Loading libs/binder/tests/parcel_fuzzer/libbinder_driver.cpp +8 −1 Original line number Diff line number Diff line Loading @@ -21,6 +21,8 @@ #include <binder/IPCThreadState.h> #include <binder/ProcessState.h> #include <private/android_filesystem_config.h> namespace android { void fuzzService(const sp<IBinder>& binder, FuzzedDataProvider&& provider) { Loading @@ -40,7 +42,12 @@ void fuzzService(const std::vector<sp<IBinder>>& binders, FuzzedDataProvider&& p // Always take so that a perturbation of just the one ConsumeBool byte will always // take the same path, but with a different UID. Without this, the fuzzer needs to // guess both the change in value and the shift at the same time. int64_t maybeSetUid = provider.ConsumeIntegral<int64_t>(); int64_t maybeSetUid = provider.PickValueInArray<int64_t>( {static_cast<int64_t>(AID_ROOT) << 32, static_cast<int64_t>(AID_SYSTEM) << 32, provider.ConsumeIntegralInRange<int64_t>(static_cast<int64_t>(AID_ROOT) << 32, static_cast<int64_t>(AID_USER) << 32), provider.ConsumeIntegral<int64_t>()}); if (provider.ConsumeBool()) { // set calling uid IPCThreadState::self()->restoreCallingIdentity(maybeSetUid); Loading libs/binder/tests/parcel_fuzzer/test_fuzzer/TestServiceFuzzer.cpp +20 −0 Original line number Diff line number Diff line Loading @@ -20,6 +20,8 @@ #include <binder/IPCThreadState.h> #include <log/log.h> #include <private/android_filesystem_config.h> using android::binder::Status; namespace android { Loading @@ -29,6 +31,8 @@ enum class CrashType { ON_PLAIN, ON_BINDER, ON_KNOWN_UID, ON_SYSTEM_AID, ON_ROOT_AID, }; // This service is to verify that fuzzService is functioning properly Loading 
@@ -48,6 +52,18 @@ public: } break; } case CrashType::ON_SYSTEM_AID: { if (IPCThreadState::self()->getCallingUid() == AID_SYSTEM) { LOG_ALWAYS_FATAL("Expected crash, AID_SYSTEM."); } break; } case CrashType::ON_ROOT_AID: { if (IPCThreadState::self()->getCallingUid() == AID_ROOT) { LOG_ALWAYS_FATAL("Expected crash, AID_ROOT."); } break; } default: break; } Loading Loading @@ -99,6 +115,10 @@ extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv) { gCrashType = CrashType::ON_PLAIN; } else if (arg == "KNOWN_UID") { gCrashType = CrashType::ON_KNOWN_UID; } else if (arg == "AID_SYSTEM") { gCrashType = CrashType::ON_SYSTEM_AID; } else if (arg == "AID_ROOT") { gCrashType = CrashType::ON_ROOT_AID; } else if (arg == "BINDER") { gCrashType = CrashType::ON_BINDER; } else { Loading libs/binder/tests/parcel_fuzzer/test_fuzzer/run_fuzz_service_test.sh +1 −1 Original line number Diff line number Diff line Loading @@ -27,7 +27,7 @@ then exit 1 fi for CRASH_TYPE in PLAIN KNOWN_UID BINDER; do for CRASH_TYPE in PLAIN KNOWN_UID AID_SYSTEM AID_ROOT BINDER; do echo "INFO: Running fuzzer : test_service_fuzzer_should_crash $CRASH_TYPE" ./test_service_fuzzer_should_crash "$CRASH_TYPE" -max_total_time=30 &>"$FUZZER_OUT" Loading Loading
libs/binder/tests/parcel_fuzzer/libbinder_driver.cpp +8 −1 Original line number Diff line number Diff line Loading @@ -21,6 +21,8 @@ #include <binder/IPCThreadState.h> #include <binder/ProcessState.h> #include <private/android_filesystem_config.h> namespace android { void fuzzService(const sp<IBinder>& binder, FuzzedDataProvider&& provider) { Loading @@ -40,7 +42,12 @@ void fuzzService(const std::vector<sp<IBinder>>& binders, FuzzedDataProvider&& p // Always take so that a perturbation of just the one ConsumeBool byte will always // take the same path, but with a different UID. Without this, the fuzzer needs to // guess both the change in value and the shift at the same time. int64_t maybeSetUid = provider.ConsumeIntegral<int64_t>(); int64_t maybeSetUid = provider.PickValueInArray<int64_t>( {static_cast<int64_t>(AID_ROOT) << 32, static_cast<int64_t>(AID_SYSTEM) << 32, provider.ConsumeIntegralInRange<int64_t>(static_cast<int64_t>(AID_ROOT) << 32, static_cast<int64_t>(AID_USER) << 32), provider.ConsumeIntegral<int64_t>()}); if (provider.ConsumeBool()) { // set calling uid IPCThreadState::self()->restoreCallingIdentity(maybeSetUid); Loading
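Review bot: All four entries of the PickValueInArray initializer are evaluated before one is picked, so the ConsumeIntegralInRange and ConsumeIntegral entries both draw bytes from the provider on every call even when the fixed AID_ROOT or AID_SYSTEM token is selected; that keeps consumption constant, which the comment above relies on, but it is not obvious from the call and deserves a comment. It is also worth stating that the picked value is a whole identity token rather than a uid: the uid is shifted into the high 32 bits, so presumably the low 32 bits (the pid restoreCallingIdentity restores) are 0 for the two fixed entries and random for the other two — confirm against the token layout. Note that `static_cast<int64_t>(AID_ROOT) << 32` is simply 0, and the ranged entry only covers uids up to AID_USER (10000), so app uids only arrive via the unconstrained ConsumeIntegral entry. I would add above the call: `// Bias the calling identity toward privileged callers (root, system, a system-range uid) plus a fully random token. Every entry is evaluated and consumes provider bytes before the pick, so consumption is identical whichever value wins; the low 32 bits are the calling pid.` fuzzService continues outside the hunk.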
libs/binder/tests/parcel_fuzzer/test_fuzzer/TestServiceFuzzer.cpp +20 −0 Original line number Diff line number Diff line Loading @@ -20,6 +20,8 @@ #include <binder/IPCThreadState.h> #include <log/log.h> #include <private/android_filesystem_config.h> using android::binder::Status; namespace android { Loading @@ -29,6 +31,8 @@ enum class CrashType { ON_PLAIN, ON_BINDER, ON_KNOWN_UID, ON_SYSTEM_AID, ON_ROOT_AID, }; // This service is to verify that fuzzService is functioning properly Loading @@ -48,6 +52,18 @@ public: } break; } case CrashType::ON_SYSTEM_AID: { if (IPCThreadState::self()->getCallingUid() == AID_SYSTEM) { LOG_ALWAYS_FATAL("Expected crash, AID_SYSTEM."); } break; } case CrashType::ON_ROOT_AID: { if (IPCThreadState::self()->getCallingUid() == AID_ROOT) { LOG_ALWAYS_FATAL("Expected crash, AID_ROOT."); } break; } default: break; } Loading Loading @@ -99,6 +115,10 @@ extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv) { gCrashType = CrashType::ON_PLAIN; } else if (arg == "KNOWN_UID") { gCrashType = CrashType::ON_KNOWN_UID; } else if (arg == "AID_SYSTEM") { gCrashType = CrashType::ON_SYSTEM_AID; } else if (arg == "AID_ROOT") { gCrashType = CrashType::ON_ROOT_AID; } else if (arg == "BINDER") { gCrashType = CrashType::ON_BINDER; } else { Loading
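Review bot: The ON_ROOT_AID case compares the calling uid with AID_ROOT, which is 0, so if the calling identity is left at its default whenever fuzzService does not set it and that default is the process's own uid, a harness running as root would hit this LOG_ALWAYS_FATAL without fuzzService ever injecting AID_ROOT, and the test would pass without proving what it is meant to prove. The hunk does not show what the default identity is, so this is an inference to confirm; if it holds, run the test under a non-root uid or additionally check the pid half of the token the driver sets. At minimum I would add above the case: `// AID_ROOT is 0: this only demonstrates that fuzzService set the uid if the harness itself is not running as root.` As a point of style, the enumerators are named ON_SYSTEM_AID/ON_ROOT_AID while the command-line strings are AID_SYSTEM/AID_ROOT; naming them ON_AID_SYSTEM/ON_AID_ROOT keeps the enum and the argument parsing aligned. Both the switch and LLVMFuzzerInitialize start and end outside the hunk.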
libs/binder/tests/parcel_fuzzer/test_fuzzer/run_fuzz_service_test.sh +1 −1 Original line number Diff line number Diff line Loading @@ -27,7 +27,7 @@ then exit 1 fi for CRASH_TYPE in PLAIN KNOWN_UID BINDER; do for CRASH_TYPE in PLAIN KNOWN_UID AID_SYSTEM AID_ROOT BINDER; do echo "INFO: Running fuzzer : test_service_fuzzer_should_crash $CRASH_TYPE" ./test_service_fuzzer_should_crash "$CRASH_TYPE" -max_total_time=30 &>"$FUZZER_OUT" Loading