Merge "Delete fds and binders in fuzzService" am: 0f30f020f1 am: f8a18bee98 (8d0da902) · Commits · e / os / platform_frameworks_native

libs/binder/tests/parcel_fuzzer/libbinder_driver.cpp

+60 −34

Original line number	Diff line number	Diff line
		@@ -37,8 +37,11 @@ void fuzzService(const sp<IBinder>& binder, FuzzedDataProvider&& provider) {
		}

		while (provider.remaining_bytes() > 0) {
		provider.PickValueInArray<std::function<void()>>({
		[&]() {
		// Most of the AIDL services will have small set of transaction codes.
		uint32_t code = provider.ConsumeBool() ? provider.ConsumeIntegral<uint32_t>()
		uint32_t code = provider.ConsumeBool()
		? provider.ConsumeIntegral<uint32_t>()
		: provider.ConsumeIntegralInRange<uint32_t>(0, 100);
		uint32_t flags = provider.ConsumeIntegral<uint32_t>();
		Parcel data;
		@@ -46,7 +49,9 @@ void fuzzService(const sp<IBinder>& binder, FuzzedDataProvider&& provider) {
		data.setEnforceNoDataAvail(provider.ConsumeBool());

		sp<IBinder> target = options.extraBinders.at(
		provider.ConsumeIntegralInRange<size_t>(0, options.extraBinders.size() - 1));
		provider.ConsumeIntegralInRange<size_t>(0,
		options.extraBinders.size() -
		1));
		options.writeHeader = [&target](Parcel* p, FuzzedDataProvider& provider) {
		// most code will be behind checks that the head of the Parcel
		// is exactly this, so make it easier for fuzzers to reach this
		@@ -57,7 +62,8 @@ void fuzzService(const sp<IBinder>& binder, FuzzedDataProvider&& provider) {

		std::vector<uint8_t> subData = provider.ConsumeBytes<uint8_t>(
		provider.ConsumeIntegralInRange<size_t>(0, provider.remaining_bytes()));
		fillRandomParcel(&data, FuzzedDataProvider(subData.data(), subData.size()), &options);
		fillRandomParcel(&data, FuzzedDataProvider(subData.data(), subData.size()),
		&options);

		Parcel reply;
		// for increased fuzz coverage
		@@ -74,10 +80,30 @@ void fuzzService(const sp<IBinder>& binder, FuzzedDataProvider&& provider) {
		for (size_t i = 0; i < retFds.size(); i++) {
		options.extraFds.push_back(base::unique_fd(dup(retFds[i])));
		}
		},
		[&]() {
		if (options.extraFds.size() == 0) {
		return;
		}
		uint32_t toDelete =
		provider.ConsumeIntegralInRange<uint32_t>(0,
		options.extraFds.size() - 1);
		options.extraFds.erase(options.extraFds.begin() + toDelete);
		},
		[&]() {
		if (options.extraBinders.size() <= 1) {
		return;
		}
		uint32_t toDelete =
		provider.ConsumeIntegralInRange<uint32_t>(0,
		options.extraBinders.size() -
		1);
		options.extraBinders.erase(options.extraBinders.begin() + toDelete);
		},
		})();
		}

		// invariants

		auto ps = ProcessState::selfOrNull();
		if (ps) {
		CHECK_EQ(0, ps->getThreadPoolMaxTotalThreadCount())