libbinder fuzzer: print data from inplace reads
This ensures there are no out-of-bounds (OOB) reads in these two cases.
Bug: 131861045
Test: binder_parcel_fuzzer
Change-Id: Id58fc8e8e72c6fc1c88734794382c1138ffd36f6
diff --git a/libs/binder/fuzzer/binder.cpp b/libs/binder/fuzzer/binder.cpp
index f678f4c..86264db 100644
--- a/libs/binder/fuzzer/binder.cpp
+++ b/libs/binder/fuzzer/binder.cpp
@@ -125,7 +125,7 @@
[] (const ::android::Parcel& p, uint8_t len) {
FUZZ_LOG() << "about to readInplace";
const void* r = p.readInplace(len);
- FUZZ_LOG() << "readInplace done. pointer: " << r;
+ FUZZ_LOG() << "readInplace done. pointer: " << r << " bytes: " << hexString(r, len);
},
PARCEL_READ_OPT_STATUS(int32_t, readInt32),
PARCEL_READ_OPT_STATUS(uint32_t, readUint32),
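Review bot: The out-of-bounds check on the `readInplace done` line exists only as a side effect of building a log message, so it holds only if `FUZZ_LOG()` always evaluates its stream operands. The definition of FUZZ_LOG is not in this diff; if it can be compiled out or short-circuited when logging is disabled, `hexString(r, len)` never runs and the sanitizer never sees the read. A comment on that line such as `// hexString reads all len bytes so the sanitizer can flag an OOB read` would record the intent and protect it from a later logging cleanup. The same applies to the readString16Inplace lambda in the next hunk. The enclosing lambda list starts and ends outside this hunk.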
@@ -152,7 +152,8 @@
FUZZ_LOG() << "about to readString16Inplace";
size_t outLen = 0;
const char16_t* str = p.readString16Inplace(&outLen);
- FUZZ_LOG() << "readString16Inplace: " << (str ? "non-null" : "null") << " size: " << outLen;
+ FUZZ_LOG() << "readString16Inplace: " << hexString(str, sizeof(char16_t) * outLen)
+ << " size: " << outLen;
},
PARCEL_READ_WITH_STATUS(android::sp<android::IBinder>, readStrongBinder),
PARCEL_READ_WITH_STATUS(android::sp<android::IBinder>, readNullableStrongBinder),
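Review bot: The dump in the readString16Inplace lambda reads `outLen` code units but not the terminator that follows them. As far as I know, Parcel reserves one extra char16_t for a NUL and callers treat the result as NUL-terminated; that should be confirmed against Parcel.cpp, which is not in this diff. If so, passing `sizeof(char16_t) * (outLen + 1)` would extend the sanitizer coverage to the terminator as well, and the null case is still handled because `hexString` returns `"<null>"` before reading anything. The lambda begins outside this hunk.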
diff --git a/libs/binder/fuzzer/util.cpp b/libs/binder/fuzzer/util.cpp
index b3a4ee7..b1213e9 100644
--- a/libs/binder/fuzzer/util.cpp
+++ b/libs/binder/fuzzer/util.cpp
@@ -21,11 +21,17 @@
#include <iomanip>
#include <sstream>
-std::string hexString(const std::vector<uint8_t>& hash) {
+std::string hexString(const void* bytes, size_t len) {
+ if (bytes == nullptr) return "<null>";
+
std::ostringstream s;
s << std::hex << std::setfill('0');
- for (uint8_t i : hash) {
- s << std::setw(2) << static_cast<int>(i);
+ for (size_t i = 0; i < len; i++) {
+ s << std::setw(2) << static_cast<int>(
+ static_cast<const uint8_t*>(bytes)[i]);
}
return s.str();
}
+std::string hexString(const std::vector<uint8_t>& bytes) {
+ return hexString(bytes.data(), bytes.size());
+}
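Review bot: The new vector overload forwards `bytes.data()`, which may be a null pointer for an empty vector, so `hexString` of an empty vector can now return `"<null>"` where the old code returned an empty string. If any existing caller can pass an empty vector, add `if (bytes.empty()) return "";` to the overload before forwarding. As a style point, the cast inside the loop could be hoisted to `const auto* p = static_cast<const uint8_t*>(bytes);` ahead of the loop so the body reads `static_cast<int>(p[i])`.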
diff --git a/libs/binder/fuzzer/util.h b/libs/binder/fuzzer/util.h
index 07e68a8..416c3a7 100644
--- a/libs/binder/fuzzer/util.h
+++ b/libs/binder/fuzzer/util.h
@@ -45,4 +45,5 @@
std::stringstream mOs;
};
-std::string hexString(const std::vector<uint8_t>& hash);
+std::string hexString(const void* bytes, size_t len);
+std::string hexString(const std::vector<uint8_t>& bytes);
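Review bot: The pointer overload declared here has a contract its signature does not show: it reads `len` bytes from `bytes` with no bounds check of its own and returns `"<null>"` for a null pointer. A comment above the declaration would make that explicit, for example `// Hex-encodes len bytes at bytes; returns "<null>" if bytes is nullptr. Deliberately unchecked so a sanitizer can catch a bad len.` Whether this header already includes `<cstddef>` for `size_t` is not visible in the hunk and is worth confirming.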