
Commit 6724137c authored by Treehugger Robot's avatar Treehugger Robot Committed by Automerger Merge Worker

Merge "Add meta transactions in fuzzService" into main am: 6dfc509a

parents fbc03c98 6dfc509a
+3 −0
@@ -109,6 +109,9 @@ cc_library_static {
        "libcutils",
        "libutils",
    ],
    header_libs: [
        "libaidl_transactions",
    ],
    local_include_dirs: ["include_random_parcel"],
    export_include_dirs: ["include_random_parcel"],
}
+25 −10
@@ -13,6 +13,8 @@
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#include <aidl/transaction_ids.h>
#include <fuzzbinder/libbinder_driver.h>

#include <fuzzbinder/random_parcel.h>
@@ -31,6 +33,28 @@ void fuzzService(const sp<IBinder>& binder, FuzzedDataProvider&& provider) {
    fuzzService(std::vector<sp<IBinder>>{binder}, std::move(provider));
}

uint32_t getCode(FuzzedDataProvider& provider) {
    if (provider.ConsumeBool()) {
        return provider.ConsumeIntegral<uint32_t>();
    }

    // Most of the AIDL services will have small set of transaction codes.
    if (provider.ConsumeBool()) {
        return provider.ConsumeIntegralInRange<uint32_t>(0, 100);
    }

    if (provider.ConsumeBool()) {
        return provider.PickValueInArray<uint32_t>(
                {IBinder::DUMP_TRANSACTION, IBinder::PING_TRANSACTION,
                 IBinder::SHELL_COMMAND_TRANSACTION, IBinder::INTERFACE_TRANSACTION,
                 IBinder::SYSPROPS_TRANSACTION, IBinder::EXTENSION_TRANSACTION,
                 IBinder::TWEET_TRANSACTION, IBinder::LIKE_TRANSACTION});
    }

    return provider.ConsumeIntegralInRange<uint32_t>(aidl::kLastMetaMethodId,
                                                     aidl::kFirstMetaMethodId);
}

void fuzzService(const std::vector<sp<IBinder>>& binders, FuzzedDataProvider&& provider) {
    RandomParcelOptions options{
            .extraBinders = binders,
@@ -61,16 +85,7 @@ void fuzzService(const std::vector<sp<IBinder>>& binders, FuzzedDataProvider&& p
    }

    while (provider.remaining_bytes() > 0) {
        // Most of the AIDL services will have small set of transaction codes.
        // TODO(b/295942369) : Add remaining transact codes from IBinder.h
        uint32_t code = provider.ConsumeBool() ? provider.ConsumeIntegral<uint32_t>()
                : provider.ConsumeBool()
                ? provider.ConsumeIntegralInRange<uint32_t>(0, 100)
                : provider.PickValueInArray<uint32_t>(
                          {IBinder::DUMP_TRANSACTION, IBinder::PING_TRANSACTION,
                           IBinder::SHELL_COMMAND_TRANSACTION, IBinder::INTERFACE_TRANSACTION,
                           IBinder::SYSPROPS_TRANSACTION, IBinder::EXTENSION_TRANSACTION,
                           IBinder::TWEET_TRANSACTION, IBinder::LIKE_TRANSACTION});
        uint32_t code = getCode(provider);
        uint32_t flags = provider.ConsumeIntegral<uint32_t>();
        Parcel data;
        // for increased fuzz coverage
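Review bot: `getCode` is added as a non-static free function in this .cpp, so it has external linkage under a very generic name. No header declaration is visible in the hunks, and the file appears to belong to the `cc_library_static` touched by the same commit, so `static uint32_t getCode(FuzzedDataProvider& provider) {` (or an anonymous namespace) would avoid a clash with a same-named symbol in any fuzzer that links the library. The last return passes `aidl::kLastMetaMethodId` as the minimum and `aidl::kFirstMetaMethodId` as the maximum, and `ConsumeIntegralInRange` aborts when min > max. A comment such as `// Meta transaction ids count down from kFirstMetaMethodId, so kLastMetaMethodId is the lower bound.` would help, once that ordering is confirmed against `aidl/transaction_ids.h`, which is not shown here. The extra `ConsumeBool()` also changes how existing corpus bytes map to transaction codes, so saved corpora for services driven through `fuzzService` (whose body continues outside the hunk) may lose coverage until they are regenerated.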