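/*
 * Copyright 2020 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#pragma once

#include <fuzzer/FuzzedDataProvider.h>

#include <binder/IBinder.h>
#include <binder/IPCThreadState.h>
#include <binder/IResultReceiver.h>
#include <binder/Parcel.h>
#include <binder/Stability.h>
#include <cutils/compiler.h>
#include <utils/KeyedVector.h>
#include <utils/Log.h>
#include <utils/Mutex.h>

#include <unistd.h>

#include <cstdint>
#include <functional>
#include <string>
#include <vector>

namespace android {

// Death recipient whose notification is deliberately a no-op. It exists only
// so fuzzers have a valid recipient object to hand to IBinder; it performs no
// shutdown handling of its own.
class FuzzDeathRecipient : public IBinder::DeathRecipient {
private:
    void binderDied(const wp<IBinder>& /*who*/) override {}
};

// Key, object and cookie handed to IBinder::attachObject. The binder keeps the
// raw pointers it is given, so they must outlive the call that registers them:
// they are file-level statics rather than stack locals of the lambda so the
// stored pointers stay valid for later findObject()/detachObject() calls.
static uint32_t objectID = 0;
static uint32_t object = 0;
static uint32_t cleanup_cookie = 0;

/* This is a vector of lambda functions the fuzzer will pull from.
 * This is done so new functions can be added to the fuzzer easily
 * without requiring modifications to the main fuzzer file. This also
 * allows multiple fuzzers to include this file, if functionality is needed.
 *
 * Each entry consumes whatever fuzz bytes it needs from the provider and then
 * invokes a single IBinder method on the supplied binder. Every entry consumes
 * its bytes in a fixed, statement-by-statement order so that a given input
 * reproduces the same call regardless of compiler.
 * NOTE(review): the including fuzzers presumably select an entry by index, so
 * new operations should be appended at the end rather than inserted or
 * reordered — confirm against the fuzzers that include this header.
 */
static const std::vector<std::function<void(FuzzedDataProvider*, IBinder*)>> gIBinderOperations = {
        // Query-only calls: no fuzz input is needed.
        [](FuzzedDataProvider*, IBinder* ibinder) -> void { ibinder->getInterfaceDescriptor(); },
        [](FuzzedDataProvider*, IBinder* ibinder) -> void { ibinder->isBinderAlive(); },
        [](FuzzedDataProvider*, IBinder* ibinder) -> void { ibinder->pingBinder(); },

        // dump() with one fuzz-derived argument. Output goes to the fuzzer
        // process's own stdout. The argument is built from c_str(), so any
        // bytes after an embedded NUL in the consumed string are dropped.
        [](FuzzedDataProvider* fdp, IBinder* ibinder) -> void {
            const int fd = STDOUT_FILENO;
            const std::string rand_str = fdp->ConsumeRandomLengthString(fdp->remaining_bytes());
            Vector<String16> args;
            args.push(String16(rand_str.c_str()));
            ibinder->dump(fd, args);
        },

        // attachObject() with every combination of null/non-null key, object
        // and cookie. The three ConsumeBool() calls are made in named
        // statements rather than inline in the argument list: function
        // arguments are indeterminately sequenced in C++, so the original
        // nested-ternary form consumed the bytes in a compiler-dependent
        // order and a crashing input could fail to reproduce. The cleanup
        // callback is intentionally null so detaching never calls back into
        // fuzzer code.
        [](FuzzedDataProvider* fdp, IBinder* ibinder) -> void {
            objectID = fdp->ConsumeIntegral<uint32_t>();
            object = fdp->ConsumeIntegral<uint32_t>();
            cleanup_cookie = fdp->ConsumeIntegral<uint32_t>();
            const IBinder::object_cleanup_func func = nullptr;
            void* const key = fdp->ConsumeBool() ? static_cast<void*>(&objectID) : nullptr;
            void* const obj = fdp->ConsumeBool() ? static_cast<void*>(&object) : nullptr;
            void* const cookie = fdp->ConsumeBool() ? static_cast<void*>(&cleanup_cookie) : nullptr;
            (void)ibinder->attachObject(key, obj, cookie, func);
        },

        // findObject(): either look up the key attachObject() may have
        // registered (exercising the hit path) or a fresh stack address that
        // can never have been attached (the miss path). Previously only the
        // stack address was used, so a lookup could never succeed.
        [](FuzzedDataProvider* fdp, IBinder* ibinder) -> void {
            uint32_t id = fdp->ConsumeIntegral<uint32_t>();
            void* const key = fdp->ConsumeBool() ? static_cast<void*>(&objectID) : static_cast<void*>(&id);
            (void)ibinder->findObject(key);
        },

        // detachObject(): same key selection as findObject() above, so the
        // registered entry can actually be removed some of the time.
        [](FuzzedDataProvider* fdp, IBinder* ibinder) -> void {
            uint32_t id = fdp->ConsumeIntegral<uint32_t>();
            void* const key = fdp->ConsumeBool() ? static_cast<void*>(&objectID) : static_cast<void*>(&id);
            (void)ibinder->detachObject(key);
        },

        // transact() with a fuzz-chosen code and flags and an empty data
        // parcel; the reply parcel is discarded. flags is taken verbatim from
        // the input, so arbitrary flag bit combinations are covered.
        [](FuzzedDataProvider* fdp, IBinder* ibinder) -> void {
            const uint32_t code = fdp->ConsumeIntegral<uint32_t>();
            Parcel p_data;
            Parcel reply;
            const uint32_t flags = fdp->ConsumeIntegral<uint32_t>();
            ibinder->transact(code, p_data, &reply, flags);
        },
};

} // namespace android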