
Commit 82eb33b0 authored by Steven Moreland's avatar Steven Moreland Committed by Automerger Merge Worker

Merge "libbinder_ndk: fwd fuzzing status to NDK binders" am: 8a04aa9e am:...

Merge "libbinder_ndk: fwd fuzzing status to NDK binders" am: 8a04aa9e am: 86189160 am: 3128270e am: c2b66331

Original change: https://android-review.googlesource.com/c/platform/frameworks/native/+/2645199



Change-Id: Id3d32b70b105355ec07c226752316aa00c53d272
Signed-off-by: default avatarAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
parents 84e05eea c2b66331
+4 −0
@@ -992,6 +992,10 @@ void Parcel::setServiceFuzzing() {
    mServiceFuzzing = true;
}

bool Parcel::isServiceFuzzing() const {
    return mServiceFuzzing;
}

binder::Status Parcel::enforceNoDataAvail() const {
    if (!mEnforceNoDataAvail) {
        return binder::Status::ok();
+1 −0
@@ -152,6 +152,7 @@ public:
    // When fuzzing, we want to remove certain ABI checks that cause significant
    // lost coverage, and we also want to avoid logs that cost too much to write.
    void setServiceFuzzing();
    bool isServiceFuzzing() const;

    void                freeData();

+1 −1
@@ -137,7 +137,7 @@ bool AIBinder::associateClass(const AIBinder_Class* clazz) {
    // since it's an error condition. Do the comparison after we take the lock and
    // check the pointer equality fast path. By always taking the lock, it's also
    // more flake-proof. However, the check is not dependent on the lock.
    if (descriptor != newDescriptor) {
    if (descriptor != newDescriptor && !(asABpBinder() && asABpBinder()->isServiceFuzzing())) {
        if (getBinder()->isBinderAlive()) {
            LOG(ERROR) << __func__ << ": Expecting binder to have class '" << newDescriptor
                       << "' but descriptor is actually '" << SanitizeString(descriptor) << "'.";
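Review bot: The new condition in AIBinder::associateClass skips the descriptor mismatch branch for any proxy whose mServiceFuzzing flag is set, and nothing in the visible lines ties that flag to a fuzzing-only build. This branch is the one that reports a binder whose descriptor does not match the expected class, so the exemption should be stated in the comment above it, e.g. `// Exception: proxies read from a fuzzing Parcel carry arbitrary descriptors, so the check is skipped for them.` It is also worth confirming that Parcel::setServiceFuzzing cannot be reached in a production process; this page does not show its callers. As a style point, asABpBinder() is called twice in the condition; `ABpBinder* bp = asABpBinder();` before the `if` reads more clearly. The function starts and ends outside the hunk.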
+4 −0
@@ -104,10 +104,14 @@ struct ABpBinder : public AIBinder {
    ::android::sp<::android::IBinder> getBinder() override { return mRemote; }
    ABpBinder* asABpBinder() override { return this; }

    bool isServiceFuzzing() const { return mServiceFuzzing; }
    void setServiceFuzzing() { mServiceFuzzing = true; }

   private:
    friend android::sp<ABpBinder>;
    explicit ABpBinder(const ::android::sp<::android::IBinder>& binder);
    ::android::sp<::android::IBinder> mRemote;
    bool mServiceFuzzing = false;
};

struct AIBinder_Class {
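Review bot: The added isServiceFuzzing()/setServiceFuzzing() accessors and the mServiceFuzzing member in ABpBinder have no comment, although the flag changes a safety-relevant behaviour: the associateClass section uses it to skip the descriptor mismatch check for this proxy. I would document that on the member, e.g. `// Set for proxies read from a Parcel in service-fuzzing mode; makes associateClass skip the descriptor check.` The field is a plain `bool` written in AParcel_readStrongBinder and read in associateClass. If a proxy can be touched from more than one thread during fuzzing, that access is unsynchronised, so either state why it is single-threaded or declare it `std::atomic<bool> mServiceFuzzing = false;`.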
+7 −0
@@ -270,6 +270,13 @@ binder_status_t AParcel_readStrongBinder(const AParcel* parcel, AIBinder** binde
    }
    sp<AIBinder> ret = ABpBinder::lookupOrCreateFromBinder(readBinder);
    AIBinder_incStrong(ret.get());

    if (ret.get() != nullptr && parcel->get()->isServiceFuzzing()) {
        if (auto bp = ret->asABpBinder(); bp != nullptr) {
            bp->setServiceFuzzing();
        }
    }

    *binder = ret.get();
    return PruneStatusT(status);
}
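Review bot: The added block in AParcel_readStrongBinder calls setServiceFuzzing() on whatever ABpBinder::lookupOrCreateFromBinder returns, which, judging by its name, may be an already existing proxy shared with other holders, and the flag has no way to be cleared. If that is the case, a single read from a fuzzing parcel exempts that proxy from the descriptor check in associateClass for its whole lifetime and for every user. That is presumably acceptable inside a fuzzer process, but the block should say so, e.g. `// Fuzzing only: mark the proxy so associateClass tolerates a mismatched descriptor; the mark is sticky.` The function starts outside the hunk.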