From 9004a82df5eb2de97cd947efe7751c71f57da3bd Mon Sep 17 00:00:00 2001
From: Pawan Wagh
Date: Mon, 28 Aug 2023 17:26:43 +0000
Subject: Rust API to fuzz multiple binders
Adding rust wrapper fuzz_multiple_services so that multiple binders can be fuzzed together.
Test: m keystore_service_fuzzer && adb sync data && adb shell /data/fuzz/$(get_build_var TARGET_ARCH)/keystore_service_fuzzer/keystore_service_fuzzer -runs=1000
Bug: 296464642
Change-Id: I2392141a53fbf38aba84074ab6f6e14574a151fa
---
 .../tests/parcel_fuzzer/random_parcel/src/lib.rs | 22 +++++++++++++++++++---
 .../random_parcel/wrappers/RandomParcelWrapper.hpp | 4 ++--
 .../tests/parcel_fuzzer/libbinder_ndk_driver.cpp | 14 +++++++++++---
 3 files changed, 32 insertions(+), 8 deletions(-)
diff --git a/libs/binder/rust/tests/parcel_fuzzer/random_parcel/src/lib.rs b/libs/binder/rust/tests/parcel_fuzzer/random_parcel/src/lib.rs
index 1bbd6742f2..896b78f488 100644
--- a/libs/binder/rust/tests/parcel_fuzzer/random_parcel/src/lib.rs
+++ b/libs/binder/rust/tests/parcel_fuzzer/random_parcel/src/lib.rs
@@ -35,10 +35,26 @@ pub fn create_random_parcel(fuzzer_data: &[u8]) -> Parcel {
 /// This API automatically fuzzes provided service
 pub fn fuzz_service(binder: &mut SpIBinder, fuzzer_data: &[u8]) {
-    let ptr = binder.as_native_mut() as *mut c_void;
+    let mut binders = [binder];
+    fuzz_multiple_services(&mut binders, fuzzer_data);
+}
+
+/// This API automatically fuzzes provided services
+pub fn fuzz_multiple_services(binders: &mut [&mut SpIBinder], fuzzer_data: &[u8]) {
+    let mut cppBinders = vec![];
+    for binder in binders.iter_mut() {
+        let ptr = binder.as_native_mut() as *mut c_void;
+        cppBinders.push(ptr);
+    }
+
     unsafe {
-        // Safety: `SpIBinder::as_native_mut` and `slice::as_ptr` always
+        // Safety: `Vec::as_mut_ptr` and `slice::as_ptr` always
         // return valid pointers.
-        fuzzRustService(ptr, fuzzer_data.as_ptr(), fuzzer_data.len());
+        fuzzRustService(
+            cppBinders.as_mut_ptr(),
+            cppBinders.len(),
+            fuzzer_data.as_ptr(),
+            fuzzer_data.len(),
+        );
     }
 }
diff --git a/libs/binder/rust/tests/parcel_fuzzer/random_parcel/wrappers/RandomParcelWrapper.hpp b/libs/binder/rust/tests/parcel_fuzzer/random_parcel/wrappers/RandomParcelWrapper.hpp
index 831bd5660c..cfdd2abd05 100644
--- a/libs/binder/rust/tests/parcel_fuzzer/random_parcel/wrappers/RandomParcelWrapper.hpp
+++ b/libs/binder/rust/tests/parcel_fuzzer/random_parcel/wrappers/RandomParcelWrapper.hpp
@@ -21,5 +21,5 @@ extern "C" {
     void createRandomParcel(void* aParcel, const uint8_t* data, size_t len);
     // This API is used by fuzzers to automatically fuzz aidl services
-    void fuzzRustService(void* binder, const uint8_t* data, size_t len);
-}
\ No newline at end of file
+    void fuzzRustService(void** binders, size_t numBinders, const uint8_t* data, size_t len);
+}
diff --git a/libs/binder/tests/parcel_fuzzer/libbinder_ndk_driver.cpp b/libs/binder/tests/parcel_fuzzer/libbinder_ndk_driver.cpp
index 0b0ca34586..84b9ff684f 100644
--- a/libs/binder/tests/parcel_fuzzer/libbinder_ndk_driver.cpp
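Review bot: The rewritten `// Safety:` comment in `fuzz_multiple_services` justifies the wrong thing: `Vec::as_mut_ptr` returning a valid pointer is not what makes the `fuzzRustService` call sound, the invariant is that each element points at an `AIBinder` that stays alive for the whole call (held by the `&mut [&mut SpIBinder]` borrow) and that the callee only reads the array during the call, so I would reword it as `// Safety: each element is a live AIBinder borrowed via binders for the whole call; the array and the data slice are valid for their stated lengths and are not retained by the callee.` The local `cppBinders` triggers rustc's `non_snake_case` warning, and the push loop can be `let mut cpp_binders: Vec<*mut c_void> = binders.iter_mut().map(|b| b.as_native_mut() as *mut c_void).collect();`. The Rust-side extern declaration of `fuzzRustService` is not in this hunk and has to match the new four-argument shape; presumably it is generated from RandomParcelWrapper.hpp, which this commit also changes, but that is worth confirming. What happens with an empty `binders` slice (a dangling non-null pointer with length 0) depends on the C++ side, which this hunk cannot show.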
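Review bot: The new `fuzzRustService` declaration changes what the first parameter means, but the comment above it still only says the API is used by fuzzers, and this header is the only place a Rust caller (presumably via bindgen) sees the contract, so state it there: `// binders: array of numBinders AIBinder* values; the array is only read during the call and not retained`. `void**` erases the element type, so a caller passing anything other than an `AIBinder*` is not caught at compile time; this matches the `void*` convention `createRandomParcel` already uses in the same block, so the comment is where the constraint has to live.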
+++ b/libs/binder/tests/parcel_fuzzer/libbinder_ndk_driver.cpp
@@ -22,6 +22,9 @@
 // and APEX users, but we need access to it to fuzz.
 #include "../../ndk/ibinder_internal.h"
+using android::IBinder;
+using android::sp;
+
 namespace android {
 void fuzzService(const std::vector& binders, FuzzedDataProvider&& provider) {
@@ -41,9 +44,14 @@ void fuzzService(AIBinder* binder, FuzzedDataProvider&& provider) {
 extern "C" {
 // This API is used by fuzzers to automatically fuzz aidl services
-void fuzzRustService(void* binder, const uint8_t* data, size_t len) {
-    AIBinder* aiBinder = static_cast(binder);
+void fuzzRustService(void** binders, size_t numBinders, const uint8_t* data, size_t len) {
+    std::vector> cppBinders;
+    for (size_t binderIndex = 0; binderIndex < numBinders; ++binderIndex) {
+        AIBinder* aiBinder = static_cast(binders[binderIndex]);
+        cppBinders.push_back(aiBinder->getBinder());
+    }
+
     FuzzedDataProvider provider(data, len);
-    android::fuzzService(aiBinder, std::move(provider));
+    android::fuzzService(cppBinders, std::move(provider));
 }
 } // extern "C"
-- 
cgit v1.2.3-59-g8ed1b
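Review bot: `fuzzRustService` indexes `binders[binderIndex]` and calls `getBinder()` on the result without any check, so a null array with `numBinders > 0` or a null entry crashes inside the harness and would surface as a fuzzer finding rather than a harness bug; as an `extern "C"` entry point it should at least state its precondition, `// Precondition: binders points to numBinders non-null AIBinder* values; the array is not retained.` A `cppBinders.reserve(numBinders)` before the loop avoids regrowth, a minor point. The template arguments of `std::vector` and `static_cast` appear to have been stripped by the page rendering and are presumably `sp<IBinder>` and `AIBinder*`. The vector overload of `android::fuzzService` is outside this hunk, so how it handles an empty vector when `numBinders == 0` should be confirmed.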