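/*
 * Copyright 2020 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#pragma once

#include <fuzzer/FuzzedDataProvider.h>

#include <binder/IBinder.h>
#include <binder/IPCThreadState.h>
#include <binder/IResultReceiver.h>
#include <binder/Parcel.h>
#include <binder/Stability.h>
#include <utils/KeyedVector.h>
#include <utils/Log.h>
#include <utils/Mutex.h>

// Include what we use: STDOUT_FILENO, uint32_t, std::function/string/vector
// were previously reached only through transitive includes.
#include <unistd.h>

#include <cstdint>
#include <functional>
#include <string>
#include <vector>

namespace android {

// Death recipient that deliberately ignores the notification. It is not
// referenced in this header; presumably an including fuzzer uses it to
// exercise linkToDeath()/unlinkToDeath() with a live recipient.
class FuzzDeathRecipient : public IBinder::DeathRecipient {
private:
    void binderDied(const wp<IBinder>& /*who*/) override {}
};

// Storage handed to IBinder::attachObject() below. attachObject() retains the
// pointers it is given, so the pointees must outlive the call; these
// file-scope statics (one copy per including translation unit) give stable
// addresses that a stack local could not.
static uint32_t objectID = 0;
static uint32_t object = 0;
static uint32_t cleanup_cookie = 0;

// Picks the key for findObject()/detachObject(). The key is an opaque
// `const void*`, so it is matched by pointer value: only the addresses that
// attachObject() above may actually have registered (&objectID, or nullptr)
// can hit an entry, while the caller's stack local is a guaranteed miss.
static inline void* pickObjectKey(FuzzedDataProvider* fdp, uint32_t* local) {
    if (fdp->ConsumeBool()) return static_cast<void*>(&objectID);
    if (fdp->ConsumeBool()) return nullptr;
    return static_cast<void*>(local);
}

/* This is a vector of lambda functions the fuzzer will pull from.
 * This is done so new functions can be added to the fuzzer easily
 * without requiring modifications to the main fuzzer file. This also
 * allows multiple fuzzers to include this file, if functionality is needed.
 *
 * Each entry receives the fuzzer's FuzzedDataProvider and the IBinder under
 * test. Return values are deliberately discarded: the goal is to drive
 * libbinder into crashes and sanitizer reports, not to check results.
 */
static const std::vector<std::function<void(FuzzedDataProvider*, IBinder*)>> gIBinderOperations = {
        // Pure queries that take no fuzz input.
        [](FuzzedDataProvider*, IBinder* ibinder) -> void { ibinder->getInterfaceDescriptor(); },
        [](FuzzedDataProvider*, IBinder* ibinder) -> void { ibinder->isBinderAlive(); },
        [](FuzzedDataProvider*, IBinder* ibinder) -> void { ibinder->pingBinder(); },

        // dump() with one fuzzer-chosen argument, written to the fuzzer's own
        // stdout. The argument is handed over as a C string, so anything after
        // an embedded NUL in the consumed bytes is dropped.
        [](FuzzedDataProvider* fdp, IBinder* ibinder) -> void {
            int fd = STDOUT_FILENO;
            std::string rand_str = fdp->ConsumeRandomLengthString(fdp->remaining_bytes());
            Vector<String16> args;
            args.push(String16(rand_str.c_str()));
            ibinder->dump(fd, args);
        },

        // attachObject() with fuzzer-chosen key/object/cookie pointers, each of
        // which may independently be null. The pointees are the file-scope
        // statics because attachObject() keeps the pointers. No cleanup
        // callback is registered (value-initialised -> null).
        [](FuzzedDataProvider* fdp, IBinder* ibinder) -> void {
            objectID = fdp->ConsumeIntegral<uint32_t>();
            object = fdp->ConsumeIntegral<uint32_t>();
            cleanup_cookie = fdp->ConsumeIntegral<uint32_t>();
            IBinder::object_cleanup_func func{};
            (void)ibinder->attachObject(
                    fdp->ConsumeBool() ? static_cast<void*>(&objectID) : nullptr,
                    fdp->ConsumeBool() ? static_cast<void*>(&object) : nullptr,
                    fdp->ConsumeBool() ? static_cast<void*>(&cleanup_cookie) : nullptr, func);
        },

        // findObject(): previously always keyed by the address of a fresh stack
        // local, which can never equal the &objectID key used by attachObject()
        // above, so only the "not found" path was ever reached. pickObjectKey()
        // now offers the registered keys as well as a guaranteed miss.
        [](FuzzedDataProvider* fdp, IBinder* ibinder) -> void {
            uint32_t id = fdp->ConsumeIntegral<uint32_t>();
            (void)ibinder->findObject(pickObjectKey(fdp, &id));
        },

        // detachObject(): same key selection as findObject() so that detaching
        // an actually attached entry is reachable.
        [](FuzzedDataProvider* fdp, IBinder* ibinder) -> void {
            uint32_t id = fdp->ConsumeIntegral<uint32_t>();
            (void)ibinder->detachObject(pickObjectKey(fdp, &id));
        },

        // transact() with a fuzzer-chosen code and unmasked flags, so every
        // flag bit is reachable, including ones not intended for callers.
        // NOTE(review): the data parcel is left empty, so this exercises
        // code/flag dispatch only; filling p_data from fdp would extend
        // coverage into the target's argument parsing.
        [](FuzzedDataProvider* fdp, IBinder* ibinder) -> void {
            uint32_t code = fdp->ConsumeIntegral<uint32_t>();
            Parcel p_data;
            Parcel reply;
            uint32_t flags = fdp->ConsumeIntegral<uint32_t>();
            (void)ibinder->transact(code, p_data, &reply, flags);
        }};

}  // namespace android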