3 files changed, 32 insertions, 8 deletions
diff --git a/libs/binder/rust/tests/parcel_fuzzer/random_parcel/src/lib.rs b/libs/binder/rust/tests/parcel_fuzzer/random_parcel/src/lib.rs
index 1bbd6742f2..896b78f488 100644
--- a/libs/binder/rust/tests/parcel_fuzzer/random_parcel/src/lib.rs
+++ b/libs/binder/rust/tests/parcel_fuzzer/random_parcel/src/lib.rs
@@ -35,10 +35,26 @@ pub fn create_random_parcel(fuzzer_data: &[u8]) -> Parcel {
 /// This API automatically fuzzes provided service
 pub fn fuzz_service(binder: &mut SpIBinder, fuzzer_data: &[u8]) {
- let ptr = binder.as_native_mut() as *mut c_void;
+ let mut binders = [binder];
+ fuzz_multiple_services(&mut binders, fuzzer_data);
+}
+
+/// This API automatically fuzzes provided services
+pub fn fuzz_multiple_services(binders: &mut [&mut SpIBinder], fuzzer_data: &[u8]) {
+ let mut cppBinders = vec![];
+ for binder in binders.iter_mut() {
+ let ptr = binder.as_native_mut() as *mut c_void;
+ cppBinders.push(ptr);
+ }
+
 unsafe {
- // Safety: `SpIBinder::as_native_mut` and `slice::as_ptr` always
+ // Safety: `Vec::as_mut_ptr` and `slice::as_ptr` always
 // return valid pointers.
- fuzzRustService(ptr, fuzzer_data.as_ptr(), fuzzer_data.len());
+ fuzzRustService(
+ cppBinders.as_mut_ptr(),
+ cppBinders.len(),
+ fuzzer_data.as_ptr(),
+ fuzzer_data.len(),
+ );
 }
 }
diff --git a/libs/binder/rust/tests/parcel_fuzzer/random_parcel/wrappers/RandomParcelWrapper.hpp b/libs/binder/rust/tests/parcel_fuzzer/random_parcel/wrappers/RandomParcelWrapper.hpp
index 831bd5660c..cfdd2abd05 100644
--- a/libs/binder/rust/tests/parcel_fuzzer/random_parcel/wrappers/RandomParcelWrapper.hpp
+++ b/libs/binder/rust/tests/parcel_fuzzer/random_parcel/wrappers/RandomParcelWrapper.hpp
@@ -21,5 +21,5 @@ extern "C" {
 void createRandomParcel(void* aParcel, const uint8_t* data, size_t len);
 // This API is used by fuzzers to automatically fuzz aidl services
- void fuzzRustService(void* binder, const uint8_t* data, size_t len);
-}
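Review bot: The rewritten `// Safety:` comment in `fuzz_multiple_services` no longer justifies the pointers that are actually dereferenced across the FFI boundary: it vouches for `Vec::as_mut_ptr`, but the C++ side reads the elements, each of which comes from `SpIBinder::as_native_mut`. The comment should say that every element was returned by `as_native_mut` on a binder borrowed for the whole call, that `cppBinders.len()` is the exact element count, and that an empty slice is acceptable only because the callee does not read the array when the count is zero (which the driver hunk in this commit appears to guarantee). Something like `// SAFETY: each element comes from SpIBinder::as_native_mut on a binder that outlives this call; each pointer/length pair describes a single live buffer.` would cover it. Separately, `cppBinders` trips the `non_snake_case` lint; `cpp_binders` built with `binders.iter_mut().map(|b| b.as_native_mut() as *mut c_void).collect::<Vec<_>>()` would read more idiomatically.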
\ No newline at end of file
+ void fuzzRustService(void** binders, size_t numBinders, const uint8_t* data, size_t len);
+}
diff --git a/libs/binder/tests/parcel_fuzzer/libbinder_ndk_driver.cpp b/libs/binder/tests/parcel_fuzzer/libbinder_ndk_driver.cpp
index 0b0ca34586..84b9ff684f 100644
--- a/libs/binder/tests/parcel_fuzzer/libbinder_ndk_driver.cpp
+++ b/libs/binder/tests/parcel_fuzzer/libbinder_ndk_driver.cpp
@@ -22,6 +22,9 @@
 // and APEX users, but we need access to it to fuzz.
 #include "../../ndk/ibinder_internal.h"
+using android::IBinder;
+using android::sp;
+
 namespace android {
 void fuzzService(const std::vector<ndk::SpAIBinder>& binders, FuzzedDataProvider&& provider) {
@@ -41,9 +44,14 @@ void fuzzService(AIBinder* binder, FuzzedDataProvider&& provider) {
 extern "C" {
 // This API is used by fuzzers to automatically fuzz aidl services
-void fuzzRustService(void* binder, const uint8_t* data, size_t len) {
- AIBinder* aiBinder = static_cast<AIBinder*>(binder);
+void fuzzRustService(void** binders, size_t numBinders, const uint8_t* data, size_t len) {
+ std::vector<sp<IBinder>> cppBinders;
+ for (size_t binderIndex = 0; binderIndex < numBinders; ++binderIndex) {
+ AIBinder* aiBinder = static_cast<AIBinder*>(binders[binderIndex]);
+ cppBinders.push_back(aiBinder->getBinder());
+ }
+
 FuzzedDataProvider provider(data, len);
- android::fuzzService(aiBinder, std::move(provider));
+ android::fuzzService(cppBinders, std::move(provider));
 }
 } // extern "C" |
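Review bot: The `fuzzRustService` prototype in RandomParcelWrapper.hpp changes its argument list while keeping its name, and the comment above it still says nothing about the new pointer/length contract. Because the symbol has C linkage, a caller or generated binding still built against the old three-argument form would presumably keep linking and then pass mismatched arguments, so it is worth confirming that every consumer of this header is rebuilt with the change. I would extend the comment to something like `// binders points to numBinders AIBinder* entries; data points to len bytes; both arrays are only read during the call`, hedged against what the driver implementation actually does.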
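Review bot: The new `fuzzRustService` body in libbinder_ndk_driver.cpp dereferences every `binders[binderIndex]` through `aiBinder->getBinder()` without checking `binders` or the element for null, and the `static_cast` from `void*` gives the compiler nothing to verify. The Rust caller in this commit always passes pointers from `SpIBinder::as_native_mut`, but a mistake by any other caller would crash inside the harness and be triaged as a fuzzer finding against the service under test. An explicit guard with a clear failure, for example `if (aiBinder == nullptr) abort();` right after the cast (or whichever assertion macro this tree prefers), makes a harness bug distinguishable from a service bug. `cppBinders.reserve(numBinders);` before the loop is a small extra.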