binder_parcel_fuzzer: fuzz parcle types separately
Before, binder, hwbinder, and binder_ndk parcels were always checked
against the same instuctions/data. However, because we are using guided
fuzzing, an interesting case for one parcel is highly likely to be a
waste of time for the other parcels. By only fuzzing one at a time, we
give the fuzzing engine the ability to focus in on individual parcel
implementations.
Bug: 131861045
Test: binder_parcel_fuzzer (and verify all backends are hit)
Change-Id: Ifd3e75828e68eb55d7cebfd3b40a31b0192c9991
diff --git a/libs/binder/fuzzer/main.cpp b/libs/binder/fuzzer/main.cpp
index 31b27ab..929e2c3 100644
--- a/libs/binder/fuzzer/main.cpp
+++ b/libs/binder/fuzzer/main.cpp
@@ -51,12 +51,25 @@
}
void fuzz(uint8_t options, const std::vector<uint8_t>& input, const std::vector<uint8_t>& instructions) {
- (void) options;
+ uint8_t parcelType = options & 0x3;
- // although they will do completely different things, might as well fuzz both
- doFuzz<::android::hardware::Parcel>(HWBINDER_PARCEL_READ_FUNCTIONS, input, instructions);
- doFuzz<::android::Parcel>(BINDER_PARCEL_READ_FUNCTIONS, input, instructions);
- doFuzz<NdkParcelAdapter>(BINDER_NDK_PARCEL_READ_FUNCTIONS, input, instructions);
+ switch (parcelType) {
+ case 0x0:
+ doFuzz<::android::hardware::Parcel>(HWBINDER_PARCEL_READ_FUNCTIONS, input,
+ instructions);
+ break;
+ case 0x1:
+ doFuzz<::android::Parcel>(BINDER_PARCEL_READ_FUNCTIONS, input, instructions);
+ break;
+ case 0x2:
+ doFuzz<NdkParcelAdapter>(BINDER_NDK_PARCEL_READ_FUNCTIONS, input, instructions);
+ break;
+ case 0x3:
+ /*reserved for future use*/
+ break;
+ default:
+ LOG_ALWAYS_FATAL("unknown parcel type %d", static_cast<int>(parcelType));
+ }
}
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {