| Corbin Souffrant | 84f5c0f | 2020-06-26 00:42:43 -0700 | [diff] [blame] | 1 | /* |
| 2 | * Copyright 2020 The Android Open Source Project |
| 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License. |
| 15 | */ |
| 16 | |
| 17 | #pragma once |
| 18 | |
| 19 | #include <fuzzer/FuzzedDataProvider.h> |
| 20 | |
| 21 | #include <binder/IBinder.h> |
| 22 | #include <binder/IPCThreadState.h> |
| 23 | #include <binder/IResultReceiver.h> |
| 24 | #include <binder/Parcel.h> |
| 25 | #include <binder/Stability.h> |
| 26 | #include <cutils/compiler.h> |
| 27 | #include <utils/KeyedVector.h> |
| 28 | #include <utils/Log.h> |
| 29 | #include <utils/Mutex.h> |
| 30 | #include <utils/threads.h> |
| 31 | |
| 32 | namespace android { |
| 33 | |
| 34 | class FuzzDeathRecipient : public IBinder::DeathRecipient { |
| 35 | private: |
| 36 | virtual void binderDied(const wp<IBinder>& who) { (void)who; }; |
| 37 | }; |
| 38 | |
| 39 | // Allow objects to be attached that aren't stack locals |
| 40 | static uint32_t objectID = 0; |
| 41 | static uint32_t object = 0; |
| 42 | static uint32_t cleanup_cookie = 0; |
| 43 | |
| 44 | /* This is a vector of lambda functions the fuzzer will pull from. |
| 45 | * This is done so new functions can be added to the fuzzer easily |
| 46 | * without requiring modifications to the main fuzzer file. This also |
| 47 | * allows multiple fuzzers to include this file, if functionality is needed. |
| 48 | */ |
| 49 | static const std::vector<std::function<void(FuzzedDataProvider*, IBinder*)>> gIBinderOperations = |
| 50 | {[](FuzzedDataProvider*, IBinder* ibinder) -> void { ibinder->getInterfaceDescriptor(); }, |
| 51 | [](FuzzedDataProvider*, IBinder* ibinder) -> void { ibinder->isBinderAlive(); }, |
| 52 | [](FuzzedDataProvider*, IBinder* ibinder) -> void { ibinder->pingBinder(); }, |
| 53 | [](FuzzedDataProvider* fdp, IBinder* ibinder) -> void { |
| 54 | int fd = STDOUT_FILENO; |
| 55 | std::string rand_str = fdp->ConsumeRandomLengthString(fdp->remaining_bytes()); |
| 56 | Vector<String16> args; |
| 57 | args.push(String16(rand_str.c_str())); |
| 58 | ibinder->dump(fd, args); |
| 59 | }, |
| 60 | [](FuzzedDataProvider* fdp, IBinder* ibinder) -> void { |
| 61 | objectID = fdp->ConsumeIntegral<uint32_t>(); |
| 62 | object = fdp->ConsumeIntegral<uint32_t>(); |
| 63 | cleanup_cookie = fdp->ConsumeIntegral<uint32_t>(); |
| 64 | IBinder::object_cleanup_func func = IBinder::object_cleanup_func(); |
| 65 | ibinder->attachObject(fdp->ConsumeBool() ? reinterpret_cast<void*>(&objectID) |
| 66 | : nullptr, |
| 67 | fdp->ConsumeBool() ? reinterpret_cast<void*>(&object) : nullptr, |
| 68 | fdp->ConsumeBool() ? reinterpret_cast<void*>(&cleanup_cookie) |
| 69 | : nullptr, |
| 70 | func); |
| 71 | }, |
| 72 | [](FuzzedDataProvider* fdp, IBinder* ibinder) -> void { |
| 73 | uint32_t id = fdp->ConsumeIntegral<uint32_t>(); |
| 74 | ibinder->findObject(reinterpret_cast<void*>(&id)); |
| 75 | }, |
| 76 | [](FuzzedDataProvider* fdp, IBinder* ibinder) -> void { |
| 77 | uint32_t id = fdp->ConsumeIntegral<uint32_t>(); |
| 78 | ibinder->detachObject(reinterpret_cast<void*>(&id)); |
| 79 | }, |
| 80 | [](FuzzedDataProvider* fdp, IBinder* ibinder) -> void { |
| 81 | uint32_t code = fdp->ConsumeIntegral<uint32_t>(); |
| 82 | Parcel p_data; |
| 83 | Parcel reply; |
| 84 | uint32_t flags = fdp->ConsumeIntegral<uint32_t>(); |
| 85 | ibinder->transact(code, p_data, &reply, flags); |
| 86 | }}; |
| 87 | } // namespace android |