1 /*
2  * Copyright (C) 2022 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 #include <fuzzbinder/libbinder_driver.h>
17 
18 #include <fuzzbinder/random_parcel.h>
19 
20 #include <android-base/logging.h>
21 #include <binder/IPCThreadState.h>
22 #include <binder/ProcessState.h>
23 
24 #include <private/android_filesystem_config.h>
25 
26 using android::binder::unique_fd;
27 
28 namespace android {
29 
fuzzService(const sp<IBinder> & binder,FuzzedDataProvider && provider)30 void fuzzService(const sp<IBinder>& binder, FuzzedDataProvider&& provider) {
31     fuzzService(std::vector<sp<IBinder>>{binder}, std::move(provider));
32 }
33 
fuzzService(const std::vector<sp<IBinder>> & binders,FuzzedDataProvider && provider)34 void fuzzService(const std::vector<sp<IBinder>>& binders, FuzzedDataProvider&& provider) {
35     RandomParcelOptions options{
36             .extraBinders = binders,
37             .extraFds = {},
38     };
39 
40     // Reserved bytes so that we don't have to change fuzzers and seed corpus if
41     // we introduce anything new in fuzzService.
42     std::vector<uint8_t> reservedBytes = provider.ConsumeBytes<uint8_t>(8);
43     (void)reservedBytes;
44 
45     // always refresh the calling identity, because we sometimes set it below, but also,
46     // the code we're fuzzing might reset it
47     IPCThreadState::self()->clearCallingIdentity();
48 
49     // Always take so that a perturbation of just the one ConsumeBool byte will always
50     // take the same path, but with a different UID. Without this, the fuzzer needs to
51     // guess both the change in value and the shift at the same time.
52     int64_t maybeSetUid = provider.PickValueInArray<int64_t>(
53             {static_cast<int64_t>(AID_ROOT) << 32, static_cast<int64_t>(AID_SYSTEM) << 32,
54              provider.ConsumeIntegralInRange<int64_t>(static_cast<int64_t>(AID_ROOT) << 32,
55                                                       static_cast<int64_t>(AID_USER) << 32),
56              provider.ConsumeIntegral<int64_t>()});
57 
58     if (provider.ConsumeBool()) {
59         // set calling uid
60         IPCThreadState::self()->restoreCallingIdentity(maybeSetUid);
61     }
62 
63     while (provider.remaining_bytes() > 0) {
64         // Most of the AIDL services will have small set of transaction codes.
65         // TODO(b/295942369) : Add remaining transact codes from IBinder.h
66         uint32_t code = provider.ConsumeBool() ? provider.ConsumeIntegral<uint32_t>()
67                 : provider.ConsumeBool()
68                 ? provider.ConsumeIntegralInRange<uint32_t>(0, 100)
69                 : provider.PickValueInArray<uint32_t>(
70                           {IBinder::DUMP_TRANSACTION, IBinder::PING_TRANSACTION,
71                            IBinder::SHELL_COMMAND_TRANSACTION, IBinder::INTERFACE_TRANSACTION,
72                            IBinder::SYSPROPS_TRANSACTION, IBinder::EXTENSION_TRANSACTION,
73                            IBinder::TWEET_TRANSACTION, IBinder::LIKE_TRANSACTION});
74         uint32_t flags = provider.ConsumeIntegral<uint32_t>();
75         Parcel data;
76         // for increased fuzz coverage
77         data.setEnforceNoDataAvail(false);
78         data.setServiceFuzzing();
79 
80         sp<IBinder> target = options.extraBinders.at(
81                 provider.ConsumeIntegralInRange<size_t>(0, options.extraBinders.size() - 1));
82         options.writeHeader = [&target](Parcel* p, FuzzedDataProvider& provider) {
83             // most code will be behind checks that the head of the Parcel
84             // is exactly this, so make it easier for fuzzers to reach this
85             if (provider.ConsumeBool()) {
86                 p->writeInterfaceToken(target->getInterfaceDescriptor());
87             }
88         };
89 
90         std::vector<uint8_t> subData = provider.ConsumeBytes<uint8_t>(
91                 provider.ConsumeIntegralInRange<size_t>(0, provider.remaining_bytes()));
92         fillRandomParcel(&data, FuzzedDataProvider(subData.data(), subData.size()), &options);
93 
94         Parcel reply;
95         // for increased fuzz coverage
96         reply.setEnforceNoDataAvail(false);
97         reply.setServiceFuzzing();
98         (void)target->transact(code, data, &reply, flags);
99 
100         // feed back in binders and fds that are returned from the service, so that
101         // we can fuzz those binders, and use the fds and binders to feed back into
102         // the binders
103         auto retBinders = reply.debugReadAllStrongBinders();
104         options.extraBinders.insert(options.extraBinders.end(), retBinders.begin(),
105                                     retBinders.end());
106         auto retFds = reply.debugReadAllFileDescriptors();
107         for (size_t i = 0; i < retFds.size(); i++) {
108             options.extraFds.push_back(unique_fd(dup(retFds[i])));
109         }
110     }
111 
112     // invariants
113     auto ps = ProcessState::selfOrNull();
114     if (ps) {
115         CHECK_EQ(0, ps->getThreadPoolMaxTotalThreadCount())
116                 << "Binder threadpool should not be started by fuzzer because coverage can only "
117                    "cover in-process calls.";
118     }
119 }
120 
121 } // namespace android
122