libs/binder/tests/fuzzers/BpBinderFuzzFunctions.h - android_frameworks_native - Gitiles

 /*
  * Copyright 2020 The Android Open Source Project
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *      http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 #pragma once

 #include <IBinderFuzzFunctions.h>
 #include <fuzzer/FuzzedDataProvider.h>

 #include <binder/BpBinder.h>
 #include <binder/IBinder.h>
 #include <binder/IPCThreadState.h>
 #include <binder/IResultReceiver.h>
 #include <binder/Parcel.h>
 #include <binder/Stability.h>

 #include <cutils/compiler.h>
 #include <utils/KeyedVector.h>
 #include <utils/Log.h>
 #include <utils/Mutex.h>
 #include <utils/threads.h>

 #include <stdio.h>

 namespace android {

 // Static variable to reference so we don't consume a bunch of memory to link and
 // unlink DeathRecipients.
 static int8_t kBpBinderCookie = 0;

 /* This is a vector of lambda functions the fuzzer will pull from.
  *  This is done so new functions can be added to the fuzzer easily
  *  without requiring modifications to the main fuzzer file. This also
  *  allows multiple fuzzers to include this file, if functionality is needed.
  */
 static const std::vector<std::function<void(FuzzedDataProvider*, const sp<BpBinder>&,
                                             const sp<IBinder::DeathRecipient>&)>>
         gBPBinderOperations =
                 {[](FuzzedDataProvider* fdp, const sp<BpBinder>& bpbinder,
                     const sp<IBinder::DeathRecipient>& s_recipient) -> void {
                      // Clean up possible leftover memory.
                      wp<IBinder::DeathRecipient> outRecipient(nullptr);
                      bpbinder->sendObituary();
                      bpbinder->unlinkToDeath(nullptr, reinterpret_cast<void*>(&kBpBinderCookie), 0,
                                              &outRecipient);

                      uint32_t flags = fdp->ConsumeIntegral<uint32_t>();
                      kBpBinderCookie = fdp->ConsumeIntegral<int8_t>();
                      bpbinder->linkToDeath(s_recipient.get(),
                                            reinterpret_cast<void*>(&kBpBinderCookie), flags);
                  },
                  [](FuzzedDataProvider* fdp, const sp<BpBinder>& bpbinder,
                     const sp<IBinder::DeathRecipient>&) -> void {
                      wp<IBinder::DeathRecipient> out_recipient(nullptr);
                      uint32_t flags = fdp->ConsumeIntegral<uint32_t>();
                      int8_t random_cookie = fdp->ConsumeIntegral<int8_t>();
                      bpbinder->unlinkToDeath(nullptr, reinterpret_cast<void*>(&random_cookie),
                                              flags, &out_recipient);
                  },
                  [](FuzzedDataProvider*, const sp<BpBinder>& bpbinder,
                     const sp<IBinder::DeathRecipient>&) -> void { bpbinder->remoteBinder(); },
                  [](FuzzedDataProvider*, const sp<BpBinder>& bpbinder,
                     const sp<IBinder::DeathRecipient>&) -> void { bpbinder->sendObituary(); },
                  [](FuzzedDataProvider* fdp, const sp<BpBinder>& bpbinder,
                     const sp<IBinder::DeathRecipient>&) -> void {
                      uint32_t uid = fdp->ConsumeIntegral<uint32_t>();
                      bpbinder->getBinderProxyCount(uid);
                  },
                  [](FuzzedDataProvider*, const sp<BpBinder>& bpbinder,
                     const sp<IBinder::DeathRecipient>&) -> void { bpbinder->enableCountByUid(); },
                  [](FuzzedDataProvider*, const sp<BpBinder>& bpbinder,
                     const sp<IBinder::DeathRecipient>&) -> void { bpbinder->disableCountByUid(); },
                  [](FuzzedDataProvider*, const sp<BpBinder>& bpbinder,
                     const sp<IBinder::DeathRecipient>&) -> void {
                      Vector<uint32_t> uids;
                      Vector<uint32_t> counts;
                      bpbinder->getCountByUid(uids, counts);
                  },
                  [](FuzzedDataProvider* fdp, const sp<BpBinder>& bpbinder,
                     const sp<IBinder::DeathRecipient>&) -> void {
                      bool enable = fdp->ConsumeBool();
                      bpbinder->setCountByUidEnabled(enable);
                  },
                  [](FuzzedDataProvider*, const sp<BpBinder>& bpbinder,
                     const sp<IBinder::DeathRecipient>&) -> void {
                      binder_proxy_limit_callback cb = binder_proxy_limit_callback();
                      bpbinder->setLimitCallback(cb);
                  },
                  [](FuzzedDataProvider* fdp, const sp<BpBinder>& bpbinder,
                     const sp<IBinder::DeathRecipient>&) -> void {
                      int high = fdp->ConsumeIntegral<int>();
                      int low = fdp->ConsumeIntegral<int>();
                      bpbinder->setBinderProxyCountWatermarks(high, low);
                  }};

 } // namespace android
	/*
	* Copyright 2020 The Android Open Source Project
	*
	* Licensed under the Apache License, Version 2.0 (the "License");
	* you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	#pragma once

	#include <IBinderFuzzFunctions.h>
	#include <fuzzer/FuzzedDataProvider.h>

	#include <binder/BpBinder.h>
	#include <binder/IBinder.h>
	#include <binder/IPCThreadState.h>
	#include <binder/IResultReceiver.h>
	#include <binder/Parcel.h>
	#include <binder/Stability.h>

	#include <cutils/compiler.h>
	#include <utils/KeyedVector.h>
	#include <utils/Log.h>
	#include <utils/Mutex.h>
	#include <utils/threads.h>

	#include <stdio.h>

	namespace android {

	// Static variable to reference so we don't consume a bunch of memory to link and
	// unlink DeathRecipients.
	static int8_t kBpBinderCookie = 0;

	/* This is a vector of lambda functions the fuzzer will pull from.
	* This is done so new functions can be added to the fuzzer easily
	* without requiring modifications to the main fuzzer file. This also
	* allows multiple fuzzers to include this file, if functionality is needed.
	*/
	static const std::vector<std::function<void(FuzzedDataProvider*, const sp<BpBinder>&,
	const sp<IBinder::DeathRecipient>&)>>
	gBPBinderOperations =
	{[](FuzzedDataProvider* fdp, const sp<BpBinder>& bpbinder,
	const sp<IBinder::DeathRecipient>& s_recipient) -> void {
	// Clean up possible leftover memory.
	wp<IBinder::DeathRecipient> outRecipient(nullptr);
	bpbinder->sendObituary();
	bpbinder->unlinkToDeath(nullptr, reinterpret_cast<void*>(&kBpBinderCookie), 0,
	&outRecipient);

	uint32_t flags = fdp->ConsumeIntegral<uint32_t>();
	kBpBinderCookie = fdp->ConsumeIntegral<int8_t>();
	bpbinder->linkToDeath(s_recipient.get(),
	reinterpret_cast<void*>(&kBpBinderCookie), flags);
	},
	[](FuzzedDataProvider* fdp, const sp<BpBinder>& bpbinder,
	const sp<IBinder::DeathRecipient>&) -> void {
	wp<IBinder::DeathRecipient> out_recipient(nullptr);
	uint32_t flags = fdp->ConsumeIntegral<uint32_t>();
	int8_t random_cookie = fdp->ConsumeIntegral<int8_t>();
	bpbinder->unlinkToDeath(nullptr, reinterpret_cast<void*>(&random_cookie),
	flags, &out_recipient);
	},
	[](FuzzedDataProvider*, const sp<BpBinder>& bpbinder,
	const sp<IBinder::DeathRecipient>&) -> void { bpbinder->remoteBinder(); },
	[](FuzzedDataProvider*, const sp<BpBinder>& bpbinder,
	const sp<IBinder::DeathRecipient>&) -> void { bpbinder->sendObituary(); },
	[](FuzzedDataProvider* fdp, const sp<BpBinder>& bpbinder,
	const sp<IBinder::DeathRecipient>&) -> void {
	uint32_t uid = fdp->ConsumeIntegral<uint32_t>();
	bpbinder->getBinderProxyCount(uid);
	},
	[](FuzzedDataProvider*, const sp<BpBinder>& bpbinder,
	const sp<IBinder::DeathRecipient>&) -> void { bpbinder->enableCountByUid(); },
	[](FuzzedDataProvider*, const sp<BpBinder>& bpbinder,
	const sp<IBinder::DeathRecipient>&) -> void { bpbinder->disableCountByUid(); },
	[](FuzzedDataProvider*, const sp<BpBinder>& bpbinder,
	const sp<IBinder::DeathRecipient>&) -> void {
	Vector<uint32_t> uids;
	Vector<uint32_t> counts;
	bpbinder->getCountByUid(uids, counts);
	},
	[](FuzzedDataProvider* fdp, const sp<BpBinder>& bpbinder,
	const sp<IBinder::DeathRecipient>&) -> void {
	bool enable = fdp->ConsumeBool();
	bpbinder->setCountByUidEnabled(enable);
	},
	[](FuzzedDataProvider*, const sp<BpBinder>& bpbinder,
	const sp<IBinder::DeathRecipient>&) -> void {
	binder_proxy_limit_callback cb = binder_proxy_limit_callback();
	bpbinder->setLimitCallback(cb);
	},
	[](FuzzedDataProvider* fdp, const sp<BpBinder>& bpbinder,
	const sp<IBinder::DeathRecipient>&) -> void {
	int high = fdp->ConsumeIntegral<int>();
	int low = fdp->ConsumeIntegral<int>();
	bpbinder->setBinderProxyCountWatermarks(high, low);
	}};

	} // namespace android