1 /*
2  * Copyright (C) 2020 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include <BpBinderFuzzFunctions.h>
18 #include <IBinderFuzzFunctions.h>
19 #include <commonFuzzHelpers.h>
20 #include <fuzzer/FuzzedDataProvider.h>
21 
22 #include <binder/BpBinder.h>
23 #include <binder/IServiceManager.h>
24 
namespace android {

// libFuzzer entry point.
//
// Builds a BpBinder proxy for a fuzzer-chosen handle and then drives a
// bounded sequence of BpBinder / IBinder operations on it, each chosen from
// the remaining input bytes. Always returns 0, as libFuzzer requires.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    FuzzedDataProvider provider(data, size);

    // TODO: It would be more effective to fork a peer process and hand it a
    // BBinder so the proxy talks to a real remote object. That is not done
    // yet: it would mean fuzzing IPC into the forked process, where libFuzzer
    // cannot collect coverage, and crashes there would be hard to diagnose.
    //
    // NOTE(review): the proxy is created in-process for a small handle range
    // with no peer set up here, so any operation in the tables below that
    // actually transacts presumably reaches whatever the binder driver has
    // bound at that handle in this process (if anything) -- confirm against
    // the operation tables before running this on a live device.
    const int32_t handle = provider.ConsumeIntegralInRange<int32_t>(0, 1024);
    sp<BpBinder> proxy = BpBinder::create(handle);
    if (proxy == nullptr) {
        return 0;
    }

    // Upper bound on operations per input, so repeated add-style calls cannot
    // grow memory without limit.
    constexpr uint32_t kMaxRuns = 2048;
    sp<IBinder::DeathRecipient> recipient = new FuzzDeathRecipient();

    for (uint32_t run = 0; run < kMaxRuns && provider.remaining_bytes() > 0; ++run) {
        // One fuzzer bit selects the BpBinder-specific table or the generic
        // IBinder table; callArbitraryFunction then consumes further input to
        // decide which entry of that table runs.
        const bool useBpBinderTable = provider.ConsumeBool();
        if (useBpBinderTable) {
            callArbitraryFunction(&provider, gBPBinderOperations, proxy, recipient);
        } else {
            callArbitraryFunction(&provider, gIBinderOperations, proxy.get());
        }
    }

    return 0;
}

} // namespace android
55