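/*
 * Copyright 2020 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#pragma once

#include <IBinderFuzzFunctions.h>
#include <fuzzer/FuzzedDataProvider.h>

#include <binder/BpBinder.h>
#include <binder/IBinder.h>
#include <binder/IPCThreadState.h>
#include <binder/IResultReceiver.h>
#include <binder/Parcel.h>
#include <binder/Stability.h>

#include <cutils/compiler.h>
#include <utils/KeyedVector.h>
#include <utils/Log.h>
#include <utils/Mutex.h>
#include <utils/threads.h>

#include <stdint.h>
#include <stdio.h>

// Included directly rather than through another header: this file names
// std::function, std::vector and the fixed-width integer types itself.
#include <functional>
#include <vector>

namespace android {

// Storage whose ADDRESS is used as the death-recipient cookie by the first
// operation below, so linking and unlinking do not need a fresh allocation per
// call. It is `static` in a header, so every translation unit that includes
// this file gets its own copy.
static int8_t kBpBinderCookie = 0;

/* This is a vector of lambda functions the fuzzer will pull from.
 * This is done so new functions can be added to the fuzzer easily
 * without requiring modifications to the main fuzzer file. This also
 * allows multiple fuzzers to include this file, if functionality is needed.
 *
 * Each entry receives the data provider, the BpBinder under test and a death
 * recipient. Return values of the BpBinder calls are ignored.
 *
 * Reproducibility notes for anyone editing this table:
 *  - Keep the order of the entries and the order of the Consume* calls inside
 *    each entry stable; changing either makes existing inputs replay
 *    differently.
 *  - Values that feed one call are consumed into named locals first, because
 *    the evaluation order of function arguments is unspecified.
 *  - NOTE(review): several entries toggle counting, limit-callback and
 *    watermark settings on BpBinder. If those are process-wide rather than
 *    per-object, they persist across fuzz iterations and a crash may depend on
 *    earlier inputs -- confirm against BpBinder.
 */
static const std::vector<std::function<void(FuzzedDataProvider*, const sp<BpBinder>&,
                                            const sp<IBinder::DeathRecipient>&)>>
        gBPBinderOperations = {
                // Drop any link left by a previous call, then link the recipient again
                // with fuzzed flags.
                [](FuzzedDataProvider* fdp, const sp<BpBinder>& bpbinder,
                   const sp<IBinder::DeathRecipient>& s_recipient) -> void {
                    // Clean up possible leftover memory.
                    wp<IBinder::DeathRecipient> outRecipient(nullptr);
                    bpbinder->sendObituary();
                    bpbinder->unlinkToDeath(nullptr, reinterpret_cast<void*>(&kBpBinderCookie), 0,
                                            &outRecipient);

                    // Flags are consumed before the cookie byte; keep that order.
                    uint32_t flags = fdp->ConsumeIntegral<uint32_t>();
                    // Only the pointee changes here: the cookie handed to linkToDeath()
                    // is the address of kBpBinderCookie, which stays the same.
                    kBpBinderCookie = fdp->ConsumeIntegral<int8_t>();
                    bpbinder->linkToDeath(s_recipient.get(),
                                          reinterpret_cast<void*>(&kBpBinderCookie), flags);
                },
                // unlinkToDeath() with fuzzed flags, no recipient and a cookie that was
                // never passed to linkToDeath().
                [](FuzzedDataProvider* fdp, const sp<BpBinder>& bpbinder,
                   const sp<IBinder::DeathRecipient>&) -> void {
                    wp<IBinder::DeathRecipient> out_recipient(nullptr);
                    uint32_t flags = fdp->ConsumeIntegral<uint32_t>();
                    int8_t random_cookie = fdp->ConsumeIntegral<int8_t>();
                    // The cookie is the address of a stack local, valid only for the
                    // duration of this call.
                    // NOTE(review): presumably unlinkToDeath() only compares the cookie
                    // and does not retain it -- confirm.
                    bpbinder->unlinkToDeath(nullptr, reinterpret_cast<void*>(&random_cookie),
                                            flags, &out_recipient);
                },
                // remoteBinder(); the result is discarded.
                [](FuzzedDataProvider*, const sp<BpBinder>& bpbinder,
                   const sp<IBinder::DeathRecipient>&) -> void { bpbinder->remoteBinder(); },
                // sendObituary() on its own, without the unlink/relink that the first
                // entry performs.
                [](FuzzedDataProvider*, const sp<BpBinder>& bpbinder,
                   const sp<IBinder::DeathRecipient>&) -> void { bpbinder->sendObituary(); },
                // getBinderProxyCount() for an arbitrary 32-bit uid; the result is
                // discarded.
                [](FuzzedDataProvider* fdp, const sp<BpBinder>& bpbinder,
                   const sp<IBinder::DeathRecipient>&) -> void {
                    uint32_t uid = fdp->ConsumeIntegral<uint32_t>();
                    bpbinder->getBinderProxyCount(uid);
                },
                // enableCountByUid().
                [](FuzzedDataProvider*, const sp<BpBinder>& bpbinder,
                   const sp<IBinder::DeathRecipient>&) -> void { bpbinder->enableCountByUid(); },
                // disableCountByUid().
                [](FuzzedDataProvider*, const sp<BpBinder>& bpbinder,
                   const sp<IBinder::DeathRecipient>&) -> void { bpbinder->disableCountByUid(); },
                // getCountByUid() with two empty Vectors; whatever it stores in them is
                // discarded when the lambda returns.
                [](FuzzedDataProvider*, const sp<BpBinder>& bpbinder,
                   const sp<IBinder::DeathRecipient>&) -> void {
                    Vector<uint32_t> uids;
                    Vector<uint32_t> counts;
                    bpbinder->getCountByUid(uids, counts);
                },
                // setCountByUidEnabled() with a fuzzed boolean.
                [](FuzzedDataProvider* fdp, const sp<BpBinder>& bpbinder,
                   const sp<IBinder::DeathRecipient>&) -> void {
                    bool enable = fdp->ConsumeBool();
                    bpbinder->setCountByUidEnabled(enable);
                },
                // setLimitCallback() with a value-initialized callback.
                // NOTE(review): if binder_proxy_limit_callback is a function-pointer
                // type this installs a null callback -- confirm that BpBinder checks
                // for null before invoking it.
                [](FuzzedDataProvider*, const sp<BpBinder>& bpbinder,
                   const sp<IBinder::DeathRecipient>&) -> void {
                    binder_proxy_limit_callback cb = binder_proxy_limit_callback();
                    bpbinder->setLimitCallback(cb);
                },
                // setBinderProxyCountWatermarks() with two unconstrained ints, so
                // negative values and high < low are both reachable.
                [](FuzzedDataProvider* fdp, const sp<BpBinder>& bpbinder,
                   const sp<IBinder::DeathRecipient>&) -> void {
                    // `high` is consumed before `low`; keep that order.
                    int high = fdp->ConsumeIntegral<int>();
                    int low = fdp->ConsumeIntegral<int>();
                    bpbinder->setBinderProxyCountWatermarks(high, low);
                }};

} // namespace android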