
Commit 9004a82d authored by Pawan Wagh

Rust API to fuzz multiple binders

Adding rust wrapper fuzz_multiple_services so that multiple binders can be fuzzed together.

Test: m keystore_service_fuzzer && adb sync data && adb shell /data/fuzz/$(get_build_var TARGET_ARCH)/keystore_service_fuzzer/keystore_service_fuzzer -runs=1000
Bug: 296464642

Change-Id: I2392141a53fbf38aba84074ab6f6e14574a151fa
parent 4d322774
+19 −3
@@ -35,10 +35,26 @@ pub fn create_random_parcel(fuzzer_data: &[u8]) -> Parcel {

/// This API automatically fuzzes provided service
pub fn fuzz_service(binder: &mut SpIBinder, fuzzer_data: &[u8]) {
    let mut binders = [binder];
    fuzz_multiple_services(&mut binders, fuzzer_data);
}

/// This API automatically fuzzes provided services
pub fn fuzz_multiple_services(binders: &mut [&mut SpIBinder], fuzzer_data: &[u8]) {
    let mut cppBinders = vec![];
    for binder in binders.iter_mut() {
        let ptr = binder.as_native_mut() as *mut c_void;
        cppBinders.push(ptr);
    }

    unsafe {
        // Safety: `SpIBinder::as_native_mut` and `slice::as_ptr` always
        // Safety: `Vec::as_mut_ptr` and `slice::as_ptr` always
        // return valid pointers.
        fuzzRustService(ptr, fuzzer_data.as_ptr(), fuzzer_data.len());
        fuzzRustService(
            cppBinders.as_mut_ptr(),
            cppBinders.len(),
            fuzzer_data.as_ptr(),
            fuzzer_data.len(),
        );
    }
}
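Review bot: The SAFETY comment inside the unsafe block of fuzz_multiple_services states the wrong invariant — `Vec::as_mut_ptr`/`slice::as_ptr` returning non-dangling pointers is not what makes the FFI call sound; what matters is that `cppBinders` and `fuzzer_data` outlive the call, that `cppBinders.len()` is exactly the element count the C++ side will read, and that every element came from `as_native_mut()` on a binder that is held by `&mut` for the whole function, so no `SpIBinder` can be dropped or moved while the fuzzer runs. Suggest replacing the two comment lines with `// Safety: cppBinders and fuzzer_data outlive this call, cppBinders.len() is the exact count passed alongside the array, and each element is a live AIBinder pointer taken from a binder mutably borrowed for the duration of this function.` Separately, `cppBinders` is not snake_case and will trip the `non_snake_case` lint; the collection loop reads more idiomatically as `let mut cpp_binders: Vec<*mut c_void> = binders.iter_mut().map(|b| b.as_native_mut() as *mut c_void).collect();`. The doc comment on the new function could also say that `binders` is borrowed only for the call and that the count/array pairing is what the C++ side relies on, since the `void**` declaration erases the element type.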
+2 −2
@@ -21,5 +21,5 @@ extern "C" {
    void createRandomParcel(void* aParcel, const uint8_t* data, size_t len);

    // This API is used by fuzzers to automatically fuzz aidl services
    void fuzzRustService(void* binder, const uint8_t* data, size_t len);
    void fuzzRustService(void** binders, size_t numBinders, const uint8_t* data, size_t len);
}
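Review bot: The comment above the new fuzzRustService declaration no longer describes its parameters: `binders` is an array of `numBinders` pointers that the callee reads back as `AIBinder*`, and `void**` erases that, so this header is the only place a caller on the Rust side (presumably seeing it through a generated extern block) can learn the contract. Suggest expanding the comment to: `// This API is used by fuzzers to automatically fuzz aidl services. binders must point to numBinders non-null AIBinder* values (passed as void*); the callee takes no ownership and reads the array only for the duration of the call.` Because the count and the array are separate arguments, a mismatch between them cannot be detected on either side of the boundary, which is worth stating here so that future edits keep the Rust and C++ declarations in step.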
+11 −3
@@ -22,6 +22,9 @@
// and APEX users, but we need access to it to fuzz.
#include "../../ndk/ibinder_internal.h"

using android::IBinder;
using android::sp;

namespace android {

void fuzzService(const std::vector<ndk::SpAIBinder>& binders, FuzzedDataProvider&& provider) {
@@ -41,9 +44,14 @@ void fuzzService(AIBinder* binder, FuzzedDataProvider&& provider) {

extern "C" {
// This API is used by fuzzers to automatically fuzz aidl services
void fuzzRustService(void* binder, const uint8_t* data, size_t len) {
    AIBinder* aiBinder = static_cast<AIBinder*>(binder);
void fuzzRustService(void** binders, size_t numBinders, const uint8_t* data, size_t len) {
    std::vector<sp<IBinder>> cppBinders;
    for (size_t binderIndex = 0; binderIndex < numBinders; ++binderIndex) {
        AIBinder* aiBinder = static_cast<AIBinder*>(binders[binderIndex]);
        cppBinders.push_back(aiBinder->getBinder());
    }

    FuzzedDataProvider provider(data, len);
    android::fuzzService(aiBinder, std::move(provider));
    android::fuzzService(cppBinders, std::move(provider));
}
} // extern "C"
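Review bot: fuzzRustService indexes `binders[binderIndex]` and immediately dereferences the result with `aiBinder->getBinder()` without any check, so a null `binders` with a non-zero `numBinders`, or a null entry, becomes a null dereference inside the harness rather than a reported contract violation, and the FFI edge is the right place to make that precondition explicit. Suggest a check at the top of the function, `LOG_ALWAYS_FATAL_IF(binders == nullptr && numBinders != 0, "binders is null with numBinders=%zu", numBinders);` (if the Android log header is already included here; otherwise an equivalent abort-on-violation check), plus `cppBinders.reserve(numBinders);` before the loop so the vector is sized once. The call on the last line now resolves to a fuzzService overload taking `std::vector<sp<IBinder>>`, declared outside this hunk, rather than the ndk overload taking `std::vector<ndk::SpAIBinder>` shown at the top of the file; since the two overloads share a name, a one-line comment such as `// Dispatches to the libbinder (sp<IBinder>) overload, not the ndk one above.` would save the next reader a lookup — hedged, as the other declaration is not visible here.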