| Corbin Souffrant | 84f5c0f | 2020-06-26 00:42:43 -0700 | [diff] [blame] | 1 | /* |
| 2 | * Copyright 2020 The Android Open Source Project |
| 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License. |
| 15 | */ |
| 16 | |
| 17 | #pragma once |
| 18 | |
| 19 | #include <IBinderFuzzFunctions.h> |
| 20 | #include <fuzzer/FuzzedDataProvider.h> |
| 21 | |
| 22 | #include <binder/BpBinder.h> |
| 23 | #include <binder/IBinder.h> |
| 24 | #include <binder/IPCThreadState.h> |
| 25 | #include <binder/IResultReceiver.h> |
| 26 | #include <binder/Parcel.h> |
| 27 | #include <binder/Stability.h> |
| 28 | |
| 29 | #include <cutils/compiler.h> |
| 30 | #include <utils/KeyedVector.h> |
| 31 | #include <utils/Log.h> |
| 32 | #include <utils/Mutex.h> |
| 33 | #include <utils/threads.h> |
| 34 | |
| 35 | #include <stdio.h> |
| 36 | |
| 37 | namespace android { |
| 38 | |
| 39 | // Static variable to reference so we don't consume a bunch of memory to link and |
| 40 | // unlink DeathRecipients. |
| 41 | static int8_t kBpBinderCookie = 0; |
| 42 | |
| 43 | /* This is a vector of lambda functions the fuzzer will pull from. |
| 44 | * This is done so new functions can be added to the fuzzer easily |
| 45 | * without requiring modifications to the main fuzzer file. This also |
| 46 | * allows multiple fuzzers to include this file, if functionality is needed. |
| 47 | */ |
| 48 | static const std::vector<std::function<void(FuzzedDataProvider*, const sp<BpBinder>&, |
| 49 | const sp<IBinder::DeathRecipient>&)>> |
| 50 | gBPBinderOperations = |
| Steven Moreland | e839388 | 2020-12-18 02:27:20 +0000 | [diff] [blame] | 51 | {[](FuzzedDataProvider* fdp, const sp<BpBinder>& bpbinder, |
| Corbin Souffrant | 84f5c0f | 2020-06-26 00:42:43 -0700 | [diff] [blame] | 52 | const sp<IBinder::DeathRecipient>& s_recipient) -> void { |
| 53 | // Clean up possible leftover memory. |
| 54 | wp<IBinder::DeathRecipient> outRecipient(nullptr); |
| 55 | bpbinder->sendObituary(); |
| 56 | bpbinder->unlinkToDeath(nullptr, reinterpret_cast<void*>(&kBpBinderCookie), 0, |
| 57 | &outRecipient); |
| 58 | |
| 59 | uint32_t flags = fdp->ConsumeIntegral<uint32_t>(); |
| 60 | kBpBinderCookie = fdp->ConsumeIntegral<int8_t>(); |
| 61 | bpbinder->linkToDeath(s_recipient.get(), |
| 62 | reinterpret_cast<void*>(&kBpBinderCookie), flags); |
| 63 | }, |
| 64 | [](FuzzedDataProvider* fdp, const sp<BpBinder>& bpbinder, |
| 65 | const sp<IBinder::DeathRecipient>&) -> void { |
| 66 | wp<IBinder::DeathRecipient> out_recipient(nullptr); |
| 67 | uint32_t flags = fdp->ConsumeIntegral<uint32_t>(); |
| 68 | int8_t random_cookie = fdp->ConsumeIntegral<int8_t>(); |
| 69 | bpbinder->unlinkToDeath(nullptr, reinterpret_cast<void*>(&random_cookie), |
| 70 | flags, &out_recipient); |
| 71 | }, |
| 72 | [](FuzzedDataProvider*, const sp<BpBinder>& bpbinder, |
| 73 | const sp<IBinder::DeathRecipient>&) -> void { bpbinder->remoteBinder(); }, |
| 74 | [](FuzzedDataProvider*, const sp<BpBinder>& bpbinder, |
| 75 | const sp<IBinder::DeathRecipient>&) -> void { bpbinder->sendObituary(); }, |
| 76 | [](FuzzedDataProvider* fdp, const sp<BpBinder>& bpbinder, |
| 77 | const sp<IBinder::DeathRecipient>&) -> void { |
| 78 | uint32_t uid = fdp->ConsumeIntegral<uint32_t>(); |
| 79 | bpbinder->getBinderProxyCount(uid); |
| 80 | }, |
| 81 | [](FuzzedDataProvider*, const sp<BpBinder>& bpbinder, |
| 82 | const sp<IBinder::DeathRecipient>&) -> void { bpbinder->enableCountByUid(); }, |
| 83 | [](FuzzedDataProvider*, const sp<BpBinder>& bpbinder, |
| 84 | const sp<IBinder::DeathRecipient>&) -> void { bpbinder->disableCountByUid(); }, |
| 85 | [](FuzzedDataProvider*, const sp<BpBinder>& bpbinder, |
| 86 | const sp<IBinder::DeathRecipient>&) -> void { |
| 87 | Vector<uint32_t> uids; |
| 88 | Vector<uint32_t> counts; |
| 89 | bpbinder->getCountByUid(uids, counts); |
| 90 | }, |
| 91 | [](FuzzedDataProvider* fdp, const sp<BpBinder>& bpbinder, |
| 92 | const sp<IBinder::DeathRecipient>&) -> void { |
| 93 | bool enable = fdp->ConsumeBool(); |
| 94 | bpbinder->setCountByUidEnabled(enable); |
| 95 | }, |
| 96 | [](FuzzedDataProvider*, const sp<BpBinder>& bpbinder, |
| 97 | const sp<IBinder::DeathRecipient>&) -> void { |
| 98 | binder_proxy_limit_callback cb = binder_proxy_limit_callback(); |
| 99 | bpbinder->setLimitCallback(cb); |
| 100 | }, |
| 101 | [](FuzzedDataProvider* fdp, const sp<BpBinder>& bpbinder, |
| 102 | const sp<IBinder::DeathRecipient>&) -> void { |
| 103 | int high = fdp->ConsumeIntegral<int>(); |
| 104 | int low = fdp->ConsumeIntegral<int>(); |
| 105 | bpbinder->setBinderProxyCountWatermarks(high, low); |
| 106 | }}; |
| 107 | |
| 108 | } // namespace android |