| Steven Moreland | 46e0da7 | 2019-09-05 15:52:02 -0700 | [diff] [blame] | 1 | /* |
| 2 | * Copyright (C) 2019 The Android Open Source Project |
| 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License. |
| 15 | */ |
| 16 | #define FUZZ_LOG_TAG "main" |
| 17 | |
| 18 | #include "binder.h" |
| 19 | #include "hwbinder.h" |
| 20 | #include "util.h" |
| 21 | |
| 22 | #include <android-base/logging.h> |
| 23 | |
| 24 | #include <cstdlib> |
| 25 | #include <ctime> |
| 26 | |
| 27 | template <typename P> |
| 28 | void doFuzz( |
| 29 | const std::vector<ParcelRead<P>>& reads, |
| 30 | const std::vector<uint8_t>& input, |
| 31 | const std::vector<uint8_t>& instructions) { |
| 32 | |
| 33 | P p; |
| 34 | p.setData(input.data(), input.size()); |
| 35 | |
| 36 | for (size_t i = 0; i < instructions.size() - 1; i += 2) { |
| 37 | uint8_t a = instructions[i]; |
| 38 | uint8_t b = instructions[i + 1]; |
| 39 | |
| 40 | FUZZ_LOG() << "size: " << p.dataSize() << " avail: " << p.dataAvail() |
| 41 | << " pos: " << p.dataPosition() << " cap: " << p.dataCapacity(); |
| 42 | |
| 43 | reads[a % reads.size()](p, b); |
| 44 | } |
| 45 | } |
| 46 | |
| 47 | void fuzz(uint8_t options, const std::vector<uint8_t>& input, const std::vector<uint8_t>& instructions) { |
| 48 | (void) options; |
| 49 | |
| 50 | // although they will do completely different things, might as well fuzz both |
| 51 | doFuzz<::android::hardware::Parcel>(HWBINDER_PARCEL_READ_FUNCTIONS, input, instructions); |
| 52 | doFuzz<::android::Parcel>(BINDER_PARCEL_READ_FUNCTIONS, input, instructions); |
| 53 | } |
| 54 | |
| 55 | extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { |
| 56 | if (size <= 1) return 0; // no use |
| 57 | uint8_t options = *data; |
| 58 | data++; |
| 59 | size--; |
| 60 | |
| 61 | // TODO: generate 'objects' data |
| 62 | |
| 63 | // data to fill out parcel |
| 64 | size_t inputLen = size / 2; |
| 65 | std::vector<uint8_t> input(data, data + inputLen); |
| 66 | data += inputLen; |
| 67 | size -= inputLen; |
| 68 | |
| 69 | // data to use to determine what to do |
| 70 | size_t instructionLen = size; |
| 71 | std::vector<uint8_t> instructions(data, data + instructionLen); |
| 72 | data += instructionLen; |
| 73 | size -= instructionLen; |
| 74 | |
| 75 | CHECK(size == 0) << "size: " << size; |
| 76 | |
| 77 | FUZZ_LOG() << "options: " << (int)options << " inputLen: " << inputLen << " instructionLen: " << instructionLen; |
| 78 | FUZZ_LOG() << "input: " << hexString(input); |
| 79 | FUZZ_LOG() << "instructions: " << hexString(instructions); |
| 80 | |
| 81 | fuzz(options, input, instructions); |
| 82 | return 0; |
| 83 | } |