Loading libs/binder/rust/tests/parcel_fuzzer/random_parcel/src/lib.rs +19 −3 Original line number Diff line number Diff line Loading @@ -35,10 +35,26 @@ pub fn create_random_parcel(fuzzer_data: &[u8]) -> Parcel { /// This API automatically fuzzes provided service pub fn fuzz_service(binder: &mut SpIBinder, fuzzer_data: &[u8]) { let mut binders = [binder]; fuzz_multiple_services(&mut binders, fuzzer_data); } /// This API automatically fuzzes provided services pub fn fuzz_multiple_services(binders: &mut [&mut SpIBinder], fuzzer_data: &[u8]) { let mut cppBinders = vec![]; for binder in binders.iter_mut() { let ptr = binder.as_native_mut() as *mut c_void; cppBinders.push(ptr); } unsafe { // Safety: `SpIBinder::as_native_mut` and `slice::as_ptr` always // Safety: `Vec::as_mut_ptr` and `slice::as_ptr` always // return valid pointers. fuzzRustService(ptr, fuzzer_data.as_ptr(), fuzzer_data.len()); fuzzRustService( cppBinders.as_mut_ptr(), cppBinders.len(), fuzzer_data.as_ptr(), fuzzer_data.len(), ); } } libs/binder/rust/tests/parcel_fuzzer/random_parcel/wrappers/RandomParcelWrapper.hpp +2 −2 Original line number Diff line number Diff line Loading @@ -21,5 +21,5 @@ extern "C" { void createRandomParcel(void* aParcel, const uint8_t* data, size_t len); // This API is used by fuzzers to automatically fuzz aidl services void fuzzRustService(void* binder, const uint8_t* data, size_t len); void fuzzRustService(void** binders, size_t numBinders, const uint8_t* data, size_t len); } libs/binder/tests/parcel_fuzzer/libbinder_ndk_driver.cpp +11 −3 Original line number Diff line number Diff line Loading @@ -22,6 +22,9 @@ // and APEX users, but we need access to it to fuzz. #include "../../ndk/ibinder_internal.h" using android::IBinder; using android::sp; namespace android { void fuzzService(const std::vector<ndk::SpAIBinder>& binders, FuzzedDataProvider&& provider) { Loading @@ -41,9 +44,14 @@ void fuzzService(AIBinder* binder, FuzzedDataProvider&& provider) { extern "C" { // This API is used by fuzzers to automatically fuzz aidl services void fuzzRustService(void* binder, const uint8_t* data, size_t len) { AIBinder* aiBinder = static_cast<AIBinder*>(binder); void fuzzRustService(void** binders, size_t numBinders, const uint8_t* data, size_t len) { std::vector<sp<IBinder>> cppBinders; for (size_t binderIndex = 0; binderIndex < numBinders; ++binderIndex) { AIBinder* aiBinder = static_cast<AIBinder*>(binders[binderIndex]); cppBinders.push_back(aiBinder->getBinder()); } FuzzedDataProvider provider(data, len); android::fuzzService(aiBinder, std::move(provider)); android::fuzzService(cppBinders, std::move(provider)); } } // extern "C" Loading
libs/binder/rust/tests/parcel_fuzzer/random_parcel/src/lib.rs +19 −3 Original line number Diff line number Diff line Loading @@ -35,10 +35,26 @@ pub fn create_random_parcel(fuzzer_data: &[u8]) -> Parcel { /// This API automatically fuzzes provided service pub fn fuzz_service(binder: &mut SpIBinder, fuzzer_data: &[u8]) { let mut binders = [binder]; fuzz_multiple_services(&mut binders, fuzzer_data); } /// This API automatically fuzzes provided services pub fn fuzz_multiple_services(binders: &mut [&mut SpIBinder], fuzzer_data: &[u8]) { let mut cppBinders = vec![]; for binder in binders.iter_mut() { let ptr = binder.as_native_mut() as *mut c_void; cppBinders.push(ptr); } unsafe { // Safety: `SpIBinder::as_native_mut` and `slice::as_ptr` always // Safety: `Vec::as_mut_ptr` and `slice::as_ptr` always // return valid pointers. fuzzRustService(ptr, fuzzer_data.as_ptr(), fuzzer_data.len()); fuzzRustService( cppBinders.as_mut_ptr(), cppBinders.len(), fuzzer_data.as_ptr(), fuzzer_data.len(), ); } }
libs/binder/rust/tests/parcel_fuzzer/random_parcel/wrappers/RandomParcelWrapper.hpp +2 −2 Original line number Diff line number Diff line Loading @@ -21,5 +21,5 @@ extern "C" { void createRandomParcel(void* aParcel, const uint8_t* data, size_t len); // This API is used by fuzzers to automatically fuzz aidl services void fuzzRustService(void* binder, const uint8_t* data, size_t len); void fuzzRustService(void** binders, size_t numBinders, const uint8_t* data, size_t len); }
libs/binder/tests/parcel_fuzzer/libbinder_ndk_driver.cpp +11 −3 Original line number Diff line number Diff line Loading @@ -22,6 +22,9 @@ // and APEX users, but we need access to it to fuzz. #include "../../ndk/ibinder_internal.h" using android::IBinder; using android::sp; namespace android { void fuzzService(const std::vector<ndk::SpAIBinder>& binders, FuzzedDataProvider&& provider) { Loading @@ -41,9 +44,14 @@ void fuzzService(AIBinder* binder, FuzzedDataProvider&& provider) { extern "C" { // This API is used by fuzzers to automatically fuzz aidl services void fuzzRustService(void* binder, const uint8_t* data, size_t len) { AIBinder* aiBinder = static_cast<AIBinder*>(binder); void fuzzRustService(void** binders, size_t numBinders, const uint8_t* data, size_t len) { std::vector<sp<IBinder>> cppBinders; for (size_t binderIndex = 0; binderIndex < numBinders; ++binderIndex) { AIBinder* aiBinder = static_cast<AIBinder*>(binders[binderIndex]); cppBinders.push_back(aiBinder->getBinder()); } FuzzedDataProvider provider(data, len); android::fuzzService(aiBinder, std::move(provider)); android::fuzzService(cppBinders, std::move(provider)); } } // extern "C"
