Gitiles
Code Review Sign In
gerrit.omnirom.org / android_frameworks_native / 38429f003c617f42bd3adebeeda1d8f31e6ed270^! / .
commit38429f003c617f42bd3adebeeda1d8f31e6ed270[log] [tgz]
authorPawan Wagh <waghpawan@google.com>Mon Oct 17 19:39:50 2022 +0000
committerPawan Wagh <waghpawan@google.com>Thu Nov 03 23:39:59 2022 +0000
treebd6008170e8781011e2c3e826712f42479be3ff4
parent7d978c9093370111bd2ad69fa216e3c9c086831d [diff]
Adding fuzz_service for rust backend

Adding an rust API for fuzzService in libbinder_random_parcel_rs
to automatically fuzz rust services.

Bug: 256874936
Test: m libbinder_random_parcel_rs
Change-Id: Ice318393d83b6cb34777b57ab25b533a7429af7f

diff --git a/libs/binder/rust/tests/parcel_fuzzer/random_parcel/Android.bp b/libs/binder/rust/tests/parcel_fuzzer/random_parcel/Android.bp
index 6fe4fcd..43a3094 100644
--- a/libs/binder/rust/tests/parcel_fuzzer/random_parcel/Android.bp
+++ b/libs/binder/rust/tests/parcel_fuzzer/random_parcel/Android.bp

@@ -14,6 +14,8 @@
         "--size_t-is-usize",
         "--allowlist-function",
         "createRandomParcel",
+        "--allowlist-function",
+        "fuzzRustService",
     ],
     shared_libs: [
         "libc++",

diff --git a/libs/binder/rust/tests/parcel_fuzzer/random_parcel/src/lib.rs b/libs/binder/rust/tests/parcel_fuzzer/random_parcel/src/lib.rs
index ee3b6f8..1bbd674 100644
--- a/libs/binder/rust/tests/parcel_fuzzer/random_parcel/src/lib.rs
+++ b/libs/binder/rust/tests/parcel_fuzzer/random_parcel/src/lib.rs

@@ -16,7 +16,8 @@
 
 use binder::binder_impl::Parcel;
 use binder::unstable_api::{AParcel, AsNative};
-use binder_random_parcel_bindgen::createRandomParcel;
+use binder::SpIBinder;
+use binder_random_parcel_bindgen::{createRandomParcel, fuzzRustService};
 use std::os::raw::c_void;
 
 /// This API creates a random parcel to be used by fuzzers
@@ -31,3 +32,13 @@
     }
     parcel
 }
+
+/// This API automatically fuzzes provided service
+pub fn fuzz_service(binder: &mut SpIBinder, fuzzer_data: &[u8]) {
+    let ptr = binder.as_native_mut() as *mut c_void;
+    unsafe {
+        // Safety: `SpIBinder::as_native_mut` and `slice::as_ptr` always
+        // return valid pointers.
+        fuzzRustService(ptr, fuzzer_data.as_ptr(), fuzzer_data.len());
+    }
+}

diff --git a/libs/binder/rust/tests/parcel_fuzzer/random_parcel/wrappers/RandomParcelWrapper.hpp b/libs/binder/rust/tests/parcel_fuzzer/random_parcel/wrappers/RandomParcelWrapper.hpp
index 167a64e..831bd56 100644
--- a/libs/binder/rust/tests/parcel_fuzzer/random_parcel/wrappers/RandomParcelWrapper.hpp
+++ b/libs/binder/rust/tests/parcel_fuzzer/random_parcel/wrappers/RandomParcelWrapper.hpp

@@ -19,4 +19,7 @@
 extern "C" {
     // This API is used by rust to fill random parcel.
     void createRandomParcel(void* aParcel, const uint8_t* data, size_t len);
+
+    // This API is used by fuzzers to automatically fuzz aidl services
+    void fuzzRustService(void* binder, const uint8_t* data, size_t len);
 }
\ No newline at end of file

diff --git a/libs/binder/tests/parcel_fuzzer/libbinder_ndk_driver.cpp b/libs/binder/tests/parcel_fuzzer/libbinder_ndk_driver.cpp
index 462ef9a..a1fb701 100644
--- a/libs/binder/tests/parcel_fuzzer/libbinder_ndk_driver.cpp
+++ b/libs/binder/tests/parcel_fuzzer/libbinder_ndk_driver.cpp

@@ -29,3 +29,12 @@
 }
 
 } // namespace android
+
+extern "C" {
+// This API is used by fuzzers to automatically fuzz aidl services
+void fuzzRustService(void* binder, const uint8_t* data, size_t len) {
+    AIBinder* aiBinder = static_cast<AIBinder*>(binder);
+    FuzzedDataProvider provider(data, len);
+    android::fuzzService(aiBinder, std::move(provider));
+}
+} // extern "C"