Fuzz incident AIDL service
Add an AIDL service fuzzer for the incident service,
built on fuzzService.
Test: m incidentd_service_fuzzer && adb sync data && adb shell /data/fuzz/x86_64/incidentd_service_fuzzer/incidentd_service_fuzzer
Bug: 232439428
Change-Id: I8d0738ac7f9cea99ce017e25cd68093bfe38e68c
diff --git a/cmds/incidentd/Android.bp b/cmds/incidentd/Android.bp
index b0b23f5..bd30404 100644
--- a/cmds/incidentd/Android.bp
+++ b/cmds/incidentd/Android.bp
@@ -82,17 +82,11 @@
},
},
-
init_rc: ["incidentd.rc"],
}
-// ==============
-// incidentd_test
-// ==============
-
-cc_test {
- name: "incidentd_test",
- test_suites: ["device-tests"],
+cc_defaults {
+ name: "incidentd_test_defaults",
cflags: [
"-Werror",
@@ -110,8 +104,6 @@
generated_headers: ["framework-cppstream-protos"],
srcs: [
- "tests/**/*.cpp",
- "tests/**/*.proto",
"src/FdBuffer.cpp",
"src/Privacy.cpp",
"src/PrivacyFilter.cpp",
@@ -125,13 +117,11 @@
"src/**/*.proto",
],
- data: ["testdata/**/*"],
-
static_libs: [
- "libgmock",
"libincidentcompanion",
"libplatformprotos-test",
],
+
shared_libs: [
"libbase",
"libbinder",
@@ -144,6 +134,30 @@
"libservices",
"libutils",
],
+}
+
+// ==============
+// incidentd_test
+// ==============
+cc_test {
+ name: "incidentd_test",
+
+ defaults: [
+ "incidentd_test_defaults",
+ ],
+
+ test_suites: ["device-tests"],
+
+ srcs: [
+ "tests/**/*.cpp",
+ "tests/**/*.proto",
+ ],
+
+ data: ["testdata/**/*"],
+
+ static_libs: [
+ "libgmock",
+ ],
target: {
android: {
@@ -160,3 +174,27 @@
out: ["section_list.cpp"],
cmd: "$(location incident-section-gen) incidentd > $(out)",
}
+
+cc_fuzz {
+ name: "incidentd_service_fuzzer",
+ defaults: [
+ "service_fuzzer_defaults",
+ "fuzzer_disable_leaks",
+ "incidentd_test_defaults",
+ ],
+
+ fuzz_config: {
+ cc: [
+ "yaochen@google.com",
+ "yanmin@google.com",
+ ],
+ triage_assignee: "waghpawan@google.com",
+ },
+
+ srcs: [
+ "fuzzers/IncidentServiceFuzzer.cpp",
+ "src/IncidentService.cpp",
+ "src/Broadcaster.cpp",
+ ":incidentd_section_list",
+ ],
+}
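Review bot: The `fuzzer_disable_leaks` entry in the `defaults` list of `incidentd_service_fuzzer` carries no comment explaining why leak checking is switched off for this target. Going by its name, that default suppresses leak reports, so a leak in `src/IncidentService.cpp` or `src/Broadcaster.cpp` reached through a fuzzed transaction would go unreported here. I would add a comment above it recording the reason and the exit condition, for example `// TODO(b/<bug-id placeholder>): drop fuzzer_disable_leaks once known leaks in the service are fixed`. It would also help to note next to `"incidentd_test_defaults"` that the fuzzer deliberately links the same sources as `incidentd_test`, so later edits to the shared defaults are made with both targets in mind.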
diff --git a/cmds/incidentd/fuzzers/IncidentServiceFuzzer.cpp b/cmds/incidentd/fuzzers/IncidentServiceFuzzer.cpp
new file mode 100644
index 0000000..14c969b
--- /dev/null
+++ b/cmds/incidentd/fuzzers/IncidentServiceFuzzer.cpp
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <fuzzbinder/libbinder_driver.h>
+#include <utils/Looper.h>
+
+#include "IncidentService.h"
+
+using ::android::fuzzService;
+using ::android::os::incidentd::IncidentService;
+using ::android::Looper;
+using ::android::sp;
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ sp<Looper> looper(Looper::prepare(0));
+ sp<IncidentService> service = sp<IncidentService>::make(looper);
+ fuzzService(service, FuzzedDataProvider(data, size));
+ return 0;
+}
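Review bot: `LLVMFuzzerTestOneInput` builds a new `Looper` and a new `IncidentService` for every input, while the build rule for this target applies `fuzzer_disable_leaks`. Anything the service does not release when the `sp<>` goes out of scope (the constructor and destructor are not visible in this diff) would therefore pile up across iterations and surface only as an out-of-memory stop that is hard to attribute. A comment above the function should say the per-input construction is intentional, e.g. `// Fresh Looper + service per input so earlier transactions cannot influence later ones.` Separately, `FuzzedDataProvider` is used without a direct include and presumably arrives through `fuzzbinder/libbinder_driver.h`; adding `#include <fuzzer/FuzzedDataProvider.h>` would make the file self-contained.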