libbinder_random_parcel: rand binder returns data
We now have a 'RandomBinder' which can return random
data. For now, this doesn't integrate with random_parcel.h
RandomParcelOptions. This is to reduce complexity and
validate this approach.
Two ideas with this:
- when we're fuzzing AIDL services, complicated random
parcel objects will get passed in (this RandomBinder)
- when we build AIDL fuzzers, we can use 'getRandomBinder'
in order to dependency inject random binders into a
service. This way, we can fuzz them assuming the
dependencies are malicious.
Bug: 241923341
Test: android.hardware.vibrator-service.example_fuzzer (check that
this code actually contributes to coverage)
Change-Id: I118d5c8d7b643fbd77f3771816600f74894e7bab
diff --git a/libs/binder/tests/parcel_fuzzer/random_binder.cpp b/libs/binder/tests/parcel_fuzzer/random_binder.cpp
index 8eab454..8a1fecb 100644
--- a/libs/binder/tests/parcel_fuzzer/random_binder.cpp
+++ b/libs/binder/tests/parcel_fuzzer/random_binder.cpp
@@ -15,18 +15,54 @@
*/
#include <fuzzbinder/random_binder.h>
+#include <fuzzbinder/random_parcel.h>
+
+#include <android-base/logging.h>
#include <binder/IInterface.h>
#include <binder/IServiceManager.h>
namespace android {
-class NamedBinder : public BBinder {
+class RandomBinder : public BBinder {
public:
- NamedBinder(const String16& descriptor) : mDescriptor(descriptor) {}
+ RandomBinder(const String16& descriptor, std::vector<uint8_t>&& bytes)
+ : mDescriptor(descriptor),
+ mBytes(std::move(bytes)),
+ mProvider(mBytes.data(), mBytes.size()) {}
const String16& getInterfaceDescriptor() const override { return mDescriptor; }
+ status_t onTransact(uint32_t code, const Parcel& data, Parcel* reply, uint32_t flags) override {
+ (void)code;
+ (void)data;
+ (void)reply;
+ (void)flags; // note - for maximum coverage even ignore if oneway
+
+ if (mProvider.ConsumeBool()) {
+ return mProvider.ConsumeIntegral<status_t>();
+ }
+
+ if (reply == nullptr) return OK;
+
+ // TODO: things we could do to increase state space
+ // - also pull FDs and binders from 'data'
+ // (optionally combine these into random parcel 'options')
+ // - also pull FDs and binders from random parcel 'options'
+ RandomParcelOptions options;
+
+ // random output
+ std::vector<uint8_t> subData = mProvider.ConsumeBytes<uint8_t>(
+ mProvider.ConsumeIntegralInRange<size_t>(0, mProvider.remaining_bytes()));
+ fillRandomParcel(reply, FuzzedDataProvider(subData.data(), subData.size()), &options);
+
+ return OK;
+ }
+
private:
String16 mDescriptor;
+
+ // note may not all be used
+ std::vector<uint8_t> mBytes;
+ FuzzedDataProvider mProvider;
};
sp<IBinder> getRandomBinder(FuzzedDataProvider* provider) {
@@ -35,7 +71,14 @@
// descriptor is the length of a class name, e.g.
// "some.package.Foo"
std::string str = provider->ConsumeRandomLengthString(100 /*max length*/);
- return new NamedBinder(String16(str.c_str()));
+
+ // arbitrarily consume remaining data to create a binder that can return
+ // random results - coverage guided fuzzer should ensure all of the remaining
+ // data isn't always used
+ std::vector<uint8_t> bytes = provider->ConsumeBytes<uint8_t>(
+ provider->ConsumeIntegralInRange<size_t>(0, provider->remaining_bytes()));
+
+ return new RandomBinder(String16(str.c_str()), std::move(bytes));
},
[]() {
// this is the easiest remote binder to get ahold of, and it