Loading libs/binder/tests/parcel_fuzzer/libbinder_driver.cpp +35 −62 Original line number Diff line number Diff line Loading @@ -43,11 +43,8 @@ void fuzzService(const std::vector<sp<IBinder>>& binders, FuzzedDataProvider&& p } while (provider.remaining_bytes() > 0) { provider.PickValueInArray<std::function<void()>>({ [&]() { // Most of the AIDL services will have small set of transaction codes. uint32_t code = provider.ConsumeBool() ? provider.ConsumeIntegral<uint32_t>() uint32_t code = provider.ConsumeBool() ? provider.ConsumeIntegral<uint32_t>() : provider.ConsumeIntegralInRange<uint32_t>(0, 100); uint32_t flags = provider.ConsumeIntegral<uint32_t>(); Parcel data; Loading @@ -56,9 +53,7 @@ void fuzzService(const std::vector<sp<IBinder>>& binders, FuzzedDataProvider&& p data.setServiceFuzzing(); sp<IBinder> target = options.extraBinders.at( provider.ConsumeIntegralInRange<size_t>(0, options.extraBinders.size() - 1)); provider.ConsumeIntegralInRange<size_t>(0, options.extraBinders.size() - 1)); options.writeHeader = [&target](Parcel* p, FuzzedDataProvider& provider) { // most code will be behind checks that the head of the Parcel // is exactly this, so make it easier for fuzzers to reach this Loading @@ -69,8 +64,7 @@ void fuzzService(const std::vector<sp<IBinder>>& binders, FuzzedDataProvider&& p std::vector<uint8_t> subData = provider.ConsumeBytes<uint8_t>( provider.ConsumeIntegralInRange<size_t>(0, provider.remaining_bytes())); fillRandomParcel(&data, FuzzedDataProvider(subData.data(), subData.size()), &options); fillRandomParcel(&data, FuzzedDataProvider(subData.data(), subData.size()), &options); Parcel reply; // for increased fuzz coverage Loading @@ -88,27 +82,6 @@ void fuzzService(const std::vector<sp<IBinder>>& binders, FuzzedDataProvider&& p for (size_t i = 0; i < retFds.size(); i++) { options.extraFds.push_back(base::unique_fd(dup(retFds[i]))); } }, [&]() { if (options.extraFds.size() == 0) { return; } uint32_t toDelete = provider.ConsumeIntegralInRange<uint32_t>(0, options.extraFds.size() - 1); options.extraFds.erase(options.extraFds.begin() + toDelete); }, [&]() { if (options.extraBinders.size() <= 1) { return; } uint32_t toDelete = provider.ConsumeIntegralInRange<uint32_t>(0, options.extraBinders.size() - 1); options.extraBinders.erase(options.extraBinders.begin() + toDelete); }, })(); } // invariants Loading Loading
libs/binder/tests/parcel_fuzzer/libbinder_driver.cpp +35 −62 Original line number Diff line number Diff line Loading @@ -43,11 +43,8 @@ void fuzzService(const std::vector<sp<IBinder>>& binders, FuzzedDataProvider&& p } while (provider.remaining_bytes() > 0) { provider.PickValueInArray<std::function<void()>>({ [&]() { // Most of the AIDL services will have small set of transaction codes. uint32_t code = provider.ConsumeBool() ? provider.ConsumeIntegral<uint32_t>() uint32_t code = provider.ConsumeBool() ? provider.ConsumeIntegral<uint32_t>() : provider.ConsumeIntegralInRange<uint32_t>(0, 100); uint32_t flags = provider.ConsumeIntegral<uint32_t>(); Parcel data; Loading @@ -56,9 +53,7 @@ void fuzzService(const std::vector<sp<IBinder>>& binders, FuzzedDataProvider&& p data.setServiceFuzzing(); sp<IBinder> target = options.extraBinders.at( provider.ConsumeIntegralInRange<size_t>(0, options.extraBinders.size() - 1)); provider.ConsumeIntegralInRange<size_t>(0, options.extraBinders.size() - 1)); options.writeHeader = [&target](Parcel* p, FuzzedDataProvider& provider) { // most code will be behind checks that the head of the Parcel // is exactly this, so make it easier for fuzzers to reach this Loading @@ -69,8 +64,7 @@ void fuzzService(const std::vector<sp<IBinder>>& binders, FuzzedDataProvider&& p std::vector<uint8_t> subData = provider.ConsumeBytes<uint8_t>( provider.ConsumeIntegralInRange<size_t>(0, provider.remaining_bytes())); fillRandomParcel(&data, FuzzedDataProvider(subData.data(), subData.size()), &options); fillRandomParcel(&data, FuzzedDataProvider(subData.data(), subData.size()), &options); Parcel reply; // for increased fuzz coverage Loading @@ -88,27 +82,6 @@ void fuzzService(const std::vector<sp<IBinder>>& binders, FuzzedDataProvider&& p for (size_t i = 0; i < retFds.size(); i++) { options.extraFds.push_back(base::unique_fd(dup(retFds[i]))); } }, [&]() { if (options.extraFds.size() == 0) { return; } uint32_t toDelete = provider.ConsumeIntegralInRange<uint32_t>(0, options.extraFds.size() - 1); options.extraFds.erase(options.extraFds.begin() + toDelete); }, [&]() { if (options.extraBinders.size() <= 1) { return; } uint32_t toDelete = provider.ConsumeIntegralInRange<uint32_t>(0, options.extraBinders.size() - 1); options.extraBinders.erase(options.extraBinders.begin() + toDelete); }, })(); } // invariants Loading
