Loading libs/binder/Parcel.cpp +4 −0 Original line number Original line Diff line number Diff line Loading @@ -992,6 +992,10 @@ void Parcel::setServiceFuzzing() { mServiceFuzzing = true; mServiceFuzzing = true; } } bool Parcel::isServiceFuzzing() const { return mServiceFuzzing; } binder::Status Parcel::enforceNoDataAvail() const { binder::Status Parcel::enforceNoDataAvail() const { if (!mEnforceNoDataAvail) { if (!mEnforceNoDataAvail) { return binder::Status::ok(); return binder::Status::ok(); Loading libs/binder/include/binder/Parcel.h +1 −0 Original line number Original line Diff line number Diff line Loading @@ -152,6 +152,7 @@ public: // When fuzzing, we want to remove certain ABI checks that cause significant // When fuzzing, we want to remove certain ABI checks that cause significant // lost coverage, and we also want to avoid logs that cost too much to write. // lost coverage, and we also want to avoid logs that cost too much to write. void setServiceFuzzing(); void setServiceFuzzing(); bool isServiceFuzzing() const; void freeData(); void freeData(); Loading libs/binder/ndk/ibinder.cpp +1 −1 Original line number Original line Diff line number Diff line Loading 
@@ -137,7 +137,7 @@ bool AIBinder::associateClass(const AIBinder_Class* clazz) { // since it's an error condition. Do the comparison after we take the lock and // since it's an error condition. Do the comparison after we take the lock and // check the pointer equality fast path. By always taking the lock, it's also // check the pointer equality fast path. By always taking the lock, it's also // more flake-proof. However, the check is not dependent on the lock. // more flake-proof. However, the check is not dependent on the lock. if (descriptor != newDescriptor) { if (descriptor != newDescriptor && !(asABpBinder() && asABpBinder()->isServiceFuzzing())) { if (getBinder()->isBinderAlive()) { if (getBinder()->isBinderAlive()) { LOG(ERROR) << __func__ << ": Expecting binder to have class '" << newDescriptor LOG(ERROR) << __func__ << ": Expecting binder to have class '" << newDescriptor << "' but descriptor is actually '" << SanitizeString(descriptor) << "'."; << "' but descriptor is actually '" << SanitizeString(descriptor) << "'."; Loading libs/binder/ndk/ibinder_internal.h +4 −0 Original line number Original line Diff line number Diff line Loading 
@@ -104,10 +104,14 @@ struct ABpBinder : public AIBinder { ::android::sp<::android::IBinder> getBinder() override { return mRemote; } ::android::sp<::android::IBinder> getBinder() override { return mRemote; } ABpBinder* asABpBinder() override { return this; } ABpBinder* asABpBinder() override { return this; } bool isServiceFuzzing() const { return mServiceFuzzing; } void setServiceFuzzing() { mServiceFuzzing = true; } private: private: friend android::sp<ABpBinder>; friend android::sp<ABpBinder>; explicit ABpBinder(const ::android::sp<::android::IBinder>& binder); explicit ABpBinder(const ::android::sp<::android::IBinder>& binder); ::android::sp<::android::IBinder> mRemote; ::android::sp<::android::IBinder> mRemote; bool mServiceFuzzing = false; }; }; struct AIBinder_Class { struct AIBinder_Class { Loading libs/binder/ndk/parcel.cpp +7 −0 Original line number Original line Diff line number Diff line Loading @@ -270,6 +270,13 @@ binder_status_t AParcel_readStrongBinder(const AParcel* parcel, AIBinder** binde } } sp<AIBinder> ret = ABpBinder::lookupOrCreateFromBinder(readBinder); sp<AIBinder> ret = ABpBinder::lookupOrCreateFromBinder(readBinder); AIBinder_incStrong(ret.get()); AIBinder_incStrong(ret.get()); if (ret.get() != nullptr && parcel->get()->isServiceFuzzing()) { if (auto bp = ret->asABpBinder(); bp != nullptr) { bp->setServiceFuzzing(); } } *binder = ret.get(); *binder = ret.get(); return PruneStatusT(status); return PruneStatusT(status); } } Loading Loading
libs/binder/Parcel.cpp +4 −0 Original line number Original line Diff line number Diff line Loading @@ -992,6 +992,10 @@ void Parcel::setServiceFuzzing() { mServiceFuzzing = true; mServiceFuzzing = true; } } bool Parcel::isServiceFuzzing() const { return mServiceFuzzing; } binder::Status Parcel::enforceNoDataAvail() const { binder::Status Parcel::enforceNoDataAvail() const { if (!mEnforceNoDataAvail) { if (!mEnforceNoDataAvail) { return binder::Status::ok(); return binder::Status::ok(); Loading
libs/binder/include/binder/Parcel.h +1 −0 Original line number Original line Diff line number Diff line Loading @@ -152,6 +152,7 @@ public: // When fuzzing, we want to remove certain ABI checks that cause significant // When fuzzing, we want to remove certain ABI checks that cause significant // lost coverage, and we also want to avoid logs that cost too much to write. // lost coverage, and we also want to avoid logs that cost too much to write. void setServiceFuzzing(); void setServiceFuzzing(); bool isServiceFuzzing() const; void freeData(); void freeData(); Loading
libs/binder/ndk/ibinder.cpp +1 −1 Original line number Original line Diff line number Diff line Loading @@ -137,7 +137,7 @@ bool AIBinder::associateClass(const AIBinder_Class* clazz) { // since it's an error condition. Do the comparison after we take the lock and // since it's an error condition. Do the comparison after we take the lock and // check the pointer equality fast path. By always taking the lock, it's also // check the pointer equality fast path. By always taking the lock, it's also // more flake-proof. However, the check is not dependent on the lock. // more flake-proof. However, the check is not dependent on the lock. if (descriptor != newDescriptor) { if (descriptor != newDescriptor && !(asABpBinder() && asABpBinder()->isServiceFuzzing())) { if (getBinder()->isBinderAlive()) { if (getBinder()->isBinderAlive()) { LOG(ERROR) << __func__ << ": Expecting binder to have class '" << newDescriptor LOG(ERROR) << __func__ << ": Expecting binder to have class '" << newDescriptor << "' but descriptor is actually '" << SanitizeString(descriptor) << "'."; << "' but descriptor is actually '" << SanitizeString(descriptor) << "'."; Loading
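Review bot: The new condition evaluates `asABpBinder()` twice, and the three-line comment just above it (which says the descriptor comparison is always performed) no longer describes what the code does; hoist the lookup and extend the comment. Suggested: add `ABpBinder* bp = asABpBinder();` before the `if`, change the condition to `if (descriptor != newDescriptor && !(bp && bp->isServiceFuzzing())) {`, and append a comment line such as `// Under service fuzzing (flag propagated in AParcel_readStrongBinder) a descriptor mismatch is tolerated; this must never be reachable outside a fuzzer.` The body of associateClass starts and ends outside the hunk, so whether the proxy pointer is already fetched earlier cannot be seen from here.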
libs/binder/ndk/ibinder_internal.h +4 −0 Original line number Original line Diff line number Diff line Loading @@ -104,10 +104,14 @@ struct ABpBinder : public AIBinder { ::android::sp<::android::IBinder> getBinder() override { return mRemote; } ::android::sp<::android::IBinder> getBinder() override { return mRemote; } ABpBinder* asABpBinder() override { return this; } ABpBinder* asABpBinder() override { return this; } bool isServiceFuzzing() const { return mServiceFuzzing; } void setServiceFuzzing() { mServiceFuzzing = true; } private: private: friend android::sp<ABpBinder>; friend android::sp<ABpBinder>; explicit ABpBinder(const ::android::sp<::android::IBinder>& binder); explicit ABpBinder(const ::android::sp<::android::IBinder>& binder); ::android::sp<::android::IBinder> mRemote; ::android::sp<::android::IBinder> mRemote; bool mServiceFuzzing = false; }; }; struct AIBinder_Class { struct AIBinder_Class { Loading
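Review bot: `mServiceFuzzing` is written by `setServiceFuzzing()` (from AParcel_readStrongBinder) and read by `isServiceFuzzing()` (from associateClass) with no synchronization visible in this hunk; the lock mentioned in associateClass's comment does not cover the write, so if one ABpBinder can be reached from several threads — likely, since it is looked up from a shared table — the plain `bool` is a data race. Either declare it `std::atomic<bool> mServiceFuzzing{false};` (relaxed loads/stores are enough for a sticky flag) or document that it is only set before the proxy is shared. The two new accessors also lack the explanatory comment their Parcel.h counterparts have; suggest `// Sticky: once set, class-descriptor mismatches on this proxy are tolerated (fuzzing only).` above them. The ABpBinder definition starts outside the hunk.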
libs/binder/ndk/parcel.cpp +7 −0 Original line number Original line Diff line number Diff line Loading @@ -270,6 +270,13 @@ binder_status_t AParcel_readStrongBinder(const AParcel* parcel, AIBinder** binde } } sp<AIBinder> ret = ABpBinder::lookupOrCreateFromBinder(readBinder); sp<AIBinder> ret = ABpBinder::lookupOrCreateFromBinder(readBinder); AIBinder_incStrong(ret.get()); AIBinder_incStrong(ret.get()); if (ret.get() != nullptr && parcel->get()->isServiceFuzzing()) { if (auto bp = ret->asABpBinder(); bp != nullptr) { bp->setServiceFuzzing(); } } *binder = ret.get(); *binder = ret.get(); return PruneStatusT(status); return PruneStatusT(status); } } Loading
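Review bot: The new block has no comment saying why a parcel's fuzzing mode is copied onto the binder, and because `lookupOrCreateFromBinder` (per its name) may return an already-existing proxy, a single read from a fuzzing parcel marks that shared proxy for its whole lifetime — worth stating so the flag is not mistaken for a per-read property. Suggested comment above the `if`: `// Propagate fuzzing mode to the proxy so associateClass() tolerates descriptor mismatches; the flag is sticky for the (possibly shared) ABpBinder.` The new `ret.get() != nullptr` check also sits after `AIBinder_incStrong(ret.get())` on the preceding line, so if `ret` can actually be null that earlier call already receives it; the incStrong is pre-existing, but the new check suggests null is expected, so one of the two lines is presumably wrong about that. AParcel_readStrongBinder's body starts outside the hunk.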