1 /*
2 * Copyright (C) 2020 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <fuzzbinder/random_parcel.h>
18
19 #include <android-base/logging.h>
20 #include <binder/RpcSession.h>
21 #include <binder/RpcTransportRaw.h>
22 #include <fuzzbinder/random_binder.h>
23 #include <fuzzbinder/random_fd.h>
24 #include <utils/String16.h>
25
26 using android::binder::unique_fd;
27
28 namespace android {
29
fillRandomParcelData(Parcel * p,FuzzedDataProvider && provider)30 static void fillRandomParcelData(Parcel* p, FuzzedDataProvider&& provider) {
31 std::vector<uint8_t> data = provider.ConsumeBytes<uint8_t>(provider.remaining_bytes());
32 CHECK(OK == p->write(data.data(), data.size()));
33 }
34
fillRandomParcel(Parcel * p,FuzzedDataProvider && provider,RandomParcelOptions * options)35 void fillRandomParcel(Parcel* p, FuzzedDataProvider&& provider, RandomParcelOptions* options) {
36 CHECK_NE(options, nullptr);
37
38 if (provider.ConsumeBool()) {
39 auto session = RpcSession::make(RpcTransportCtxFactoryRaw::make());
40 CHECK_EQ(OK, session->addNullDebuggingClient());
41 // Set the protocol version so that we don't crash if the session
42 // actually gets used. This isn't cheating because the version should
43 // always be set if the session init succeeded and we aren't testing the
44 // session init here (it is bypassed by addNullDebuggingClient).
45 session->setProtocolVersion(RPC_WIRE_PROTOCOL_VERSION);
46 p->markForRpc(session);
47
48 if (options->writeHeader) {
49 options->writeHeader(p, provider);
50 }
51
52 fillRandomParcelData(p, std::move(provider));
53 return;
54 }
55
56 if (options->writeHeader) {
57 options->writeHeader(p, provider);
58 }
59
60 while (provider.remaining_bytes() > 0) {
61 auto fillFunc = provider.PickValueInArray<const std::function<void()>>({
62 // write data
63 [&]() {
64 size_t toWrite =
65 provider.ConsumeIntegralInRange<size_t>(0, provider.remaining_bytes());
66 std::vector<uint8_t> data = provider.ConsumeBytes<uint8_t>(toWrite);
67 CHECK(OK == p->write(data.data(), data.size()));
68 },
69 // write FD
70 [&]() {
71 // b/296516864 - Limit number of objects written to a parcel.
72 if (p->objectsCount() > 100) {
73 return;
74 }
75
76 if (provider.ConsumeBool() && options->extraFds.size() > 0) {
77 const unique_fd& fd = options->extraFds.at(
78 provider.ConsumeIntegralInRange<size_t>(0,
79 options->extraFds.size() -
80 1));
81 CHECK(OK == p->writeFileDescriptor(fd.get(), false /*takeOwnership*/));
82 } else {
83 // b/260119717 - Adding more FDs can eventually lead to FD limit exhaustion
84 if (options->extraFds.size() > 1000) {
85 return;
86 }
87
88 std::vector<unique_fd> fds = getRandomFds(&provider);
89 CHECK(OK ==
90 p->writeFileDescriptor(fds.begin()->release(),
91 true /*takeOwnership*/));
92 options->extraFds.insert(options->extraFds.end(),
93 std::make_move_iterator(fds.begin() + 1),
94 std::make_move_iterator(fds.end()));
95 }
96 },
97 // write binder
98 [&]() {
99 // b/296516864 - Limit number of objects written to a parcel.
100 if (p->objectsCount() > 100) {
101 return;
102 }
103
104 sp<IBinder> binder;
105 if (provider.ConsumeBool() && options->extraBinders.size() > 0) {
106 binder = options->extraBinders.at(
107 provider.ConsumeIntegralInRange<size_t>(0,
108 options->extraBinders
109 .size() -
110 1));
111 } else {
112 binder = getRandomBinder(&provider);
113 }
114 CHECK(OK == p->writeStrongBinder(binder));
115 },
116 });
117
118 fillFunc();
119 }
120 }
121
122 } // namespace android
123