| author | 2023-05-19 18:24:14 +0000 | |
|---|---|---|
| committer | 2023-05-19 22:52:56 +0000 | |
| commit | 94134f25fef9f2fd7bff29148514a9eef9328c09 (patch) | |
| tree | 486987b1ac51b8f51432a19fabe77421230fc086 | |
| parent | 855810c4e9c2e03d025d47f75ba199586af791d5 (diff) | |
Adding fuzzer to verify fuzzService functionality
Adding a TestService which crashes and adding a fuzzer to fuzz this
service. Whenever fuzzService is modified, this fuzzer should be
run. It usually crashes in the first few seconds.
This fuzzer won't run on the infra
Test: m test_service_fuzzer_should_crash && out/host/linux-x86/fuzz/x86_64/test_service_fuzzer_should_crash/test_service_fuzzer_should_crash
Test: m test_service_fuzzer_should_crash && adb sync data && adb shell /data/fuzz/x86_64/test_service_fuzzer_should_crash/test_service_fuzzer_should_crash
Bug: 282239388
Change-Id: I6b0da6a9dcf9708be5a6df2315c58b0bd38fbf9a
3 files changed, 117 insertions, 0 deletions
diff --git a/libs/binder/tests/parcel_fuzzer/test_fuzzer/Android.bp b/libs/binder/tests/parcel_fuzzer/test_fuzzer/Android.bp
new file mode 100644
index 0000000000..28da285128
--- /dev/null
+++ b/libs/binder/tests/parcel_fuzzer/test_fuzzer/Android.bp
@@ -0,0 +1,42 @@
+package {
+ default_applicable_licenses: ["frameworks_native_license"],
+}
+
+aidl_interface {
+ name: "testServiceIface",
+ host_supported: true,
+ unstable: true,
+ srcs: [
+ "ITestService.aidl",
+ ],
+ backend: {
+ java: {
+ enabled: true,
+ platform_apis: true,
+ },
+ rust: {
+ enabled: true,
+ },
+ },
+}
+
+// Adding this fuzzer to test the fuzzService functionality
+cc_fuzz {
+ name: "test_service_fuzzer_should_crash",
+ defaults: [
+ "service_fuzzer_defaults",
+ ],
+ static_libs: [
+ "liblog",
+ "testServiceIface-cpp",
+ ],
+ host_supported: true,
+ srcs: ["TestServiceFuzzer.cpp"],
+ fuzz_config: {
+ triage_assignee: "waghpawan@google.com",
+
+ // This fuzzer should be used only test fuzzService locally
+ fuzz_on_haiku_host: false,
+ fuzz_on_haiku_device: false,
+ },
+}
diff --git a/libs/binder/tests/parcel_fuzzer/test_fuzzer/ITestService.aidl b/libs/binder/tests/parcel_fuzzer/test_fuzzer/ITestService.aidl
new file mode 100644
index 0000000000..3eadc02387
--- /dev/null
+++ b/libs/binder/tests/parcel_fuzzer/test_fuzzer/ITestService.aidl
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+interface ITestService {
+
+ void setIntData(int input);
+
+ void setCharData(char input);
+
+ void setBooleanData(boolean input);
+}
\ No newline at end of file
diff --git a/libs/binder/tests/parcel_fuzzer/test_fuzzer/TestServiceFuzzer.cpp b/libs/binder/tests/parcel_fuzzer/test_fuzzer/TestServiceFuzzer.cpp
new file mode 100644
index 0000000000..8907ea0c54
--- /dev/null
+++ b/libs/binder/tests/parcel_fuzzer/test_fuzzer/TestServiceFuzzer.cpp
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <BnTestService.h>
+#include <fuzzbinder/libbinder_driver.h>
+
+#include <log/log.h>
+
+using android::fuzzService;
+using android::sp;
+using android::binder::Status;
+
+namespace android {
+// This service is to verify that fuzzService is functioning properly
+class TestService : public BnTestService {
+public:
+ Status setIntData(int /*input*/) {
+ LOG_ALWAYS_FATAL("Expected crash in setIntData");
+ return Status::ok();
+ }
+
+ Status setCharData(char16_t /*input*/) {
+ LOG_ALWAYS_FATAL("Expected crash in setCharData");
+ return Status::ok();
+ }
+
+ Status setBooleanData(bool /*input*/) {
+ LOG_ALWAYS_FATAL("Expected crash in setBooleanData");
+ return Status::ok();
+ }
+};
+} // namespace android
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ auto service = sp<android::TestService>::make();
+ fuzzService(service, FuzzedDataProvider(data, size));
+ return 0;
+} |
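Review bot: Nothing in this change checks that the crash actually comes from the service: all three `TestService` methods abort unconditionally and the commit message leaves running the fuzzer as a manual step, so a regression where `fuzzService` stops dispatching transactions, or aborts for an unrelated reason, is caught only if someone runs the binary and reads the output. The distinct `"Expected crash in …"` messages already make this checkable, so a small wrapper test that runs the fuzzer and fails unless one of those strings appears in its output would turn the manual step into an automated one. Separately, the three methods implement the generated `BnTestService` interface without `override`; writing `Status setIntData(int /*input*/) override {` (and likewise for `setCharData` and `setBooleanData`) lets the compiler flag any signature drift against `ITestService.aidl`. The file also uses `FuzzedDataProvider` without including `<fuzzer/FuzzedDataProvider.h>` itself, which presumably compiles only because `fuzzbinder/libbinder_driver.h` pulls it in.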