3 files changed, 30 insertions, 12 deletions
diff --git a/libs/binder/tests/parcel_fuzzer/include_random_parcel/fuzzbinder/random_parcel.h b/libs/binder/tests/parcel_fuzzer/include_random_parcel/fuzzbinder/random_parcel.h
index 749bf212e6..633626ca44 100644
--- a/libs/binder/tests/parcel_fuzzer/include_random_parcel/fuzzbinder/random_parcel.h
+++ b/libs/binder/tests/parcel_fuzzer/include_random_parcel/fuzzbinder/random_parcel.h
@@ -19,13 +19,18 @@
 #include <binder/Parcel.h>
 #include <fuzzer/FuzzedDataProvider.h>
+#include <functional>
+
 namespace android {
 /**
 * Fill parcel data, including some random binder objects and FDs
+
+ * p - the Parcel to fill
+ * provider - takes ownership and completely consumes provider
+ * writeHeader - optional function to write a specific header once the format of the parcel is
+ * picked (for instance, to write an interface header)
 */
-void fillRandomParcel(Parcel* p, FuzzedDataProvider&& provider);
-/**
- * Fill parcel data, but don't fill any objects.
- */
-void fillRandomParcelData(Parcel* p, FuzzedDataProvider&& provider);
+void fillRandomParcel(
+ Parcel* p, FuzzedDataProvider&& provider,
+ std::function<void(Parcel* p, FuzzedDataProvider& provider)> writeHeader = nullptr);
 } // namespace android
diff --git a/libs/binder/tests/parcel_fuzzer/libbinder_driver.cpp b/libs/binder/tests/parcel_fuzzer/libbinder_driver.cpp
index e849c9bbce..be39bb9195 100644
--- a/libs/binder/tests/parcel_fuzzer/libbinder_driver.cpp
+++ b/libs/binder/tests/parcel_fuzzer/libbinder_driver.cpp
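Review bot: The new `writeHeader` parameter defaults to `nullptr` and the added comment calls it optional, but the matching hunk in random_parcel.cpp (`@@ -34,15 +34,26 @@`) invokes it unconditionally on both the RPC path and the non-RPC path, so any caller that relies on the default — a harness with no interface header to write — invokes an empty `std::function`, which throws `std::bad_function_call` (or terminates in a build without exceptions). In a fuzz target that is a deterministic crash inside the harness itself, reported as a finding on every input rather than a bug in the code under test. Either guard both call sites in random_parcel.cpp, `if (writeHeader) writeHeader(p, provider);`, or drop the `= nullptr` default so the compiler rejects callers that omit it, and then strike "optional" from the comment. The parameter names inside the `std::function<void(Parcel* p, FuzzedDataProvider& provider)>` type carry no meaning in a function type and could be dropped to keep the declaration short.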
@@ -27,7 +27,14 @@ void fuzzService(const sp<IBinder>& binder, FuzzedDataProvider&& provider) {
 std::vector<uint8_t> subData = provider.ConsumeBytes<uint8_t>(
 provider.ConsumeIntegralInRange<size_t>(0, provider.remaining_bytes()));
- fillRandomParcel(&data, FuzzedDataProvider(subData.data(), subData.size()));
+ fillRandomParcel(&data, FuzzedDataProvider(subData.data(), subData.size()),
+ [&binder](Parcel* p, FuzzedDataProvider& provider) {
+ // most code will be behind checks that the head of the Parcel
+ // is exactly this, so make it easier for fuzzers to reach this
+ if (provider.ConsumeBool()) {
+ p->writeInterfaceToken(binder->getInterfaceDescriptor());
+ }
+ });
 Parcel reply;
 (void)binder->transact(code, data, &reply, flags);
diff --git a/libs/binder/tests/parcel_fuzzer/random_parcel.cpp b/libs/binder/tests/parcel_fuzzer/random_parcel.cpp
index 8bf04ccae0..cfabc1e6b5 100644
--- a/libs/binder/tests/parcel_fuzzer/random_parcel.cpp
+++ b/libs/binder/tests/parcel_fuzzer/random_parcel.cpp
@@ -34,15 +34,26 @@ private:
 String16 mDescriptor;
 };
-void fillRandomParcel(Parcel* p, FuzzedDataProvider&& provider) {
+static void fillRandomParcelData(Parcel* p, FuzzedDataProvider&& provider) {
+ std::vector<uint8_t> data = provider.ConsumeBytes<uint8_t>(provider.remaining_bytes());
+ CHECK(OK == p->write(data.data(), data.size()));
+}
+
+void fillRandomParcel(Parcel* p, FuzzedDataProvider&& provider,
+ std::function<void(Parcel* p, FuzzedDataProvider& provider)> writeHeader) {
 if (provider.ConsumeBool()) {
 auto session = RpcSession::make(RpcTransportCtxFactoryRaw::make());
 CHECK_EQ(OK, session->addNullDebuggingClient());
 p->markForRpc(session);
+
+ writeHeader(p, provider);
+ fillRandomParcelData(p, std::move(provider));
 return;
 }
+ writeHeader(p, provider);
+
 while (provider.remaining_bytes() > 0) {
 auto fillFunc = provider.PickValueInArray<const std::function<void()>>({
 // write data
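Review bot: The lambda's `FuzzedDataProvider& provider` parameter shadows the `provider` parameter of the enclosing `fuzzService` (visible in the hunk header), and the two are different objects: the outer one is the provider `subData` was carved out of, the inner one is the sub-provider built from `subData`. Read next to the `ConsumeIntegralInRange` call two lines above, `provider.ConsumeBool()` inside the lambda looks like it draws from the outer provider, and `-Wshadow` will flag it; renaming the lambda parameter, e.g. `[&binder](Parcel* p, FuzzedDataProvider& subProvider) {`, removes the ambiguity. Capturing `binder` by reference looks safe here, since the random_parcel.cpp hunk shows `fillRandomParcel` invoking the callback before it returns, but that is an inference from the other hunk rather than a visible contract. The body of `fuzzService` starts and ends outside this hunk.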
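Review bot: The new `static void fillRandomParcelData` has no comment, while the declaration it replaces carried "Fill parcel data, but don't fill any objects." in the header, so that description is lost by this commit. Restoring it above the definition, `// Fill parcel data, but don't fill any objects (no binders, no FDs); consumes all remaining bytes.`, would keep the distinction from `fillRandomParcel` visible at the one place the function now lives. The tail of `fillRandomParcel` continues past the end of this hunk.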
@@ -85,9 +96,4 @@ void fillRandomParcel(Parcel* p, FuzzedDataProvider&& provider) {
 }
 }
-void fillRandomParcelData(Parcel* p, FuzzedDataProvider&& provider) {
- std::vector<uint8_t> data = provider.ConsumeBytes<uint8_t>(provider.remaining_bytes());
- CHECK(OK == p->write(data.data(), data.size()));
-}
-
 } // namespace android