libbinder_ndk: fwd fuzzing status to NDK binders

When passing binders into NDK backend services, we always
type check them immediately. This allows errors to show
up earlier there, but may be inefficient because the type
will also be checked on every transaction. Anyway...

This poses a problem for our automatic fuzzers because
callbacks passed into services (e.g. RandomBinder) will
be ignored for NDK backend fuzzers unless they correctly
guess their interface descriptor.

There are a few things we could do:
- use random strings from the environment
- export a list of possible interface descriptors from AIDL
- generate our corpuses from other data

However, the simplest thing we can do is ignore the check,
which this CL does.

Of course, it isn't great to continue differentiated fuzzer
behavior from actual behavior, so we'd like to revert this
once we have a more comprehensive solution. However, callbacks
are a fundamental AIDL building block, so forcing good
fuzzer coverage for these pieces seems justified.

Bug: N/A
Test: I added an abort in an NDK backend service. Without this
change, that path is never found, but with this change, it
was hit after only ~6,000 iterations.
Change-Id: I4cbe5c56b93b9300fbd57e72e24075c02df38ba9
diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp
index 2c2a1b6..9b685f9 100644
--- a/libs/binder/Parcel.cpp
+++ b/libs/binder/Parcel.cpp
@@ -992,6 +992,10 @@
mServiceFuzzing = true;
}
+bool Parcel::isServiceFuzzing() const {
+ return mServiceFuzzing;
+}
+
binder::Status Parcel::enforceNoDataAvail() const {
if (!mEnforceNoDataAvail) {
return binder::Status::ok();
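Review bot: The new Parcel::isServiceFuzzing() accessor has no comment saying that a true return is what lets the NDK backend skip its interface descriptor type check, so a later caller could reuse it without realizing it gates a security-relevant check. Please document at the definition (and at the declaration) that this is fuzzing-only state and must never be true for a Parcel outside a fuzzer. In the visible context the flag is only ever assigned true (mServiceFuzzing = true;) with no reset shown, so it is also worth stating whether the state persists when the Parcel object is reused. Since the commit message plans to revert this behavior, a TODO on the accessor pointing at that follow-up would make it easier to find and remove.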