177 lines
6.0 KiB
C++
177 lines
6.0 KiB
C++
/*
|
|
* Copyright (C) 2021 The Android Open Source Project
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
#include <android-base/file.h>
|
|
#include <android-base/logging.h>
|
|
#include <android-base/unique_fd.h>
|
|
#include <binder/Binder.h>
|
|
#include <binder/Parcel.h>
|
|
#include <binder/RpcServer.h>
|
|
#include <binder/RpcTlsTestUtils.h>
|
|
#include <binder/RpcTransport.h>
|
|
#include <binder/RpcTransportRaw.h>
|
|
#include <binder/RpcTransportTls.h>
|
|
#include <fuzzer/FuzzedDataProvider.h>
|
|
#include <openssl/rand.h>
|
|
#include <openssl/ssl.h>
|
|
|
|
#include <sys/resource.h>
|
|
#include <sys/un.h>
|
|
|
|
namespace android {
|
|
|
|
static const std::string kSock = std::string(getenv("TMPDIR") ?: "/tmp") +
|
|
"/binderRpcFuzzerSocket_" + std::to_string(getpid());
|
|
|
|
class SomeBinder : public BBinder {
|
|
status_t onTransact(uint32_t code, const Parcel& data, Parcel* reply, uint32_t flags = 0) {
|
|
(void)flags;
|
|
|
|
if ((code & 1) == 0) {
|
|
sp<IBinder> binder;
|
|
(void)data.readStrongBinder(&binder);
|
|
if (binder != nullptr) {
|
|
(void)binder->pingBinder();
|
|
}
|
|
}
|
|
if ((code & 2) == 0) {
|
|
(void)data.readInt32();
|
|
}
|
|
if ((code & 4) == 0) {
|
|
(void)reply->writeStrongBinder(sp<BBinder>::make());
|
|
}
|
|
|
|
return OK;
|
|
}
|
|
};
|
|
|
|
int passwordCallback(char* buf, int size, int /*rwflag*/, void* /*u*/) {
|
|
constexpr const char pass[] = "xxxx"; // See create_certs.sh
|
|
if (size <= 0) return 0;
|
|
int numCopy = std::min<int>(size, sizeof(pass));
|
|
(void)memcpy(buf, pass, numCopy);
|
|
return numCopy;
|
|
}
|
|
|
|
struct ServerAuth {
|
|
bssl::UniquePtr<EVP_PKEY> pkey;
|
|
bssl::UniquePtr<X509> cert;
|
|
};
|
|
|
|
// Use pre-configured keys because runtime generated keys / certificates are not
|
|
// deterministic, and the algorithm is time consuming.
|
|
ServerAuth readServerKeyAndCert() {
|
|
ServerAuth ret;
|
|
|
|
auto keyPath = android::base::GetExecutableDirectory() + "/data/server.key";
|
|
bssl::UniquePtr<BIO> keyBio(BIO_new_file(keyPath.c_str(), "r"));
|
|
ret.pkey.reset(PEM_read_bio_PrivateKey(keyBio.get(), nullptr, passwordCallback, nullptr));
|
|
CHECK_NE(ret.pkey.get(), nullptr);
|
|
|
|
auto certPath = android::base::GetExecutableDirectory() + "/data/server.crt";
|
|
bssl::UniquePtr<BIO> certBio(BIO_new_file(certPath.c_str(), "r"));
|
|
ret.cert.reset(PEM_read_bio_X509(certBio.get(), nullptr, nullptr, nullptr));
|
|
CHECK_NE(ret.cert.get(), nullptr);
|
|
|
|
return ret;
|
|
}
|
|
|
|
std::unique_ptr<RpcAuth> createServerRpcAuth() {
|
|
static auto sAuth = readServerKeyAndCert();
|
|
|
|
CHECK(EVP_PKEY_up_ref(sAuth.pkey.get()));
|
|
bssl::UniquePtr<EVP_PKEY> pkey(sAuth.pkey.get());
|
|
CHECK(X509_up_ref(sAuth.cert.get()));
|
|
bssl::UniquePtr<X509> cert(sAuth.cert.get());
|
|
|
|
return std::make_unique<RpcAuthPreSigned>(std::move(pkey), std::move(cert));
|
|
}
|
|
|
|
std::unique_ptr<RpcTransportCtxFactory> makeTransportCtxFactory(FuzzedDataProvider* provider) {
|
|
bool isTls = provider->ConsumeBool();
|
|
if (!isTls) {
|
|
return RpcTransportCtxFactoryRaw::make();
|
|
}
|
|
status_t verifyStatus = provider->ConsumeIntegral<status_t>();
|
|
auto verifier = std::make_shared<RpcCertificateVerifierNoOp>(verifyStatus);
|
|
return RpcTransportCtxFactoryTls::make(verifier, createServerRpcAuth());
|
|
}
|
|
|
|
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
|
|
if (size > 50000) return 0;
|
|
FuzzedDataProvider provider(data, size);
|
|
RAND_reset_for_fuzzing();
|
|
|
|
unlink(kSock.c_str());
|
|
|
|
sp<RpcServer> server = RpcServer::make(makeTransportCtxFactory(&provider));
|
|
server->setRootObject(sp<SomeBinder>::make());
|
|
CHECK_EQ(OK, server->setupUnixDomainServer(kSock.c_str()));
|
|
|
|
std::thread serverThread([=] { (void)server->join(); });
|
|
|
|
sockaddr_un addr{
|
|
.sun_family = AF_UNIX,
|
|
};
|
|
CHECK_LT(kSock.size(), sizeof(addr.sun_path));
|
|
memcpy(&addr.sun_path, kSock.c_str(), kSock.size());
|
|
|
|
std::vector<base::unique_fd> connections;
|
|
|
|
bool hangupBeforeShutdown = provider.ConsumeBool();
|
|
|
|
while (provider.remaining_bytes() > 0) {
|
|
if (connections.empty() || provider.ConsumeBool()) {
|
|
base::unique_fd fd(TEMP_FAILURE_RETRY(socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0)));
|
|
CHECK_NE(fd.get(), -1);
|
|
CHECK_EQ(0,
|
|
TEMP_FAILURE_RETRY(
|
|
connect(fd.get(), reinterpret_cast<sockaddr*>(&addr), sizeof(addr))))
|
|
<< strerror(errno);
|
|
connections.push_back(std::move(fd));
|
|
} else {
|
|
size_t idx = provider.ConsumeIntegralInRange<size_t>(0, connections.size() - 1);
|
|
|
|
if (provider.ConsumeBool()) {
|
|
std::string writeData = provider.ConsumeRandomLengthString();
|
|
ssize_t size = TEMP_FAILURE_RETRY(send(connections.at(idx).get(), writeData.data(),
|
|
writeData.size(), MSG_NOSIGNAL));
|
|
CHECK(errno == EPIPE || size == writeData.size())
|
|
<< size << " " << writeData.size() << " " << strerror(errno);
|
|
} else {
|
|
connections.erase(connections.begin() + idx); // hang up
|
|
}
|
|
}
|
|
}
|
|
|
|
usleep(10000);
|
|
|
|
if (hangupBeforeShutdown) {
|
|
connections.clear();
|
|
while (!server->listSessions().empty() || server->numUninitializedSessions()) {
|
|
// wait for all threads to finish processing existing information
|
|
usleep(1);
|
|
}
|
|
}
|
|
|
|
while (!server->shutdown()) usleep(1);
|
|
serverThread.join();
|
|
|
|
return 0;
|
|
}
|
|
|
|
} // namespace android
|