• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (C) 2020 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include <fuzzbinder/random_parcel.h>
18 
19 #include <android-base/logging.h>
20 #include <binder/IServiceManager.h>
21 #include <fuzzbinder/random_fd.h>
22 #include <utils/String16.h>
23 
24 namespace android {
25 
26 class NamedBinder : public BBinder {
27 public:
NamedBinder(const String16 & descriptor)28     NamedBinder(const String16& descriptor) : mDescriptor(descriptor) {}
getInterfaceDescriptor() const29     const String16& getInterfaceDescriptor() const override { return mDescriptor; }
30 
31 private:
32     String16 mDescriptor;
33 };
34 
fillRandomParcel(Parcel * p,FuzzedDataProvider && provider)35 void fillRandomParcel(Parcel* p, FuzzedDataProvider&& provider) {
36     while (provider.remaining_bytes() > 0) {
37         auto fillFunc = provider.PickValueInArray<const std::function<void()>>({
38                 // write data
39                 [&]() {
40                     size_t toWrite =
41                             provider.ConsumeIntegralInRange<size_t>(0, provider.remaining_bytes());
42                     std::vector<uint8_t> data = provider.ConsumeBytes<uint8_t>(toWrite);
43                     CHECK(OK == p->write(data.data(), data.size()));
44                 },
45                 // write FD
46                 [&]() {
47                     int fd = getRandomFd(&provider);
48                     CHECK(OK == p->writeFileDescriptor(fd, true /*takeOwnership*/));
49                 },
50                 // write binder
51                 [&]() {
52                     auto makeFunc = provider.PickValueInArray<const std::function<sp<IBinder>()>>({
53                             [&]() {
54                                 // descriptor is the length of a class name, e.g.
55                                 // "some.package.Foo"
56                                 std::string str =
57                                         provider.ConsumeRandomLengthString(100 /*max length*/);
58                                 return new NamedBinder(String16(str.c_str()));
59                             },
60                             []() {
61                                 // this is the easiest remote binder to get ahold of, and it
62                                 // should be able to handle anything thrown at it, and
63                                 // essentially every process can talk to it, so it's a good
64                                 // candidate for checking usage of an actual BpBinder
65                                 return IInterface::asBinder(defaultServiceManager());
66                             },
67                             []() { return nullptr; },
68                     });
69                     sp<IBinder> binder = makeFunc();
70                     CHECK(OK == p->writeStrongBinder(binder));
71                 },
72         });
73 
74         fillFunc();
75     }
76 }
77 
fillRandomParcelData(Parcel * p,FuzzedDataProvider && provider)78 void fillRandomParcelData(Parcel* p, FuzzedDataProvider&& provider) {
79     std::vector<uint8_t> data = provider.ConsumeBytes<uint8_t>(provider.remaining_bytes());
80     CHECK(OK == p->write(data.data(), data.size()));
81 }
82 
83 } // namespace android
84