Limit number of fds written in parcel
Certain input sequence causes fuzzers to pick a single fd from
getRandomFd and write it to parcel. Check object count before writing more fds and binders in parcel.
Test: m incidentd_service_fuzzer && adb sync data && adb shell
/data/fuzz/x86_64/incidentd_service_fuzzer/incidentd_service_fuzzer
-runs=1000
Test: atest fuzz_service_test
Test: atest binderRecordReplayTest
Bug: 296516864
Change-Id: I84359a7128fde359828c26ea43ac2559d1236708
diff --git a/libs/binder/tests/parcel_fuzzer/random_parcel.cpp b/libs/binder/tests/parcel_fuzzer/random_parcel.cpp
index f0beed2..f367b41 100644
--- a/libs/binder/tests/parcel_fuzzer/random_parcel.cpp
+++ b/libs/binder/tests/parcel_fuzzer/random_parcel.cpp
@@ -66,6 +66,11 @@
},
// write FD
[&]() {
+ // b/296516864 - Limit number of objects written to a parcel.
+ if (p->objectsCount() > 100) {
+ return;
+ }
+
if (options->extraFds.size() > 0 && provider.ConsumeBool()) {
const base::unique_fd& fd = options->extraFds.at(
provider.ConsumeIntegralInRange<size_t>(0,
@@ -82,7 +87,6 @@
CHECK(OK ==
p->writeFileDescriptor(fds.begin()->release(),
true /*takeOwnership*/));
-
options->extraFds.insert(options->extraFds.end(),
std::make_move_iterator(fds.begin() + 1),
std::make_move_iterator(fds.end()));
@@ -90,6 +94,11 @@
},
// write binder
[&]() {
+ // b/296516864 - Limit number of objects written to a parcel.
+ if (p->objectsCount() > 100) {
+ return;
+ }
+
sp<IBinder> binder;
if (options->extraBinders.size() > 0 && provider.ConsumeBool()) {
binder = options->extraBinders.at(