Loading libs/binder/tests/parcel_fuzzer/libbinder_driver.cpp +60 −34 Original line number Diff line number Diff line Loading @@ -37,8 +37,11 @@ void fuzzService(const sp<IBinder>& binder, FuzzedDataProvider&& provider) { } while (provider.remaining_bytes() > 0) { provider.PickValueInArray<std::function<void()>>({ [&]() { // Most of the AIDL services will have small set of transaction codes. uint32_t code = provider.ConsumeBool() ? provider.ConsumeIntegral<uint32_t>() uint32_t code = provider.ConsumeBool() ? provider.ConsumeIntegral<uint32_t>() : provider.ConsumeIntegralInRange<uint32_t>(0, 100); uint32_t flags = provider.ConsumeIntegral<uint32_t>(); Parcel data; Loading @@ -46,7 +49,9 @@ void fuzzService(const sp<IBinder>& binder, FuzzedDataProvider&& provider) { data.setEnforceNoDataAvail(provider.ConsumeBool()); sp<IBinder> target = options.extraBinders.at( provider.ConsumeIntegralInRange<size_t>(0, options.extraBinders.size() - 1)); provider.ConsumeIntegralInRange<size_t>(0, options.extraBinders.size() - 1)); options.writeHeader = [&target](Parcel* p, FuzzedDataProvider& provider) { // most code will be behind checks that the head of the Parcel // is exactly this, so make it easier for fuzzers to reach this Loading @@ -57,7 +62,8 @@ void fuzzService(const sp<IBinder>& binder, FuzzedDataProvider&& provider) { std::vector<uint8_t> subData = provider.ConsumeBytes<uint8_t>( provider.ConsumeIntegralInRange<size_t>(0, provider.remaining_bytes())); fillRandomParcel(&data, FuzzedDataProvider(subData.data(), subData.size()), &options); fillRandomParcel(&data, FuzzedDataProvider(subData.data(), subData.size()), &options); Parcel reply; // for increased fuzz coverage Loading 
@@ -74,10 +80,30 @@ void fuzzService(const sp<IBinder>& binder, FuzzedDataProvider&& provider) { for (size_t i = 0; i < retFds.size(); i++) { options.extraFds.push_back(base::unique_fd(dup(retFds[i]))); } }, [&]() { if (options.extraFds.size() == 0) { return; } uint32_t toDelete = provider.ConsumeIntegralInRange<uint32_t>(0, options.extraFds.size() - 1); options.extraFds.erase(options.extraFds.begin() + toDelete); }, [&]() { if (options.extraBinders.size() <= 1) { return; } uint32_t toDelete = provider.ConsumeIntegralInRange<uint32_t>(0, options.extraBinders.size() - 1); options.extraBinders.erase(options.extraBinders.begin() + toDelete); }, })(); } // invariants auto ps = ProcessState::selfOrNull(); if (ps) { CHECK_EQ(0, ps->getThreadPoolMaxTotalThreadCount()) Loading Loading
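Review bot: The two new deletion lambdas at the end of this hunk index with `uint32_t toDelete = provider.ConsumeIntegralInRange<uint32_t>(...)`, while the transaction lambda in the earlier hunk of the same file selects its binder with `ConsumeIntegralInRange<size_t>`; `size_t toDelete = provider.ConsumeIntegralInRange<size_t>(0, options.extraFds.size() - 1);` (and the same for extraBinders) keeps the index type matching the container and avoids the implicit widening in `begin() + toDelete`. The `<= 1` guard on extraBinders differs from the `== 0` guard on extraFds and appears to be what keeps `options.extraBinders.at(... size() - 1)` in the transaction lambda from underflowing on an empty vector, so a comment such as `// keep at least one binder: the transact lambda indexes extraBinders.at(size() - 1)` would mark the asymmetry as deliberate. If extraBinders is seeded with the fuzzed `binder` itself (not visible in this hunk), the new erase can also evict it so that later transactions only reach returned binders; if that is intended, a one-line comment saying so would help the next reader. The same applies to the repeated copy of this file section below; fuzzService begins before the first hunk and continues past the last.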
libs/binder/tests/parcel_fuzzer/libbinder_driver.cpp +60 −34 Original line number Diff line number Diff line Loading @@ -37,8 +37,11 @@ void fuzzService(const sp<IBinder>& binder, FuzzedDataProvider&& provider) { } while (provider.remaining_bytes() > 0) { provider.PickValueInArray<std::function<void()>>({ [&]() { // Most of the AIDL services will have small set of transaction codes. uint32_t code = provider.ConsumeBool() ? provider.ConsumeIntegral<uint32_t>() uint32_t code = provider.ConsumeBool() ? provider.ConsumeIntegral<uint32_t>() : provider.ConsumeIntegralInRange<uint32_t>(0, 100); uint32_t flags = provider.ConsumeIntegral<uint32_t>(); Parcel data; Loading @@ -46,7 +49,9 @@ void fuzzService(const sp<IBinder>& binder, FuzzedDataProvider&& provider) { data.setEnforceNoDataAvail(provider.ConsumeBool()); sp<IBinder> target = options.extraBinders.at( provider.ConsumeIntegralInRange<size_t>(0, options.extraBinders.size() - 1)); provider.ConsumeIntegralInRange<size_t>(0, options.extraBinders.size() - 1)); options.writeHeader = [&target](Parcel* p, FuzzedDataProvider& provider) { // most code will be behind checks that the head of the Parcel // is exactly this, so make it easier for fuzzers to reach this Loading @@ -57,7 +62,8 @@ void fuzzService(const sp<IBinder>& binder, FuzzedDataProvider&& provider) { std::vector<uint8_t> subData = provider.ConsumeBytes<uint8_t>( provider.ConsumeIntegralInRange<size_t>(0, provider.remaining_bytes())); fillRandomParcel(&data, FuzzedDataProvider(subData.data(), subData.size()), &options); fillRandomParcel(&data, FuzzedDataProvider(subData.data(), subData.size()), &options); Parcel reply; // for increased fuzz coverage Loading 
@@ -74,10 +80,30 @@ void fuzzService(const sp<IBinder>& binder, FuzzedDataProvider&& provider) { for (size_t i = 0; i < retFds.size(); i++) { options.extraFds.push_back(base::unique_fd(dup(retFds[i]))); } }, [&]() { if (options.extraFds.size() == 0) { return; } uint32_t toDelete = provider.ConsumeIntegralInRange<uint32_t>(0, options.extraFds.size() - 1); options.extraFds.erase(options.extraFds.begin() + toDelete); }, [&]() { if (options.extraBinders.size() <= 1) { return; } uint32_t toDelete = provider.ConsumeIntegralInRange<uint32_t>(0, options.extraBinders.size() - 1); options.extraBinders.erase(options.extraBinders.begin() + toDelete); }, })(); } // invariants auto ps = ProcessState::selfOrNull(); if (ps) { CHECK_EQ(0, ps->getThreadPoolMaxTotalThreadCount()) Loading