1/*
2 * Copyright 2020 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#pragma once
18
19#include <IBinderFuzzFunctions.h>
20#include <fuzzer/FuzzedDataProvider.h>
21
22#include <binder/BpBinder.h>
23#include <binder/IBinder.h>
24#include <binder/IPCThreadState.h>
25#include <binder/IResultReceiver.h>
26#include <binder/Parcel.h>
27#include <binder/Stability.h>
28
29#include <cutils/compiler.h>
30#include <utils/KeyedVector.h>
31#include <utils/Log.h>
32#include <utils/Mutex.h>
33#include <utils/threads.h>
34
35#include <stdio.h>
36
37namespace android {
38
// Backing storage for the death-recipient cookie used by the operations in
// this header. The link/unlink calls receive this object's address as the
// cookie, so a single static byte is reused rather than allocating a new
// cookie for every link/unlink. Being `static` in a header, each translation
// unit that includes this file gets its own copy.
static int8_t kBpBinderCookie{0};
42
/* Table of BpBinder operations for a fuzz harness to pick from.
 *
 * Each entry takes the fuzz data source, the proxy under test and a death
 * recipient, performs one BpBinder call and returns nothing. Keeping the
 * operations in a table means new ones can be appended here without touching
 * the main fuzzer file, and several fuzzers can share this header.
 *
 * Entries draw bytes from the FuzzedDataProvider in a fixed order; reordering
 * the Consume* calls changes how an existing corpus or crash input is decoded.
 *
 * NOTE(review): std::function and std::vector are used here, but this header
 * does not include <functional> or <vector> itself; presumably they arrive
 * through the binder/utils headers. Confirm.
 */
static const std::vector<std::function<void(FuzzedDataProvider*, const sp<BpBinder>&,
                                            const sp<IBinder::DeathRecipient>&)>>
        gBPBinderOperations = {
                // Query the proxy's handle; the result is discarded.
                [](FuzzedDataProvider*, const sp<BpBinder>& proxy,
                   const sp<IBinder::DeathRecipient>&) { proxy->handle(); },

                // Re-link the caller's death recipient under fuzzed flags.
                [](FuzzedDataProvider* provider, const sp<BpBinder>& proxy,
                   const sp<IBinder::DeathRecipient>& recipient) {
                    // The cookie is the address of the static kBpBinderCookie, so it
                    // remains valid after this lambda returns.
                    void* const cookie = static_cast<void*>(&kBpBinderCookie);

                    // Drop whatever an earlier run of this entry may have linked
                    // before linking again.
                    wp<IBinder::DeathRecipient> previous(nullptr);
                    proxy->sendObituary();
                    proxy->unlinkToDeath(nullptr, cookie, 0, &previous);

                    // Flags are consumed before the cookie value; keep this order.
                    const uint32_t flags = provider->ConsumeIntegral<uint32_t>();
                    kBpBinderCookie = provider->ConsumeIntegral<int8_t>();
                    proxy->linkToDeath(recipient.get(), cookie, flags);
                },

                // Unlink with a cookie that was never linked by this header.
                [](FuzzedDataProvider* provider, const sp<BpBinder>& proxy,
                   const sp<IBinder::DeathRecipient>&) {
                    wp<IBinder::DeathRecipient> previous(nullptr);
                    const uint32_t flags = provider->ConsumeIntegral<uint32_t>();
                    // NOTE(review): the cookie is the address of this stack local, which
                    // is only sound if unlinkToDeath does not retain the pointer. If
                    // cookies are matched by address, the consumed value only advances
                    // the fuzz input and never reaches the callee. Confirm.
                    int8_t scratchCookie = provider->ConsumeIntegral<int8_t>();
                    proxy->unlinkToDeath(nullptr, static_cast<void*>(&scratchCookie), flags,
                                         &previous);
                },

                // Query the remote-binder view of the proxy; the result is discarded.
                [](FuzzedDataProvider*, const sp<BpBinder>& proxy,
                   const sp<IBinder::DeathRecipient>&) { proxy->remoteBinder(); },

                // Deliver the obituary for the proxy.
                [](FuzzedDataProvider*, const sp<BpBinder>& proxy,
                   const sp<IBinder::DeathRecipient>&) { proxy->sendObituary(); },

                // Look up the proxy count for a fuzzed uid.
                [](FuzzedDataProvider* provider, const sp<BpBinder>& proxy,
                   const sp<IBinder::DeathRecipient>&) {
                    proxy->getBinderProxyCount(provider->ConsumeIntegral<uint32_t>());
                },

                // NOTE(review): the count-by-uid, limit-callback and watermark entries
                // below look like process-wide settings. If so, their effect persists
                // across fuzz iterations, which matters when reproducing a crash from a
                // single input. Confirm against BpBinder.
                [](FuzzedDataProvider*, const sp<BpBinder>& proxy,
                   const sp<IBinder::DeathRecipient>&) { proxy->enableCountByUid(); },

                [](FuzzedDataProvider*, const sp<BpBinder>& proxy,
                   const sp<IBinder::DeathRecipient>&) { proxy->disableCountByUid(); },

                // Fetch the per-uid counts into throwaway vectors.
                [](FuzzedDataProvider*, const sp<BpBinder>& proxy,
                   const sp<IBinder::DeathRecipient>&) {
                    Vector<uint32_t> uids;
                    Vector<uint32_t> counts;
                    proxy->getCountByUid(uids, counts);
                },

                // Switch per-uid counting on or off according to a fuzzed bool.
                [](FuzzedDataProvider* provider, const sp<BpBinder>& proxy,
                   const sp<IBinder::DeathRecipient>&) {
                    proxy->setCountByUidEnabled(provider->ConsumeBool());
                },

                // Install a value-initialized limit callback.
                [](FuzzedDataProvider*, const sp<BpBinder>& proxy,
                   const sp<IBinder::DeathRecipient>&) {
                    proxy->setLimitCallback(binder_proxy_limit_callback());
                },

                // Set fuzzed watermarks. The two values are read in separate statements
                // so that `high` is always consumed before `low`.
                [](FuzzedDataProvider* provider, const sp<BpBinder>& proxy,
                   const sp<IBinder::DeathRecipient>&) {
                    const int high = provider->ConsumeIntegral<int>();
                    const int low = provider->ConsumeIntegral<int>();
                    proxy->setBinderProxyCountWatermarks(high, low);
                },
        };
109
110} // namespace android