Merge changes Idf197043,Iafb61b9e am: 50861777d5 am: 74bc76fa1f

Original change: https://android-review.googlesource.com/c/platform/frameworks/native/+/2027087 Change-Id: I0538bf05e9842b79c5f041dde033d74eb3151c94
author: Steven Moreland <smoreland@google.com> 2022-03-16 17:45:04 +0000
committer: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> 2022-03-16 17:45:04 +0000
commit: aeaa1086c84fb0f6ab2663de40b4abf4ed684e91 (patch)
tree: f4e4598c21be209196d750b01e7d2fb4a0ea1de9
parent: a83e726a6b8f44ee01275141ffa5f74adf9c4d40 (diff)
parent: 74bc76fa1f0ab4dec8fb58aa2bc0ed540e1b2f60 (diff)
3 files changed, 30 insertions, 12 deletions
diff --git a/libs/binder/tests/parcel_fuzzer/include_random_parcel/fuzzbinder/random_parcel.h b/libs/binder/tests/parcel_fuzzer/include_random_parcel/fuzzbinder/random_parcel.h
index 749bf212e6..633626ca44 100644
--- a/libs/binder/tests/parcel_fuzzer/include_random_parcel/fuzzbinder/random_parcel.h
+++ b/libs/binder/tests/parcel_fuzzer/include_random_parcel/fuzzbinder/random_parcel.h
@@ -19,13 +19,18 @@
 #include <binder/Parcel.h>
 #include <fuzzer/FuzzedDataProvider.h>
 
+#include <functional>
+
 namespace android {
 /**
  * Fill parcel data, including some random binder objects and FDs
+ *
+ * p - the Parcel to fill
+ * provider - takes ownership and completely consumes provider
+ * writeHeader - optional function to write a specific header once the format of the parcel is
+ *     picked (for instance, to write an interface header)
  */
-void fillRandomParcel(Parcel* p, FuzzedDataProvider&& provider);
-/**
- * Fill parcel data, but don't fill any objects.
- */
-void fillRandomParcelData(Parcel* p, FuzzedDataProvider&& provider);
+void fillRandomParcel(
+        Parcel* p, FuzzedDataProvider&& provider,
+        std::function<void(Parcel* p, FuzzedDataProvider& provider)> writeHeader = nullptr);
 } // namespace android
diff --git a/libs/binder/tests/parcel_fuzzer/libbinder_driver.cpp b/libs/binder/tests/parcel_fuzzer/libbinder_driver.cpp
index e849c9bbce..be39bb9195 100644
--- a/libs/binder/tests/parcel_fuzzer/libbinder_driver.cpp
+++ b/libs/binder/tests/parcel_fuzzer/libbinder_driver.cpp
@@ -27,7 +27,14 @@ void fuzzService(const sp<IBinder>& binder, FuzzedDataProvider&& provider) {
 
         std::vector<uint8_t> subData = provider.ConsumeBytes<uint8_t>(
                 provider.ConsumeIntegralInRange<size_t>(0, provider.remaining_bytes()));
-        fillRandomParcel(&data, FuzzedDataProvider(subData.data(), subData.size()));
+        fillRandomParcel(&data, FuzzedDataProvider(subData.data(), subData.size()),
+                         [&binder](Parcel* p, FuzzedDataProvider& provider) {
+                             // most code will be behind checks that the head of the Parcel
+                             // is exactly this, so make it easier for fuzzers to reach this
+                             if (provider.ConsumeBool()) {
+                                 p->writeInterfaceToken(binder->getInterfaceDescriptor());
+                             }
+                         });
 
         Parcel reply;
         (void)binder->transact(code, data, &reply, flags);
diff --git a/libs/binder/tests/parcel_fuzzer/random_parcel.cpp b/libs/binder/tests/parcel_fuzzer/random_parcel.cpp
index 8bf04ccae0..cfabc1e6b5 100644
--- a/libs/binder/tests/parcel_fuzzer/random_parcel.cpp
+++ b/libs/binder/tests/parcel_fuzzer/random_parcel.cpp
@@ -34,15 +34,26 @@ private:
     String16 mDescriptor;
 };
 
-void fillRandomParcel(Parcel* p, FuzzedDataProvider&& provider) {
+static void fillRandomParcelData(Parcel* p, FuzzedDataProvider&& provider) {
+    std::vector<uint8_t> data = provider.ConsumeBytes<uint8_t>(provider.remaining_bytes());
+    CHECK(OK == p->write(data.data(), data.size()));
+}
+
+void fillRandomParcel(Parcel* p, FuzzedDataProvider&& provider,
+                      std::function<void(Parcel* p, FuzzedDataProvider& provider)> writeHeader) {
     if (provider.ConsumeBool()) {
         auto session = RpcSession::make(RpcTransportCtxFactoryRaw::make());
         CHECK_EQ(OK, session->addNullDebuggingClient());
         p->markForRpc(session);
+
+        writeHeader(p, provider);
+
         fillRandomParcelData(p, std::move(provider));
         return;
     }
 
+    writeHeader(p, provider);
+
     while (provider.remaining_bytes() > 0) {
         auto fillFunc = provider.PickValueInArray<const std::function<void()>>({
                 // write data
@@ -85,9 +96,4 @@ void fillRandomParcel(Parcel* p, FuzzedDataProvider&& provider) {
     }
 }
 
-void fillRandomParcelData(Parcel* p, FuzzedDataProvider&& provider) {
-    std::vector<uint8_t> data = provider.ConsumeBytes<uint8_t>(provider.remaining_bytes());
-    CHECK(OK == p->write(data.data(), data.size()));
-}
-
 } // namespace android
author	Steven Moreland <smoreland@google.com>	2022-03-16 17:45:04 +0000
committer	Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2022-03-16 17:45:04 +0000
commit	aeaa1086c84fb0f6ab2663de40b4abf4ed684e91 (patch)
tree	f4e4598c21be209196d750b01e7d2fb4a0ea1de9
parent	a83e726a6b8f44ee01275141ffa5f74adf9c4d40 (diff)
parent	74bc76fa1f0ab4dec8fb58aa2bc0ed540e1b2f60 (diff)