Adding example java binder service fuzzer
using the fuzzService API to fuzz a test service.
Test: m java_binder_service_fuzzer &&
./jazzer_helper.sh --fuzz_target java_binder_service_fuzzer --target_class ServiceFuzzer
Bug: 258075558
Change-Id: If1ff082638eaec04e8ba9c4f8f7321c952b22f82
diff --git a/core/java/Android.bp b/core/java/Android.bp
index eac8b9b..88ee39d 100644
--- a/core/java/Android.bp
+++ b/core/java/Android.bp
@@ -425,6 +425,16 @@
],
}
+// This file group is used by service fuzzer
+filegroup {
+ name: "framework-core-sources-for-fuzzers",
+ srcs: [
+ "android/os/IInterface.java",
+ "android/os/Binder.java",
+ "android/os/IBinder.java",
+ ],
+}
+
aidl_interface {
name: "android.os.statsbootstrap_aidl",
unstable: true,
diff --git a/core/tests/fuzzers/FuzzService/FuzzBinder.java b/core/tests/fuzzers/FuzzService/FuzzBinder.java
index 7c09831..7096f52 100644
--- a/core/tests/fuzzers/FuzzService/FuzzBinder.java
+++ b/core/tests/fuzzers/FuzzService/FuzzBinder.java
@@ -22,7 +22,7 @@
}
// DO NOT REUSE: This API should be called from fuzzer to setup JNI dependencies from
- // libandroid_runtime. THIS IS WORKAROUND. Please file a bug if you need to use this
+ // libandroid_runtime. THIS IS WORKAROUND. Please file a bug if you need to use this.
public static void init() {
System.loadLibrary("android_runtime");
registerNatives();
diff --git a/core/tests/fuzzers/java_service_fuzzer/Android.bp b/core/tests/fuzzers/java_service_fuzzer/Android.bp
new file mode 100644
index 0000000..625de14
--- /dev/null
+++ b/core/tests/fuzzers/java_service_fuzzer/Android.bp
@@ -0,0 +1,40 @@
+package {
+ default_applicable_licenses: ["frameworks_base_license"],
+}
+
+aidl_interface {
+ name: "fuzzTestInterface",
+ srcs: ["fuzztest/ITestService.aidl"],
+ unstable: true,
+ backend: {
+ java: {
+ enabled: true,
+ },
+ },
+}
+
+java_fuzz {
+ name: "java_binder_service_fuzzer",
+ srcs: [
+ "ServiceFuzzer.java",
+ "TestService.java",
+ ":framework-core-sources-for-fuzzers",
+ ],
+ static_libs: [
+ "jazzer",
+ "fuzzTestInterface-java",
+ "random_parcel_lib",
+ ],
+ jni_libs: [
+ "librandom_parcel_jni",
+ "libc++",
+ "libandroid_runtime",
+ ],
+ libs: [
+ "framework",
+ "unsupportedappusage",
+ "ext",
+ "framework-res",
+ ],
+ native_bridge_supported: true,
+}
diff --git a/core/tests/fuzzers/java_service_fuzzer/ServiceFuzzer.java b/core/tests/fuzzers/java_service_fuzzer/ServiceFuzzer.java
new file mode 100644
index 0000000..a6e0986
--- /dev/null
+++ b/core/tests/fuzzers/java_service_fuzzer/ServiceFuzzer.java
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2022 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import com.code_intelligence.jazzer.api.FuzzedDataProvider;
+
+import randomparcel.FuzzBinder;
+
+public class ServiceFuzzer {
+
+ static {
+ // Initialize fuzzService and JNI dependencies
+ FuzzBinder.init();
+ }
+
+ public static void fuzzerTestOneInput(FuzzedDataProvider data) {
+ TestService service = new TestService();
+ FuzzBinder.fuzzService(service, data.consumeRemainingAsBytes());
+ }
+}
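Review bot: ServiceFuzzer has no class-level Javadoc, so a reader has to follow FuzzBinder.fuzzService to learn what this harness actually exercises; the `public class ServiceFuzzer {` line would benefit from something like `/** Jazzer harness that drives {@code TestService} through {@link FuzzBinder#fuzzService} with fuzzer-supplied Parcel bytes. */`. The static initializer calls FuzzBinder.init(), which the FuzzBinder hunk in this same change documents as a fuzzer-only JNI workaround ("DO NOT REUSE"); extending the existing comment to `// Initialize fuzzService and JNI dependencies (FuzzBinder.init() is a fuzzer-only workaround, see its DO NOT REUSE note)` would stop the pattern being copied into non-fuzzer code. A fresh TestService is constructed for every input, which is fine for the stateless stub added here but worth stating in the Javadoc in case state is later added to the service.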
diff --git a/core/tests/fuzzers/java_service_fuzzer/TestService.java b/core/tests/fuzzers/java_service_fuzzer/TestService.java
new file mode 100644
index 0000000..4404386
--- /dev/null
+++ b/core/tests/fuzzers/java_service_fuzzer/TestService.java
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) 2022 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import fuzztest.ITestService;
+
+public class TestService extends ITestService.Stub {
+
+ @Override
+ public boolean repeatData(boolean token) {
+ return token;
+ }
+}
diff --git a/core/tests/fuzzers/java_service_fuzzer/fuzztest/ITestService.aidl b/core/tests/fuzzers/java_service_fuzzer/fuzztest/ITestService.aidl
new file mode 100644
index 0000000..b766c9f
--- /dev/null
+++ b/core/tests/fuzzers/java_service_fuzzer/fuzztest/ITestService.aidl
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) 2022 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package fuzztest;
+
+interface ITestService {
+ boolean repeatData(boolean token);
+}
\ No newline at end of file
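Review bot: ITestService.aidl is missing a trailing newline, as the `\ No newline at end of file` marker at the end of this hunk shows; add one after the closing `}` so later edits to the interface do not have to re-touch the last line. The other new files in this change end with a newline, so this is the only inconsistency.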