From 104654aefd5165fd44cd223dc4a6427dbfea19db Mon Sep 17 00:00:00 2001 From: Pawan Wagh Date: Tue, 15 Nov 2022 21:18:42 +0000 Subject: Skipping enforceNoDataAvail in fuzzService Adding API to skip dataAvail check and using it in fuzzService. Bug: 241848255 Test: m binderUnitTest && out/host/linux-x86/nativetest64/binderUnitTest/binderUnitTest Test: m servicemanager_fuzzer && out/host/linux-x86/fuzz/x86_64/servicemanager_fuzzer/servicemanager_fuzzer Change-Id: Ib43936ff4a7dca4a036d34b3e475d553f3d21be2 --- libs/binder/Parcel.cpp | 9 +++++++++ libs/binder/include/binder/Parcel.h | 6 ++++++ libs/binder/tests/parcel_fuzzer/libbinder_driver.cpp | 4 ++++ 3 files changed, 19 insertions(+) diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp index 07d0a65ae0..4b07608a79 100644 --- a/libs/binder/Parcel.cpp +++ b/libs/binder/Parcel.cpp @@ -966,7 +966,15 @@ bool Parcel::enforceInterface(const char16_t* interface, } } +void Parcel::setEnforceNoDataAvail(bool enforceNoDataAvail) { + mEnforceNoDataAvail = enforceNoDataAvail; +} + binder::Status Parcel::enforceNoDataAvail() const { + if (!mEnforceNoDataAvail) { + return binder::Status::ok(); + } + const auto n = dataAvail(); if (n == 0) { return binder::Status::ok(); @@ -3077,6 +3085,7 @@ void Parcel::initState() mAllowFds = true; mDeallocZero = false; mOwner = nullptr; + mEnforceNoDataAvail = true; } void Parcel::scanForFds() const { diff --git a/libs/binder/include/binder/Parcel.h b/libs/binder/include/binder/Parcel.h index 6de6ce8025..f730acb9f8 100644 --- a/libs/binder/include/binder/Parcel.h +++ b/libs/binder/include/binder/Parcel.h @@ -150,6 +150,9 @@ public: // Returns Status(EX_BAD_PARCELABLE) when the Parcel is not consumed. binder::Status enforceNoDataAvail() const; + // This Api is used by fuzzers to skip dataAvail checks. + void setEnforceNoDataAvail(bool enforceNoDataAvail); + void freeData(); size_t objectsCount() const; 
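Review bot: `Parcel::setEnforceNoDataAvail` is a plain public mutator, so nothing stops non-test code from calling it and silently turning off the EX_BAD_PARCELABLE rejection that `enforceNoDataAvail()` provides; the only thing marking it fuzzer-only is a header comment. If the fuzzer build has a dedicated define or Parcel already has a test-only section, gating the setter there would be the stronger fix; at minimum add at the definition `// Fuzzer/test hook: clearing this makes enforceNoDataAvail() always return ok(). Must not be called from production code.`. The early return sits before `dataAvail()`, so the flag does not alter any other behaviour of the check; the body of `enforceNoDataAvail` continues past the end of the hunk.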
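Review bot: The context line `// Returns Status(EX_BAD_PARCELABLE) when the Parcel is not consumed.` is no longer accurate once the setter exists, and the new comment on the setter does not say what it disables. Change the two comments to `// Returns Status(EX_BAD_PARCELABLE) when the Parcel is not consumed, unless setEnforceNoDataAvail(false) was called.` and `// Fuzzer/test-only: when false, enforceNoDataAvail() is a no-op and trailing data is accepted. Do not use in production code.`. "Api" should be spelled "API" to match the rest of the header.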
@@ -1329,6 +1332,9 @@ private: // data to be overridden with zero when deallocated mutable bool mDeallocZero; + // Set this to false to skip dataAvail checks. + bool mEnforceNoDataAvail; + release_func mOwner; size_t mReserved; diff --git a/libs/binder/tests/parcel_fuzzer/libbinder_driver.cpp b/libs/binder/tests/parcel_fuzzer/libbinder_driver.cpp index 25f609674e..9670aa30d8 100644 --- a/libs/binder/tests/parcel_fuzzer/libbinder_driver.cpp +++ b/libs/binder/tests/parcel_fuzzer/libbinder_driver.cpp @@ -34,6 +34,8 @@ void fuzzService(const sp& binder, FuzzedDataProvider&& provider) { uint32_t code = provider.ConsumeIntegral(); uint32_t flags = provider.ConsumeIntegral(); Parcel data; + // for increased fuzz coverage + data.setEnforceNoDataAvail(provider.ConsumeBool()); sp target = options.extraBinders.at( provider.ConsumeIntegralInRange(0, options.extraBinders.size() - 1)); @@ -50,6 +52,8 @@ void fuzzService(const sp& binder, FuzzedDataProvider&& provider) { fillRandomParcel(&data, FuzzedDataProvider(subData.data(), subData.size()), &options); Parcel reply; + // for increased fuzz coverage + reply.setEnforceNoDataAvail(provider.ConsumeBool()); (void)target->transact(code, data, &reply, flags); // feed back in binders and fds that are returned from the service, so that -- cgit v1.2.3-59-g8ed1b
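Review bot: The member comment `// Set this to false to skip dataAvail checks.` reads as an invitation and omits the default, which is only visible in `initState()` in the other file. Prefer `// Defaults to true (see initState()). When false, enforceNoDataAvail() always succeeds; only fuzzers should clear it via setEnforceNoDataAvail().` so a reader of the header alone understands the security implication. The surrounding private section continues outside the hunk.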
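Review bot: Clearing the check on `data` lets inputs with trailing bytes reach handler code that, over real IPC, is guarded by a fresh Parcel with the flag on, so crashes found with the flag cleared may need a minimal parcel to reproduce against a production service; `// for increased fuzz coverage` should say so, e.g. `// Randomly disable the trailing-data check so inputs with extra bytes still reach the handler; findings on this path may not reproduce over real IPC, where the check is always on.`. Adding a `ConsumeBool()` before the existing consumers also changes how every existing input decodes, so any checked-in seed corpus for this fuzzer would presumably need regenerating. Whether `fillRandomParcel` below leaves the flag untouched is not visible in this hunk.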
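Review bot: Nothing visible in `fuzzService` calls `enforceNoDataAvail()` on `reply`; the service writes into it and, per the trailing comment, the fuzzer only feeds back the binders and fds it contains, so `reply.setEnforceNoDataAvail(provider.ConsumeBool());` appears to consume a fuzz byte without affecting coverage. Unless something downstream reads the reply through a proxy that enforces the check, drop the line, or replace the comment with one naming what consumes the flag. The function continues past the end of the hunk.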