Merge "Revert "Delete fds and binders in fuzzService"" am: cc95c107be am:... (c4a56e2c) · Commits · e / os / android_frameworks_native

libs/binder/tests/parcel_fuzzer/libbinder_driver.cpp

+35 −62

Original line number	Original line	Diff line number	Diff line
	@@ -43,11 +43,8 @@ void fuzzService(const std::vector<sp<IBinder>>& binders, FuzzedDataProvider&& p
	}		}

	while (provider.remaining_bytes() > 0) {		while (provider.remaining_bytes() > 0) {
	provider.PickValueInArray<std::function<void()>>({
	[&]() {
	// Most of the AIDL services will have small set of transaction codes.		// Most of the AIDL services will have small set of transaction codes.
	uint32_t code = provider.ConsumeBool()		uint32_t code = provider.ConsumeBool() ? provider.ConsumeIntegral<uint32_t>()
	? provider.ConsumeIntegral<uint32_t>()
	: provider.ConsumeIntegralInRange<uint32_t>(0, 100);		: provider.ConsumeIntegralInRange<uint32_t>(0, 100);
	uint32_t flags = provider.ConsumeIntegral<uint32_t>();		uint32_t flags = provider.ConsumeIntegral<uint32_t>();
	Parcel data;		Parcel data;
	@@ -56,9 +53,7 @@ void fuzzService(const std::vector<sp<IBinder>>& binders, FuzzedDataProvider&& p
	data.setServiceFuzzing();		data.setServiceFuzzing();

	sp<IBinder> target = options.extraBinders.at(		sp<IBinder> target = options.extraBinders.at(
	provider.ConsumeIntegralInRange<size_t>(0,		provider.ConsumeIntegralInRange<size_t>(0, options.extraBinders.size() - 1));
	options.extraBinders.size() -
	1));
	options.writeHeader = [&target](Parcel* p, FuzzedDataProvider& provider) {		options.writeHeader = [&target](Parcel* p, FuzzedDataProvider& provider) {
	// most code will be behind checks that the head of the Parcel		// most code will be behind checks that the head of the Parcel
	// is exactly this, so make it easier for fuzzers to reach this		// is exactly this, so make it easier for fuzzers to reach this
	@@ -69,8 +64,7 @@ void fuzzService(const std::vector<sp<IBinder>>& binders, FuzzedDataProvider&& p

	std::vector<uint8_t> subData = provider.ConsumeBytes<uint8_t>(		std::vector<uint8_t> subData = provider.ConsumeBytes<uint8_t>(
	provider.ConsumeIntegralInRange<size_t>(0, provider.remaining_bytes()));		provider.ConsumeIntegralInRange<size_t>(0, provider.remaining_bytes()));
	fillRandomParcel(&data, FuzzedDataProvider(subData.data(), subData.size()),		fillRandomParcel(&data, FuzzedDataProvider(subData.data(), subData.size()), &options);
	&options);

	Parcel reply;		Parcel reply;
	// for increased fuzz coverage		// for increased fuzz coverage
	@@ -88,27 +82,6 @@ void fuzzService(const std::vector<sp<IBinder>>& binders, FuzzedDataProvider&& p
	for (size_t i = 0; i < retFds.size(); i++) {		for (size_t i = 0; i < retFds.size(); i++) {
	options.extraFds.push_back(base::unique_fd(dup(retFds[i])));		options.extraFds.push_back(base::unique_fd(dup(retFds[i])));
	}		}
	},
	[&]() {
	if (options.extraFds.size() == 0) {
	return;
	}
	uint32_t toDelete =
	provider.ConsumeIntegralInRange<uint32_t>(0,
	options.extraFds.size() - 1);
	options.extraFds.erase(options.extraFds.begin() + toDelete);
	},
	[&]() {
	if (options.extraBinders.size() <= 1) {
	return;
	}
	uint32_t toDelete =
	provider.ConsumeIntegralInRange<uint32_t>(0,
	options.extraBinders.size() -
	1);
	options.extraBinders.erase(options.extraBinders.begin() + toDelete);
	},
	})();
	}		}

	// invariants		// invariants