
Commit 87816ee5 authored by Devin Moore's avatar Devin Moore

random_parcel: don't always make a parcel view when filling a random parcel

RandomParcelOptions needs to outlive the parcel because it holds
the reference to the parcel that the view represents. Right now, this
is not always the case.
This CL introduces a way to declare when views are OK to create.

Flag: TEST_ONLY
Test: servicemanager_fuzzer
Bug: 421008884
Change-Id: Iee0e24a50e2ac7dcedc11d47b6a9678fd5220817
parent 21a888ee
+6 −1
@@ -29,7 +29,12 @@ struct RandomParcelOptions {
    std::vector<sp<IBinder>> extraBinders;
    std::vector<binder::unique_fd> extraFds;

    // internal state owned by fillRandomParcel, for Parcel views
    // Only use extraParcels when this is true. This object needs to outlive
    // the views
    bool viewParcel = false;
    // internal state owned by fillRandomParcel, for Parcel views.
    // This can only be used if this RandomParcelOptions objects is guaranteed
    // to outlive the views.
    std::vector<std::unique_ptr<Parcel>> extraParcels;
};
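Review bot: The two comment blocks on the new `viewParcel` field and on `extraParcels` state the same lifetime rule twice, and neither says who sets the flag; since fillRandomParcel cannot verify the promise, the struct should make explicit that `viewParcel` is the caller's assertion. I would collapse them into one comment above `viewParcel`, along the lines of `// Set by the caller to promise that this RandomParcelOptions outlives every Parcel filled with it; only then may fillRandomParcel create views backed by extraParcels.`, and keep a one-line `// internal state owned by fillRandomParcel, for Parcel views` on `extraParcels`. The `extraParcels` comment also reads "this RandomParcelOptions objects is guaranteed" and should say "object". Placing `viewParcel` between `extraFds` and `extraParcels` matches the declaration order that designated initializers such as the one in fuzzService must follow, so the position is fine.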

+1 −0
@@ -59,6 +59,7 @@ void fuzzService(const std::vector<sp<IBinder>>& binders, FuzzedDataProvider&& p
    RandomParcelOptions options{
            .extraBinders = binders,
            .extraFds = {},
            .viewParcel = true,
    };

    // Reserved bytes so that we don't have to change fuzzers and seed corpus if
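Review bot: `.viewParcel = true` is an unchecked lifetime promise, and whether it actually holds depends on how long `options` lives relative to the parcels filled from it, which is decided by the rest of fuzzService outside this hunk. Because fillRandomParcel has no way to validate the claim, the line deserves a comment naming the reason it is safe here, e.g. `.viewParcel = true,  // options outlives every parcel filled in this call, so views into extraParcels stay valid — keep it in this scope`, assuming that is indeed the case. Anyone later moving `options` into a narrower scope or returning a parcel from this function would otherwise have nothing warning them that views may dangle.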
+2 −2
@@ -49,7 +49,7 @@ void fillRandomParcel(Parcel* outputParcel, FuzzedDataProvider&& provider,
    });

    Parcel* p;
    if (resultShouldBeView) {
    if (options->viewParcel && resultShouldBeView) {
        options->extraParcels.push_back(std::make_unique<Parcel>());
        // held for duration of test, so that view will be valid
        p = options->extraParcels[options->extraParcels.size() - 1].get();
@@ -60,7 +60,7 @@ void fillRandomParcel(Parcel* outputParcel, FuzzedDataProvider&& provider,
    // must be last guard, so outputParcel gets setup as view before
    // other guards
    auto viewify_guard = binder::impl::make_scope_guard([&]() {
        if (resultShouldBeView) {
        if (options->viewParcel && resultShouldBeView) {
            outputParcel->makeDangerousViewOf(p);
        }
    });
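Review bot: The condition `options->viewParcel && resultShouldBeView` is now written out twice, once where `p` is chosen and again inside `viewify_guard`, while `Parcel* p;` is left uninitialized; if the two conditions ever diverge, the guard would call `makeDangerousViewOf(p)` with an indeterminate pointer. Compute the decision once and initialize `p`: `const bool makeView = options->viewParcel && resultShouldBeView;`, `Parcel* p = nullptr;`, then `if (makeView) {` at both sites. Adding `viewParcel` to the check also means an input that previously exercised the view path now silently takes the non-view path for callers that leave the flag false, which is intended but worth a comment at the first check, e.g. `// views are only safe when the caller guaranteed options outlives them`. fillRandomParcel starts and ends outside this hunk, so the branch that sets `p` in the non-view case is not visible here.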