
Commit 90d04b64 authored by Pawan Wagh's avatar Pawan Wagh Committed by Automerger Merge Worker

Merge "Fuzzing readFromParcel method for AIDL generated parcelables. Three...

Merge "Fuzzing readFromParcel method for AIDL generated parcelables. Three parcelables with no data fields, single data field and multiple data fields are added in these changes. Parcelables are fuzzed using binder parcel fuzzer." am: 227e5fcd

Original change: https://android-review.googlesource.com/c/platform/frameworks/native/+/2150273



Change-Id: I22c070e18d1dd455fbe776d0ec83988af6fb0bb3
Signed-off-by: default avatarAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
parents d0a3d20a 227e5fcd
+18 −0
@@ -7,6 +7,22 @@ package {
    default_applicable_licenses: ["frameworks_native_license"],
}

aidl_interface {
    name: "binderReadParcelIface",
    host_supported: true,
    unstable: true,
    srcs: [
        "EmptyParcelable.aidl",
        "SingleDataParcelable.aidl",
        "GenericDataParcelable.aidl",
    ],
    backend: {
        java: {
            enabled: false,
        },
    },
}

cc_fuzz {
    name: "binder_parcel_fuzzer",
    host_supported: true,
@@ -29,6 +45,8 @@ cc_fuzz {
        "libcutils",
        "libhidlbase",
        "liblog",
        "binderReadParcelIface-cpp",
        "binderReadParcelIface-ndk",
    ],

    target: {
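Review bot: The new `aidl_interface` block for `binderReadParcelIface` is `unstable: true` and carries no `visibility` property, so unless the package sets a `default_visibility` outside this hunk, any module in the tree can link the generated `-cpp`/`-ndk` libraries. These parcelables exist only as fuzzing fixtures, so I would scope them with `visibility: [":__subpackages__"],` and add a one-line comment above the block such as `// Test-only parcelables consumed by binder_parcel_fuzzer; not a real interface.`. The `cc_fuzz` block continues outside the second hunk, so I cannot see which dependency list the two new library entries are added to.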
+18 −0
/*
 * Copyright (C) 2022 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

parcelable EmptyParcelable{
}
 No newline at end of file
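Review bot: There is no `package` statement before `parcelable EmptyParcelable{`, and the same holds for GenericDataParcelable.aidl and SingleDataParcelable.aidl in this commit. The fuzzer source in this commit includes `"EmptyParcelable.h"` and names the type unqualified, which suggests the cpp-backend classes are generated into the global namespace, where a generic name like `EmptyParcelable` can collide with other code linked into the fuzzer. I would add a `package` line to all three files, move them into the matching directory, and qualify the uses in the fuzzer. The files also lack a trailing newline, and a short comment on each parcelable saying it is a fuzzing fixture would help readers who find the generated headers.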
+24 −0
/*
 * Copyright (C) 2022 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

parcelable GenericDataParcelable {
    int data;
    float majorVersion;
    float minorVersion;
    IBinder binder;
    ParcelFileDescriptor fileDescriptor;
    int[] array;
}
 No newline at end of file
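Review bot: The field list of `GenericDataParcelable` covers fixed-width primitives, one `int[]`, a binder and a file descriptor, but leaves out the AIDL types whose unparcelling is driven by attacker-controlled length prefixes or null markers. Without a `String`, a `@nullable` field or a nested parcelable, the generated `readFromParcel()` paths for those types are not reached by this fuzzer. I would extend the fixture with fields such as `String name;` and `@nullable IBinder nullableBinder;`, plus an array of `SingleDataParcelable`. If the narrow set is deliberate, a comment on the parcelable stating which types are intentionally out of scope would make that clear.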
+19 −0
/*
 * Copyright (C) 2022 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

parcelable SingleDataParcelable{
   int data;
}
 No newline at end of file
+21 −0
@@ -16,6 +16,9 @@
#define FUZZ_LOG_TAG "binder"

#include "binder.h"
#include "EmptyParcelable.h"
#include "GenericDataParcelable.h"
#include "SingleDataParcelable.h"
#include "util.h"

#include <android-base/hex.h>
@@ -354,6 +357,24 @@ std::vector<ParcelRead<::android::Parcel>> BINDER_PARCEL_READ_FUNCTIONS {
        status_t status = p.compareDataInRange(thisOffset, p, otherOffset, length, &result);
        FUZZ_LOG() << " status: " << status  << " result: " << result;
    },
    [] (const ::android::Parcel& p, FuzzedDataProvider& /*provider*/) {
        FUZZ_LOG() << "about to call readFromParcel() with status for EmptyParcelable";
        EmptyParcelable emptyParcelable{};
        status_t status = emptyParcelable.readFromParcel(&p);
        FUZZ_LOG() << " status: " << status;
    },
    [] (const ::android::Parcel& p , FuzzedDataProvider& /*provider*/) {
        FUZZ_LOG() << "about to call readFromParcel() with status for SingleDataParcelable";
        SingleDataParcelable singleDataParcelable;
        status_t status = singleDataParcelable.readFromParcel(&p);
        FUZZ_LOG() <<" status: " << status;
    },
    [] (const ::android::Parcel& p, FuzzedDataProvider& /*provider*/) {
        FUZZ_LOG() << "about to call readFromParcel() with status for GenericDataParcelable";
        GenericDataParcelable genericDataParcelable;
        status_t status = genericDataParcelable.readFromParcel(&p);
        FUZZ_LOG() <<" status: " << status;
    },
};
// clang-format on
#pragma clang diagnostic pop
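Review bot: The three lambdas added to `BINDER_PARCEL_READ_FUNCTIONS` only log the status of `readFromParcel()` and then drop the object, so the decoded fields are never touched again and the generated `writeToParcel()` is never exercised. On success each lambda could serialize the object into a scratch parcel, e.g. `if (status == ::android::OK) { ::android::Parcel out; genericDataParcelable.writeToParcel(&out); }`, which lets the sanitizers see reads of whatever the unparcelling stored. The lambdas differ only in the parcelable type and log string, so a small template helper would remove the triplication and the formatting drift between them (`EmptyParcelable emptyParcelable{};` versus the other two declarations without braces, `p ,`, `<<" status: "`). The initializer list itself starts outside this hunk.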