Steven Moreland46e0da72019-09-05 15:52:02 -07001/*
2 * Copyright (C) 2019 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16#define FUZZ_LOG_TAG "binder"
17
18#include "binder.h"
19#include "util.h"
20
Steven Moreland7c7c6482019-09-30 12:32:02 -070021#include <android/os/IServiceManager.h>
22
Steven Moreland46e0da72019-09-05 15:52:02 -070023using ::android::status_t;
24
/**
 * Minimal Parcelable used as the target type for the readParcelable entries
 * in BINDER_PARCEL_READ_FUNCTIONS.
 *
 * Only the read direction is implemented. Serialising this type is treated as
 * a harness bug and terminates the process.
 */
class ExampleParcelable : public android::Parcelable {
public:
    /// Logs and aborts; nothing in this file is expected to write this type.
    status_t writeToParcel(android::Parcel* /*parcel*/) const override {
        FUZZ_LOG() << "should not reach";
        abort();
    }

    /**
     * Reads one int64 from the parcel into mExampleUsedData.
     *
     * @param parcel parcel to read from; dereferenced without a null check.
     * @return the status reported by Parcel::readInt64.
     */
    status_t readFromParcel(const android::Parcel* parcel) override {
        // Bumped on every call, before the read and regardless of its result.
        ++mExampleExtraField;
        int64_t* const destination = &mExampleUsedData;
        return parcel->readInt64(destination);
    }

private:
    // Counts readFromParcel calls; never read back within this file.
    int64_t mExampleExtraField = 0;
    // Receives the value decoded from the parcel.
    int64_t mExampleUsedData = 0;
};
39
// Expands to a lambda that value-initialises a T, hands its address to
// Parcel::FUN and logs the status_t that comes back. The decoded value is
// deliberately not logged (see the commented-out tail of the last statement).
// The uint8_t argument is accepted to match the other table entries and is
// ignored.
#define PARCEL_READ_WITH_STATUS(T, FUN) \
    [] (const ::android::Parcel& parcel, uint8_t /*data*/) {\
        FUZZ_LOG() << "about to read " #T " using " #FUN " with status";\
        T out{};\
        status_t result = parcel.FUN(&out);\
        FUZZ_LOG() << #T " status: " << result /* << " value: " << out*/;\
    }

// Expands to a lambda that calls the by-value overload Parcel::FUN(), stores
// the result in a T and discards it. No status is available on this path, so
// only the fact that the call returned is logged.
#define PARCEL_READ_NO_STATUS(T, FUN) \
    [] (const ::android::Parcel& parcel, uint8_t /*data*/) {\
        FUZZ_LOG() << "about to read " #T " using " #FUN " with no status";\
        T value = parcel.FUN();\
        (void) value;\
        FUZZ_LOG() << #T " done " /* << " value: " << value*/;\
    }

// Expands to TWO comma-separated table entries for the same accessor: the
// out-parameter form first, then the by-value form. Use only where an
// initializer-list element sequence is expected.
#define PARCEL_READ_OPT_STATUS(T, FUN) \
    PARCEL_READ_WITH_STATUS(T, FUN), \
    PARCEL_READ_NO_STATUS(T, FUN)
59
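// Table of read-side operations applied to an android::Parcel by the fuzzer.
// Every entry takes the parcel and one uint8_t of extra data; entries that do
// not need the byte ignore it. ParcelRead and the code that picks an entry
// are declared outside this file.
// NOTE(review): presumably entries are chosen by index from fuzz input, in
// which case reordering or inserting in the middle invalidates saved corpus
// inputs and crash reproducers -- confirm against the driver before changing
// the order.
std::vector<ParcelRead<::android::Parcel>> BINDER_PARCEL_READ_FUNCTIONS {
    // Size and cursor accessors.
    PARCEL_READ_NO_STATUS(size_t, dataSize),
    PARCEL_READ_NO_STATUS(size_t, dataAvail),
    PARCEL_READ_NO_STATUS(size_t, dataPosition),
    PARCEL_READ_NO_STATUS(size_t, dataCapacity),
    [] (const ::android::Parcel& p, uint8_t pos) {
        // Moves the read cursor to a fuzzer-chosen offset in [0, 255]; the
        // value is not checked against the parcel size here.
        // NOTE(review): pos is a uint8_t, so a std::ostream-style FUZZ_LOG
        // would print it as a character rather than a number -- confirm
        // against FUZZ_LOG's definition.
        FUZZ_LOG() << "about to setDataPosition: " << pos;
        p.setDataPosition(pos);
        FUZZ_LOG() << "setDataPosition done";
    },
    PARCEL_READ_NO_STATUS(size_t, allowFds),
    PARCEL_READ_NO_STATUS(size_t, hasFileDescriptors),
    [] (const ::android::Parcel& p, uint8_t len) {
#ifdef __ANDROID__
        // Checks the parcel's interface token against a descriptor made of
        // `len` copies of 'a'.
        std::string interface(len, 'a');
        FUZZ_LOG() << "about to enforceInterface: " << interface;
        bool b = p.enforceInterface(::android::String16(interface.c_str()));
        FUZZ_LOG() << "enforced interface: " << b;
#else
        // Non-Android builds only log that the call was skipped.
        FUZZ_LOG() << "skipping enforceInterface";
        (void)p;
        (void)len;
#endif // __ANDROID__
    },
    [] (const ::android::Parcel& p, uint8_t /*len*/) {
#ifdef __ANDROID__
        FUZZ_LOG() << "about to checkInterface";
        // Own the temporary binder through sp<> so it is released when this
        // lambda returns. checkInterface is handed only a raw pointer, and
        // nothing on this path takes ownership of it, so passing a bare
        // `new` expression would leak one object per invocation and show up
        // as a leak report from the fuzzer.
        android::sp<android::IBinder> binder(new android::BBinder());
        bool b = p.checkInterface(binder.get());
        FUZZ_LOG() << "checked interface: " << b;
#else
        FUZZ_LOG() << "skipping checkInterface";
        (void)p;
#endif // __ANDROID__
    },
    PARCEL_READ_NO_STATUS(size_t, objectsCount),
    PARCEL_READ_NO_STATUS(status_t, errorCheck),
    [] (const ::android::Parcel& p, uint8_t len) {
        // Copying read into a local buffer sized to exactly `len` bytes, so
        // a write past `len` by Parcel::read would land outside the buffer.
        FUZZ_LOG() << "about to read void*";
        std::vector<uint8_t> data(len);
        status_t status = p.read(data.data(), len);
        FUZZ_LOG() << "read status: " << status;
    },
    [] (const ::android::Parcel& p, uint8_t len) {
        // Only the returned pointer is logged; it is never dereferenced.
        FUZZ_LOG() << "about to readInplace";
        const void* r = p.readInplace(len);
        FUZZ_LOG() << "readInplace done. pointer: " << r;
    },

    // Scalars: each line contributes both the out-parameter and the by-value
    // form of the accessor.
    PARCEL_READ_OPT_STATUS(int32_t, readInt32),
    PARCEL_READ_OPT_STATUS(uint32_t, readUint32),
    PARCEL_READ_OPT_STATUS(int64_t, readInt64),
    PARCEL_READ_OPT_STATUS(uint64_t, readUint64),
    PARCEL_READ_OPT_STATUS(float, readFloat),
    PARCEL_READ_OPT_STATUS(double, readDouble),
    PARCEL_READ_OPT_STATUS(intptr_t, readIntPtr),
    PARCEL_READ_OPT_STATUS(bool, readBool),
    PARCEL_READ_OPT_STATUS(char16_t, readChar),
    PARCEL_READ_OPT_STATUS(int8_t, readByte),

    // Strings.
    PARCEL_READ_WITH_STATUS(std::string, readUtf8FromUtf16),
    PARCEL_READ_WITH_STATUS(std::unique_ptr<std::string>, readUtf8FromUtf16),
    [] (const ::android::Parcel& p, uint8_t /*data*/) {
        FUZZ_LOG() << "about to read c-str";
        const char* str = p.readCString();
        // Streaming the result walks the string up to its terminator, so the
        // bytes readCString returned are actually touched; a null result is
        // replaced by a placeholder instead of being streamed.
        FUZZ_LOG() << "read c-str: " << (str ? str : "<empty string>");
    },
    PARCEL_READ_OPT_STATUS(android::String8, readString8),
    PARCEL_READ_OPT_STATUS(android::String16, readString16),
    PARCEL_READ_WITH_STATUS(std::unique_ptr<android::String16>, readString16),
    [] (const ::android::Parcel& p, uint8_t /*data*/) {
        // Logs only null/non-null and the reported length; the returned
        // characters are not read.
        FUZZ_LOG() << "about to readString16Inplace";
        size_t outLen = 0;
        const char16_t* str = p.readString16Inplace(&outLen);
        FUZZ_LOG() << "readString16Inplace: " << (str ? "non-null" : "null") << " size: " << outLen;
    },
    PARCEL_READ_WITH_STATUS(android::sp<android::IBinder>, readStrongBinder),
    PARCEL_READ_WITH_STATUS(android::sp<android::IBinder>, readNullableStrongBinder),

    // only reading one parcelable type for now
    // TODO(b/131868573): can force read of arbitrarily sized vector
    // PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<std::unique_ptr<ExampleParcelable>>>, readParcelableVector),
    // PARCEL_READ_WITH_STATUS(std::vector<ExampleParcelable>, readParcelableVector),
    PARCEL_READ_WITH_STATUS(ExampleParcelable, readParcelable),
    PARCEL_READ_WITH_STATUS(std::unique_ptr<ExampleParcelable>, readParcelable),

    // only reading one binder type for now
    PARCEL_READ_WITH_STATUS(android::sp<android::os::IServiceManager>, readStrongBinder),
    PARCEL_READ_WITH_STATUS(android::sp<android::os::IServiceManager>, readNullableStrongBinder),

    // The vector readers below stay disabled: per the TODO, the parcel
    // contents can force a read of an arbitrarily sized vector. Re-enable
    // them only once that is resolved.
    // TODO(b/131868573): can force read of arbitrarily sized vector
    // PARCEL_READ_WITH_STATUS(::std::unique_ptr<std::vector<android::sp<android::IBinder>>>, readStrongBinderVector),
    // PARCEL_READ_WITH_STATUS(std::vector<android::sp<android::IBinder>>, readStrongBinderVector),

    // TODO(b/131868573): can force read of arbitrarily sized vector
    // PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<int8_t>>, readByteVector),
    // PARCEL_READ_WITH_STATUS(std::vector<int8_t>, readByteVector),
    // PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<uint8_t>>, readByteVector),
    // PARCEL_READ_WITH_STATUS(std::vector<uint8_t>, readByteVector),
    // PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<int32_t>>, readInt32Vector),
    // PARCEL_READ_WITH_STATUS(std::vector<int32_t>, readInt32Vector),
    // PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<int64_t>>, readInt64Vector),
    // PARCEL_READ_WITH_STATUS(std::vector<int64_t>, readInt64Vector),
    // PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<uint64_t>>, readUint64Vector),
    // PARCEL_READ_WITH_STATUS(std::vector<uint64_t>, readUint64Vector),
    // PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<float>>, readFloatVector),
    // PARCEL_READ_WITH_STATUS(std::vector<float>, readFloatVector),
    // PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<double>>, readDoubleVector),
    // PARCEL_READ_WITH_STATUS(std::vector<double>, readDoubleVector),
    // PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<bool>>, readBoolVector),
    // PARCEL_READ_WITH_STATUS(std::vector<bool>, readBoolVector),
    // PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<char16_t>>, readCharVector),
    // PARCEL_READ_WITH_STATUS(std::vector<char16_t>, readCharVector),
    // PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<std::unique_ptr<android::String16>>>, readString16Vector),
    // PARCEL_READ_WITH_STATUS(std::vector<android::String16>, readString16Vector),
    // PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<std::unique_ptr<std::string>>>, readUtf8VectorFromUtf16Vector),
    // PARCEL_READ_WITH_STATUS(std::vector<std::string>, readUtf8VectorFromUtf16Vector),

    // TODO: read(Flattenable<T>)
    // TODO: read(LightFlattenable<T>)

    // TODO(b/131868573): can force read of arbitrarily sized vector
    // TODO: resizeOutVector

    PARCEL_READ_NO_STATUS(int32_t, readExceptionCode),
    [] (const android::Parcel& p, uint8_t /*len*/) {
        FUZZ_LOG() << "about to readNativeHandle";
        native_handle_t* t = p.readNativeHandle();
        FUZZ_LOG() << "readNativeHandle: " << t;
        if (t != nullptr) {
            // The returned handle is released here: close what it holds,
            // then free the handle itself, so nothing outlives this call.
            FUZZ_LOG() << "about to free readNativeHandle";
            native_handle_close(t);
            native_handle_delete(t);
            FUZZ_LOG() << "readNativeHandle freed";
        }
    },
    // The two int-returning descriptor reads discard the value without
    // closing it.
    // NOTE(review): presumably the descriptor stays owned by the parcel, so
    // closing it here would be a double close -- confirm against Parcel.
    PARCEL_READ_NO_STATUS(int, readFileDescriptor),
    PARCEL_READ_NO_STATUS(int, readParcelFileDescriptor),
    PARCEL_READ_WITH_STATUS(android::base::unique_fd, readUniqueFileDescriptor),

    // TODO(b/131868573): can force read of arbitrarily sized vector
    // PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<android::base::unique_fd>>, readUniqueFileDescriptorVector),
    // PARCEL_READ_WITH_STATUS(std::vector<android::base::unique_fd>, readUniqueFileDescriptorVector),

    [] (const android::Parcel& p, uint8_t len) {
        // Requests a blob of `len` bytes; the ReadableBlob goes out of scope
        // at the end of the lambda without its contents being read.
        FUZZ_LOG() << "about to readBlob";
        ::android::Parcel::ReadableBlob blob;
        status_t status = p.readBlob(len, &blob);
        FUZZ_LOG() << "readBlob status: " << status;
    },
    [] (const android::Parcel& p, uint8_t options) {
        FUZZ_LOG() << "about to readObject";
        // Only bit 0 of the fuzzer byte is used; it selects the nullMetaData
        // argument. The returned pointer is logged, never dereferenced.
        bool nullMetaData = options & 0x1;
        const void* obj = static_cast<const void*>(p.readObject(nullMetaData));
        FUZZ_LOG() << "readObject: " << obj;
    },
    PARCEL_READ_NO_STATUS(uid_t, readCallingWorkSourceUid),
    PARCEL_READ_NO_STATUS(size_t, getBlobAshmemSize),
    PARCEL_READ_NO_STATUS(size_t, getOpenAshmemSize),
};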