From 418914a7c54f4aa0418b6ddbb5096b66286cd80e Mon Sep 17 00:00:00 2001 From: Steven Moreland Date: Wed, 28 Jun 2023 21:47:14 +0000 Subject: libbinder_ndk: fwd fuzzing status to NDK binders When passing binders into NDK backend services, we always type check them immediately. This allows errors to show up earlier there, but may be inefficient because the type will also be checked on every transaction. Anyway... This poses a problem for our automatic fuzzers because callbacks passed into services (e.g. RandomBinder) will be ignored for NDK backend fuzzers unless they correctly guess their interface descriptor. There are a few things we could do: - use random strings from the environment - export a list of possible interface descriptors from AIDL - generate our corpuses from other data However, the simplest thing we can do is ignore the check, which this CL does. Of course, it isn't great to continue differentiated fuzzer behavior from actual behavior, so we'd like to revert this once we have a more comprehensive solution. However, callbacks are a fundamental AIDL building block, so forcing good fuzzer coverage for these pieces seems justified. Bug: N/A Test: I added an abort in an NDK backend service. Without this change, that path is never found, but with this change, it was hit after only ~6,000 iterations. Change-Id: I4cbe5c56b93b9300fbd57e72e24075c02df38ba9 --- libs/binder/Parcel.cpp | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'libs/binder/Parcel.cpp') diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp index 2c2a1b636e..9b685f9145 100644 --- a/libs/binder/Parcel.cpp +++ b/libs/binder/Parcel.cpp @@ -992,6 +992,10 @@ void Parcel::setServiceFuzzing() { mServiceFuzzing = true; } +bool Parcel::isServiceFuzzing() const { + return mServiceFuzzing; +} + binder::Status Parcel::enforceNoDataAvail() const { if (!mEnforceNoDataAvail) { return binder::Status::ok(); -- cgit v1.2.3-59-g8ed1b
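Review bot: the new `isServiceFuzzing()` getter is the only change visible here, while the commit message describes skipping the interface-descriptor type check in the NDK backend; that caller and the matching declaration in the Parcel header are outside this listing (it is limited to libs/binder/Parcel.cpp), so please confirm they land in the same change and that the descriptor-check bypass is gated solely on this flag. A short comment above the getter saying it exists so fuzzers can relax the descriptor check, and that production code must not branch on it, would also help, since the message itself flags the divergence between fuzzer and real behaviour as something to revert later.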