commit 227e5fcd6e025adc5fe1ab61ceb57cc6ff822923
author Pawan Wagh <waghpawan@google.com> Wed Jul 13 00:57:06 2022 +0000
committer Gerrit Code Review <noreply-gerritcodereview@google.com> Wed Jul 13 00:57:06 2022 +0000
tree 46f83a8569c5766ee21c04979a2fef6f4a1e9b03
parent 3e7dd2435d4ff9bee5f48c7b8dbe928c123f914b
parent e95443891e89cd20d2437d6a95fa94ceb32ca0ee

Merge "Fuzzing readFromParcel method for AIDL generated parcelables. Three parcelabels with no data fields, single data field and multiple data fields are added in these changes. Parcelables are fuzzed using binder parcel fuzzer."

libs/binder/RpcServer.cpp

diff --git a/libs/binder/RpcServer.cpp b/libs/binder/RpcServer.cpp
index ee90710..096d5cc 100644
--- a/libs/binder/RpcServer.cpp
+++ b/libs/binder/RpcServer.cpp
@@ -421,7 +421,9 @@
             session->setMaxIncomingThreads(server->mMaxThreads);
             if (!session->setProtocolVersion(protocolVersion)) return;
 
-            if (server->mSupportedFileDescriptorTransportModes.test(
+            if (header.fileDescriptorTransportMode <
+                        server->mSupportedFileDescriptorTransportModes.size() &&
+                server->mSupportedFileDescriptorTransportModes.test(
                         header.fileDescriptorTransportMode)) {
                 session->setFileDescriptorTransportMode(
                         static_cast<RpcSession::FileDescriptorTransportMode>(

libs/binder/include/binder/Parcel.h

diff --git a/libs/binder/include/binder/Parcel.h b/libs/binder/include/binder/Parcel.h
index 32b0ded..91febbd 100644
--- a/libs/binder/include/binder/Parcel.h
+++ b/libs/binder/include/binder/Parcel.h
@@ -1184,10 +1184,20 @@
         c->clear(); // must clear before resizing/reserving otherwise move ctors may be called.
         if constexpr (is_pointer_equivalent_array_v<T>) {
             // could consider POD without gaps and alignment of 4.
-            auto data = reinterpret_cast<const T*>(
-                    readInplace(static_cast<size_t>(size) * sizeof(T)));
+            size_t dataLen;
+            if (__builtin_mul_overflow(size, sizeof(T), &dataLen)) {
+                return -EOVERFLOW;
+            }
+            auto data = reinterpret_cast<const T*>(readInplace(dataLen));
             if (data == nullptr) return BAD_VALUE;
-            c->insert(c->begin(), data, data + size); // insert should do a reserve().
+            // std::vector::insert and similar methods will require type-dependent
+            // byte alignment when inserting from a const iterator such as `data`,
+            // e.g. 8 byte alignment for int64_t, and so will not work if `data`
+            // is 4 byte aligned (which is all Parcel guarantees). Copying
+            // the contents into the vector directly, where possible, circumvents
+            // this.
+            c->resize(size);
+            memcpy(c->data(), data, dataLen);
         } else if constexpr (std::is_same_v<T, bool>
                 || std::is_same_v<T, char16_t>) {
             c->reserve(size); // avoids default initialization

libs/binder/tests/binderRpcTest.cpp

diff --git a/libs/binder/tests/binderRpcTest.cpp b/libs/binder/tests/binderRpcTest.cpp
index 4e41d8e..fca3c29 100644
--- a/libs/binder/tests/binderRpcTest.cpp
+++ b/libs/binder/tests/binderRpcTest.cpp
@@ -930,7 +930,7 @@
 
     size_t epochMsAfter = epochMillis();
 
-    EXPECT_GT(epochMsAfter, epochMsBefore + kSleepMs * kNumSleeps);
+    EXPECT_GE(epochMsAfter, epochMsBefore + kSleepMs * kNumSleeps);
 
     saturateThreadPool(1 + kNumExtraServerThreads, proc.rootIface);
 }