
Commit ea9ed86e authored by Steven Moreland

binder_parcel_fuzzer: fuzz parcel types separately

Before, binder, hwbinder, and binder_ndk parcels were always checked
against the same instructions/data. However, because we are using guided
fuzzing, an interesting case for one parcel is highly likely to be a
waste of time for the other parcels. By only fuzzing one at a time, we
give the fuzzing engine the ability to focus in on individual parcel
implementations.

Bug: 131861045
Test: binder_parcel_fuzzer (and verify all backends are hit)
Change-Id: Ifd3e75828e68eb55d7cebfd3b40a31b0192c9991
parent e8a57c14
+19 −6
@@ -51,12 +51,25 @@ void doFuzz(
}

void fuzz(uint8_t options, const std::vector<uint8_t>& input, const std::vector<uint8_t>& instructions) {
    (void) options;

    // although they will do completely different things, might as well fuzz both
    doFuzz<::android::hardware::Parcel>(HWBINDER_PARCEL_READ_FUNCTIONS, input, instructions);
    uint8_t parcelType = options & 0x3;

    switch (parcelType) {
        case 0x0:
            doFuzz<::android::hardware::Parcel>(HWBINDER_PARCEL_READ_FUNCTIONS, input,
                                                instructions);
            break;
        case 0x1:
            doFuzz<::android::Parcel>(BINDER_PARCEL_READ_FUNCTIONS, input, instructions);
            break;
        case 0x2:
            doFuzz<NdkParcelAdapter>(BINDER_NDK_PARCEL_READ_FUNCTIONS, input, instructions);
            break;
        case 0x3:
            /*reserved for future use*/
            break;
        default:
            LOG_ALWAYS_FATAL("unknown parcel type %d", static_cast<int>(parcelType));
    }
}

extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
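Review bot: the `case 0x3: /*reserved for future use*/ break;` branch means one quarter of the values selected by `options & 0x3` exercise no parcel implementation at all, so the engine spends a fixed share of its iterations on inputs that cannot reach new coverage. Until a fourth backend exists, consider folding that value onto one of the live backends (e.g. `uint8_t parcelType = options % 3;`) and dropping the reserved case; the `default:` arm with `LOG_ALWAYS_FATAL` then remains as the only unreachable path and still documents the intent. It would also help to state in a comment on `fuzz` that the low two bits of `options` now select the parcel type, since that is a change to the fuzzer's input format that later readers of the harness will need to know.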