/*
 * Copyright (C) 2019 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
16#define FUZZ_LOG_TAG "hwbinder"
18#include "hwbinder.h"
19#include "util.h"
21#include <android-base/logging.h>
22#include <hwbinder/Parcel.h>
24using ::android::status_t;
26// TODO: support scatter-gather types
/// Streams a strong binder reference as its raw pointer value, so that
/// PARCEL_READ_WITH_STATUS can log the result of readStrongBinder /
/// readNullableStrongBinder the same way as any scalar value.
/// Only the address is printed; the referent is never dereferenced.
std::ostream& operator<<(std::ostream& os, const ::android::sp<::android::hardware::IBinder>& binder) {
    return os << binder.get();
}
// Expands to a ParcelRead lambda for a const accessor of the form `T FUN()`
// that has no status to report. The fuzz-provided byte is not used; the
// accessor's result is only logged.
#define PARCEL_READ_NO_STATUS(T, FUN) \
    [] (const ::android::hardware::Parcel& p, uint8_t /*data*/) {\
        FUZZ_LOG() << "about to read " #T " using " #FUN " with no status";\
        const T value = p.FUN();\
        FUZZ_LOG() << #T " value: " << value;\
    }
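// Expands to a ParcelRead lambda for a reader of the form `status_t FUN(T*)`.
// The out-value is logged after the call regardless of the returned status,
// so it is value-initialized: if FUN fails without writing the out-parameter,
// the log line (and MSan, under a sanitized fuzz build) must not observe an
// indeterminate T. The fuzz-provided byte is not used by these readers.
#define PARCEL_READ_WITH_STATUS(T, FUN) \
    [] (const ::android::hardware::Parcel& p, uint8_t /*data*/) {\
        FUZZ_LOG() << "about to read " #T " using " #FUN " with status";\
        T t{};\
        status_t status = p.FUN(&t);\
        FUZZ_LOG() << #T " status: " << status << " value: " << t;\
    }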
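// Table of hwbinder Parcel read operations exercised by the fuzzer.
// Every entry receives the Parcel under test plus one fuzz-provided byte,
// which an entry interprets as a position, length, size or amount, or
// ignores. The CHECKs below are harness invariants rather than Parcel
// contracts: the fuzzer never places IPC objects in the parcel, so no
// object-backed read may hand back a buffer or a native handle.
std::vector<ParcelRead<::android::hardware::Parcel>> HWBINDER_PARCEL_READ_FUNCTIONS {
    PARCEL_READ_NO_STATUS(size_t, dataSize),
    PARCEL_READ_NO_STATUS(size_t, dataAvail),
    PARCEL_READ_NO_STATUS(size_t, dataPosition),
    PARCEL_READ_NO_STATUS(size_t, dataCapacity),
    [] (const ::android::hardware::Parcel& p, uint8_t pos) {
        // Fuzz byte is used directly as the new data position.
        FUZZ_LOG() << "about to setDataPosition: " << pos;
        p.setDataPosition(pos);
        FUZZ_LOG() << "setDataPosition done";
    },
    [] (const ::android::hardware::Parcel& p, uint8_t length) {
        FUZZ_LOG() << "about to enforceInterface";
        // Interface name of fuzz-chosen length, filled with 'a'.
        std::string interfaceName(length, 'a');
        bool okay = p.enforceInterface(interfaceName.c_str());
        FUZZ_LOG() << "enforceInterface status: " << okay;
    },
    PARCEL_READ_NO_STATUS(size_t, objectsCount),
    PARCEL_READ_WITH_STATUS(int8_t, readInt8),
    PARCEL_READ_WITH_STATUS(uint8_t, readUint8),
    PARCEL_READ_WITH_STATUS(int16_t, readInt16),
    PARCEL_READ_WITH_STATUS(uint16_t, readUint16),
    PARCEL_READ_WITH_STATUS(int32_t, readInt32),
    PARCEL_READ_WITH_STATUS(uint32_t, readUint32),
    PARCEL_READ_WITH_STATUS(int64_t, readInt64),
    PARCEL_READ_WITH_STATUS(uint64_t, readUint64),
    PARCEL_READ_WITH_STATUS(float, readFloat),
    PARCEL_READ_WITH_STATUS(double, readDouble),
    PARCEL_READ_WITH_STATUS(bool, readBool),
    PARCEL_READ_WITH_STATUS(::android::String16, readString16),
    PARCEL_READ_WITH_STATUS(::android::sp<::android::hardware::IBinder>, readStrongBinder),
    PARCEL_READ_WITH_STATUS(::android::sp<::android::hardware::IBinder>, readNullableStrongBinder),
    [] (const ::android::hardware::Parcel& p, uint8_t amount) {
        FUZZ_LOG() << "about to readInPlace " << amount;
        // readInplace hands back a pointer into the parcel (or null); a null
        // result is logged, never dereferenced. static_cast replaces the
        // C-style cast: a void* -> uint8_t* conversion is all that is intended.
        const uint8_t* data = static_cast<const uint8_t*>(p.readInplace(amount));
        if (data) {
            std::vector<uint8_t> vdata(data, data + amount);
            FUZZ_LOG() << "readInPlace " << amount << " data: " << hexString(vdata);
        } else {
            FUZZ_LOG() << "readInPlace " << amount << " no data";
        }
    },
    [] (const ::android::hardware::Parcel& p, uint8_t size) {
        FUZZ_LOG() << "about to readBuffer";
        size_t handle = 0;
        const void* data = nullptr;
        status_t status = p.readBuffer(size, &handle, &data);
        FUZZ_LOG() << "readBuffer status: " << status << " handle: " << handle << " data: " << data;

        // should be null since we don't create any IPC objects
        CHECK(data == nullptr) << data;
    },
    [] (const ::android::hardware::Parcel& p, uint8_t size) {
        FUZZ_LOG() << "about to readNullableBuffer";
        size_t handle = 0;
        const void* data = nullptr;
        status_t status = p.readNullableBuffer(size, &handle, &data);
        FUZZ_LOG() << "readNullableBuffer status: " << status << " handle: " << handle << " data: " << data;

        // should be null since we don't create any IPC objects
        CHECK(data == nullptr) << data;
    },
    [] (const ::android::hardware::Parcel& p, uint8_t size) {
        FUZZ_LOG() << "about to readEmbeddedBuffer";
        size_t handle = 0;
        // Parent handle and offset are fixed constants, not fuzz-chosen;
        // only the requested size varies per input.
        size_t parent_buffer_handle = 0;
        size_t parent_offset = 3;
        const void* data = nullptr;
        status_t status = p.readEmbeddedBuffer(size, &handle, parent_buffer_handle, parent_offset, &data);
        FUZZ_LOG() << "readEmbeddedBuffer status: " << status << " handle: " << handle << " data: " << data;

        // should be null since we don't create any IPC objects
        CHECK(data == nullptr) << data;
    },
    [] (const ::android::hardware::Parcel& p, uint8_t size) {
        FUZZ_LOG() << "about to readNullableEmbeddedBuffer";
        size_t handle = 0;
        // Same fixed parent handle/offset as the readEmbeddedBuffer entry.
        size_t parent_buffer_handle = 0;
        size_t parent_offset = 3;
        const void* data = nullptr;
        status_t status = p.readNullableEmbeddedBuffer(size, &handle, parent_buffer_handle, parent_offset, &data);
        FUZZ_LOG() << "readNullableEmbeddedBuffer status: " << status << " handle: " << handle << " data: " << data;

        // should be null since we don't create any IPC objects
        CHECK(data == nullptr) << data;
    },
    [] (const ::android::hardware::Parcel& p, uint8_t /*data*/) {
        FUZZ_LOG() << "about to readNativeHandleNoDup";
        const native_handle_t* handle = nullptr;
        status_t status = p.readNativeHandleNoDup(&handle);
        FUZZ_LOG() << "readNativeHandleNoDup status: " << status << " handle: " << handle;

        // should be null since we don't create any IPC objects; the
        // non-nullable read must also not report success without one
        CHECK(handle == nullptr) << handle;
        CHECK(status != ::android::OK);
    },
    [] (const ::android::hardware::Parcel& p, uint8_t /*data*/) {
        FUZZ_LOG() << "about to readNullableNativeHandleNoDup";
        const native_handle_t* handle = nullptr;
        status_t status = p.readNullableNativeHandleNoDup(&handle);
        FUZZ_LOG() << "readNullableNativeHandleNoDup status: " << status << " handle: " << handle;

        // should be null since we don't create any IPC objects
        // (the nullable variant may legitimately succeed with no handle,
        // so only the pointer is checked here)
        CHECK(handle == nullptr) << handle;
    },
};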