Merge changes I01f5f1d5,I65aa5ebd,I67746d7f into main

devinmoore-goog · Android (Google) Code Review · commit b9067b8a3165 · 2025-03-26T16:20:45.000-07:00
* changes:
  binder_parcel_fuzzer: close FDs in unflatten
  Check for leaking FDs in binder_parcel_fuzzer
  Add errno to CHECK_EQ log
diff --git a/libs/binder/tests/parcel_fuzzer/binder.cpp b/libs/binder/tests/parcel_fuzzer/binder.cpp
@@ -62,13 +62,17 @@ struct ExampleFlattenable : public android::Flattenable<ExampleFlattenable> {
         FUZZ_LOG() << "should not reach";
         abort();
     }
-    status_t unflatten(void const*& buffer, size_t& size, int const*& /*fds*/, size_t& /*count*/) {
+    status_t unflatten(void const*& buffer, size_t& size, int const*& fds, size_t& count) {
+        for (size_t i = 0; i < count; i++) {
+            close(fds[i]);
+        }
         if (size < sizeof(mValue)) {
             return android::NO_MEMORY;
         }
         android::FlattenableUtils::read(buffer, size, mValue);
         return android::OK;
     }
+
 private:
     int32_t mValue = 0xFEEDBEEF;
 };
diff --git a/libs/binder/tests/parcel_fuzzer/main.cpp b/libs/binder/tests/parcel_fuzzer/main.cpp
@@ -28,10 +28,11 @@
 #include <fuzzbinder/random_parcel.h>
 #include <fuzzer/FuzzedDataProvider.h>
 
-#include <cstdlib>
-#include <ctime>
 #include <sys/resource.h>
 #include <sys/time.h>
+#include <cstdlib>
+#include <ctime>
+#include <filesystem>
 
 #include "../../Utils.h"
 
@@ -157,12 +158,21 @@ static AIBinder_Class* kNothingClass =
         AIBinder_Class_define("nothing", NothingClass_onCreate, NothingClass_onDestroy,
                               NothingClass_onTransact);
 
+static long numFds() {
+    return std::distance(std::filesystem::directory_iterator("/proc/self/fd"),
+                         std::filesystem::directory_iterator{});
+}
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
     if (size <= 1) return 0;  // no use
 
     // avoid timeouts, see b/142617274, b/142473153
     if (size > 50000) return 0;
 
+    struct rlimit limit{};
+    CHECK_EQ(0, getrlimit(RLIMIT_NOFILE, &limit));
+    uint64_t maxFds = limit.rlim_cur;
+    int initialFds = numFds();
+
     FuzzedDataProvider provider = FuzzedDataProvider(data, size);
 
     const std::function<void(FuzzedDataProvider&&)> fuzzBackend[] = {
@@ -209,5 +219,6 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
 
     provider.PickValueInArray(fuzzBackend)(std::move(provider));
 
+    CHECK_EQ(initialFds, numFds()) << "FDs are being leaked";
     return 0;
 }
diff --git a/libs/binder/tests/parcel_fuzzer/random_fd.cpp b/libs/binder/tests/parcel_fuzzer/random_fd.cpp
@@ -55,7 +55,8 @@ std::vector<unique_fd> getRandomFds(FuzzedDataProvider* provider) {
                  // TODO(b/236812909): also test blocking
                  if (true) flags |= O_NONBLOCK;
 
-                 CHECK_EQ(0, pipe2(pipefds, flags)) << flags;
+                 CHECK_EQ(0, pipe2(pipefds, flags))
+                         << "flags: " << flags << ", errno: " << strerror(errno);
 
                  if (provider->ConsumeBool()) std::swap(pipefds[0], pipefds[1]);
 

Original file line number	Diff line number	Diff line change
`@@ -62,13 +62,17 @@ struct ExampleFlattenable : public android::Flattenable<ExampleFlattenable> {`
`62`	`62`	`FUZZ_LOG() << "should not reach";`
`63`	`63`	`abort();`
`64`	`64`	`}`
`65`		`- status_t unflatten(void const& buffer, size_t& size, int const& /fds/, size_t& /count/) {`
	`65`	`+ status_t unflatten(void const& buffer, size_t& size, int const& fds, size_t& count) {`
	`66`	`+ for (size_t i = 0; i < count; i++) {`
	`67`	`+ close(fds[i]);`
	`68`	`+ }`
`66`	`69`	`if (size < sizeof(mValue)) {`
`67`	`70`	`return android::NO_MEMORY;`
`68`	`71`	`}`
`69`	`72`	`android::FlattenableUtils::read(buffer, size, mValue);`
`70`	`73`	`return android::OK;`
`71`	`74`	`}`
	`75`	`+`
`72`	`76`	`private:`
`73`	`77`	`int32_t mValue = 0xFEEDBEEF;`
`74`	`78`	`};`