1 /* 2 * Copyright (C) 2019 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 #define FUZZ_LOG_TAG "binder" 17 18 #include "binder.h" 19 #include "parcelables/EmptyParcelable.h" 20 #include "parcelables/GenericDataParcelable.h" 21 #include "parcelables/SingleDataParcelable.h" 22 #include "util.h" 23 24 #include <android/os/IServiceManager.h> 25 #include <binder/ParcelableHolder.h> 26 #include <binder/PersistableBundle.h> 27 #include <binder/Status.h> 28 #include <fuzzbinder/random_binder.h> 29 #include <fuzzbinder/random_fd.h> 30 #include <utils/Flattenable.h> 31 32 #include "../../Utils.h" 33 34 using ::android::HexString; 35 using ::android::status_t; 36 using ::android::binder::unique_fd; 37 38 enum ByteEnum : int8_t {}; 39 enum IntEnum : int32_t {}; 40 enum LongEnum : int64_t {}; 41 42 class ExampleParcelable : public android::Parcelable { 43 public: writeToParcel(android::Parcel *) const44 status_t writeToParcel(android::Parcel* /*parcel*/) const override { 45 FUZZ_LOG() << "should not reach"; 46 abort(); 47 } readFromParcel(const android::Parcel * parcel)48 status_t readFromParcel(const android::Parcel* parcel) override { 49 mExampleExtraField++; 50 return parcel->readInt64(&(this->mExampleUsedData)); 51 } 52 private: 53 int64_t mExampleExtraField = 0; 54 int64_t mExampleUsedData = 0; 55 }; 56 57 struct ExampleFlattenable : public android::Flattenable<ExampleFlattenable> { 58 public: getFlattenedSizeExampleFlattenable59 size_t getFlattenedSize() const { return sizeof(mValue); } getFdCountExampleFlattenable60 size_t getFdCount() const { return 0; } flattenExampleFlattenable61 status_t flatten(void*& /*buffer*/, size_t& /*size*/, int*& /*fds*/, size_t& /*count*/) const { 62 FUZZ_LOG() << "should not reach"; 63 abort(); 64 } unflattenExampleFlattenable65 status_t unflatten(void const*& buffer, size_t& size, int const*& /*fds*/, size_t& /*count*/) { 66 if (size < sizeof(mValue)) { 67 return android::NO_MEMORY; 68 } 69 android::FlattenableUtils::read(buffer, size, mValue); 70 return android::OK; 71 } 72 private: 73 int32_t mValue = 0xFEEDBEEF; 74 }; 75 76 struct ExampleLightFlattenable : public android::LightFlattenablePod<ExampleLightFlattenable> { 77 int32_t mValue = 0; 78 }; 79 80 struct BigStruct { 81 uint8_t data[1337]; 82 }; 83 84 #define PARCEL_READ_WITH_STATUS(T, FUN) \ 85 [](const ::android::Parcel& p, FuzzedDataProvider& /*provider*/) { \ 86 FUZZ_LOG() << "about to read " #T " using " #FUN " with status"; \ 87 T t{}; \ 88 status_t status = p.FUN(&t); \ 89 FUZZ_LOG() << #T " status: " << status /* << " value: " << t*/; \ 90 } 91 92 #define PARCEL_READ_NO_STATUS(T, FUN) \ 93 [](const ::android::Parcel& p, FuzzedDataProvider& /*provider*/) { \ 94 FUZZ_LOG() << "about to read " #T " using " #FUN " with no status"; \ 95 T t = p.FUN(); \ 96 (void)t; \ 97 FUZZ_LOG() << #T " done " /* << " value: " << t*/; \ 98 } 99 100 #define PARCEL_READ_OPT_STATUS(T, FUN) \ 101 PARCEL_READ_WITH_STATUS(T, FUN), \ 102 PARCEL_READ_NO_STATUS(T, FUN) 103 104 #pragma clang diagnostic push 105 #pragma clang diagnostic ignored "-Wdeprecated-declarations" 106 // clang-format off 107 std::vector<ParcelRead<::android::Parcel>> BINDER_PARCEL_READ_FUNCTIONS { 108 PARCEL_READ_NO_STATUS(size_t, dataSize), 109 PARCEL_READ_NO_STATUS(size_t, dataAvail), 110 PARCEL_READ_NO_STATUS(size_t, dataPosition), 111 PARCEL_READ_NO_STATUS(size_t, dataCapacity), 112 PARCEL_READ_NO_STATUS(::android::binder::Status, enforceNoDataAvail), __anon5d41f7090102() 113 [] (const ::android::Parcel& p, FuzzedDataProvider& provider) { 114 // aborts on larger values 115 size_t pos = provider.ConsumeIntegralInRange<size_t>(0, INT32_MAX); 116 FUZZ_LOG() << "about to setDataPosition: " << pos; 117 p.setDataPosition(pos); 118 FUZZ_LOG() << "setDataPosition done"; 119 }, 120 PARCEL_READ_NO_STATUS(size_t, allowFds), 121 PARCEL_READ_NO_STATUS(size_t, hasFileDescriptors), 122 PARCEL_READ_NO_STATUS(std::vector<android::sp<android::IBinder>>, debugReadAllStrongBinders), 123 PARCEL_READ_NO_STATUS(std::vector<int>, debugReadAllFileDescriptors), __anon5d41f7090202() 124 [] (const ::android::Parcel& p, FuzzedDataProvider& provider) { 125 std::string interface = provider.ConsumeRandomLengthString(); 126 FUZZ_LOG() << "about to enforceInterface: " << interface; 127 bool b = p.enforceInterface(::android::String16(interface.c_str())); 128 FUZZ_LOG() << "enforced interface: " << b; 129 }, __anon5d41f7090302() 130 [] (const ::android::Parcel& p, FuzzedDataProvider& /*provider*/) { 131 FUZZ_LOG() << "about to checkInterface"; 132 android::sp<android::IBinder> aBinder = new android::BBinder(); 133 bool b = p.checkInterface(aBinder.get()); 134 FUZZ_LOG() << "checked interface: " << b; 135 }, 136 PARCEL_READ_NO_STATUS(size_t, objectsCount), 137 PARCEL_READ_NO_STATUS(status_t, errorCheck), __anon5d41f7090402() 138 [] (const ::android::Parcel& p, FuzzedDataProvider& provider) { 139 // Read at least a bit. Unbounded allocation would OOM. 140 size_t len = provider.ConsumeIntegralInRange<size_t>(0, 1024); 141 FUZZ_LOG() << "about to read void*"; 142 std::vector<uint8_t> data(len); 143 status_t status = p.read(data.data(), len); 144 FUZZ_LOG() << "read status: " << status; 145 }, __anon5d41f7090502() 146 [] (const ::android::Parcel& p, FuzzedDataProvider& provider) { 147 size_t len = provider.ConsumeIntegral<size_t>(); 148 FUZZ_LOG() << "about to readInplace"; 149 const void* r = p.readInplace(len); 150 FUZZ_LOG() << "readInplace done. pointer: " << r << " bytes: " << (r ? HexString(r, len) : "null"); 151 }, 152 PARCEL_READ_OPT_STATUS(int32_t, readInt32), 153 PARCEL_READ_OPT_STATUS(uint32_t, readUint32), 154 PARCEL_READ_OPT_STATUS(int64_t, readInt64), 155 PARCEL_READ_OPT_STATUS(uint64_t, readUint64), 156 PARCEL_READ_OPT_STATUS(float, readFloat), 157 PARCEL_READ_OPT_STATUS(double, readDouble), 158 PARCEL_READ_OPT_STATUS(bool, readBool), 159 PARCEL_READ_OPT_STATUS(char16_t, readChar), 160 PARCEL_READ_OPT_STATUS(int8_t, readByte), 161 162 PARCEL_READ_WITH_STATUS(std::string, readUtf8FromUtf16), 163 PARCEL_READ_WITH_STATUS(std::unique_ptr<std::string>, readUtf8FromUtf16), 164 PARCEL_READ_WITH_STATUS(std::optional<std::string>, readUtf8FromUtf16), __anon5d41f7090602() 165 [] (const ::android::Parcel& p, FuzzedDataProvider& /*provider*/) { 166 FUZZ_LOG() << "about to read c-str"; 167 const char* str = p.readCString(); 168 FUZZ_LOG() << "read c-str: " << (str ? str : "<empty string>"); 169 }, 170 PARCEL_READ_OPT_STATUS(android::String8, readString8), __anon5d41f7090702() 171 [] (const ::android::Parcel& p, FuzzedDataProvider& /*provider*/) { 172 FUZZ_LOG() << "about to readString8Inplace"; 173 size_t outLen = 0; 174 const char* str = p.readString8Inplace(&outLen); 175 std::string bytes = str ? HexString(str, sizeof(char) * (outLen + 1)) : "null"; 176 FUZZ_LOG() << "readString8Inplace: " << bytes << " size: " << outLen; 177 }, 178 PARCEL_READ_OPT_STATUS(android::String16, readString16), 179 PARCEL_READ_WITH_STATUS(std::unique_ptr<android::String16>, readString16), 180 PARCEL_READ_WITH_STATUS(std::optional<android::String16>, readString16), __anon5d41f7090802() 181 [] (const ::android::Parcel& p, FuzzedDataProvider& /*provider*/) { 182 FUZZ_LOG() << "about to readString16Inplace"; 183 size_t outLen = 0; 184 const char16_t* str = p.readString16Inplace(&outLen); 185 std::string bytes = str ? HexString(str, sizeof(char16_t) * (outLen + 1)) : "null"; 186 FUZZ_LOG() << "readString16Inplace: " << bytes << " size: " << outLen; 187 }, 188 PARCEL_READ_WITH_STATUS(android::sp<android::IBinder>, readStrongBinder), 189 PARCEL_READ_WITH_STATUS(android::sp<android::IBinder>, readNullableStrongBinder), 190 191 PARCEL_READ_WITH_STATUS(std::vector<ByteEnum>, readEnumVector), 192 PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<ByteEnum>>, readEnumVector), 193 PARCEL_READ_WITH_STATUS(std::optional<std::vector<ByteEnum>>, readEnumVector), 194 PARCEL_READ_WITH_STATUS(std::vector<IntEnum>, readEnumVector), 195 PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<IntEnum>>, readEnumVector), 196 PARCEL_READ_WITH_STATUS(std::optional<std::vector<IntEnum>>, readEnumVector), 197 PARCEL_READ_WITH_STATUS(std::vector<LongEnum>, readEnumVector), 198 PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<LongEnum>>, readEnumVector), 199 PARCEL_READ_WITH_STATUS(std::optional<std::vector<LongEnum>>, readEnumVector), 200 201 // only reading one parcelable type for now 202 PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<std::unique_ptr<ExampleParcelable>>>, readParcelableVector), 203 PARCEL_READ_WITH_STATUS(std::optional<std::vector<std::optional<ExampleParcelable>>>, readParcelableVector), 204 PARCEL_READ_WITH_STATUS(std::vector<ExampleParcelable>, readParcelableVector), 205 PARCEL_READ_WITH_STATUS(ExampleParcelable, readParcelable), 206 PARCEL_READ_WITH_STATUS(std::unique_ptr<ExampleParcelable>, readParcelable), 207 PARCEL_READ_WITH_STATUS(std::optional<ExampleParcelable>, readParcelable), 208 209 // only reading one binder type for now 210 PARCEL_READ_WITH_STATUS(android::sp<android::os::IServiceManager>, readStrongBinder), 211 PARCEL_READ_WITH_STATUS(android::sp<android::os::IServiceManager>, readNullableStrongBinder), 212 PARCEL_READ_WITH_STATUS(std::vector<android::sp<android::os::IServiceManager>>, readStrongBinderVector), 213 PARCEL_READ_WITH_STATUS(std::optional<std::vector<android::sp<android::os::IServiceManager>>>, readStrongBinderVector), 214 215 PARCEL_READ_WITH_STATUS(::std::unique_ptr<std::vector<android::sp<android::IBinder>>>, readStrongBinderVector), 216 PARCEL_READ_WITH_STATUS(::std::optional<std::vector<android::sp<android::IBinder>>>, readStrongBinderVector), 217 PARCEL_READ_WITH_STATUS(std::vector<android::sp<android::IBinder>>, readStrongBinderVector), 218 219 PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<int8_t>>, readByteVector), 220 PARCEL_READ_WITH_STATUS(std::optional<std::vector<int8_t>>, readByteVector), 221 PARCEL_READ_WITH_STATUS(std::vector<int8_t>, readByteVector), 222 PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<uint8_t>>, readByteVector), 223 PARCEL_READ_WITH_STATUS(std::optional<std::vector<uint8_t>>, readByteVector), 224 PARCEL_READ_WITH_STATUS(std::vector<uint8_t>, readByteVector), 225 PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<int32_t>>, readInt32Vector), 226 PARCEL_READ_WITH_STATUS(std::optional<std::vector<int32_t>>, readInt32Vector), 227 PARCEL_READ_WITH_STATUS(std::vector<int32_t>, readInt32Vector), 228 PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<int64_t>>, readInt64Vector), 229 PARCEL_READ_WITH_STATUS(std::optional<std::vector<int64_t>>, readInt64Vector), 230 PARCEL_READ_WITH_STATUS(std::vector<int64_t>, readInt64Vector), 231 PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<uint64_t>>, readUint64Vector), 232 PARCEL_READ_WITH_STATUS(std::optional<std::vector<uint64_t>>, readUint64Vector), 233 PARCEL_READ_WITH_STATUS(std::vector<uint64_t>, readUint64Vector), 234 PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<float>>, readFloatVector), 235 PARCEL_READ_WITH_STATUS(std::optional<std::vector<float>>, readFloatVector), 236 PARCEL_READ_WITH_STATUS(std::vector<float>, readFloatVector), 237 PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<double>>, readDoubleVector), 238 PARCEL_READ_WITH_STATUS(std::optional<std::vector<double>>, readDoubleVector), 239 PARCEL_READ_WITH_STATUS(std::vector<double>, readDoubleVector), 240 PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<bool>>, readBoolVector), 241 PARCEL_READ_WITH_STATUS(std::optional<std::vector<bool>>, readBoolVector), 242 PARCEL_READ_WITH_STATUS(std::vector<bool>, readBoolVector), 243 PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<char16_t>>, readCharVector), 244 PARCEL_READ_WITH_STATUS(std::optional<std::vector<char16_t>>, readCharVector), 245 PARCEL_READ_WITH_STATUS(std::vector<char16_t>, readCharVector), 246 PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<std::unique_ptr<android::String16>>>, readString16Vector), 247 PARCEL_READ_WITH_STATUS(std::optional<std::vector<std::optional<android::String16>>>, readString16Vector), 248 PARCEL_READ_WITH_STATUS(std::vector<android::String16>, readString16Vector), 249 PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<std::unique_ptr<std::string>>>, readUtf8VectorFromUtf16Vector), 250 PARCEL_READ_WITH_STATUS(std::optional<std::vector<std::optional<std::string>>>, readUtf8VectorFromUtf16Vector), 251 PARCEL_READ_WITH_STATUS(std::vector<std::string>, readUtf8VectorFromUtf16Vector), 252 253 #define COMMA , 254 PARCEL_READ_WITH_STATUS(std::array<uint8_t COMMA 3>, readFixedArray), 255 PARCEL_READ_WITH_STATUS(std::optional<std::array<uint8_t COMMA 3>>, readFixedArray), 256 PARCEL_READ_WITH_STATUS(std::array<char16_t COMMA 3>, readFixedArray), 257 PARCEL_READ_WITH_STATUS(std::optional<std::array<char16_t COMMA 3>>, readFixedArray), 258 PARCEL_READ_WITH_STATUS(std::array<std::string COMMA 3>, readFixedArray), 259 PARCEL_READ_WITH_STATUS(std::optional<std::array<std::optional<std::string> COMMA 3>>, readFixedArray), 260 PARCEL_READ_WITH_STATUS(std::array<android::String16 COMMA 3>, readFixedArray), 261 PARCEL_READ_WITH_STATUS(std::optional<std::array<std::optional<android::String16> COMMA 3>>, readFixedArray), 262 PARCEL_READ_WITH_STATUS(std::array<android::sp<android::IBinder> COMMA 3>, readFixedArray), 263 PARCEL_READ_WITH_STATUS(std::optional<std::array<android::sp<android::IBinder> COMMA 3>>, readFixedArray), 264 PARCEL_READ_WITH_STATUS(std::array<ExampleParcelable COMMA 3>, readFixedArray), 265 PARCEL_READ_WITH_STATUS(std::optional<std::array<std::optional<ExampleParcelable> COMMA 3>>, readFixedArray), 266 PARCEL_READ_WITH_STATUS(std::array<ByteEnum COMMA 3>, readFixedArray), 267 PARCEL_READ_WITH_STATUS(std::optional<std::array<ByteEnum COMMA 3>>, readFixedArray), 268 PARCEL_READ_WITH_STATUS(std::array<IntEnum COMMA 3>, readFixedArray), 269 PARCEL_READ_WITH_STATUS(std::optional<std::array<IntEnum COMMA 3>>, readFixedArray), 270 PARCEL_READ_WITH_STATUS(std::array<LongEnum COMMA 3>, readFixedArray), 271 PARCEL_READ_WITH_STATUS(std::optional<std::array<LongEnum COMMA 3>>, readFixedArray), 272 // nested arrays 273 PARCEL_READ_WITH_STATUS(std::array<std::array<uint8_t COMMA 3> COMMA 4>, readFixedArray), 274 PARCEL_READ_WITH_STATUS(std::optional<std::array<std::array<uint8_t COMMA 3> COMMA 4>>, readFixedArray), 275 PARCEL_READ_WITH_STATUS(std::array<ExampleParcelable COMMA 3>, readFixedArray), 276 PARCEL_READ_WITH_STATUS(std::optional<std::array<std::array<std::optional<ExampleParcelable> COMMA 3> COMMA 4>>, readFixedArray), 277 #undef COMMA 278 __anon5d41f7090902() 279 [] (const ::android::Parcel& p, FuzzedDataProvider& /*provider*/) { 280 FUZZ_LOG() << "about to read flattenable"; 281 ExampleFlattenable f; 282 status_t status = p.read(f); 283 FUZZ_LOG() << "read flattenable: " << status; 284 }, __anon5d41f7090a02() 285 [] (const ::android::Parcel& p, FuzzedDataProvider& /*provider*/) { 286 FUZZ_LOG() << "about to read lite flattenable"; 287 ExampleLightFlattenable f; 288 status_t status = p.read(f); 289 FUZZ_LOG() << "read lite flattenable: " << status; 290 }, 291 292 PARCEL_READ_WITH_STATUS(std::vector<uint8_t>, resizeOutVector), 293 PARCEL_READ_WITH_STATUS(std::optional<std::vector<uint8_t>>, resizeOutVector), 294 PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<uint8_t>>, resizeOutVector), 295 PARCEL_READ_WITH_STATUS(std::vector<BigStruct>, resizeOutVector), 296 PARCEL_READ_WITH_STATUS(std::optional<std::vector<BigStruct>>, resizeOutVector), 297 PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<BigStruct>>, resizeOutVector), 298 299 PARCEL_READ_NO_STATUS(int32_t, readExceptionCode), __anon5d41f7090b02() 300 [] (const ::android::Parcel& p, FuzzedDataProvider& /*provider*/) { 301 FUZZ_LOG() << "about to readNativeHandle"; 302 native_handle_t* t = p.readNativeHandle(); 303 FUZZ_LOG() << "readNativeHandle: " << t; 304 if (t != nullptr) { 305 FUZZ_LOG() << "about to free readNativeHandle"; 306 native_handle_close(t); 307 native_handle_delete(t); 308 FUZZ_LOG() << "readNativeHandle freed"; 309 } 310 }, 311 PARCEL_READ_NO_STATUS(int, readFileDescriptor), 312 PARCEL_READ_NO_STATUS(int, readParcelFileDescriptor), 313 PARCEL_READ_WITH_STATUS(unique_fd, readUniqueFileDescriptor), 314 315 PARCEL_READ_WITH_STATUS(std::unique_ptr<std::vector<unique_fd>>, 316 readUniqueFileDescriptorVector), 317 PARCEL_READ_WITH_STATUS(std::optional<std::vector<unique_fd>>, readUniqueFileDescriptorVector), 318 PARCEL_READ_WITH_STATUS(std::vector<unique_fd>, readUniqueFileDescriptorVector), 319 __anon5d41f7090c02() 320 [] (const ::android::Parcel& p, FuzzedDataProvider& provider) { 321 size_t len = provider.ConsumeIntegral<size_t>(); 322 FUZZ_LOG() << "about to readBlob"; 323 ::android::Parcel::ReadableBlob blob; 324 status_t status = p.readBlob(len, &blob); 325 FUZZ_LOG() << "readBlob status: " << status; 326 }, __anon5d41f7090d02() 327 [] (const ::android::Parcel& p, FuzzedDataProvider& provider) { 328 FUZZ_LOG() << "about to readObject"; 329 bool nullMetaData = provider.ConsumeBool(); 330 const void* obj = static_cast<const void*>(p.readObject(nullMetaData)); 331 FUZZ_LOG() << "readObject: " << obj; 332 }, 333 PARCEL_READ_NO_STATUS(uid_t, readCallingWorkSourceUid), 334 PARCEL_READ_NO_STATUS(size_t, getOpenAshmemSize), 335 336 // additional parcelable objects defined in libbinder __anon5d41f7090e02() 337 [] (const ::android::Parcel& p, FuzzedDataProvider& provider) { 338 using ::android::os::ParcelableHolder; 339 using ::android::Parcelable; 340 FUZZ_LOG() << "about to read ParcelableHolder using readParcelable with status"; 341 Parcelable::Stability stability = provider.ConsumeBool() 342 ? Parcelable::Stability::STABILITY_LOCAL 343 : Parcelable::Stability::STABILITY_VINTF; 344 ParcelableHolder t = ParcelableHolder(stability); 345 status_t status = p.readParcelable(&t); 346 FUZZ_LOG() << "ParcelableHolder status: " << status; 347 }, 348 PARCEL_READ_WITH_STATUS(android::os::PersistableBundle, readParcelable), __anon5d41f7090f02() 349 [] (const ::android::Parcel& p, FuzzedDataProvider& /*provider*/) { 350 FUZZ_LOG() << "about to call hasFileDescriptorsInRange() with status"; 351 size_t offset = p.readUint32(); 352 size_t length = p.readUint32(); 353 bool result; 354 status_t status = p.hasFileDescriptorsInRange(offset, length, &result); 355 FUZZ_LOG() << " status: " << status << " result: " << result; 356 }, __anon5d41f7091002() 357 [] (const ::android::Parcel& p, FuzzedDataProvider& /*provider*/) { 358 FUZZ_LOG() << "about to call hasBinders() with status"; 359 bool result; 360 status_t status = p.hasBinders(&result); 361 FUZZ_LOG() << " status: " << status << " result: " << result; 362 }, __anon5d41f7091102() 363 [] (const ::android::Parcel& p, FuzzedDataProvider& /*provider*/) { 364 FUZZ_LOG() << "about to call hasBindersInRange() with status"; 365 size_t offset = p.readUint32(); 366 size_t length = p.readUint32(); 367 bool result; 368 status_t status = p.hasBindersInRange(offset, length, &result); 369 FUZZ_LOG() << " status: " << status << " result: " << result; 370 }, __anon5d41f7091202() 371 [] (const ::android::Parcel& p, FuzzedDataProvider& /*provider*/) { 372 FUZZ_LOG() << "about to call compareDataInRange() with status"; 373 size_t thisOffset = p.readUint32(); 374 size_t otherOffset = p.readUint32(); 375 size_t length = p.readUint32(); 376 int result; 377 status_t status = p.compareDataInRange(thisOffset, p, otherOffset, length, &result); 378 FUZZ_LOG() << " status: " << status << " result: " << result; 379 }, __anon5d41f7091302() 380 [] (const ::android::Parcel& p, FuzzedDataProvider& /*provider*/) { 381 FUZZ_LOG() << "about to call readFromParcel() with status for EmptyParcelable"; 382 parcelables::EmptyParcelable emptyParcelable{}; 383 status_t status = emptyParcelable.readFromParcel(&p); 384 FUZZ_LOG() << " status: " << status; 385 }, __anon5d41f7091402() 386 [] (const ::android::Parcel& p , FuzzedDataProvider& /*provider*/) { 387 FUZZ_LOG() << "about to call readFromParcel() with status for SingleDataParcelable"; 388 parcelables::SingleDataParcelable singleDataParcelable; 389 status_t status = singleDataParcelable.readFromParcel(&p); 390 FUZZ_LOG() << " status: " << status; 391 }, __anon5d41f7091502() 392 [] (const ::android::Parcel& p, FuzzedDataProvider& /*provider*/) { 393 FUZZ_LOG() << "about to call readFromParcel() with status for GenericDataParcelable"; 394 parcelables::GenericDataParcelable genericDataParcelable; 395 status_t status = genericDataParcelable.readFromParcel(&p); 396 FUZZ_LOG() << " status: " << status; 397 std::string toString = genericDataParcelable.toString(); 398 FUZZ_LOG() << " toString() result: " << toString; 399 }, 400 }; 401 402 std::vector<ParcelWrite<::android::Parcel>> BINDER_PARCEL_WRITE_FUNCTIONS { __anon5d41f7091602() 403 [] (::android::Parcel& p, FuzzedDataProvider& provider, android::RandomParcelOptions* /*options*/) { 404 FUZZ_LOG() << "about to call setDataSize"; 405 size_t len = provider.ConsumeIntegralInRange<size_t>(0, 1024); 406 p.setDataSize(len); 407 }, __anon5d41f7091702() 408 [] (::android::Parcel& p, FuzzedDataProvider& provider, android::RandomParcelOptions* /*options*/) { 409 FUZZ_LOG() << "about to call setDataCapacity"; 410 size_t len = provider.ConsumeIntegralInRange<size_t>(0, 1024); 411 p.setDataCapacity(len); 412 }, __anon5d41f7091802() 413 [] (::android::Parcel& p, FuzzedDataProvider& provider, android::RandomParcelOptions* /*options*/) { 414 FUZZ_LOG() << "about to call setData"; 415 size_t len = provider.ConsumeIntegralInRange<size_t>(0, 1024); 416 std::vector<uint8_t> bytes = provider.ConsumeBytes<uint8_t>(len); 417 p.setData(bytes.data(), bytes.size()); 418 }, __anon5d41f7091902() 419 [] (::android::Parcel& p, FuzzedDataProvider& provider, android::RandomParcelOptions* options) { 420 FUZZ_LOG() << "about to call appendFrom"; 421 422 std::vector<uint8_t> bytes = provider.ConsumeBytes<uint8_t>(provider.ConsumeIntegralInRange<size_t>(0, 4096)); 423 ::android::Parcel p2; 424 fillRandomParcel(&p2, FuzzedDataProvider(bytes.data(), bytes.size()), options); 425 426 int32_t start = provider.ConsumeIntegral<int32_t>(); 427 int32_t len = provider.ConsumeIntegral<int32_t>(); 428 p.appendFrom(&p2, start, len); 429 }, __anon5d41f7091a02() 430 [] (::android::Parcel& p, FuzzedDataProvider& provider, android::RandomParcelOptions* /*options*/) { 431 FUZZ_LOG() << "about to call pushAllowFds"; 432 bool val = provider.ConsumeBool(); 433 p.pushAllowFds(val); 434 }, __anon5d41f7091b02() 435 [] (::android::Parcel& p, FuzzedDataProvider& provider, android::RandomParcelOptions* /*options*/) { 436 FUZZ_LOG() << "about to call restoreAllowFds"; 437 bool val = provider.ConsumeBool(); 438 p.restoreAllowFds(val); 439 }, 440 // markForBinder - covered by fillRandomParcel, aborts if called multiple times 441 // markForRpc - covered by fillRandomParcel, aborts if called multiple times __anon5d41f7091c02() 442 [] (::android::Parcel& p, FuzzedDataProvider& provider, android::RandomParcelOptions* /*options*/) { 443 FUZZ_LOG() << "about to call writeInterfaceToken"; 444 std::string interface = provider.ConsumeRandomLengthString(); 445 p.writeInterfaceToken(android::String16(interface.c_str())); 446 }, __anon5d41f7091d02() 447 [] (::android::Parcel& p, FuzzedDataProvider& provider, android::RandomParcelOptions* /*options*/) { 448 FUZZ_LOG() << "about to call setEnforceNoDataAvail"; 449 p.setEnforceNoDataAvail(provider.ConsumeBool()); 450 }, __anon5d41f7091e02() 451 [] (::android::Parcel& p, FuzzedDataProvider& /* provider */, android::RandomParcelOptions* /*options*/) { 452 FUZZ_LOG() << "about to call setServiceFuzzing"; 453 p.setServiceFuzzing(); 454 }, __anon5d41f7091f02() 455 [] (::android::Parcel& p, FuzzedDataProvider& /* provider */, android::RandomParcelOptions* /*options*/) { 456 FUZZ_LOG() << "about to call freeData"; 457 p.freeData(); 458 }, __anon5d41f7092002() 459 [] (::android::Parcel& p, FuzzedDataProvider& provider, android::RandomParcelOptions* /*options*/) { 460 FUZZ_LOG() << "about to call write"; 461 size_t len = provider.ConsumeIntegralInRange<size_t>(0, 256); 462 std::vector<uint8_t> bytes = provider.ConsumeBytes<uint8_t>(len); 463 p.write(bytes.data(), bytes.size()); 464 }, 465 // write* - write functions all implemented by calling 'write' itself. __anon5d41f7092102() 466 [] (::android::Parcel& p, FuzzedDataProvider& provider, android::RandomParcelOptions* options) { 467 FUZZ_LOG() << "about to call writeStrongBinder"; 468 469 // TODO: this logic is somewhat duplicated with random parcel 470 android::sp<android::IBinder> binder; 471 if (provider.ConsumeBool() && options->extraBinders.size() > 0) { 472 binder = options->extraBinders.at( 473 provider.ConsumeIntegralInRange<size_t>(0, options->extraBinders.size() - 1)); 474 } else { 475 binder = android::getRandomBinder(&provider); 476 options->extraBinders.push_back(binder); 477 } 478 479 p.writeStrongBinder(binder); 480 }, __anon5d41f7092202() 481 [] (::android::Parcel& p, FuzzedDataProvider& /* provider */, android::RandomParcelOptions* /*options*/) { 482 FUZZ_LOG() << "about to call writeFileDescriptor (no ownership)"; 483 p.writeFileDescriptor(STDERR_FILENO, false /* takeOwnership */); 484 }, __anon5d41f7092302() 485 [] (::android::Parcel& p, FuzzedDataProvider& provider, android::RandomParcelOptions* options) { 486 FUZZ_LOG() << "about to call writeFileDescriptor (take ownership)"; 487 std::vector<unique_fd> fds = android::getRandomFds(&provider); 488 if (fds.size() == 0) return; 489 490 p.writeDupFileDescriptor(fds.at(0).get()); 491 options->extraFds.insert(options->extraFds.end(), 492 std::make_move_iterator(fds.begin() + 1), 493 std::make_move_iterator(fds.end())); 494 }, 495 // TODO: writeBlob 496 // TODO: writeDupImmutableBlobFileDescriptor 497 // TODO: writeObject (or make the API private more likely) __anon5d41f7092402() 498 [] (::android::Parcel& p, FuzzedDataProvider& /* provider */, android::RandomParcelOptions* /*options*/) { 499 FUZZ_LOG() << "about to call writeNoException"; 500 p.writeNoException(); 501 }, __anon5d41f7092502() 502 [] (::android::Parcel& p, FuzzedDataProvider& provider, android::RandomParcelOptions* /*options*/) { 503 FUZZ_LOG() << "about to call replaceCallingWorkSourceUid"; 504 uid_t uid = provider.ConsumeIntegral<uid_t>(); 505 p.replaceCallingWorkSourceUid(uid); 506 }, 507 }; 508 509 // clang-format on 510 #pragma clang diagnostic pop 511