1 /*
2 * Copyright (C) 2019 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16 #define FUZZ_LOG_TAG "binder_ndk"
17
18 #include "binder_ndk.h"
19 #include "aidl/parcelables/EmptyParcelable.h"
20 #include "aidl/parcelables/GenericDataParcelable.h"
21 #include "aidl/parcelables/SingleDataParcelable.h"
22
23 #include <android/binder_libbinder.h>
24 #include <android/binder_parcel_utils.h>
25 #include <android/binder_parcelable_utils.h>
26 #include <fuzzbinder/random_binder.h>
27 #include <fuzzbinder/random_fd.h>
28
29 #include "util.h"
30
31 // TODO(b/142061461): parent class
32 class SomeParcelable {
33 public:
writeToParcel(AParcel *)34 binder_status_t writeToParcel(AParcel* /*parcel*/) { return STATUS_OK; }
readFromParcel(const AParcel * parcel)35 binder_status_t readFromParcel(const AParcel* parcel) {
36 return AParcel_readInt32(parcel, &mValue);
37 }
38
39 private:
40 int32_t mValue = 0;
41 };
42
43 class ISomeInterface : public ::ndk::ICInterface {
44 public:
45 ISomeInterface() = default;
46 virtual ~ISomeInterface() = default;
47 static binder_status_t readFromParcel(const AParcel* parcel,
48 std::shared_ptr<ISomeInterface>* instance);
49 };
50
onTransact(AIBinder *,transaction_code_t,const AParcel *,AParcel *)51 static binder_status_t onTransact(AIBinder*, transaction_code_t, const AParcel*, AParcel*) {
52 return STATUS_UNKNOWN_TRANSACTION;
53 }
54
55 static AIBinder_Class* g_class =
56 ::ndk::ICInterface::defineClass("ISomeInterface", onTransact, nullptr, 0);
57
58 class BpSomeInterface : public ::ndk::BpCInterface<ISomeInterface> {
59 public:
BpSomeInterface(const::ndk::SpAIBinder & binder)60 explicit BpSomeInterface(const ::ndk::SpAIBinder& binder) : BpCInterface(binder) {}
61 virtual ~BpSomeInterface() = default;
62 };
63
readFromParcel(const AParcel * parcel,std::shared_ptr<ISomeInterface> * instance)64 binder_status_t ISomeInterface::readFromParcel(const AParcel* parcel,
65 std::shared_ptr<ISomeInterface>* instance) {
66 ::ndk::SpAIBinder binder;
67 binder_status_t status = AParcel_readStrongBinder(parcel, binder.getR());
68 if (status == STATUS_OK) {
69 if (AIBinder_associateClass(binder.get(), g_class)) {
70 *instance = std::static_pointer_cast<ISomeInterface>(
71 ::ndk::ICInterface::asInterface(binder.get()));
72 } else {
73 *instance = ::ndk::SharedRefBase::make<BpSomeInterface>(binder);
74 }
75 }
76 return status;
77 }
78
79 #define PARCEL_READ(T, FUN) \
80 [](const NdkParcelAdapter& p, FuzzedDataProvider& /*provider*/) { \
81 FUZZ_LOG() << "about to read " #T " using " #FUN " with status"; \
82 T t{}; \
83 binder_status_t status = FUN(p.aParcel(), &t); \
84 FUZZ_LOG() << #T " status: " << status /* << " value: " << t*/; \
85 }
86
87 // clang-format off
88 std::vector<ParcelRead<NdkParcelAdapter>> BINDER_NDK_PARCEL_READ_FUNCTIONS{
89 // methods from binder_parcel.h
__anon184454c50102() 90 [](const NdkParcelAdapter& p, FuzzedDataProvider& provider) {
91 // aborts on larger values
92 size_t pos = provider.ConsumeIntegralInRange<size_t>(0, INT32_MAX);
93 FUZZ_LOG() << "about to set data position to " << pos;
94 binder_status_t status = AParcel_setDataPosition(p.aParcel(), pos);
95 FUZZ_LOG() << "set data position: " << status;
96 },
__anon184454c50202() 97 [](const NdkParcelAdapter& p, FuzzedDataProvider& /*provider*/) {
98 FUZZ_LOG() << "about to read status header";
99 ndk::ScopedAStatus t;
100 binder_status_t status = AParcel_readStatusHeader(p.aParcel(), t.getR());
101 FUZZ_LOG() << "read status header: " << status;
102 },
__anon184454c50302() 103 [](const NdkParcelAdapter& p, FuzzedDataProvider& /*provider*/) {
104 FUZZ_LOG() << "about to getDataSize the parcel";
105 AParcel_getDataSize(p.aParcel());
106 FUZZ_LOG() << "getDataSize done";
107 },
__anon184454c50402() 108 [](const NdkParcelAdapter& p, FuzzedDataProvider& provider) {
109 FUZZ_LOG() << "about to read a ParcelableHolder";
110 ndk::AParcelableHolder ph {provider.ConsumeBool() ? ndk::STABILITY_LOCAL : ndk::STABILITY_VINTF};
111 binder_status_t status = AParcel_readParcelable(p.aParcel(), &ph);
112 FUZZ_LOG() << "read the ParcelableHolder: " << status;
113 },
__anon184454c50502() 114 [](const NdkParcelAdapter& p, FuzzedDataProvider& provider) {
115 size_t offset = provider.ConsumeIntegral<size_t>();
116 size_t pos = provider.ConsumeIntegral<size_t>();
117 FUZZ_LOG() << "about to appendFrom " << pos;
118 // TODO: create random parcel
119 AParcel* parcel = AParcel_create();
120 binder_status_t status = AParcel_appendFrom(p.aParcel(), parcel, offset, pos);
121 AParcel_delete(parcel);
122 FUZZ_LOG() << "appendFrom: " << status;
123 },
124
125 PARCEL_READ(int32_t, AParcel_readInt32),
126 PARCEL_READ(uint32_t, AParcel_readUint32),
127 PARCEL_READ(int64_t, AParcel_readInt64),
128 PARCEL_READ(uint64_t, AParcel_readUint64),
129 PARCEL_READ(float, AParcel_readFloat),
130 PARCEL_READ(double, AParcel_readDouble),
131 PARCEL_READ(bool, AParcel_readBool),
132 PARCEL_READ(char16_t, AParcel_readChar),
133 PARCEL_READ(int8_t, AParcel_readByte),
134
135 // methods from binder_parcel_utils.h
136 PARCEL_READ(ndk::SpAIBinder, ndk::AParcel_readNullableStrongBinder),
137 PARCEL_READ(ndk::SpAIBinder, ndk::AParcel_readRequiredStrongBinder),
138 PARCEL_READ(ndk::ScopedFileDescriptor, ndk::AParcel_readNullableParcelFileDescriptor),
139 PARCEL_READ(ndk::ScopedFileDescriptor, ndk::AParcel_readRequiredParcelFileDescriptor),
140 PARCEL_READ(std::string, ndk::AParcel_readString),
141 PARCEL_READ(std::optional<std::string>, ndk::AParcel_readString),
142
143 PARCEL_READ(std::vector<std::string>, ndk::AParcel_readVector),
144 PARCEL_READ(std::optional<std::vector<std::optional<std::string>>>, ndk::AParcel_readVector),
145 PARCEL_READ(std::vector<SomeParcelable>, ndk::AParcel_readVector),
146 PARCEL_READ(std::optional<std::vector<std::optional<SomeParcelable>>>, ndk::AParcel_readVector),
147 PARCEL_READ(std::vector<ndk::SpAIBinder>, ndk::AParcel_readVector),
148 PARCEL_READ(std::optional<std::vector<ndk::SpAIBinder>>, ndk::AParcel_readVector),
149 PARCEL_READ(std::vector<ndk::ScopedFileDescriptor>, ndk::AParcel_readVector),
150 PARCEL_READ(std::optional<std::vector<ndk::ScopedFileDescriptor>>, ndk::AParcel_readVector),
151 PARCEL_READ(std::vector<std::shared_ptr<ISomeInterface>>, ndk::AParcel_readVector),
152 PARCEL_READ(std::optional<std::vector<std::shared_ptr<ISomeInterface>>>, ndk::AParcel_readVector),
153 PARCEL_READ(std::vector<int32_t>, ndk::AParcel_readVector),
154 PARCEL_READ(std::optional<std::vector<int32_t>>, ndk::AParcel_readVector),
155 PARCEL_READ(std::vector<uint32_t>, ndk::AParcel_readVector),
156 PARCEL_READ(std::optional<std::vector<uint32_t>>, ndk::AParcel_readVector),
157 PARCEL_READ(std::vector<int64_t>, ndk::AParcel_readVector),
158 PARCEL_READ(std::optional<std::vector<int64_t>>, ndk::AParcel_readVector),
159 PARCEL_READ(std::vector<uint64_t>, ndk::AParcel_readVector),
160 PARCEL_READ(std::optional<std::vector<uint64_t>>, ndk::AParcel_readVector),
161 PARCEL_READ(std::vector<float>, ndk::AParcel_readVector),
162 PARCEL_READ(std::optional<std::vector<float>>, ndk::AParcel_readVector),
163 PARCEL_READ(std::vector<double>, ndk::AParcel_readVector),
164 PARCEL_READ(std::optional<std::vector<double>>, ndk::AParcel_readVector),
165 PARCEL_READ(std::vector<bool>, ndk::AParcel_readVector),
166 PARCEL_READ(std::optional<std::vector<bool>>, ndk::AParcel_readVector),
167 PARCEL_READ(std::vector<char16_t>, ndk::AParcel_readVector),
168 PARCEL_READ(std::optional<std::vector<char16_t>>, ndk::AParcel_readVector),
169 PARCEL_READ(std::vector<int32_t>, ndk::AParcel_resizeVector),
170 PARCEL_READ(std::optional<std::vector<int32_t>>, ndk::AParcel_resizeVector),
171
172 // methods for std::array<T,N>
173 #define COMMA ,
174 PARCEL_READ(std::array<bool COMMA 3>, ndk::AParcel_readData),
175 PARCEL_READ(std::array<uint8_t COMMA 3>, ndk::AParcel_readData),
176 PARCEL_READ(std::array<char16_t COMMA 3>, ndk::AParcel_readData),
177 PARCEL_READ(std::array<int32_t COMMA 3>, ndk::AParcel_readData),
178 PARCEL_READ(std::array<int64_t COMMA 3>, ndk::AParcel_readData),
179 PARCEL_READ(std::array<float COMMA 3>, ndk::AParcel_readData),
180 PARCEL_READ(std::array<double COMMA 3>, ndk::AParcel_readData),
181 PARCEL_READ(std::array<std::string COMMA 3>, ndk::AParcel_readData),
182 PARCEL_READ(std::array<SomeParcelable COMMA 3>, ndk::AParcel_readData),
183 PARCEL_READ(std::array<ndk::SpAIBinder COMMA 3>, ndk::AParcel_readData),
184 PARCEL_READ(std::array<ndk::ScopedFileDescriptor COMMA 3>, ndk::AParcel_readData),
185 PARCEL_READ(std::array<std::shared_ptr<ISomeInterface> COMMA 3>, ndk::AParcel_readData),
186 #undef COMMA
187
__anon184454c50602() 188 [](const NdkParcelAdapter& p, FuzzedDataProvider& /*provider*/) {
189 FUZZ_LOG() << "about to read parcel using readFromParcel for EmptyParcelable";
190 aidl::parcelables::EmptyParcelable emptyParcelable;
191 binder_status_t status = emptyParcelable.readFromParcel(p.aParcel());
192 FUZZ_LOG() << "status: " << status;
193 },
__anon184454c50702() 194 [](const NdkParcelAdapter& p, FuzzedDataProvider& /*provider*/) {
195 FUZZ_LOG() << "about to read parcel using readFromParcel for SingleDataParcelable";
196 aidl::parcelables::SingleDataParcelable singleDataParcelable;
197 binder_status_t status = singleDataParcelable.readFromParcel(p.aParcel());
198 FUZZ_LOG() << "status: " << status;
199 },
__anon184454c50802() 200 [](const NdkParcelAdapter& p, FuzzedDataProvider& /*provider*/) {
201 FUZZ_LOG() << "about to read parcel using readFromParcel for GenericDataParcelable";
202 aidl::parcelables::GenericDataParcelable genericDataParcelable;
203 binder_status_t status = genericDataParcelable.readFromParcel(p.aParcel());
204 FUZZ_LOG() << "status: " << status;
205 std::string toString = genericDataParcelable.toString();
206 FUZZ_LOG() << "toString() result: " << toString;
207 },
__anon184454c50902() 208 [](const NdkParcelAdapter& p, FuzzedDataProvider& provider) {
209 FUZZ_LOG() << "about to marshal AParcel";
210 size_t start = provider.ConsumeIntegral<size_t>();
211 // limit 1MB to avoid OOM issues
212 size_t len = provider.ConsumeIntegralInRange<size_t>(0, 1000000);
213 uint8_t buffer[len];
214 binder_status_t status = AParcel_marshal(p.aParcel(), buffer, start, len);
215 FUZZ_LOG() << "status: " << status;
216 },
217 };
218 std::vector<ParcelWrite<NdkParcelAdapter>> BINDER_NDK_PARCEL_WRITE_FUNCTIONS{
__anon184454c50a02() 219 [] (NdkParcelAdapter& p, FuzzedDataProvider& provider, android::RandomParcelOptions* options) {
220 FUZZ_LOG() << "about to call AParcel_writeStrongBinder";
221
222 // TODO: this logic is somewhat duplicated with random parcel
223 android::sp<android::IBinder> binder;
224 if (provider.ConsumeBool() && options->extraBinders.size() > 0) {
225 binder = options->extraBinders.at(
226 provider.ConsumeIntegralInRange<size_t>(0, options->extraBinders.size() - 1));
227 } else {
228 binder = android::getRandomBinder(&provider);
229 options->extraBinders.push_back(binder);
230 }
231
232 ndk::SpAIBinder abinder = ndk::SpAIBinder(AIBinder_fromPlatformBinder(binder));
233 AParcel_writeStrongBinder(p.aParcel(), abinder.get());
234 },
__anon184454c50b02() 235 [] (NdkParcelAdapter& p, FuzzedDataProvider& provider, android::RandomParcelOptions* options) {
236 FUZZ_LOG() << "about to call AParcel_writeParcelFileDescriptor";
237
238 auto fds = android::getRandomFds(&provider);
239 if (fds.size() == 0) return;
240
241 AParcel_writeParcelFileDescriptor(p.aParcel(), fds.at(0).get());
242 options->extraFds.insert(options->extraFds.end(),
243 std::make_move_iterator(fds.begin() + 1),
244 std::make_move_iterator(fds.end()));
245 },
246 // all possible data writes can be done as a series of 4-byte reads
__anon184454c50c02() 247 [] (NdkParcelAdapter& p, FuzzedDataProvider& provider, android::RandomParcelOptions* /*options*/) {
248 FUZZ_LOG() << "about to call AParcel_writeInt32";
249 int32_t val = provider.ConsumeIntegral<int32_t>();
250 AParcel_writeInt32(p.aParcel(), val);
251 },
__anon184454c50d02() 252 [] (NdkParcelAdapter& p, FuzzedDataProvider& /* provider */, android::RandomParcelOptions* /*options*/) {
253 FUZZ_LOG() << "about to call AParcel_reset";
254 AParcel_reset(p.aParcel());
255 },
__anon184454c50e02() 256 [](NdkParcelAdapter& p, FuzzedDataProvider& provider, android::RandomParcelOptions* /*options*/) {
257 FUZZ_LOG() << "about to call AParcel_unmarshal";
258 size_t len = provider.ConsumeIntegralInRange<size_t>(0, provider.remaining_bytes());
259 std::vector<uint8_t> data = provider.ConsumeBytes<uint8_t>(len);
260 binder_status_t status = AParcel_unmarshal(p.aParcel(), data.data(), data.size());
261 FUZZ_LOG() << "status: " << status;
262 },
263 };
264 // clang-format on
265