| author | 2023-05-13 00:01:43 +0000 | |
|---|---|---|
| committer | 2023-05-13 00:01:43 +0000 | |
| commit | f8a18bee9825d44f07dc6ee234da5367a1d9ca4f (patch) | |
| tree | 0060d7bdf9eaa19eeb8e8073a167261de84a6469 /libs | |
| parent | 888f52f05c0b73b954acd4320c35728cf1bb81e3 (diff) | |
| parent | 0f30f020f1677b280aa4e82de5e3c12bc5b12691 (diff) | |
Merge "Delete fds and binders in fuzzService" am: 0f30f020f1
Original change: https://android-review.googlesource.com/c/platform/frameworks/native/+/2586465
Change-Id: I47d2fac9802b5fe6074ac934b7b092c096b9db93
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
Diffstat (limited to 'libs')
| -rw-r--r-- | libs/binder/tests/parcel_fuzzer/libbinder_driver.cpp | 94 |
1 files changed, 60 insertions, 34 deletions
diff --git a/libs/binder/tests/parcel_fuzzer/libbinder_driver.cpp b/libs/binder/tests/parcel_fuzzer/libbinder_driver.cpp
index 8bef33f2ca..488a09ed83 100644
--- a/libs/binder/tests/parcel_fuzzer/libbinder_driver.cpp
+++ b/libs/binder/tests/parcel_fuzzer/libbinder_driver.cpp
@@ -37,47 +37,73 @@ void fuzzService(const sp<IBinder>& binder, FuzzedDataProvider&& provider) { } while (provider.remaining_bytes() > 0) { - // Most of the AIDL services will have small set of transaction codes. - uint32_t code = provider.ConsumeBool() ? provider.ConsumeIntegral<uint32_t>() - : provider.ConsumeIntegralInRange<uint32_t>(0, 100); - uint32_t flags = provider.ConsumeIntegral<uint32_t>(); - Parcel data; - // for increased fuzz coverage - data.setEnforceNoDataAvail(provider.ConsumeBool()); + provider.PickValueInArray<std::function<void()>>({ + [&]() { + // Most of the AIDL services will have small set of transaction codes. + uint32_t code = provider.ConsumeBool() + ? provider.ConsumeIntegral<uint32_t>() + : provider.ConsumeIntegralInRange<uint32_t>(0, 100); + uint32_t flags = provider.ConsumeIntegral<uint32_t>(); + Parcel data; + // for increased fuzz coverage + data.setEnforceNoDataAvail(provider.ConsumeBool()); - sp<IBinder> target = options.extraBinders.at( - provider.ConsumeIntegralInRange<size_t>(0, options.extraBinders.size() - 1)); - options.writeHeader = [&target](Parcel* p, FuzzedDataProvider& provider) { - // most code will be behind checks that the head of the Parcel - // is exactly this, so make it easier for fuzzers to reach this - if (provider.ConsumeBool()) { - p->writeInterfaceToken(target->getInterfaceDescriptor()); - } - }; + sp<IBinder> target = options.extraBinders.at( + provider.ConsumeIntegralInRange<size_t>(0, + options.extraBinders.size() - + 1)); + options.writeHeader = [&target](Parcel* p, FuzzedDataProvider& provider) { + // most code will be behind checks that the head of the Parcel + // is exactly this, so make it easier for fuzzers to reach this + if (provider.ConsumeBool()) { + p->writeInterfaceToken(target->getInterfaceDescriptor()); + } + }; - std::vector<uint8_t> subData = provider.ConsumeBytes<uint8_t>( - provider.ConsumeIntegralInRange<size_t>(0, provider.remaining_bytes())); - fillRandomParcel(&data, 
FuzzedDataProvider(subData.data(), subData.size()), &options); + std::vector<uint8_t> subData = provider.ConsumeBytes<uint8_t>( + provider.ConsumeIntegralInRange<size_t>(0, provider.remaining_bytes())); + fillRandomParcel(&data, FuzzedDataProvider(subData.data(), subData.size()), + &options); - Parcel reply; - // for increased fuzz coverage - reply.setEnforceNoDataAvail(provider.ConsumeBool()); - (void)target->transact(code, data, &reply, flags); + Parcel reply; + // for increased fuzz coverage + reply.setEnforceNoDataAvail(provider.ConsumeBool()); + (void)target->transact(code, data, &reply, flags); - // feed back in binders and fds that are returned from the service, so that - // we can fuzz those binders, and use the fds and binders to feed back into - // the binders - auto retBinders = reply.debugReadAllStrongBinders(); - options.extraBinders.insert(options.extraBinders.end(), retBinders.begin(), - retBinders.end()); - auto retFds = reply.debugReadAllFileDescriptors(); - for (size_t i = 0; i < retFds.size(); i++) { - options.extraFds.push_back(base::unique_fd(dup(retFds[i]))); - } + // feed back in binders and fds that are returned from the service, so that + // we can fuzz those binders, and use the fds and binders to feed back into + // the binders + auto retBinders = reply.debugReadAllStrongBinders(); + options.extraBinders.insert(options.extraBinders.end(), retBinders.begin(), + retBinders.end()); + auto retFds = reply.debugReadAllFileDescriptors(); + for (size_t i = 0; i < retFds.size(); i++) { + options.extraFds.push_back(base::unique_fd(dup(retFds[i]))); + } + }, + [&]() { + if (options.extraFds.size() == 0) { + return; + } + uint32_t toDelete = + provider.ConsumeIntegralInRange<uint32_t>(0, + options.extraFds.size() - 1); + options.extraFds.erase(options.extraFds.begin() + toDelete); + }, + [&]() { + if (options.extraBinders.size() <= 1) { + return; + } + uint32_t toDelete = + provider.ConsumeIntegralInRange<uint32_t>(0, + options.extraBinders.size() - 
+ 1); + options.extraBinders.erase(options.extraBinders.begin() + toDelete); + }, + })(); } // invariants - auto ps = ProcessState::selfOrNull(); if (ps) { CHECK_EQ(0, ps->getThreadPoolMaxTotalThreadCount()) |
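Review bot: `options.writeHeader = [&target](Parcel* p, FuzzedDataProvider& provider)` in the first lambda captures `target` by reference, yet `target` is now a local of that lambda while `options.writeHeader` outlives it, so `options` is left holding a dangling reference once the lambda returns; nothing in this hunk invokes `writeHeader` afterwards, but any later call (a future edit, or use of `options` after the loop) would be undefined behaviour. Copying the `sp<IBinder>` is cheap, so `options.writeHeader = [target](Parcel* p, FuzzedDataProvider& provider) {` removes the hazard at no cost. The third lambda draws `toDelete` from `[0, extraBinders.size() - 1]` and can therefore erase index 0; if that slot holds the binder passed to fuzzService (seeded outside the hunk), the range should start at 1 so the service under test is never dropped from the pool while only its returned binders are pruned. The enclosing fuzzService body starts before this hunk.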