Limit number of fds written in parcel

Certain input sequence causes fuzzers to pick a single fd from getRandomFd and write it to parcel. Check object count before writing more fds and binders in parcel. Test: m incidentd_service_fuzzer && adb sync data && adb shell /data/fuzz/x86_64/incidentd_service_fuzzer/incidentd_service_fuzzer -runs=1000 Test: atest fuzz_service_test Test: atest binderRecordReplayTest Bug: 296516864 Change-Id: I84359a7128fde359828c26ea43ac2559d1236708
author: Pawan Wagh <waghpawan@google.com> 2023-10-23 17:08:05 +0000
committer: Pawan Wagh <waghpawan@google.com> 2023-10-23 21:31:59 +0000
commit: 851dbb83f9f3de3064c0e4293246f1388cdddcb4 (patch)
tree: 9e4575b681f0641d95d12918b6b6f2b7aec5a290 /libs
parent: eafadb3b873bc639017459e67b24debada9d9961 (diff)
1 files changed, 10 insertions, 1 deletions
diff --git a/libs/binder/tests/parcel_fuzzer/random_parcel.cpp b/libs/binder/tests/parcel_fuzzer/random_parcel.cpp
index f0beed234b..f367b419af 100644
--- a/libs/binder/tests/parcel_fuzzer/random_parcel.cpp
+++ b/libs/binder/tests/parcel_fuzzer/random_parcel.cpp
@@ -66,6 +66,11 @@ void fillRandomParcel(Parcel* p, FuzzedDataProvider&& provider, RandomParcelOpti
                 },
                 // write FD
                 [&]() {
+                    // b/296516864 - Limit number of objects written to a parcel.
+                    if (p->objectsCount() > 100) {
+                        return;
+                    }
+
                     if (options->extraFds.size() > 0 && provider.ConsumeBool()) {
                         const base::unique_fd& fd = options->extraFds.at(
                                 provider.ConsumeIntegralInRange<size_t>(0,
@@ -82,7 +87,6 @@ void fillRandomParcel(Parcel* p, FuzzedDataProvider&& provider, RandomParcelOpti
                         CHECK(OK ==
                               p->writeFileDescriptor(fds.begin()->release(),
                                                      true /*takeOwnership*/));
-
                         options->extraFds.insert(options->extraFds.end(),
                                                  std::make_move_iterator(fds.begin() + 1),
                                                  std::make_move_iterator(fds.end()));
@@ -90,6 +94,11 @@ void fillRandomParcel(Parcel* p, FuzzedDataProvider&& provider, RandomParcelOpti
                 },
                 // write binder
                 [&]() {
+                    // b/296516864 - Limit number of objects written to a parcel.
+                    if (p->objectsCount() > 100) {
+                        return;
+                    }
+
                     sp<IBinder> binder;
                     if (options->extraBinders.size() > 0 && provider.ConsumeBool()) {
                         binder = options->extraBinders.at(
author	Pawan Wagh <waghpawan@google.com>	2023-10-23 17:08:05 +0000
committer	Pawan Wagh <waghpawan@google.com>	2023-10-23 21:31:59 +0000
commit	851dbb83f9f3de3064c0e4293246f1388cdddcb4 (patch)
tree	9e4575b681f0641d95d12918b6b6f2b7aec5a290 /libs
parent	eafadb3b873bc639017459e67b24debada9d9961 (diff)