
Commit 32d3b956 authored by Pawan Wagh's avatar Pawan Wagh Committed by Automerger Merge Worker

Merge "Rust API to fuzz multiple binders" into main am: e9eea16c am: 4f0008f5

parents 87692440 4f0008f5
+19 −3
@@ -35,10 +35,26 @@ pub fn create_random_parcel(fuzzer_data: &[u8]) -> Parcel {

/// This API automatically fuzzes provided service
pub fn fuzz_service(binder: &mut SpIBinder, fuzzer_data: &[u8]) {
    let mut binders = [binder];
    fuzz_multiple_services(&mut binders, fuzzer_data);
}

/// This API automatically fuzzes provided services
pub fn fuzz_multiple_services(binders: &mut [&mut SpIBinder], fuzzer_data: &[u8]) {
    let mut cppBinders = vec![];
    for binder in binders.iter_mut() {
        let ptr = binder.as_native_mut() as *mut c_void;
        cppBinders.push(ptr);
    }

    unsafe {
        // Safety: `SpIBinder::as_native_mut` and `slice::as_ptr` always
        // Safety: `Vec::as_mut_ptr` and `slice::as_ptr` always
        // return valid pointers.
        fuzzRustService(ptr, fuzzer_data.as_ptr(), fuzzer_data.len());
        fuzzRustService(
            cppBinders.as_mut_ptr(),
            cppBinders.len(),
            fuzzer_data.as_ptr(),
            fuzzer_data.len(),
        );
    }
}
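Review bot: The new Safety comment above the `fuzzRustService` call in `fuzz_multiple_services` justifies only the outer pointers (`Vec::as_mut_ptr`, `slice::as_ptr`) and drops the invariant the C++ side depends on: every element of the array must be a live `AIBinder*`, because the callee casts and dereferences each one. I would restate it as `// SAFETY: each element comes from SpIBinder::as_native_mut on a binder that stays mutably borrowed for the whole call; the Vec and the data slice outlive the call and their lengths are passed alongside.` It is also worth saying whether an empty `binders` slice is supported, since `Vec::as_mut_ptr` on an empty Vec is a dangling, non-null pointer that is only acceptable because the length passed is 0. Separately, `cppBinders` will trip the `non_snake_case` lint; `let mut cpp_binders: Vec<*mut c_void> = binders.iter_mut().map(|b| b.as_native_mut() as *mut c_void).collect();` is the idiomatic form.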
+2 −2
@@ -21,5 +21,5 @@ extern "C" {
    void createRandomParcel(void* aParcel, const uint8_t* data, size_t len);

    // This API is used by fuzzers to automatically fuzz aidl services
    void fuzzRustService(void* binder, const uint8_t* data, size_t len);
    void fuzzRustService(void** binders, size_t numBinders, const uint8_t* data, size_t len);
}
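Review bot: The comment on the new `fuzzRustService` declaration does not describe the contract of `void** binders`: the type erases the fact that every element must be an `AIBinder*`, and nothing states that the array is only borrowed for the duration of the call. Since the implementation `static_cast`s each element without a check, I would document it at the declaration, e.g. `// binders: array of numBinders AIBinder* (passed as void*), borrowed for the call; data/len: fuzzer input`. Because the `extern "C"` symbol name is unchanged while its parameter list changed, a caller built against the old three-argument form would presumably still link, so it is worth confirming that no other user of `fuzzRustService` exists outside this change.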
+11 −3
@@ -22,6 +22,9 @@
// and APEX users, but we need access to it to fuzz.
#include "../../ndk/ibinder_internal.h"

using android::IBinder;
using android::sp;

namespace android {

void fuzzService(const std::vector<ndk::SpAIBinder>& binders, FuzzedDataProvider&& provider) {
@@ -41,9 +44,14 @@ void fuzzService(AIBinder* binder, FuzzedDataProvider&& provider) {

extern "C" {
// This API is used by fuzzers to automatically fuzz aidl services
void fuzzRustService(void* binder, const uint8_t* data, size_t len) {
    AIBinder* aiBinder = static_cast<AIBinder*>(binder);
void fuzzRustService(void** binders, size_t numBinders, const uint8_t* data, size_t len) {
    std::vector<sp<IBinder>> cppBinders;
    for (size_t binderIndex = 0; binderIndex < numBinders; ++binderIndex) {
        AIBinder* aiBinder = static_cast<AIBinder*>(binders[binderIndex]);
        cppBinders.push_back(aiBinder->getBinder());
    }

    FuzzedDataProvider provider(data, len);
    android::fuzzService(aiBinder, std::move(provider));
    android::fuzzService(cppBinders, std::move(provider));
}
} // extern "C"
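Review bot: In the new `fuzzRustService` body, `binders[binderIndex]` is cast and immediately dereferenced through `aiBinder->getBinder()` with no null check on either `binders` or the element. At this untyped `void**` boundary a null entry would crash inside the harness and be reported as a crash of the service under test, so an explicit check that aborts with a clear message (or at minimum `if (aiBinder == nullptr) continue;`) keeps harness bugs distinguishable from real findings. `cppBinders.reserve(numBinders);` before the loop would also avoid reallocations while the vector is filled. The two file-scope `using` declarations added in the first hunk appear to serve only this function and could be replaced by spelling `android::sp<android::IBinder>` locally.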