xref: /aosp_15_r20/frameworks/native/libs/binder/tests/unit_fuzzers/RecordedTransactionFuzz.cpp (revision 38e8c45f13ce32b0dcecb25141ffecaf386fa17f) 
1 /*
2  * Copyright (C) 2023 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include <binder/RecordedTransaction.h>
18 #include <fuzzbinder/random_parcel.h>
19 #include <filesystem>
20 #include <string>
21 
22 #include "fuzzer/FuzzedDataProvider.h"
23 
24 using android::fillRandomParcel;
25 using android::binder::unique_fd;
26 
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)27 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
28     FuzzedDataProvider provider = FuzzedDataProvider(data, size);
29 
30     android::String16 interfaceName =
31             android::String16(provider.ConsumeRandomLengthString().c_str());
32 
33     uint32_t code = provider.ConsumeIntegral<uint32_t>();
34     uint32_t flags = provider.ConsumeIntegral<uint32_t>();
35     time_t sec = provider.ConsumeIntegral<time_t>();
36     long nsec = provider.ConsumeIntegral<long>();
37     timespec timestamp = {.tv_sec = sec, .tv_nsec = nsec};
38     android::status_t transactionStatus = provider.ConsumeIntegral<android::status_t>();
39 
40     std::vector<uint8_t> bytes = provider.ConsumeBytes<uint8_t>(
41             provider.ConsumeIntegralInRange<size_t>(0, provider.remaining_bytes()));
42 
43     // same options so that FDs and binders could be shared in both Parcels
44     android::RandomParcelOptions options;
45 
46     android::Parcel p0, p1;
47     fillRandomParcel(&p0, FuzzedDataProvider(bytes.data(), bytes.size()), &options);
48     fillRandomParcel(&p1, std::move(provider), &options);
49 
50     auto transaction =
51             android::binder::debug::RecordedTransaction::fromDetails(interfaceName, code, flags,
52                                                                      timestamp, p0, p1,
53                                                                      transactionStatus);
54 
55     if (transaction.has_value()) {
56         std::FILE* intermediateFile = std::tmpfile();
57         unique_fd fdForWriting(dup(fileno(intermediateFile)));
58         auto writeStatus [[maybe_unused]] = transaction.value().dumpToFile(fdForWriting);
59 
60         std::fclose(intermediateFile);
61     }
62 
63     return 0;
64 }
65