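/*
 * Copyright 2020 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#pragma once

#include <fuzzer/FuzzedDataProvider.h>

#include <binder/IBinder.h>
#include <binder/IPCThreadState.h>
#include <binder/IResultReceiver.h>
#include <binder/Parcel.h>
#include <binder/Stability.h>
#include <cutils/compiler.h>
#include <utils/KeyedVector.h>
#include <utils/Log.h>
#include <utils/Mutex.h>
#include <utils/threads.h>

// Previously these came in transitively; include what this file uses so it
// stays self-contained (STDOUT_FILENO, std::function, std::string, std::vector).
#include <unistd.h>

#include <cstdint>
#include <functional>
#include <string>
#include <vector>

namespace android {

// Death recipient that deliberately ignores the notification. It only exists so
// a fuzzer has something to hand to linkToDeath(); nothing observes the death.
class FuzzDeathRecipient : public IBinder::DeathRecipient {
private:
    void binderDied(const wp<IBinder>& /*who*/) override {}
};

// Backing storage for the pointers handed to attachObject(). The binder keeps
// those pointers after the lambda returns, so they must outlive the call:
// file-scope statics do, stack locals would not. Each including TU gets its own
// copy (static in a header), which is fine since each fuzzer is its own binary.
static uint32_t objectID = 0;
static uint32_t object = 0;
static uint32_t cleanup_cookie = 0;

/* This is a vector of lambda functions the fuzzer will pull from.
 * This is done so new functions can be added to the fuzzer easily
 * without requiring modifications to the main fuzzer file. This also
 * allows multiple fuzzers to include this file, if functionality is needed.
 *
 * Every entry takes the fuzz input provider and the IBinder under test; the
 * caller picks an index from the input and invokes that entry. Entries that
 * need no input bytes leave the provider parameter unnamed.
 */
static const std::vector<std::function<void(FuzzedDataProvider*, IBinder*)>> gIBinderOperations = {
        [](FuzzedDataProvider*, IBinder* ibinder) { ibinder->getInterfaceDescriptor(); },
        [](FuzzedDataProvider*, IBinder* ibinder) { ibinder->isBinderAlive(); },
        [](FuzzedDataProvider*, IBinder* ibinder) { ibinder->pingBinder(); },
        [](FuzzedDataProvider* fdp, IBinder* ibinder) {
            // Dump output goes to the fuzzer's own stdout; the single argument is
            // the remainder of the input (String16 stops at the first NUL byte,
            // so an embedded NUL truncates it).
            int fd = STDOUT_FILENO;
            std::string rand_str = fdp->ConsumeRandomLengthString(fdp->remaining_bytes());
            Vector<String16> args;
            args.push(String16(rand_str.c_str()));
            ibinder->dump(fd, args);
        },
        [](FuzzedDataProvider* fdp, IBinder* ibinder) {
            // Each of the three pointer arguments is independently either the
            // address of a file-scope static or nullptr. No cleanup callback is
            // registered (value-initialized function pointer is null).
            objectID = fdp->ConsumeIntegral<uint32_t>();
            object = fdp->ConsumeIntegral<uint32_t>();
            cleanup_cookie = fdp->ConsumeIntegral<uint32_t>();
            IBinder::object_cleanup_func func = IBinder::object_cleanup_func();
            ibinder->attachObject(fdp->ConsumeBool() ? reinterpret_cast<void*>(&objectID) : nullptr,
                                  fdp->ConsumeBool() ? reinterpret_cast<void*>(&object) : nullptr,
                                  fdp->ConsumeBool() ? reinterpret_cast<void*>(&cleanup_cookie)
                                                     : nullptr,
                                  func);
        },
        [](FuzzedDataProvider* fdp, IBinder* ibinder) {
            // `id` is a stack local, so its address can never equal a key attached
            // above (those are the statics): this exercises the not-found path only.
            // NOTE(review): pass &objectID some of the time if the found path
            // should also be covered.
            uint32_t id = fdp->ConsumeIntegral<uint32_t>();
            ibinder->findObject(reinterpret_cast<void*>(&id));
        },
        [](FuzzedDataProvider* fdp, IBinder* ibinder) {
            // Same as findObject: a stack address never matches an attached key.
            uint32_t id = fdp->ConsumeIntegral<uint32_t>();
            ibinder->detachObject(reinterpret_cast<void*>(&id));
        },
        [](FuzzedDataProvider* fdp, IBinder* ibinder) {
            // Sends an empty data parcel with a fuzzed code and fuzzed flags
            // (any bit, including oneway); the reply is discarded.
            uint32_t code = fdp->ConsumeIntegral<uint32_t>();
            Parcel p_data;
            Parcel reply;
            uint32_t flags = fdp->ConsumeIntegral<uint32_t>();
            ibinder->transact(code, p_data, &reply, flags);
        }};

}  // namespace android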