/*
 * Copyright (C) 2019 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
#define FUZZ_LOG_TAG "binder"

#include "binder.h"
#include "util.h"

#include <android/os/IServiceManager.h>
#include <binder/ParcelableHolder.h>
#include <binder/PersistableBundle.h>

using ::android::status_t;

// Read-side fuzz table for libbinder's Parcel. Every entry has the shape
// (const Parcel&, uint8_t): the parcel under test plus one byte of fuzz input
// that an entry may use as a length, a position or an option bit. Only the
// read API is exercised; the helper types below abort on their write paths.

// Enum types with explicit underlying widths. They are referenced only by the
// readEnumVector entries further down, which are currently commented out.
enum ByteEnum : int8_t {};
enum IntEnum : int32_t {};
enum LongEnum : int64_t {};

// Minimal Parcelable for the readParcelable entries. Only the read path is
// expected to run; writeToParcel aborts so any serialization attempt fails loudly.
class ExampleParcelable : public android::Parcelable {
public:
    status_t writeToParcel(android::Parcel* /*parcel*/) const override {
        FUZZ_LOG() << "should not reach";
        abort();
    }
    // Consumes one int64 from the parcel; mExampleExtraField just counts calls.
    status_t readFromParcel(const android::Parcel* parcel) override {
        mExampleExtraField++;
        return parcel->readInt64(&(this->mExampleUsedData));
    }
private:
    int64_t mExampleExtraField = 0;
    int64_t mExampleUsedData = 0;
};

// Minimal Flattenable for Parcel::read(Flattenable&). As with
// ExampleParcelable, flatten() is not expected to run.
struct ExampleFlattenable : public android::Flattenable<ExampleFlattenable> {
public:
    size_t getFlattenedSize() const { return sizeof(mValue); }
    size_t getFdCount() const { return 0; }
    status_t flatten(void*& /*buffer*/, size_t& /*size*/, int*& /*fds*/, size_t& /*count*/) const {
        FUZZ_LOG() << "should not reach";
        abort();
    }
    // Refuses to read when fewer than sizeof(mValue) bytes remain; no fds are
    // consumed. FlattenableUtils::read presumably advances buffer/size — see
    // Flattenable.h.
    status_t unflatten(void const*& buffer, size_t& size, int const*& /*fds*/, size_t& /*count*/) {
        if (size < sizeof(mValue)) {
            return android::NO_MEMORY;
        }
        android::FlattenableUtils::read(buffer, size, mValue);
        return android::OK;
    }
private:
    int32_t mValue = 0xFEEDBEEF;
};

// Plain-old-data flattenable for the "lite flattenable" entry; the base class
// supplies the (un)flatten logic.
struct ExampleLightFlattenable : public android::LightFlattenablePod<ExampleLightFlattenable> {
    int32_t mValue = 0;
};

// Builds a table entry for a Parcel method of the form `status_t FUN(T*)`.
// #T and #FUN are stringized into the log line, so spell the arguments exactly
// as they should appear in the log. The one-byte fuzz argument is ignored.
#define PARCEL_READ_WITH_STATUS(T, FUN) \
    [] (const ::android::Parcel& p, uint8_t /*data*/) {\
        FUZZ_LOG() << "about to read " #T " using " #FUN " with status";\
        T t{};\
        status_t status = p.FUN(&t);\
        FUZZ_LOG() << #T " status: " << status /* << " value: " << t*/;\
    }

// Same for methods of the form `T FUN()` that report no status; the value is
// read into a local and discarded.
#define PARCEL_READ_NO_STATUS(T, FUN) \
    [] (const ::android::Parcel& p, uint8_t /*data*/) {\
        FUZZ_LOG() << "about to read " #T " using " #FUN " with no status";\
        T t = p.FUN();\
        (void) t;\
        FUZZ_LOG() << #T " done " /* << " value: " << t*/;\
    }

// Expands to TWO table entries (status and no-status variants).
#define PARCEL_READ_OPT_STATUS(T, FUN) \
    PARCEL_READ_WITH_STATUS(T, FUN), \
    PARCEL_READ_NO_STATUS(T, FUN)

// NOTE(review): presumably some of the Parcel overloads used below are marked
// deprecated; the warning is silenced for the whole table rather than per entry.
#pragma clang diagnostic push
#pragma clang diagnostic ignored "-Wdeprecated-declarations"
// clang-format off
// Entries are presumably dispatched by index (see util.h), so inserting or
// reordering entries remaps existing corpus inputs — confirm before editing
// the middle of the table.
std::vector<ParcelRead<::android::Parcel>> BINDER_PARCEL_READ_FUNCTIONS {
    PARCEL_READ_NO_STATUS(size_t, dataSize),
    PARCEL_READ_NO_STATUS(size_t, dataAvail),
    PARCEL_READ_NO_STATUS(size_t, dataPosition),
    PARCEL_READ_NO_STATUS(size_t, dataCapacity),
    // pos is a uint8_t, so the position set here is always in 0..255.
    [] (const ::android::Parcel& p, uint8_t pos) {
        FUZZ_LOG() << "about to setDataPosition: " << pos;
        p.setDataPosition(pos);
        FUZZ_LOG() << "setDataPosition done";
    },
    PARCEL_READ_NO_STATUS(size_t, allowFds),
    PARCEL_READ_NO_STATUS(size_t, hasFileDescriptors),
    // The interface name is len bytes of 'a'; what enforceInterface compares it
    // against lives in Parcel, not here.
    [] (const ::android::Parcel& p, uint8_t len) {
        std::string interface(len, 'a');
        FUZZ_LOG() << "about to enforceInterface: " << interface;
        bool b = p.enforceInterface(::android::String16(interface.c_str()));
        FUZZ_LOG() << "enforced interface: " << b;
    },
    // Uses a throwaway BBinder, so the descriptor checked is BBinder's default.
    [] (const ::android::Parcel& p, uint8_t /*len*/) {
        FUZZ_LOG() << "about to checkInterface";
        android::sp<android::IBinder> aBinder = new android::BBinder();
        bool b = p.checkInterface(aBinder.get());
        FUZZ_LOG() << "checked interface: " << b;
    },
    PARCEL_READ_NO_STATUS(size_t, objectsCount),
    PARCEL_READ_NO_STATUS(status_t, errorCheck),
    // Reads len bytes into a buffer sized exactly len.
    [] (const ::android::Parcel& p, uint8_t len) {
        FUZZ_LOG() << "about to read void*";
        std::vector<uint8_t> data(len);
        status_t status = p.read(data.data(), len);
        FUZZ_LOG() << "read status: " << status;
    },
    // r is passed to hexString unconditionally, so hexString must tolerate a
    // null pointer (readInplace presumably returns nullptr when fewer than len
    // bytes remain) — verify in util.h.
    [] (const ::android::Parcel& p, uint8_t len) {
        FUZZ_LOG() << "about to readInplace";
        const void* r = p.readInplace(len);
        FUZZ_LOG() << "readInplace done. pointer: " << r << " bytes: " << hexString(r, len);
    },
    PARCEL_READ_OPT_STATUS(int32_t, readInt32),
    PARCEL_READ_OPT_STATUS(uint32_t, readUint32),
    PARCEL_READ_OPT_STATUS(int64_t, readInt64),
    PARCEL_READ_OPT_STATUS(uint64_t, readUint64),
    PARCEL_READ_OPT_STATUS(float, readFloat),
    PARCEL_READ_OPT_STATUS(double, readDouble),
    PARCEL_READ_OPT_STATUS(bool, readBool),
    PARCEL_READ_OPT_STATUS(char16_t, readChar),
    PARCEL_READ_OPT_STATUS(int8_t, readByte),

    PARCEL_READ_WITH_STATUS(std::string, readUtf8FromUtf16),
    PARCEL_READ_WITH_STATUS(std::unique_ptr<std::string>, readUtf8FromUtf16),
    PARCEL_READ_WITH_STATUS(std::optional<std::string>, readUtf8FromUtf16),
    // The ternary guards the nullptr case so the log never dereferences it.
    [] (const ::android::Parcel& p, uint8_t /*data*/) {
        FUZZ_LOG() << "about to read c-str";
        const char* str = p.readCString();
        FUZZ_LOG() << "read c-str: " << (str ? str : "<empty string>");
    },
    PARCEL_READ_OPT_STATUS(android::String8, readString8),
    // Dumps outLen + 1 bytes so the terminator is included. As with readInplace,
    // str may be nullptr and hexString is expected to handle that — verify in util.h.
    [] (const ::android::Parcel& p, uint8_t /*data*/) {
        FUZZ_LOG() << "about to readString8Inplace";
        size_t outLen = 0;
        const char* str = p.readString8Inplace(&outLen);
        std::string bytes = hexString(str, sizeof(char) * (outLen + 1));
        FUZZ_LOG() << "readString8Inplace: " << bytes << " size: " << outLen;
    },
    PARCEL_READ_OPT_STATUS(android::String16, readString16),
    PARCEL_READ_WITH_STATUS(std::unique_ptr<android::String16>, readString16),
    PARCEL_READ_WITH_STATUS(std::optional<android::String16>, readString16),
    // UTF-16 variant of the entry above: (outLen + 1) code units, terminator included.
    [] (const ::android::Parcel& p, uint8_t /*data*/) {
        FUZZ_LOG() << "about to readString16Inplace";
        size_t outLen = 0;
        const char16_t* str = p.readString16Inplace(&outLen);
        std::string bytes = hexString(str, sizeof(char16_t) * (outLen + 1));
        FUZZ_LOG() << "readString16Inplace: " << bytes << " size: " << outLen;
    },
    PARCEL_READ_WITH_STATUS(android::sp<android::IBinder>, readStrongBinder),
    PARCEL_READ_WITH_STATUS(android::sp<android::IBinder>, readNullableStrongBinder),

    // The vector readers stay disabled: the element count comes from the parcel
    // itself, so a hostile parcel can make the fuzzer allocate an arbitrarily
    // large vector rather than finding a bug in libbinder (b/131868573).
    // TODO(b/131868573): can force read of arbitrarily sized vector
    // PARCEL_READ_WITH_STATUS(std::vector<ByteEnum>, readEnumVector),
    // PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<ByteEnum>>, readEnumVector),
    // PARCEL_READ_WITH_STATUS(std::optional<std::vector<ByteEnum>>, readEnumVector),
    // PARCEL_READ_WITH_STATUS(std::vector<IntEnum>, readEnumVector),
    // PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<IntEnum>>, readEnumVector),
    // PARCEL_READ_WITH_STATUS(std::optional<std::vector<IntEnum>>, readEnumVector),
    // PARCEL_READ_WITH_STATUS(std::vector<LongEnum>, readEnumVector),
    // PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<LongEnum>>, readEnumVector),
    // PARCEL_READ_WITH_STATUS(std::optional<std::vector<LongEnum>>, readEnumVector),

    // only reading one parcelable type for now
    // TODO(b/131868573): can force read of arbitrarily sized vector
    // PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<std::unique_ptr<ExampleParcelable>>>, readParcelableVector),
    // PARCEL_READ_WITH_STATUS(std::optional<std::vector<std::optional<ExampleParcelable>>>, readParcelableVector),
    // PARCEL_READ_WITH_STATUS(std::vector<ExampleParcelable>, readParcelableVector),
    PARCEL_READ_WITH_STATUS(ExampleParcelable, readParcelable),
    PARCEL_READ_WITH_STATUS(std::unique_ptr<ExampleParcelable>, readParcelable),
    PARCEL_READ_WITH_STATUS(std::optional<ExampleParcelable>, readParcelable),

    // only reading one binder type for now
    PARCEL_READ_WITH_STATUS(android::sp<android::os::IServiceManager>, readStrongBinder),
    PARCEL_READ_WITH_STATUS(android::sp<android::os::IServiceManager>, readNullableStrongBinder),

    // TODO(b/131868573): can force read of arbitrarily sized vector
    // PARCEL_READ_WITH_STATUS(::std::unique_ptr<std::vector<android::sp<android::IBinder>>>, readStrongBinderVector),
    // PARCEL_READ_WITH_STATUS(::std::optional<std::vector<android::sp<android::IBinder>>>, readStrongBinderVector),
    // PARCEL_READ_WITH_STATUS(std::vector<android::sp<android::IBinder>>, readStrongBinderVector),

    // TODO(b/131868573): can force read of arbitrarily sized vector
    // PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<int8_t>>, readByteVector),
    // PARCEL_READ_WITH_STATUS(std::optional<std::vector<int8_t>>, readByteVector),
    // PARCEL_READ_WITH_STATUS(std::vector<int8_t>, readByteVector),
    // PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<uint8_t>>, readByteVector),
    // PARCEL_READ_WITH_STATUS(std::optional<std::vector<uint8_t>>, readByteVector),
    // PARCEL_READ_WITH_STATUS(std::vector<uint8_t>, readByteVector),
    // PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<int32_t>>, readInt32Vector),
    // PARCEL_READ_WITH_STATUS(std::optional<std::vector<int32_t>>, readInt32Vector),
    // PARCEL_READ_WITH_STATUS(std::vector<int32_t>, readInt32Vector),
    // PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<int64_t>>, readInt64Vector),
    // PARCEL_READ_WITH_STATUS(std::optional<std::vector<int64_t>>, readInt64Vector),
    // PARCEL_READ_WITH_STATUS(std::vector<int64_t>, readInt64Vector),
    // PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<uint64_t>>, readUint64Vector),
    // PARCEL_READ_WITH_STATUS(std::optional<std::vector<uint64_t>>, readUint64Vector),
    // PARCEL_READ_WITH_STATUS(std::vector<uint64_t>, readUint64Vector),
    // PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<float>>, readFloatVector),
    // PARCEL_READ_WITH_STATUS(std::optional<std::vector<float>>, readFloatVector),
    // PARCEL_READ_WITH_STATUS(std::vector<float>, readFloatVector),
    // PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<double>>, readDoubleVector),
    // PARCEL_READ_WITH_STATUS(std::optional<std::vector<double>>, readDoubleVector),
    // PARCEL_READ_WITH_STATUS(std::vector<double>, readDoubleVector),
    // PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<bool>>, readBoolVector),
    // PARCEL_READ_WITH_STATUS(std::optional<std::vector<bool>>, readBoolVector),
    // PARCEL_READ_WITH_STATUS(std::vector<bool>, readBoolVector),
    // PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<char16_t>>, readCharVector),
    // PARCEL_READ_WITH_STATUS(std::optional<std::vector<char16_t>>, readCharVector),
    // PARCEL_READ_WITH_STATUS(std::vector<char16_t>, readCharVector),
    // PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<std::unique_ptr<android::String16>>>, readString16Vector),
    // PARCEL_READ_WITH_STATUS(std::optional<std::vector<std::optional<android::String16>>>, readString16Vector),
    // PARCEL_READ_WITH_STATUS(std::vector<android::String16>, readString16Vector),
    // PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<std::unique_ptr<std::string>>>, readUtf8VectorFromUtf16Vector),
    // PARCEL_READ_WITH_STATUS(std::optional<std::vector<std::optional<std::string>>>, readUtf8VectorFromUtf16Vector),
    // PARCEL_READ_WITH_STATUS(std::vector<std::string>, readUtf8VectorFromUtf16Vector),

    // Exercises Parcel::read(Flattenable&) through ExampleFlattenable::unflatten.
    [] (const android::Parcel& p, uint8_t /*len*/) {
        FUZZ_LOG() << "about to read flattenable";
        ExampleFlattenable f;
        status_t status = p.read(f);
        FUZZ_LOG() << "read flattenable: " << status;
    },
    // Exercises the LightFlattenablePod read path.
    [] (const android::Parcel& p, uint8_t /*len*/) {
        FUZZ_LOG() << "about to read lite flattenable";
        ExampleLightFlattenable f;
        status_t status = p.read(f);
        FUZZ_LOG() << "read lite flattenable: " << status;
    },

    // TODO(b/131868573): can force read of arbitrarily sized vector
    // TODO: resizeOutVector

    PARCEL_READ_NO_STATUS(int32_t, readExceptionCode),
    // The returned handle is closed and deleted here. Dropping either step would
    // leak the handle's descriptors on every fuzz iteration, which eventually
    // exhausts the fd table rather than finding a libbinder bug.
    [] (const android::Parcel& p, uint8_t /*len*/) {
        FUZZ_LOG() << "about to readNativeHandle";
        native_handle_t* t = p.readNativeHandle();
        FUZZ_LOG() << "readNativeHandle: " << t;
        if (t != nullptr) {
            FUZZ_LOG() << "about to free readNativeHandle";
            native_handle_close(t);
            native_handle_delete(t);
            FUZZ_LOG() << "readNativeHandle freed";
        }
    },
    // These two return a raw int that nothing here closes — presumably the parcel
    // keeps ownership of that descriptor; confirm in Parcel before adding a close().
    PARCEL_READ_NO_STATUS(int, readFileDescriptor),
    PARCEL_READ_NO_STATUS(int, readParcelFileDescriptor),
    // unique_fd closes on destruction, so no manual cleanup is needed.
    PARCEL_READ_WITH_STATUS(android::base::unique_fd, readUniqueFileDescriptor),

    // TODO(b/131868573): can force read of arbitrarily sized vector
    // PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<android::base::unique_fd>>, readUniqueFileDescriptorVector),
    // PARCEL_READ_WITH_STATUS(std::optional<std::vector<android::base::unique_fd>>, readUniqueFileDescriptorVector),
    // PARCEL_READ_WITH_STATUS(std::vector<android::base::unique_fd>, readUniqueFileDescriptorVector),

    // Requests a blob of exactly len bytes (len <= 255 by type).
    [] (const android::Parcel& p, uint8_t len) {
        FUZZ_LOG() << "about to readBlob";
        ::android::Parcel::ReadableBlob blob;
        status_t status = p.readBlob(len, &blob);
        FUZZ_LOG() << "readBlob status: " << status;
    },
    // Bit 0 of the fuzz byte selects nullMetaData; only the pointer is logged.
    [] (const android::Parcel& p, uint8_t options) {
        FUZZ_LOG() << "about to readObject";
        bool nullMetaData = options & 0x1;
        const void* obj = static_cast<const void*>(p.readObject(nullMetaData));
        FUZZ_LOG() << "readObject: " << obj;
    },
    PARCEL_READ_NO_STATUS(uid_t, readCallingWorkSourceUid),
    PARCEL_READ_NO_STATUS(size_t, getBlobAshmemSize),
    PARCEL_READ_NO_STATUS(size_t, getOpenAshmemSize),

    // additional parcelable objects defined in libbinder
    // Bit 0 of the fuzz byte picks VINTF stability; otherwise the holder is local.
    [] (const ::android::Parcel& p, uint8_t data) {
        using ::android::os::ParcelableHolder;
        using ::android::Parcelable;
        FUZZ_LOG() << "about to read ParcelableHolder using readParcelable with status";
        Parcelable::Stability stability = Parcelable::Stability::STABILITY_LOCAL;
        if ( (data & 1) == 1 ) {
            stability = Parcelable::Stability::STABILITY_VINTF;
        }
        ParcelableHolder t = ParcelableHolder(stability);
        status_t status = p.readParcelable(&t);
        FUZZ_LOG() << "ParcelableHolder status: " << status;
    },
    PARCEL_READ_WITH_STATUS(android::os::PersistableBundle, readParcelable),
};
// clang-format on
#pragma clang diagnostic pop