
Commit b9067b8a authored by Devin Moore's avatar Devin Moore Committed by Android (Google) Code Review

Merge changes I01f5f1d5,I65aa5ebd,I67746d7f into main

* changes:
  binder_parcel_fuzzer: close FDs in unflatten
  Check for leaking FDs in binder_parcel_fuzzer
  Add errno to CHECK_EQ log
parents e789c58d 01c9cdc1
+5 −1
@@ -62,13 +62,17 @@ public:
        FUZZ_LOG() << "should not reach";
        abort();
    }
    status_t unflatten(void const*& buffer, size_t& size, int const*& /*fds*/, size_t& /*count*/) {
    status_t unflatten(void const*& buffer, size_t& size, int const*& fds, size_t& count) {
        for (size_t i = 0; i < count; i++) {
            close(fds[i]);
        }
        if (size < sizeof(mValue)) {
            return android::NO_MEMORY;
        }
        android::FlattenableUtils::read(buffer, size, mValue);
        return android::OK;
    }

private:
    int32_t mValue = 0xFEEDBEEF;
};
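Review bot: The loop added at the top of `unflatten` closes the received descriptors without a comment saying that this function owns them, and it leaves the `fds` and `count` reference parameters describing descriptors that are no longer open. If the caller (not visible here) reads those values again or closes them on an error path, the result is a double close, which can land on an unrelated descriptor whose number has been reused. I would add `// unflatten takes ownership of the received FDs; close them so the fuzzer does not leak` above the loop and, after confirming the caller passes its own copies, consume the arguments with `fds += count; count = 0;`. The return value of `close()` is ignored, which is acceptable in a fuzzer but worth a word in the same comment. The enclosing class starts outside the hunk.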
+13 −2
@@ -28,10 +28,11 @@
#include <fuzzbinder/random_parcel.h>
#include <fuzzer/FuzzedDataProvider.h>

#include <cstdlib>
#include <ctime>
#include <sys/resource.h>
#include <sys/time.h>
#include <cstdlib>
#include <ctime>
#include <filesystem>

#include "../../Utils.h"

@@ -157,12 +158,21 @@ static AIBinder_Class* kNothingClass =
        AIBinder_Class_define("nothing", NothingClass_onCreate, NothingClass_onDestroy,
                              NothingClass_onTransact);

static long numFds() {
    return std::distance(std::filesystem::directory_iterator("/proc/self/fd"),
                         std::filesystem::directory_iterator{});
}
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    if (size <= 1) return 0;  // no use

    // avoid timeouts, see b/142617274, b/142473153
    if (size > 50000) return 0;

    struct rlimit limit{};
    CHECK_EQ(0, getrlimit(RLIMIT_NOFILE, &limit));
    uint64_t maxFds = limit.rlim_cur;
    int initialFds = numFds();

    FuzzedDataProvider provider = FuzzedDataProvider(data, size);

    const std::function<void(FuzzedDataProvider&&)> fuzzBackend[] = {
@@ -209,5 +219,6 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {

    provider.PickValueInArray(fuzzBackend)(std::move(provider));

    CHECK_EQ(initialFds, numFds()) << "FDs are being leaked";
    return 0;
}
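Review bot: `int initialFds = numFds();` narrows the `long` that `numFds()` returns, and the closing `CHECK_EQ(initialFds, numFds())` compares only descriptor counts, so a leak that coincides with an unrelated close in the same iteration passes and a failure does not identify the leaked descriptor. Keeping the type with `const long initialFds = numFds();` removes the narrowing. `numFds()` has no comment; one line saying it counts the entries under `/proc/self/fd`, and that `std::filesystem::directory_iterator` throws if that directory cannot be opened, would tell the next reader why a crash here may not be a leak. `maxFds` is assigned but not read in the lines shown; if nothing between the second and third hunk uses it, it should be dropped or checked against the count.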
+2 −1
@@ -55,7 +55,8 @@ std::vector<unique_fd> getRandomFds(FuzzedDataProvider* provider) {
                 // TODO(b/236812909): also test blocking
                 if (true) flags |= O_NONBLOCK;

                 CHECK_EQ(0, pipe2(pipefds, flags)) << flags;
                 CHECK_EQ(0, pipe2(pipefds, flags))
                         << "flags: " << flags << ", errno: " << strerror(errno);

                 if (provider->ConsumeBool()) std::swap(pipefds[0], pipefds[1]);