fuzz_service_test: test restore calling ID

Test for recently changed libbinder driver code.

Bug: N/A
Test: atest fuzz_service_test
Change-Id: I6669c4002b2cf1f2bf43d8a48ff674d05765b67d
diff --git a/libs/binder/tests/parcel_fuzzer/test_fuzzer/ITestService.aidl b/libs/binder/tests/parcel_fuzzer/test_fuzzer/ITestService.aidl
index 3eadc02..5089ae5 100644
--- a/libs/binder/tests/parcel_fuzzer/test_fuzzer/ITestService.aidl
+++ b/libs/binder/tests/parcel_fuzzer/test_fuzzer/ITestService.aidl
@@ -21,4 +21,6 @@
     void setCharData(char input);
 
     void setBooleanData(boolean input);
-}
\ No newline at end of file
+
+    void setService(ITestService service);
+}
diff --git a/libs/binder/tests/parcel_fuzzer/test_fuzzer/TestServiceFuzzer.cpp b/libs/binder/tests/parcel_fuzzer/test_fuzzer/TestServiceFuzzer.cpp
index 8907ea0..7fbf2d0 100644
--- a/libs/binder/tests/parcel_fuzzer/test_fuzzer/TestServiceFuzzer.cpp
+++ b/libs/binder/tests/parcel_fuzzer/test_fuzzer/TestServiceFuzzer.cpp
@@ -17,35 +17,102 @@
 #include <BnTestService.h>
 #include <fuzzbinder/libbinder_driver.h>
 
+#include <binder/IPCThreadState.h>
 #include <log/log.h>
 
-using android::fuzzService;
-using android::sp;
 using android::binder::Status;
 
 namespace android {
+
+enum class CrashType {
+    NONE,
+    ON_PLAIN,
+    ON_BINDER,
+    ON_KNOWN_UID,
+};
+
 // This service is to verify that fuzzService is functioning properly
 class TestService : public BnTestService {
 public:
-    Status setIntData(int /*input*/) {
-        LOG_ALWAYS_FATAL("Expected crash in setIntData");
+    TestService(CrashType crash) : mCrash(crash) {}
+
+    void onData() {
+        switch (mCrash) {
+            case CrashType::ON_PLAIN: {
+                LOG_ALWAYS_FATAL("Expected crash, PLAIN.");
+                break;
+            }
+            case CrashType::ON_KNOWN_UID: {
+                if (IPCThreadState::self()->getCallingUid() == getuid()) {
+                    LOG_ALWAYS_FATAL("Expected crash, KNOWN_UID.");
+                }
+                break;
+            }
+            default:
+                break;
+        }
+    }
+
+    Status setIntData(int /*input*/) override {
+        onData();
         return Status::ok();
     }
 
-    Status setCharData(char16_t /*input*/) {
-        LOG_ALWAYS_FATAL("Expected crash in setCharData");
+    Status setCharData(char16_t /*input*/) override {
+        onData();
         return Status::ok();
     }
 
-    Status setBooleanData(bool /*input*/) {
-        LOG_ALWAYS_FATAL("Expected crash in setBooleanData");
+    Status setBooleanData(bool /*input*/) override {
+        onData();
         return Status::ok();
     }
+
+    Status setService(const sp<ITestService>& service) override {
+        onData();
+        if (mCrash == CrashType::ON_BINDER && service != nullptr) {
+            LOG_ALWAYS_FATAL("Expected crash, BINDER.");
+        }
+        return Status::ok();
+    }
+
+private:
+    CrashType mCrash;
 };
-} // namespace android
+
+CrashType gCrashType = CrashType::NONE;
+
+extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv) {
+    if (*argc < 2) {
+        printf("You must specify at least one argument\n");
+        exit(0); // success because this is a crash test
+    }
+
+    std::string arg = std::string((*argv)[1]);
+
+    // ignore first argument, because we consume it
+    (*argv)[1] = (*argv[0]);
+    (*argc)--;
+    (*argv)++;
+
+    if (arg == "PLAIN") {
+        gCrashType = CrashType::ON_PLAIN;
+    } else if (arg == "KNOWN_UID") {
+        gCrashType = CrashType::ON_KNOWN_UID;
+    } else if (arg == "BINDER") {
+        gCrashType = CrashType::ON_BINDER;
+    } else {
+        printf("INVALID ARG\n");
+        exit(0); // success because this is a crash test
+    }
+
+    return 0;
+}
 
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
-    auto service = sp<android::TestService>::make();
+    auto service = sp<TestService>::make(gCrashType);
     fuzzService(service, FuzzedDataProvider(data, size));
     return 0;
 }
+
+} // namespace android
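Review bot: In LLVMFuzzerInitialize the argument shift is written `(*argv)[1] = (*argv[0]);`, which parses as `*(argv[0])` and equals the intended `(*argv)[0]` only because the index is 0. Writing it as `(*argv)[1] = (*argv)[0];` matches the neighbouring `(*argv)[1]` and `(*argv)++` and does not depend on that coincidence. The added code also uses `printf`, `exit`, `getuid` and `std::string` with no matching include visible in the hunk, so unless lines above the hunk already provide them, include `<cstdio>`, `<cstdlib>`, `<string>` and `<unistd.h>` directly instead of relying on transitive headers. `TestService(CrashType crash)` is a single-argument constructor and is better declared `explicit`. A one-line comment in `onData()` noting that `ON_BINDER` is deliberately left to `setService` would make the `default:` branch read as intended and not as an omission.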
diff --git a/libs/binder/tests/parcel_fuzzer/test_fuzzer/run_fuzz_service_test.sh b/libs/binder/tests/parcel_fuzzer/test_fuzzer/run_fuzz_service_test.sh
old mode 100644
new mode 100755
index cec52fd..e568035
--- a/libs/binder/tests/parcel_fuzzer/test_fuzzer/run_fuzz_service_test.sh
+++ b/libs/binder/tests/parcel_fuzzer/test_fuzzer/run_fuzz_service_test.sh
@@ -27,16 +27,18 @@
     exit 1
 fi
 
-echo "INFO: Running fuzzer : test_service_fuzzer_should_crash"
+for CRASH_TYPE in PLAIN KNOWN_UID BINDER; do
+    echo "INFO: Running fuzzer : test_service_fuzzer_should_crash $CRASH_TYPE"
 
-./test_service_fuzzer_should_crash -max_total_time=30 &>${FUZZER_OUT}
+    ./test_service_fuzzer_should_crash "$CRASH_TYPE" -max_total_time=30 &>"$FUZZER_OUT"
 
-echo "INFO: Searching fuzzer output for expected crashes"
-if grep -q "Expected crash in set" ${FUZZER_OUT};
-then
-    echo -e "${color_success}Success: Found expected crash. fuzzService test successful!"
-else
-    echo -e "${color_failed}Failed: Unable to find successful fuzzing output from test_service_fuzzer_should_crash"
-    echo "${color_reset}"
-    exit 1
-fi
+    echo "INFO: Searching fuzzer output for expected crashes"
+    if grep -q "Expected crash, $CRASH_TYPE." "$FUZZER_OUT"
+    then
+        echo -e "${color_success}Success: Found expected crash. fuzzService test successful!"
+    else
+        echo -e "${color_failed}Failed: Unable to find successful fuzzing output from test_service_fuzzer_should_crash"
+        echo "${color_reset}"
+        exit 1
+    fi
+done
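Review bot: The failure branch inside the new loop prints the same text for every mode, so a failing run does not say whether PLAIN, KNOWN_UID or BINDER failed to crash. Name the mode in the message, for example `echo -e "${color_failed}Failed: no expected crash for $CRASH_TYPE from test_service_fuzzer_should_crash"`. The fuzzer in this commit exits 0 on a missing or unrecognised argument, and no exit-status check is visible in this hunk, so the grep appears to be the only check that the requested mode ran. It should therefore match literally: `grep -qF "Expected crash, $CRASH_TYPE." "$FUZZER_OUT"`, since the trailing `.` is otherwise a regex wildcard. The script starts above this hunk, so the setup of `FUZZER_OUT` and the colour variables is not visible here.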