commit 1b6e52ff3a8657f1e20c26dee82c321ed7dc8f78
author Pawan Wagh <waghpawan@google.com> Thu Apr 20 18:42:11 2023 +0000
committer Pawan Wagh <waghpawan@google.com> Fri Apr 21 00:20:00 2023 +0000
tree 1997266c9469ee42c432072d28f218915411f795
parent 0b3159fbf965ea4d26674932687efdc61027d61a

Adding ServiceManagerTestFuzzer to use seed corpus

Using seed corpus generated by record_binder tool

Generate seeds using:

record_binder start manager
atest servicemanager_test
record_binder stop manager
record_binder generate-corpus manager

Test: adb shell /data/fuzz/arm64/servicemanager_test_fuzzer/servicemanager_test_fuzzer /data/local/recordings/corpus
Bug: 278975837
Change-Id: I90c5286244c1cae0c63e1cfd636bc8473e33ddc2

cmds/servicemanager/fuzzers/ServiceManagerTestFuzzer.cpp

diff --git a/cmds/servicemanager/fuzzers/ServiceManagerTestFuzzer.cpp b/cmds/servicemanager/fuzzers/ServiceManagerTestFuzzer.cpp
new file mode 100644
index 0000000..e19b6eb
--- /dev/null
+++ b/cmds/servicemanager/fuzzers/ServiceManagerTestFuzzer.cpp
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <fuzzbinder/libbinder_driver.h>
+#include <utils/StrongPointer.h>
+
+#include "Access.h"
+#include "ServiceManager.h"
+
+using ::android::Access;
+using ::android::Parcel;
+using ::android::ServiceManager;
+using ::android::sp;
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+    FuzzedDataProvider provider(data, size);
+    auto accessPtr = std::make_unique<Access>();
+    auto serviceManager = sp<ServiceManager>::make(std::move(accessPtr));
+
+    // Reserved bytes
+    provider.ConsumeBytes<uint8_t>(8);
+    uint32_t code = provider.ConsumeIntegral<uint32_t>();
+    uint32_t flag = provider.ConsumeIntegral<uint32_t>();
+    std::vector<uint8_t> parcelData = provider.ConsumeRemainingBytes<uint8_t>();
+
+    Parcel inputParcel;
+    inputParcel.setData(parcelData.data(), parcelData.size());
+
+    Parcel reply;
+    serviceManager->transact(code, inputParcel, &reply, flag);
+
+    serviceManager->clear();
+
+    return 0;
+}