• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (C) 2019 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 #define FUZZ_LOG_TAG "binder_ndk"
17 
18 #include "binder_ndk.h"
19 #include "aidl/parcelables/EmptyParcelable.h"
20 #include "aidl/parcelables/GenericDataParcelable.h"
21 #include "aidl/parcelables/SingleDataParcelable.h"
22 
23 #include <android/binder_parcel_utils.h>
24 #include <android/binder_parcelable_utils.h>
25 
26 #include "util.h"
27 
28 // TODO(b/142061461): parent class
29 class SomeParcelable {
30 public:
writeToParcel(AParcel *)31     binder_status_t writeToParcel(AParcel* /*parcel*/) { return STATUS_OK; }
readFromParcel(const AParcel * parcel)32     binder_status_t readFromParcel(const AParcel* parcel) {
33         return AParcel_readInt32(parcel, &mValue);
34     }
35 
36 private:
37     int32_t mValue = 0;
38 };
39 
40 class ISomeInterface : public ::ndk::ICInterface {
41 public:
42     ISomeInterface() = default;
43     virtual ~ISomeInterface() = default;
44     static binder_status_t readFromParcel(const AParcel* parcel,
45                                           std::shared_ptr<ISomeInterface>* instance);
46 };
47 
onTransact(AIBinder *,transaction_code_t,const AParcel *,AParcel *)48 static binder_status_t onTransact(AIBinder*, transaction_code_t, const AParcel*, AParcel*) {
49     return STATUS_UNKNOWN_TRANSACTION;
50 }
51 
52 static AIBinder_Class* g_class = ::ndk::ICInterface::defineClass("ISomeInterface", onTransact);
53 
54 class BpSomeInterface : public ::ndk::BpCInterface<ISomeInterface> {
55 public:
BpSomeInterface(const::ndk::SpAIBinder & binder)56     explicit BpSomeInterface(const ::ndk::SpAIBinder& binder) : BpCInterface(binder) {}
57     virtual ~BpSomeInterface() = default;
58 };
59 
readFromParcel(const AParcel * parcel,std::shared_ptr<ISomeInterface> * instance)60 binder_status_t ISomeInterface::readFromParcel(const AParcel* parcel,
61                                                std::shared_ptr<ISomeInterface>* instance) {
62     ::ndk::SpAIBinder binder;
63     binder_status_t status = AParcel_readStrongBinder(parcel, binder.getR());
64     if (status == STATUS_OK) {
65         if (AIBinder_associateClass(binder.get(), g_class)) {
66             *instance = std::static_pointer_cast<ISomeInterface>(
67                     ::ndk::ICInterface::asInterface(binder.get()));
68         } else {
69             *instance = ::ndk::SharedRefBase::make<BpSomeInterface>(binder);
70         }
71     }
72     return status;
73 }
74 
75 #define PARCEL_READ(T, FUN)                                              \
76     [](const NdkParcelAdapter& p, FuzzedDataProvider& /*provider*/) {    \
77         FUZZ_LOG() << "about to read " #T " using " #FUN " with status"; \
78         T t{};                                                           \
79         binder_status_t status = FUN(p.aParcel(), &t);                   \
80         FUZZ_LOG() << #T " status: " << status /* << " value: " << t*/;  \
81     }
82 
83 // clang-format off
84 std::vector<ParcelRead<NdkParcelAdapter>> BINDER_NDK_PARCEL_READ_FUNCTIONS{
85         // methods from binder_parcel.h
__anonb97ca9940102() 86         [](const NdkParcelAdapter& p, FuzzedDataProvider& provider) {
87             // aborts on larger values
88             size_t pos = provider.ConsumeIntegralInRange<size_t>(0, INT32_MAX);
89             FUZZ_LOG() << "about to set data position to " << pos;
90             binder_status_t status = AParcel_setDataPosition(p.aParcel(), pos);
91             FUZZ_LOG() << "set data position: " << status;
92         },
__anonb97ca9940202() 93         [](const NdkParcelAdapter& p, FuzzedDataProvider& /*provider*/) {
94             FUZZ_LOG() << "about to read status header";
95             ndk::ScopedAStatus t;
96             binder_status_t status = AParcel_readStatusHeader(p.aParcel(), t.getR());
97             FUZZ_LOG() << "read status header: " << status;
98         },
__anonb97ca9940302() 99         [](const NdkParcelAdapter& p, FuzzedDataProvider& /*provider*/) {
100             FUZZ_LOG() << "about to getDataSize the parcel";
101             AParcel_getDataSize(p.aParcel());
102             FUZZ_LOG() << "getDataSize done";
103         },
__anonb97ca9940402() 104         [](const NdkParcelAdapter& p, FuzzedDataProvider& provider) {
105             FUZZ_LOG() << "about to read a ParcelableHolder";
106             ndk::AParcelableHolder ph {provider.ConsumeBool() ? ndk::STABILITY_LOCAL : ndk::STABILITY_VINTF};
107             binder_status_t status = AParcel_readParcelable(p.aParcel(), &ph);
108             FUZZ_LOG() << "read the ParcelableHolder: " << status;
109         },
__anonb97ca9940502() 110         [](const NdkParcelAdapter& p, FuzzedDataProvider& provider) {
111             size_t offset = provider.ConsumeIntegral<size_t>();
112             size_t pos = provider.ConsumeIntegral<size_t>();
113             FUZZ_LOG() << "about to appendFrom " << pos;
114             // TODO: create random parcel
115             AParcel* parcel = AParcel_create();
116             binder_status_t status = AParcel_appendFrom(p.aParcel(), parcel, offset, pos);
117             AParcel_delete(parcel);
118             FUZZ_LOG() << "appendFrom: " << status;
119         },
120 
121         PARCEL_READ(int32_t, AParcel_readInt32),
122         PARCEL_READ(uint32_t, AParcel_readUint32),
123         PARCEL_READ(int64_t, AParcel_readInt64),
124         PARCEL_READ(uint64_t, AParcel_readUint64),
125         PARCEL_READ(float, AParcel_readFloat),
126         PARCEL_READ(double, AParcel_readDouble),
127         PARCEL_READ(bool, AParcel_readBool),
128         PARCEL_READ(char16_t, AParcel_readChar),
129         PARCEL_READ(int8_t, AParcel_readByte),
130 
131         // methods from binder_parcel_utils.h
132         PARCEL_READ(ndk::SpAIBinder, ndk::AParcel_readNullableStrongBinder),
133         PARCEL_READ(ndk::SpAIBinder, ndk::AParcel_readRequiredStrongBinder),
134         PARCEL_READ(ndk::ScopedFileDescriptor, ndk::AParcel_readNullableParcelFileDescriptor),
135         PARCEL_READ(ndk::ScopedFileDescriptor, ndk::AParcel_readRequiredParcelFileDescriptor),
136         PARCEL_READ(std::string, ndk::AParcel_readString),
137         PARCEL_READ(std::optional<std::string>, ndk::AParcel_readString),
138 
139         PARCEL_READ(std::vector<std::string>, ndk::AParcel_readVector),
140         PARCEL_READ(std::optional<std::vector<std::optional<std::string>>>, ndk::AParcel_readVector),
141         PARCEL_READ(std::vector<SomeParcelable>, ndk::AParcel_readVector),
142         PARCEL_READ(std::optional<std::vector<std::optional<SomeParcelable>>>, ndk::AParcel_readVector),
143         PARCEL_READ(std::vector<ndk::SpAIBinder>, ndk::AParcel_readVector),
144         PARCEL_READ(std::optional<std::vector<ndk::SpAIBinder>>, ndk::AParcel_readVector),
145         PARCEL_READ(std::vector<ndk::ScopedFileDescriptor>, ndk::AParcel_readVector),
146         PARCEL_READ(std::optional<std::vector<ndk::ScopedFileDescriptor>>, ndk::AParcel_readVector),
147         PARCEL_READ(std::vector<std::shared_ptr<ISomeInterface>>, ndk::AParcel_readVector),
148         PARCEL_READ(std::optional<std::vector<std::shared_ptr<ISomeInterface>>>, ndk::AParcel_readVector),
149         PARCEL_READ(std::vector<int32_t>, ndk::AParcel_readVector),
150         PARCEL_READ(std::optional<std::vector<int32_t>>, ndk::AParcel_readVector),
151         PARCEL_READ(std::vector<uint32_t>, ndk::AParcel_readVector),
152         PARCEL_READ(std::optional<std::vector<uint32_t>>, ndk::AParcel_readVector),
153         PARCEL_READ(std::vector<int64_t>, ndk::AParcel_readVector),
154         PARCEL_READ(std::optional<std::vector<int64_t>>, ndk::AParcel_readVector),
155         PARCEL_READ(std::vector<uint64_t>, ndk::AParcel_readVector),
156         PARCEL_READ(std::optional<std::vector<uint64_t>>, ndk::AParcel_readVector),
157         PARCEL_READ(std::vector<float>, ndk::AParcel_readVector),
158         PARCEL_READ(std::optional<std::vector<float>>, ndk::AParcel_readVector),
159         PARCEL_READ(std::vector<double>, ndk::AParcel_readVector),
160         PARCEL_READ(std::optional<std::vector<double>>, ndk::AParcel_readVector),
161         PARCEL_READ(std::vector<bool>, ndk::AParcel_readVector),
162         PARCEL_READ(std::optional<std::vector<bool>>, ndk::AParcel_readVector),
163         PARCEL_READ(std::vector<char16_t>, ndk::AParcel_readVector),
164         PARCEL_READ(std::optional<std::vector<char16_t>>, ndk::AParcel_readVector),
165         PARCEL_READ(std::vector<int32_t>, ndk::AParcel_resizeVector),
166         PARCEL_READ(std::optional<std::vector<int32_t>>, ndk::AParcel_resizeVector),
167 
168         // methods for std::array<T,N>
169 #define COMMA ,
170         PARCEL_READ(std::array<bool COMMA 3>, ndk::AParcel_readData),
171         PARCEL_READ(std::array<uint8_t COMMA 3>, ndk::AParcel_readData),
172         PARCEL_READ(std::array<char16_t COMMA 3>, ndk::AParcel_readData),
173         PARCEL_READ(std::array<int32_t COMMA 3>, ndk::AParcel_readData),
174         PARCEL_READ(std::array<int64_t COMMA 3>, ndk::AParcel_readData),
175         PARCEL_READ(std::array<float COMMA 3>, ndk::AParcel_readData),
176         PARCEL_READ(std::array<double COMMA 3>, ndk::AParcel_readData),
177         PARCEL_READ(std::array<std::string COMMA 3>, ndk::AParcel_readData),
178         PARCEL_READ(std::array<SomeParcelable COMMA 3>, ndk::AParcel_readData),
179         PARCEL_READ(std::array<ndk::SpAIBinder COMMA 3>, ndk::AParcel_readData),
180         PARCEL_READ(std::array<ndk::ScopedFileDescriptor COMMA 3>, ndk::AParcel_readData),
181         PARCEL_READ(std::array<std::shared_ptr<ISomeInterface> COMMA 3>, ndk::AParcel_readData),
182 #undef COMMA
183 
__anonb97ca9940602() 184         [](const NdkParcelAdapter& p, FuzzedDataProvider& /*provider*/) {
185             FUZZ_LOG() << "about to read parcel using readFromParcel for EmptyParcelable";
186             aidl::parcelables::EmptyParcelable emptyParcelable;
187             binder_status_t status = emptyParcelable.readFromParcel(p.aParcel());
188             FUZZ_LOG() << "status: " << status;
189         },
__anonb97ca9940702() 190         [](const NdkParcelAdapter& p, FuzzedDataProvider& /*provider*/) {
191             FUZZ_LOG() << "about to read parcel using readFromParcel for SingleDataParcelable";
192             aidl::parcelables::SingleDataParcelable singleDataParcelable;
193             binder_status_t status = singleDataParcelable.readFromParcel(p.aParcel());
194             FUZZ_LOG() << "status: " << status;
195         },
__anonb97ca9940802() 196         [](const NdkParcelAdapter& p, FuzzedDataProvider& /*provider*/) {
197             FUZZ_LOG() << "about to read parcel using readFromParcel for GenericDataParcelable";
198             aidl::parcelables::GenericDataParcelable genericDataParcelable;
199             binder_status_t status = genericDataParcelable.readFromParcel(p.aParcel());
200             FUZZ_LOG() << "status: " << status;
201             std::string toString = genericDataParcelable.toString();
202             FUZZ_LOG() << "toString() result: " << toString;
203         },
__anonb97ca9940902() 204         [](const NdkParcelAdapter& p, FuzzedDataProvider& provider) {
205             FUZZ_LOG() << "about to marshal AParcel";
206             size_t start = provider.ConsumeIntegral<size_t>();
207             // limit 1MB to avoid OOM issues
208             size_t len = provider.ConsumeIntegralInRange<size_t>(0, 1000000);
209             uint8_t buffer[len];
210             binder_status_t status = AParcel_marshal(p.aParcel(), buffer, start, len);
211             FUZZ_LOG() << "status: " << status;
212         },
__anonb97ca9940a02() 213         [](const NdkParcelAdapter& /*p*/, FuzzedDataProvider& provider) {
214             FUZZ_LOG() << "about to unmarshal AParcel";
215             size_t len = provider.ConsumeIntegralInRange<size_t>(0, provider.remaining_bytes());
216             std::vector<uint8_t> parcelData = provider.ConsumeBytes<uint8_t>(len);
217             const uint8_t* buffer = parcelData.data();
218             const size_t bufferLen = parcelData.size();
219             NdkParcelAdapter adapter;
220             binder_status_t status = AParcel_unmarshal(adapter.aParcel(), buffer, bufferLen);
221             FUZZ_LOG() << "status: " << status;
222         },
223 
224 };
225 // clang-format on
226