Gitiles
Code Review Sign In
gerrit.omnirom.org / android_frameworks_native / 2af0642bfb6548cc6c4962c5e9d42d6bfbbdc907 / . / libs / binder / fuzzer / binder.cpp
blob: 8c0495cf542f7ffac34d7ccc71e1869d4fc3b6bf [file] [log] [blame]
Steven Moreland46e0da72019-09-05 15:52:02 -0700[diff] [blame]1/*
2 * Copyright (C) 2019 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16#define FUZZ_LOG_TAG "binder"
17
18#include "binder.h"
19#include "util.h"
20
Steven Moreland7c7c6482019-09-30 12:32:02 -0700[diff] [blame]21#include <android/os/IServiceManager.h>
22
Steven Moreland46e0da72019-09-05 15:52:02 -0700[diff] [blame]23using ::android::status_t;
24
Steven Moreland9cb1e6a2019-10-15 17:20:51 -0700[diff] [blame]25enum ByteEnum : int8_t {};
26enum IntEnum : int32_t {};
27enum LongEnum : int64_t {};
28
Steven Moreland7c7c6482019-09-30 12:32:02 -0700[diff] [blame]29class ExampleParcelable : public android::Parcelable {
30public:
31 status_t writeToParcel(android::Parcel* /*parcel*/) const override {
32 FUZZ_LOG() << "should not reach";
33 abort();
34 }
35 status_t readFromParcel(const android::Parcel* parcel) override {
36 mExampleExtraField++;
37 return parcel->readInt64(&(this->mExampleUsedData));
38 }
39private:
40 int64_t mExampleExtraField = 0;
41 int64_t mExampleUsedData = 0;
42};
43
Steven Moreland6d813932019-09-30 15:31:35 -0700[diff] [blame]44struct ExampleFlattenable : public android::Flattenable<ExampleFlattenable> {
45public:
46 size_t getFlattenedSize() const { return sizeof(mValue); }
47 size_t getFdCount() const { return 0; }
48 status_t flatten(void*& /*buffer*/, size_t& /*size*/, int*& /*fds*/, size_t& /*count*/) const {
49 FUZZ_LOG() << "should not reach";
50 abort();
51 }
52 status_t unflatten(void const*& buffer, size_t& size, int const*& /*fds*/, size_t& /*count*/) {
53 if (size < sizeof(mValue)) {
54 return android::NO_MEMORY;
55 }
56 android::FlattenableUtils::read(buffer, size, mValue);
57 return android::OK;
58 }
59private:
60 int32_t mValue = 0xFEEDBEEF;
61};
62
63struct ExampleLightFlattenable : public android::LightFlattenablePod<ExampleLightFlattenable> {
64 int32_t mValue = 0;
65};
66
Steven Moreland46e0da72019-09-05 15:52:02 -0700[diff] [blame]67#define PARCEL_READ_WITH_STATUS(T, FUN) \
68 [] (const ::android::Parcel& p, uint8_t /*data*/) {\
69 FUZZ_LOG() << "about to read " #T " using " #FUN " with status";\
70 T t{};\
71 status_t status = p.FUN(&t);\
72 FUZZ_LOG() << #T " status: " << status /* << " value: " << t*/;\
73 }
74
75#define PARCEL_READ_NO_STATUS(T, FUN) \
76 [] (const ::android::Parcel& p, uint8_t /*data*/) {\
77 FUZZ_LOG() << "about to read " #T " using " #FUN " with no status";\
78 T t = p.FUN();\
79 (void) t;\
80 FUZZ_LOG() << #T " done " /* << " value: " << t*/;\
81 }
82
83#define PARCEL_READ_OPT_STATUS(T, FUN) \
84 PARCEL_READ_WITH_STATUS(T, FUN), \
85 PARCEL_READ_NO_STATUS(T, FUN)
86
Steven Moreland9cb1e6a2019-10-15 17:20:51 -0700[diff] [blame]87// clang-format off
Steven Moreland46e0da72019-09-05 15:52:02 -0700[diff] [blame]88std::vector<ParcelRead<::android::Parcel>> BINDER_PARCEL_READ_FUNCTIONS {
89 PARCEL_READ_NO_STATUS(size_t, dataSize),
90 PARCEL_READ_NO_STATUS(size_t, dataAvail),
91 PARCEL_READ_NO_STATUS(size_t, dataPosition),
92 PARCEL_READ_NO_STATUS(size_t, dataCapacity),
93 [] (const ::android::Parcel& p, uint8_t pos) {
94 FUZZ_LOG() << "about to setDataPosition: " << pos;
95 p.setDataPosition(pos);
96 FUZZ_LOG() << "setDataPosition done";
97 },
98 PARCEL_READ_NO_STATUS(size_t, allowFds),
99 PARCEL_READ_NO_STATUS(size_t, hasFileDescriptors),
100 [] (const ::android::Parcel& p, uint8_t len) {
Steven Moreland46e0da72019-09-05 15:52:02 -0700[diff] [blame]101 std::string interface(len, 'a');
102 FUZZ_LOG() << "about to enforceInterface: " << interface;
103 bool b = p.enforceInterface(::android::String16(interface.c_str()));
104 FUZZ_LOG() << "enforced interface: " << b;
Steven Moreland46e0da72019-09-05 15:52:02 -0700[diff] [blame]105 },
106 [] (const ::android::Parcel& p, uint8_t /*len*/) {
Steven Moreland46e0da72019-09-05 15:52:02 -0700[diff] [blame]107 FUZZ_LOG() << "about to checkInterface";
Steven Moreland24bc0d12019-10-11 12:29:20 -0700[diff] [blame]108 android::sp<android::IBinder> aBinder = new android::BBinder();
109 bool b = p.checkInterface(aBinder.get());
Steven Moreland46e0da72019-09-05 15:52:02 -0700[diff] [blame]110 FUZZ_LOG() << "checked interface: " << b;
Steven Moreland46e0da72019-09-05 15:52:02 -0700[diff] [blame]111 },
112 PARCEL_READ_NO_STATUS(size_t, objectsCount),
113 PARCEL_READ_NO_STATUS(status_t, errorCheck),
114 [] (const ::android::Parcel& p, uint8_t len) {
115 FUZZ_LOG() << "about to read void*";
116 std::vector<uint8_t> data(len);
117 status_t status = p.read(data.data(), len);
118 FUZZ_LOG() << "read status: " << status;
119 },
120 [] (const ::android::Parcel& p, uint8_t len) {
121 FUZZ_LOG() << "about to readInplace";
122 const void* r = p.readInplace(len);
Steven Moreland6065c052019-09-30 18:22:44 -0700[diff] [blame]123 FUZZ_LOG() << "readInplace done. pointer: " << r << " bytes: " << hexString(r, len);
Steven Moreland46e0da72019-09-05 15:52:02 -0700[diff] [blame]124 },
125 PARCEL_READ_OPT_STATUS(int32_t, readInt32),
126 PARCEL_READ_OPT_STATUS(uint32_t, readUint32),
127 PARCEL_READ_OPT_STATUS(int64_t, readInt64),
128 PARCEL_READ_OPT_STATUS(uint64_t, readUint64),
129 PARCEL_READ_OPT_STATUS(float, readFloat),
130 PARCEL_READ_OPT_STATUS(double, readDouble),
131 PARCEL_READ_OPT_STATUS(intptr_t, readIntPtr),
132 PARCEL_READ_OPT_STATUS(bool, readBool),
133 PARCEL_READ_OPT_STATUS(char16_t, readChar),
134 PARCEL_READ_OPT_STATUS(int8_t, readByte),
135
136 PARCEL_READ_WITH_STATUS(std::string, readUtf8FromUtf16),
137 PARCEL_READ_WITH_STATUS(std::unique_ptr<std::string>, readUtf8FromUtf16),
Jooyung Han6a0a8ef2020-02-18 10:57:44 +0900[diff] [blame]138 PARCEL_READ_WITH_STATUS(std::optional<std::string>, readUtf8FromUtf16),
Steven Moreland46e0da72019-09-05 15:52:02 -0700[diff] [blame]139 [] (const ::android::Parcel& p, uint8_t /*data*/) {
140 FUZZ_LOG() << "about to read c-str";
141 const char* str = p.readCString();
142 FUZZ_LOG() << "read c-str: " << (str ? str : "<empty string>");
143 },
144 PARCEL_READ_OPT_STATUS(android::String8, readString8),
145 PARCEL_READ_OPT_STATUS(android::String16, readString16),
146 PARCEL_READ_WITH_STATUS(std::unique_ptr<android::String16>, readString16),
Jooyung Han6a0a8ef2020-02-18 10:57:44 +0900[diff] [blame]147 PARCEL_READ_WITH_STATUS(std::optional<android::String16>, readString16),
Steven Moreland7c7c6482019-09-30 12:32:02 -0700[diff] [blame]148 [] (const ::android::Parcel& p, uint8_t /*data*/) {
149 FUZZ_LOG() << "about to readString16Inplace";
150 size_t outLen = 0;
151 const char16_t* str = p.readString16Inplace(&outLen);
Steven Moreland6065c052019-09-30 18:22:44 -0700[diff] [blame]152 FUZZ_LOG() << "readString16Inplace: " << hexString(str, sizeof(char16_t) * outLen)
153 << " size: " << outLen;
Steven Moreland7c7c6482019-09-30 12:32:02 -0700[diff] [blame]154 },
Steven Moreland46e0da72019-09-05 15:52:02 -0700[diff] [blame]155 PARCEL_READ_WITH_STATUS(android::sp<android::IBinder>, readStrongBinder),
156 PARCEL_READ_WITH_STATUS(android::sp<android::IBinder>, readNullableStrongBinder),
157
Steven Moreland9cb1e6a2019-10-15 17:20:51 -0700[diff] [blame]158 // TODO(b/131868573): can force read of arbitrarily sized vector
159 // PARCEL_READ_WITH_STATUS(std::vector<ByteEnum>, readEnumVector),
160 // PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<ByteEnum>>, readEnumVector),
Jooyung Han6a0a8ef2020-02-18 10:57:44 +0900[diff] [blame]161 // PARCEL_READ_WITH_STATUS(std::optional<std::vector<ByteEnum>>, readEnumVector),
Steven Moreland9cb1e6a2019-10-15 17:20:51 -0700[diff] [blame]162 // PARCEL_READ_WITH_STATUS(std::vector<IntEnum>, readEnumVector),
163 // PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<IntEnum>>, readEnumVector),
Jooyung Han6a0a8ef2020-02-18 10:57:44 +0900[diff] [blame]164 // PARCEL_READ_WITH_STATUS(std::optional<std::vector<IntEnum>>, readEnumVector),
Steven Moreland9cb1e6a2019-10-15 17:20:51 -0700[diff] [blame]165 // PARCEL_READ_WITH_STATUS(std::vector<LongEnum>, readEnumVector),
166 // PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<LongEnum>>, readEnumVector),
Jooyung Han6a0a8ef2020-02-18 10:57:44 +0900[diff] [blame]167 // PARCEL_READ_WITH_STATUS(std::optional<std::vector<LongEnum>>, readEnumVector),
Steven Moreland9cb1e6a2019-10-15 17:20:51 -0700[diff] [blame]168
Steven Moreland7c7c6482019-09-30 12:32:02 -0700[diff] [blame]169 // only reading one parcelable type for now
170 // TODO(b/131868573): can force read of arbitrarily sized vector
171 // PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<std::unique_ptr<ExampleParcelable>>>, readParcelableVector),
Jooyung Han6a0a8ef2020-02-18 10:57:44 +0900[diff] [blame]172 // PARCEL_READ_WITH_STATUS(std::optional<std::vector<std::optional<ExampleParcelable>>>, readParcelableVector),
Steven Moreland7c7c6482019-09-30 12:32:02 -0700[diff] [blame]173 // PARCEL_READ_WITH_STATUS(std::vector<ExampleParcelable>, readParcelableVector),
174 PARCEL_READ_WITH_STATUS(ExampleParcelable, readParcelable),
175 PARCEL_READ_WITH_STATUS(std::unique_ptr<ExampleParcelable>, readParcelable),
Jooyung Han6a0a8ef2020-02-18 10:57:44 +0900[diff] [blame]176 PARCEL_READ_WITH_STATUS(std::optional<ExampleParcelable>, readParcelable),
Steven Moreland7c7c6482019-09-30 12:32:02 -0700[diff] [blame]177
178 // only reading one binder type for now
179 PARCEL_READ_WITH_STATUS(android::sp<android::os::IServiceManager>, readStrongBinder),
180 PARCEL_READ_WITH_STATUS(android::sp<android::os::IServiceManager>, readNullableStrongBinder),
Steven Moreland46e0da72019-09-05 15:52:02 -0700[diff] [blame]181
182 // TODO(b/131868573): can force read of arbitrarily sized vector
183 // PARCEL_READ_WITH_STATUS(::std::unique_ptr<std::vector<android::sp<android::IBinder>>>, readStrongBinderVector),
Jooyung Han6a0a8ef2020-02-18 10:57:44 +0900[diff] [blame]184 // PARCEL_READ_WITH_STATUS(::std::optional<std::vector<android::sp<android::IBinder>>>, readStrongBinderVector),
Steven Moreland46e0da72019-09-05 15:52:02 -0700[diff] [blame]185 // PARCEL_READ_WITH_STATUS(std::vector<android::sp<android::IBinder>>, readStrongBinderVector),
186
187 // TODO(b/131868573): can force read of arbitrarily sized vector
188 // PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<int8_t>>, readByteVector),
Jooyung Han6a0a8ef2020-02-18 10:57:44 +0900[diff] [blame]189 // PARCEL_READ_WITH_STATUS(std::optional<std::vector<int8_t>>, readByteVector),
Steven Moreland46e0da72019-09-05 15:52:02 -0700[diff] [blame]190 // PARCEL_READ_WITH_STATUS(std::vector<int8_t>, readByteVector),
191 // PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<uint8_t>>, readByteVector),
Jooyung Han6a0a8ef2020-02-18 10:57:44 +0900[diff] [blame]192 // PARCEL_READ_WITH_STATUS(std::optional<std::vector<uint8_t>>, readByteVector),
Steven Moreland46e0da72019-09-05 15:52:02 -0700[diff] [blame]193 // PARCEL_READ_WITH_STATUS(std::vector<uint8_t>, readByteVector),
194 // PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<int32_t>>, readInt32Vector),
Jooyung Han6a0a8ef2020-02-18 10:57:44 +0900[diff] [blame]195 // PARCEL_READ_WITH_STATUS(std::optional<std::vector<int32_t>>, readInt32Vector),
Steven Moreland46e0da72019-09-05 15:52:02 -0700[diff] [blame]196 // PARCEL_READ_WITH_STATUS(std::vector<int32_t>, readInt32Vector),
197 // PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<int64_t>>, readInt64Vector),
Jooyung Han6a0a8ef2020-02-18 10:57:44 +0900[diff] [blame]198 // PARCEL_READ_WITH_STATUS(std::optional<std::vector<int64_t>>, readInt64Vector),
Steven Moreland46e0da72019-09-05 15:52:02 -0700[diff] [blame]199 // PARCEL_READ_WITH_STATUS(std::vector<int64_t>, readInt64Vector),
200 // PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<uint64_t>>, readUint64Vector),
Jooyung Han6a0a8ef2020-02-18 10:57:44 +0900[diff] [blame]201 // PARCEL_READ_WITH_STATUS(std::optional<std::vector<uint64_t>>, readUint64Vector),
Steven Moreland46e0da72019-09-05 15:52:02 -0700[diff] [blame]202 // PARCEL_READ_WITH_STATUS(std::vector<uint64_t>, readUint64Vector),
203 // PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<float>>, readFloatVector),
Jooyung Han6a0a8ef2020-02-18 10:57:44 +0900[diff] [blame]204 // PARCEL_READ_WITH_STATUS(std::optional<std::vector<float>>, readFloatVector),
Steven Moreland46e0da72019-09-05 15:52:02 -0700[diff] [blame]205 // PARCEL_READ_WITH_STATUS(std::vector<float>, readFloatVector),
206 // PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<double>>, readDoubleVector),
Jooyung Han6a0a8ef2020-02-18 10:57:44 +0900[diff] [blame]207 // PARCEL_READ_WITH_STATUS(std::optional<std::vector<double>>, readDoubleVector),
Steven Moreland46e0da72019-09-05 15:52:02 -0700[diff] [blame]208 // PARCEL_READ_WITH_STATUS(std::vector<double>, readDoubleVector),
209 // PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<bool>>, readBoolVector),
Jooyung Han6a0a8ef2020-02-18 10:57:44 +0900[diff] [blame]210 // PARCEL_READ_WITH_STATUS(std::optional<std::vector<bool>>, readBoolVector),
Steven Moreland46e0da72019-09-05 15:52:02 -0700[diff] [blame]211 // PARCEL_READ_WITH_STATUS(std::vector<bool>, readBoolVector),
212 // PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<char16_t>>, readCharVector),
Jooyung Han6a0a8ef2020-02-18 10:57:44 +0900[diff] [blame]213 // PARCEL_READ_WITH_STATUS(std::optional<std::vector<char16_t>>, readCharVector),
Steven Moreland46e0da72019-09-05 15:52:02 -0700[diff] [blame]214 // PARCEL_READ_WITH_STATUS(std::vector<char16_t>, readCharVector),
215 // PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<std::unique_ptr<android::String16>>>, readString16Vector),
Jooyung Han6a0a8ef2020-02-18 10:57:44 +0900[diff] [blame]216 // PARCEL_READ_WITH_STATUS(std::optional<std::vector<std::optional<android::String16>>>, readString16Vector),
Steven Moreland46e0da72019-09-05 15:52:02 -0700[diff] [blame]217 // PARCEL_READ_WITH_STATUS(std::vector<android::String16>, readString16Vector),
218 // PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<std::unique_ptr<std::string>>>, readUtf8VectorFromUtf16Vector),
Jooyung Han6a0a8ef2020-02-18 10:57:44 +0900[diff] [blame]219 // PARCEL_READ_WITH_STATUS(std::optional<std::vector<std::optional<std::string>>>, readUtf8VectorFromUtf16Vector),
Steven Moreland46e0da72019-09-05 15:52:02 -0700[diff] [blame]220 // PARCEL_READ_WITH_STATUS(std::vector<std::string>, readUtf8VectorFromUtf16Vector),
221
Steven Moreland6d813932019-09-30 15:31:35 -0700[diff] [blame]222 [] (const android::Parcel& p, uint8_t /*len*/) {
223 FUZZ_LOG() << "about to read flattenable";
224 ExampleFlattenable f;
225 status_t status = p.read(f);
226 FUZZ_LOG() << "read flattenable: " << status;
227 },
228 [] (const android::Parcel& p, uint8_t /*len*/) {
229 FUZZ_LOG() << "about to read lite flattenable";
230 ExampleLightFlattenable f;
231 status_t status = p.read(f);
232 FUZZ_LOG() << "read lite flattenable: " << status;
233 },
Steven Moreland7c7c6482019-09-30 12:32:02 -0700[diff] [blame]234
235 // TODO(b/131868573): can force read of arbitrarily sized vector
Steven Moreland46e0da72019-09-05 15:52:02 -0700[diff] [blame]236 // TODO: resizeOutVector
237
238 PARCEL_READ_NO_STATUS(int32_t, readExceptionCode),
Steven Moreland7c7c6482019-09-30 12:32:02 -0700[diff] [blame]239 [] (const android::Parcel& p, uint8_t /*len*/) {
240 FUZZ_LOG() << "about to readNativeHandle";
241 native_handle_t* t = p.readNativeHandle();
242 FUZZ_LOG() << "readNativeHandle: " << t;
243 if (t != nullptr) {
244 FUZZ_LOG() << "about to free readNativeHandle";
245 native_handle_close(t);
246 native_handle_delete(t);
247 FUZZ_LOG() << "readNativeHandle freed";
248 }
249 },
Steven Moreland46e0da72019-09-05 15:52:02 -0700[diff] [blame]250 PARCEL_READ_NO_STATUS(int, readFileDescriptor),
251 PARCEL_READ_NO_STATUS(int, readParcelFileDescriptor),
252 PARCEL_READ_WITH_STATUS(android::base::unique_fd, readUniqueFileDescriptor),
253
254 // TODO(b/131868573): can force read of arbitrarily sized vector
255 // PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<android::base::unique_fd>>, readUniqueFileDescriptorVector),
Jooyung Han6a0a8ef2020-02-18 10:57:44 +0900[diff] [blame]256 // PARCEL_READ_WITH_STATUS(std::optional<std::vector<android::base::unique_fd>>, readUniqueFileDescriptorVector),
Steven Moreland46e0da72019-09-05 15:52:02 -0700[diff] [blame]257 // PARCEL_READ_WITH_STATUS(std::vector<android::base::unique_fd>, readUniqueFileDescriptorVector),
258
259 [] (const android::Parcel& p, uint8_t len) {
260 FUZZ_LOG() << "about to readBlob";
261 ::android::Parcel::ReadableBlob blob;
262 status_t status = p.readBlob(len, &blob);
263 FUZZ_LOG() << "readBlob status: " << status;
264 },
Steven Moreland7c7c6482019-09-30 12:32:02 -0700[diff] [blame]265 [] (const android::Parcel& p, uint8_t options) {
266 FUZZ_LOG() << "about to readObject";
267 bool nullMetaData = options & 0x1;
268 const void* obj = static_cast<const void*>(p.readObject(nullMetaData));
269 FUZZ_LOG() << "readObject: " << obj;
270 },
Steven Moreland46e0da72019-09-05 15:52:02 -0700[diff] [blame]271 PARCEL_READ_NO_STATUS(uid_t, readCallingWorkSourceUid),
272 PARCEL_READ_NO_STATUS(size_t, getBlobAshmemSize),
273 PARCEL_READ_NO_STATUS(size_t, getOpenAshmemSize),
274};
Steven Moreland9cb1e6a2019-10-15 17:20:51 -0700[diff] [blame]275// clang-format on