
Commit aff7e0ad authored by Pawan Wagh's avatar Pawan Wagh

Call set* functions while filling random parcel

Add calls to setDataPosition, setDataCapacity and setDataSize
when writing data to the random parcel.

Test: m binder_parcel_fuzzer && adb sync data && adb shell /data/fuzz/arm64/binder_parcel_fuzzer/binder_parcel_fuzzer
Flag: EXEMPT test only
Bug: 404632935
Change-Id: Id00087bf2b2a8f40525d3805dc20c7248e3c5d34
parent c0f7b2f7
+5 −1
@@ -103,7 +103,11 @@ void doReadFuzz(const char* backend, const std::vector<ParcelRead<P>>& reads,
    CHECK_LE(reads.size(), 255u) << reads.size();

    FUZZ_LOG() << "doReadFuzz backend: " << backend;

    if (p.data() != nullptr) {
        FUZZ_LOG() << "input: " << HexString(p.data(), p.dataSize());
    }

    FUZZ_LOG() << "instructions: " << HexString(instructions.data(), instructions.size());

    FuzzedDataProvider instructionsProvider(instructions.data(), instructions.size());
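Review bot: When `p.data()` is null the `input:` log line is now skipped entirely, so a reproducer log cannot tell an empty parcel from a missing log line. Since the set* calls added elsewhere in this commit can presumably leave the parcel in unusual size/capacity states, an `else` branch such as `FUZZ_LOG() << "input: <null>, dataSize: " << p.dataSize();` would keep that state visible during triage. The added lines are inferred from the rendered page, and doReadFuzz's body starts and ends outside this hunk.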
+24 −0
@@ -41,6 +41,7 @@ void fillRandomParcel(Parcel* outputParcel, FuzzedDataProvider&& provider,
    const bool resultShouldBeView = fuzzerParcelOptions & 1;
    const bool resultShouldBeRpc = fuzzerParcelOptions & 2;
    const bool resultShouldMarkSensitive = fuzzerParcelOptions & 4;
    const bool resultRandomSet = fuzzerParcelOptions & 8;

    auto sensitivity_guard = binder::impl::make_scope_guard([&]() {
        if (resultShouldMarkSensitive) {
@@ -87,6 +88,12 @@ void fillRandomParcel(Parcel* outputParcel, FuzzedDataProvider&& provider,
        options->writeHeader(p, provider);
    }

    std::vector<uint8_t> instructionData;
    if (resultRandomSet) {
        size_t dataSize = provider.ConsumeIntegralInRange<size_t>(0, 100);
        instructionData = provider.ConsumeBytes<uint8_t>(dataSize);
    }

    while (provider.remaining_bytes() > 0) {
        auto fillFunc = provider.PickValueInArray<const std::function<void()>>({
                // write data
@@ -149,6 +156,23 @@ void fillRandomParcel(Parcel* outputParcel, FuzzedDataProvider&& provider,

        fillFunc();
    }

    if (resultRandomSet) {
        auto value = 0;
        FuzzedDataProvider setInstructionsProvider(instructionData.data(), instructionData.size());
        while (setInstructionsProvider.remaining_bytes() > 0) {
            if (setInstructionsProvider.ConsumeBool()) {
                value = setInstructionsProvider.ConsumeIntegralInRange<size_t>(0, 2048);
            }
            auto setRandomValue =
                    setInstructionsProvider.PickValueInArray<const std::function<void()>>({
                            [&]() { p->setDataCapacity(value); },
                            [&]() { p->setDataPosition(value); },
                            [&]() { p->setDataSize(value); },
                    });
            setRandomValue();
        }
    }
}

} // namespace android
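Review bot: `auto value = 0;` in the final `if (resultRandomSet)` block deduces `int`, yet it is assigned from `ConsumeIntegralInRange<size_t>(0, 2048)` and then handed to `setDataCapacity`, `setDataPosition` and `setDataSize`, so every call goes through an implicit size_t-to-int narrowing and back. The 0–2048 range keeps that harmless today, but `size_t value = 0;` states the intent and stays correct if the bound is raised. The block would also benefit from a comment above it, for example `// Applied after all writes: may leave size/position/capacity inconsistent with the written contents.`, if that is the intended coverage. The same applies to the new option bit `fuzzerParcelOptions & 8` and the 100-byte cap on `instructionData` in the earlier hunks, which could be named constants. fillRandomParcel begins outside these hunks.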