p, uint8_t len) {

        FUZZ_LOG() << "about to readInplace";

        const void* r = p.readInplace(len);

        FUZZ_LOG() << "readInplace done. pointer: " << r;

        FUZZ_LOG() << "readInplace done. pointer: " << r << " bytes: " << hexString(r, len);

    },

    PARCEL_READ_OPT_STATUS(int32_t, readInt32),

    PARCEL_READ_OPT_STATUS(uint32_t, readUint32),
@@ -152,7 +152,8 @@ std::vector<ParcelRead<::android::Parcel>> BINDER_PARCEL_READ_FUNCTIONS { 
        FUZZ_LOG() << "about to readString16Inplace";

        size_t outLen = 0;

        const char16_t* str = p.readString16Inplace(&outLen);

        FUZZ_LOG() << "readString16Inplace: " << (str ? "non-null" : "null") << " size: " << outLen;

        FUZZ_LOG() << "readString16Inplace: " << hexString(str, sizeof(char16_t) * outLen)

                   << " size: " << outLen;

    },

    PARCEL_READ_WITH_STATUS(android::sp<android::IBinder>, readStrongBinder),

    PARCEL_READ_WITH_STATUS(android::sp<android::IBinder>, readNullableStrongBinder),

libs/binder/fuzzer/util.cpp

+9 −3
Original line number Diff line number Diff line
@@ -21,11 +21,17 @@ 
#include <iomanip>

#include <sstream>



std::string hexString(const std::vector<uint8_t>& hash) {

std::string hexString(const void* bytes, size_t len) {

    if (bytes == nullptr) return "<null>";



    std::ostringstream s;

    s << std::hex << std::setfill('0');

    for (uint8_t i : hash) {

        s << std::setw(2) << static_cast<int>(i);

    for (size_t i = 0; i < len; i++) {

        s << std::setw(2) << static_cast<int>(

            static_cast<const uint8_t*>(bytes)[i]);

    }

    return s.str();

}

std::string hexString(const std::vector<uint8_t>& bytes) {

    return hexString(bytes.data(), bytes.size());

}

libs/binder/fuzzer/util.h

+2 −1
Original line number Diff line number Diff line
@@ -45,4 +45,5 @@ private: 
    std::stringstream mOs;

};



std::string hexString(const std::vector<uint8_t>& hash);
 
std::string hexString(const void* bytes, size_t len);

std::string hexString(const std::vector<uint8_t>& bytes);