Merge "Skipping enforceNoDataAvail in fuzzService" am: 84af7ae353 am: 77d868a476 (9de12854) · Commits · e / os / platform_frameworks_native

libs/binder/Parcel.cpp

+9 −0

Original line number	Diff line number	Diff line
		@@ -966,7 +966,15 @@ bool Parcel::enforceInterface(const char16_t* interface,
		}
		}

		void Parcel::setEnforceNoDataAvail(bool enforceNoDataAvail) {
		mEnforceNoDataAvail = enforceNoDataAvail;
		}

		binder::Status Parcel::enforceNoDataAvail() const {
		if (!mEnforceNoDataAvail) {
		return binder::Status::ok();
		}

		const auto n = dataAvail();
		if (n == 0) {
		return binder::Status::ok();
		@@ -3077,6 +3085,7 @@ void Parcel::initState()
		mAllowFds = true;
		mDeallocZero = false;
		mOwner = nullptr;
		mEnforceNoDataAvail = true;
		}

		void Parcel::scanForFds() const {

+6 −0

Original line number	Diff line number	Diff line
		@@ -150,6 +150,9 @@ public:
		// Returns Status(EX_BAD_PARCELABLE) when the Parcel is not consumed.
		binder::Status enforceNoDataAvail() const;

		// This Api is used by fuzzers to skip dataAvail checks.
		void setEnforceNoDataAvail(bool enforceNoDataAvail);

		void freeData();

		size_t objectsCount() const;
		@@ -1329,6 +1332,9 @@ private:
		// data to be overridden with zero when deallocated
		mutable bool mDeallocZero;

		// Set this to false to skip dataAvail checks.
		bool mEnforceNoDataAvail;

		release_func mOwner;

		size_t mReserved;

+4 −0

Original line number	Diff line number	Diff line
		@@ -34,6 +34,8 @@ void fuzzService(const sp<IBinder>& binder, FuzzedDataProvider&& provider) {
		uint32_t code = provider.ConsumeIntegral<uint32_t>();
		uint32_t flags = provider.ConsumeIntegral<uint32_t>();
		Parcel data;
		// for increased fuzz coverage
		data.setEnforceNoDataAvail(provider.ConsumeBool());

		sp<IBinder> target = options.extraBinders.at(
		provider.ConsumeIntegralInRange<size_t>(0, options.extraBinders.size() - 1));
		@@ -50,6 +52,8 @@ void fuzzService(const sp<IBinder>& binder, FuzzedDataProvider&& provider) {
		fillRandomParcel(&data, FuzzedDataProvider(subData.data(), subData.size()), &options);

		Parcel reply;
		// for increased fuzz coverage
		reply.setEnforceNoDataAvail(provider.ConsumeBool());
		(void)target->transact(code, data, &reply, flags);

		// feed back in binders and fds that are returned from the service, so that