xref: /aosp_15_r20/frameworks/native/libs/binder/tests/unit_fuzzers/BpBinderFuzzFunctions.h (revision 38e8c45f13ce32b0dcecb25141ffecaf386fa17f) 
1 /*
2  * Copyright 2020 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #pragma once
18 
19 #include <IBinderFuzzFunctions.h>
20 #include <fuzzer/FuzzedDataProvider.h>
21 
22 #include <binder/BpBinder.h>
23 #include <binder/IBinder.h>
24 #include <binder/IPCThreadState.h>
25 #include <binder/IResultReceiver.h>
26 #include <binder/Parcel.h>
27 #include <binder/Stability.h>
28 
29 #include <utils/KeyedVector.h>
30 #include <utils/Log.h>
31 #include <utils/Mutex.h>
32 
33 #include <stdio.h>
34 
35 namespace android {
36 
37 // Static variable to reference so we don't consume a bunch of memory to link and
38 // unlink DeathRecipients.
39 static int8_t kBpBinderCookie = 0;
40 
41 /* This is a vector of lambda functions the fuzzer will pull from.
42  *  This is done so new functions can be added to the fuzzer easily
43  *  without requiring modifications to the main fuzzer file. This also
44  *  allows multiple fuzzers to include this file, if functionality is needed.
45  */
46 static const std::vector<std::function<void(FuzzedDataProvider*, const sp<BpBinder>&,
47                                             const sp<IBinder::DeathRecipient>&)>>
48         gBPBinderOperations =
49                 {[](FuzzedDataProvider* fdp, const sp<BpBinder>& bpbinder,
50                     const sp<IBinder::DeathRecipient>& s_recipient) -> void {
51                      // Clean up possible leftover memory.
52                      wp<IBinder::DeathRecipient> outRecipient(nullptr);
53                      if (!bpbinder->isRpcBinder()) bpbinder->sendObituary();
54                      bpbinder->unlinkToDeath(nullptr, reinterpret_cast<void*>(&kBpBinderCookie), 0,
55                                              &outRecipient);
56 
57                      uint32_t flags = fdp->ConsumeIntegral<uint32_t>();
58                      kBpBinderCookie = fdp->ConsumeIntegral<int8_t>();
59                      bpbinder->linkToDeath(s_recipient.get(),
60                                            reinterpret_cast<void*>(&kBpBinderCookie), flags);
61                  },
62                  [](FuzzedDataProvider* fdp, const sp<BpBinder>& bpbinder,
63                     const sp<IBinder::DeathRecipient>&) -> void {
64                      wp<IBinder::DeathRecipient> out_recipient(nullptr);
65                      uint32_t flags = fdp->ConsumeIntegral<uint32_t>();
66                      int8_t random_cookie = fdp->ConsumeIntegral<int8_t>();
67                      bpbinder->unlinkToDeath(nullptr, reinterpret_cast<void*>(&random_cookie),
68                                              flags, &out_recipient);
69                  },
70                  [](FuzzedDataProvider*, const sp<BpBinder>& bpbinder,
71                     const sp<IBinder::DeathRecipient>&) -> void { bpbinder->remoteBinder(); },
72                  [](FuzzedDataProvider*, const sp<BpBinder>& bpbinder,
73                     const sp<IBinder::DeathRecipient>&) -> void {
74                      if (!bpbinder->isRpcBinder()) bpbinder->sendObituary();
75                  },
76                  [](FuzzedDataProvider* fdp, const sp<BpBinder>& bpbinder,
77                     const sp<IBinder::DeathRecipient>&) -> void {
78                      uint32_t uid = fdp->ConsumeIntegral<uint32_t>();
79                      bpbinder->getBinderProxyCount(uid);
80                  },
81                  [](FuzzedDataProvider*, const sp<BpBinder>& bpbinder,
82                     const sp<IBinder::DeathRecipient>&) -> void { bpbinder->enableCountByUid(); },
83                  [](FuzzedDataProvider*, const sp<BpBinder>& bpbinder,
84                     const sp<IBinder::DeathRecipient>&) -> void { bpbinder->disableCountByUid(); },
85                  [](FuzzedDataProvider*, const sp<BpBinder>& bpbinder,
86                     const sp<IBinder::DeathRecipient>&) -> void {
87                      Vector<uint32_t> uids;
88                      Vector<uint32_t> counts;
89                      bpbinder->getCountByUid(uids, counts);
90                  },
91                  [](FuzzedDataProvider* fdp, const sp<BpBinder>& bpbinder,
92                     const sp<IBinder::DeathRecipient>&) -> void {
93                      bool enable = fdp->ConsumeBool();
94                      bpbinder->setCountByUidEnabled(enable);
95                  },
96                  [](FuzzedDataProvider*, const sp<BpBinder>& bpbinder,
97                     const sp<IBinder::DeathRecipient>&) -> void {
98                      binder_proxy_limit_callback cbl = binder_proxy_limit_callback();
99                      binder_proxy_warning_callback cbw = binder_proxy_warning_callback();
100                      bpbinder->setBinderProxyCountEventCallback(cbl, cbw);
101                  },
102                  [](FuzzedDataProvider* fdp, const sp<BpBinder>& bpbinder,
103                     const sp<IBinder::DeathRecipient>&) -> void {
104                      int high = fdp->ConsumeIntegral<int>();
105                      int low = fdp->ConsumeIntegral<int>();
106                      int warning = fdp->ConsumeIntegral<int>();
107                      bpbinder->setBinderProxyCountWatermarks(high, low, warning);
108                  }};
109 
110 } // namespace android
111