From d6e4ebb75557d7fabc0e788db39084f607a26a81 Mon Sep 17 00:00:00 2001 From: Pawan Wagh Date: Thu, 11 May 2023 23:12:08 +0000 Subject: Delete fds and binders in fuzzService Test: m servicemanager_fuzzer && adb sync data && adb shell /data/fuzz/x86_64/servicemanager_fuzzer/servicemanager_fuzzer Bug: 264303686 Change-Id: I025998fcdfb0a813e3521127a15e0681cf71bd4c --- .../tests/parcel_fuzzer/libbinder_driver.cpp | 94 ++++++++++++++-------- 1 file changed, 60 insertions(+), 34 deletions(-) (limited to 'libs')
diff --git a/libs/binder/tests/parcel_fuzzer/libbinder_driver.cpp b/libs/binder/tests/parcel_fuzzer/libbinder_driver.cpp
index 8bef33f2ca..488a09ed83 100644
--- a/libs/binder/tests/parcel_fuzzer/libbinder_driver.cpp
+++ b/libs/binder/tests/parcel_fuzzer/libbinder_driver.cpp
@@ -37,47 +37,73 @@ void fuzzService(const sp& binder, FuzzedDataProvider&& provider) { } while (provider.remaining_bytes() > 0) { - // Most of the AIDL services will have small set of transaction codes. - uint32_t code = provider.ConsumeBool() ? provider.ConsumeIntegral() - : provider.ConsumeIntegralInRange(0, 100); - uint32_t flags = provider.ConsumeIntegral(); - Parcel data; - // for increased fuzz coverage - data.setEnforceNoDataAvail(provider.ConsumeBool()); + provider.PickValueInArray>({ + [&]() { + // Most of the AIDL services will have small set of transaction codes. + uint32_t code = provider.ConsumeBool() + ? provider.ConsumeIntegral() + : provider.ConsumeIntegralInRange(0, 100); + uint32_t flags = provider.ConsumeIntegral(); + Parcel data; + // for increased fuzz coverage + data.setEnforceNoDataAvail(provider.ConsumeBool()); - sp target = options.extraBinders.at( - provider.ConsumeIntegralInRange(0, options.extraBinders.size() - 1)); - options.writeHeader = [&target](Parcel* p, FuzzedDataProvider& provider) { - // most code will be behind checks that the head of the Parcel - // is exactly this, so make it easier for fuzzers to reach this - if (provider.ConsumeBool()) { - p->writeInterfaceToken(target->getInterfaceDescriptor()); - } - }; + sp target = options.extraBinders.at( + provider.ConsumeIntegralInRange(0, + options.extraBinders.size() - + 1)); + options.writeHeader = [&target](Parcel* p, FuzzedDataProvider& provider) { + // most code will be behind checks that the head of the Parcel + // is exactly this, so make it easier for fuzzers to reach this + if (provider.ConsumeBool()) { + p->writeInterfaceToken(target->getInterfaceDescriptor()); + } + }; - std::vector subData = provider.ConsumeBytes( - provider.ConsumeIntegralInRange(0, provider.remaining_bytes())); - fillRandomParcel(&data, FuzzedDataProvider(subData.data(), subData.size()), &options); + std::vector subData = provider.ConsumeBytes( + provider.ConsumeIntegralInRange(0, 
provider.remaining_bytes())); + fillRandomParcel(&data, FuzzedDataProvider(subData.data(), subData.size()), + &options); - Parcel reply; - // for increased fuzz coverage - reply.setEnforceNoDataAvail(provider.ConsumeBool()); - (void)target->transact(code, data, &reply, flags); + Parcel reply; + // for increased fuzz coverage + reply.setEnforceNoDataAvail(provider.ConsumeBool()); + (void)target->transact(code, data, &reply, flags); - // feed back in binders and fds that are returned from the service, so that - // we can fuzz those binders, and use the fds and binders to feed back into - // the binders - auto retBinders = reply.debugReadAllStrongBinders(); - options.extraBinders.insert(options.extraBinders.end(), retBinders.begin(), - retBinders.end()); - auto retFds = reply.debugReadAllFileDescriptors(); - for (size_t i = 0; i < retFds.size(); i++) { - options.extraFds.push_back(base::unique_fd(dup(retFds[i]))); - } + // feed back in binders and fds that are returned from the service, so that + // we can fuzz those binders, and use the fds and binders to feed back into + // the binders + auto retBinders = reply.debugReadAllStrongBinders(); + options.extraBinders.insert(options.extraBinders.end(), retBinders.begin(), + retBinders.end()); + auto retFds = reply.debugReadAllFileDescriptors(); + for (size_t i = 0; i < retFds.size(); i++) { + options.extraFds.push_back(base::unique_fd(dup(retFds[i]))); + } + }, + [&]() { + if (options.extraFds.size() == 0) { + return; + } + uint32_t toDelete = + provider.ConsumeIntegralInRange(0, + options.extraFds.size() - 1); + options.extraFds.erase(options.extraFds.begin() + toDelete); + }, + [&]() { + if (options.extraBinders.size() <= 1) { + return; + } + uint32_t toDelete = + provider.ConsumeIntegralInRange(0, + options.extraBinders.size() - + 1); + options.extraBinders.erase(options.extraBinders.begin() + toDelete); + }, + })(); } // invariants - auto ps = ProcessState::selfOrNull(); if (ps) { CHECK_EQ(0, 
ps->getThreadPoolMaxTotalThreadCount()) -- cgit v1.2.3-59-g8ed1b
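Review bot: In the first lambda, `options.writeHeader = [&target](...)` captures `target`, now a local of that lambda, by reference and stores the callback in `options`, which outlives the lambda; after the lambda returns the capture dangles, and while the only visible caller (`fillRandomParcel(&data, ..., &options)`) runs before that, any later invocation of `options.writeHeader` would read a dead stack slot. Since `sp` is a refcounted handle, capturing by value removes the hazard at no real cost: `options.writeHeader = [target](Parcel* p, FuzzedDataProvider& provider) {`. Separately, the third lambda only returns when `extraBinders.size() <= 1`, so it can erase index 0, which appears to be the binder handed to fuzzService (that setup is outside the hunk); if the service under test is meant to stay reachable for the rest of the loop, the deletion range should start at 1, e.g. `ConsumeIntegralInRange(1, options.extraBinders.size() - 1)`. fuzzService begins before and ends after this hunk.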