
Commit 706d5dc9 authored by Pawan Wagh's avatar Pawan Wagh Committed by Automerger Merge Worker

Merge "Set AID_SYSTEM, AID_ROOT in fuzzService" into main am: b8bc8bb9 am:...

Merge "Set AID_SYSTEM, AID_ROOT in fuzzService" into main am: b8bc8bb9 am: 07bc50bc am: e83571b6 am: 3c0da775

Original change: https://android-review.googlesource.com/c/platform/frameworks/native/+/2656837



Change-Id: I602299fca6df77ef9419a5a76a13d9144e06ca1f
Signed-off-by: default avatarAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
parents 8b1b3216 3c0da775
+8 −1
@@ -21,6 +21,8 @@
#include <binder/IPCThreadState.h>
#include <binder/ProcessState.h>

#include <private/android_filesystem_config.h>

namespace android {

void fuzzService(const sp<IBinder>& binder, FuzzedDataProvider&& provider) {
@@ -40,7 +42,12 @@ void fuzzService(const std::vector<sp<IBinder>>& binders, FuzzedDataProvider&& p
    // Always take so that a perturbation of just the one ConsumeBool byte will always
    // take the same path, but with a different UID. Without this, the fuzzer needs to
    // guess both the change in value and the shift at the same time.
    int64_t maybeSetUid = provider.ConsumeIntegral<int64_t>();
    int64_t maybeSetUid = provider.PickValueInArray<int64_t>(
            {static_cast<int64_t>(AID_ROOT) << 32, static_cast<int64_t>(AID_SYSTEM) << 32,
             provider.ConsumeIntegralInRange<int64_t>(static_cast<int64_t>(AID_ROOT) << 32,
                                                      static_cast<int64_t>(AID_USER) << 32),
             provider.ConsumeIntegral<int64_t>()});

    if (provider.ConsumeBool()) {
        // set calling uid
        IPCThreadState::self()->restoreCallingIdentity(maybeSetUid);
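Review bot: The new `maybeSetUid` initializer shifts AID_ROOT, AID_SYSTEM and AID_USER left by 32 without saying why, so a reader has to already know the identity-token layout to see which caller UIDs are being injected. Presumably the token passed to `restoreCallingIdentity` carries the calling uid in its upper 32 bits and the pid in the lower 32, which is consistent with the test service comparing `getCallingUid()` against `AID_SYSTEM`. A comment above the array such as `// token = (uid << 32) | pid; the fixed entries use pid 0` would make that explicit. The same comment could state that both `Consume*` calls inside the braced list run for every input, whichever entry is picked, which is what keeps the byte layout stable as the existing comment requires. The body of fuzzService starts and ends outside this hunk.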
+20 −0
@@ -20,6 +20,8 @@
#include <binder/IPCThreadState.h>
#include <log/log.h>

#include <private/android_filesystem_config.h>

using android::binder::Status;

namespace android {
@@ -29,6 +31,8 @@ enum class CrashType {
    ON_PLAIN,
    ON_BINDER,
    ON_KNOWN_UID,
    ON_SYSTEM_AID,
    ON_ROOT_AID,
};

// This service is to verify that fuzzService is functioning properly
@@ -48,6 +52,18 @@ public:
                }
                break;
            }
            case CrashType::ON_SYSTEM_AID: {
                if (IPCThreadState::self()->getCallingUid() == AID_SYSTEM) {
                    LOG_ALWAYS_FATAL("Expected crash, AID_SYSTEM.");
                }
                break;
            }
            case CrashType::ON_ROOT_AID: {
                if (IPCThreadState::self()->getCallingUid() == AID_ROOT) {
                    LOG_ALWAYS_FATAL("Expected crash, AID_ROOT.");
                }
                break;
            }
            default:
                break;
        }
@@ -99,6 +115,10 @@ extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv) {
        gCrashType = CrashType::ON_PLAIN;
    } else if (arg == "KNOWN_UID") {
        gCrashType = CrashType::ON_KNOWN_UID;
    } else if (arg == "AID_SYSTEM") {
        gCrashType = CrashType::ON_SYSTEM_AID;
    } else if (arg == "AID_ROOT") {
        gCrashType = CrashType::ON_ROOT_AID;
    } else if (arg == "BINDER") {
        gCrashType = CrashType::ON_BINDER;
    } else {
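Review bot: The `ON_ROOT_AID` case may not prove what it is meant to. If the fuzzer process itself runs as uid 0, `getCallingUid()` likely already reports AID_ROOT when no identity has been restored, so the should-crash run for AID_ROOT could pass even if the root entry in fuzzService were missing. That would silently remove the regression guard for privileged-caller coverage. At minimum the case should carry a comment such as `// Only meaningful when the fuzzer process is not itself running as root.`; a stronger option is to have LLVMFuzzerInitialize reject the AID_ROOT argument when the process uid is already root. The same reasoning applies to `ON_SYSTEM_AID` if the harness is ever run as the system uid. The transaction handler and LLVMFuzzerInitialize both continue outside the visible hunks, so this should be confirmed against the full file.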
+1 −1
@@ -27,7 +27,7 @@ then
    exit 1
fi

for CRASH_TYPE in PLAIN KNOWN_UID BINDER; do
for CRASH_TYPE in PLAIN KNOWN_UID AID_SYSTEM AID_ROOT BINDER; do
    echo "INFO: Running fuzzer : test_service_fuzzer_should_crash $CRASH_TYPE"

    ./test_service_fuzzer_should_crash "$CRASH_TYPE" -max_total_time=30 &>"$FUZZER_OUT"