diff options
| -rw-r--r-- | libs/binder/tests/parcel_fuzzer/random_binder.cpp | 49 | 
1 files changed, 46 insertions, 3 deletions
| diff --git a/libs/binder/tests/parcel_fuzzer/random_binder.cpp b/libs/binder/tests/parcel_fuzzer/random_binder.cpp index 8eab454203..8a1fecb212 100644 --- a/libs/binder/tests/parcel_fuzzer/random_binder.cpp +++ b/libs/binder/tests/parcel_fuzzer/random_binder.cpp @@ -15,18 +15,54 @@   */  #include <fuzzbinder/random_binder.h> +#include <fuzzbinder/random_parcel.h> + +#include <android-base/logging.h>  #include <binder/IInterface.h>  #include <binder/IServiceManager.h>  namespace android { -class NamedBinder : public BBinder { +class RandomBinder : public BBinder {  public: -    NamedBinder(const String16& descriptor) : mDescriptor(descriptor) {} +    RandomBinder(const String16& descriptor, std::vector<uint8_t>&& bytes) +          : mDescriptor(descriptor), +            mBytes(std::move(bytes)), +            mProvider(mBytes.data(), mBytes.size()) {}      const String16& getInterfaceDescriptor() const override { return mDescriptor; } +    status_t onTransact(uint32_t code, const Parcel& data, Parcel* reply, uint32_t flags) override { +        (void)code; +        (void)data; +        (void)reply; +        (void)flags; // note - for maximum coverage even ignore if oneway + +        if (mProvider.ConsumeBool()) { +            return mProvider.ConsumeIntegral<status_t>(); +        } + +        if (reply == nullptr) return OK; + +        // TODO: things we could do to increase state space +        // - also pull FDs and binders from 'data' +        //     (optionally combine these into random parcel 'options') +        // - also pull FDs and binders from random parcel 'options' +        RandomParcelOptions options; + +        // random output +        std::vector<uint8_t> subData = mProvider.ConsumeBytes<uint8_t>( +                mProvider.ConsumeIntegralInRange<size_t>(0, mProvider.remaining_bytes())); +        fillRandomParcel(reply, FuzzedDataProvider(subData.data(), subData.size()), &options); + +        return OK; +    } +  private:      String16 mDescriptor; + +    // note may not all be used +    std::vector<uint8_t> mBytes; +    FuzzedDataProvider mProvider;  };  sp<IBinder> getRandomBinder(FuzzedDataProvider* provider) { @@ -35,7 +71,14 @@ sp<IBinder> getRandomBinder(FuzzedDataProvider* provider) {                  // descriptor is the length of a class name, e.g.                  // "some.package.Foo"                  std::string str = provider->ConsumeRandomLengthString(100 /*max length*/); -                return new NamedBinder(String16(str.c_str())); + +                // arbitrarily consume remaining data to create a binder that can return +                // random results - coverage guided fuzzer should ensure all of the remaining +                // data isn't always used +                std::vector<uint8_t> bytes = provider->ConsumeBytes<uint8_t>( +                        provider->ConsumeIntegralInRange<size_t>(0, provider->remaining_bytes())); + +                return new RandomBinder(String16(str.c_str()), std::move(bytes));              },              []() {                  // this is the easiest remote binder to get ahold of, and it |