Merge changes Iae2b4e10,I0e97edf5,I69d529b6,I13c75cbd,I52f434be into main am: d8b9ed515d (813ceaef) · Commits · e / os / android_frameworks_av

media/libaudioclient/aidl/fuzzer/Android.bp

+22 −28

Original line number	Diff line number	Diff line
		@@ -19,63 +19,57 @@ cc_defaults {
		static_libs: [
		"android.hardware.audio.common@7.0-enums",
		"effect-aidl-cpp",
		"liblog",
		"libcgrouprc",
		"libcgrouprc_format",
		"libfakeservicemanager",
		"libjsoncpp",
		"liblog",
		"libmediametricsservice",
		"libmedia_helper",
		"libprocessgroup",
		"shared-file-region-aidl-cpp",
		"libfakeservicemanager"
		],
		shared_libs: [
		"libaudioclient",
		"libaudioflinger",
		"libmediautils",
		"libnblog",
		"libaudioprocessing",
		"libnbaio",
		"libpowermanager",
		"libvibrator",
		"packagemanager_aidl-cpp",
		"android.hardware.audio.common-util",
		"audioclient-types-aidl-cpp",
		"audioflinger-aidl-cpp",
		"audiopolicy-aidl-cpp",
		"audiopolicy-types-aidl-cpp",
		"av-types-aidl-cpp",
		"capture_state_listener-aidl-cpp",
		"framework-permission-aidl-cpp",
		"libaudioclient",
		"audioflinger-aidl-cpp",
		"libaudioflinger",
		"libaudioclient_aidl_conversion",
		"libaudiofoundation",
		"libaudiomanager",
		"libaudiopolicy",
		"libaudioutils",
		"libdl",
		"libxml2",
		"mediametricsservice-aidl-cpp",
		"framework-permission-aidl-cpp",
		"libvndksupport",
		"libmediametrics",
		"libfakeservicemanager",
		"libactivitymanager_aidl",
		"libheadtracking",
		"libaudiopolicyservice",
		"libsensorprivacy",
		"libaudiopolicymanagerdefault",
		"libaudiohal",
		"libhidlbase",
		"libpermission",
		"libaudiohal@7.0",
		"libaudioprocessing",
		"libactivitymanager_aidl",
		"libdl",
		"libheadtracking",
		"libmediautils",
		"libmediametrics",
		"libnblog",
		"libnbaio",
		"libpowermanager",
		"libvibrator",
		"libvndksupport",
		"libxml2",
		"mediametricsservice-aidl-cpp",
		"packagemanager_aidl-cpp",
		],
		header_libs: [
		"libaudiopolicymanager_interface_headers",
		"libbinder_headers",
		"libaudiofoundation_headers",
		"libmedia_headers",
		"libaudiohal_headers",
		"libaudioflinger_headers",
		"mediautils_headers",
		"libbinder_headers",
		"libmedia_headers",
		],
		fuzz_config: {
		cc: [

media/libaudioclient/aidl/fuzzer/audioflinger_aidl_fuzzer.cpp

+42 −172

Original line number	Diff line number	Diff line
		@@ -15,204 +15,74 @@
		*
		*/
		#include <AudioFlinger.h>
		#include <ISchedulingPolicyService.h>
		#include <fakeservicemanager/FakeServiceManager.h>
		#include <android-base/logging.h>
		#include <android/binder_interface_utils.h>
		#include <android/binder_process.h>
		#include <android/media/IAudioPolicyService.h>
		#include <binder/IActivityManager.h>
		#include <binder/IPermissionController.h>
		#include <binder/IServiceManager.h>
		#include <binder/PermissionController.h>
		#include <fakeservicemanager/FakeServiceManager.h>
		#include <fuzzbinder/libbinder_driver.h>
		#include <fuzzbinder/random_binder.h>
		#include <fuzzer/FuzzedDataProvider.h>
		#include <media/IAudioFlinger.h>
		#include <mediautils/SchedulingPolicyService.h>
		#include <sensorprivacy/SensorPrivacyManager.h>
		#include <service/AudioPolicyService.h>

		using namespace android;
		using namespace android::binder;
		using android::fuzzService;

		static sp<media::IAudioFlingerService> gAudioFlingerService;
		[[clang::no_destroy]] static std::once_flag gSmOnce;
		sp<FakeServiceManager> gFakeServiceManager;

		class FuzzerSchedulingPolicyService : public BnInterface<ISchedulingPolicyService> {
		int32_t requestPriority(int32_t /pid_t/, int32_t /tid/, int32_t /prio/, bool /isForApp/,
		bool /asynchronous/) {
		return 0;
		}

		int32_t requestCpusetBoost(bool /enable/, const sp<IBinder>& /client/) { return 0; }
		};

		class FuzzerPermissionController : public BnInterface<IPermissionController> {
		public:
		bool checkPermission(const String16& /permission/, int32_t /pid/, int32_t /uid/) {
		return true;
		}
		int32_t noteOp(const String16& /op/, int32_t /uid/, const String16& /packageName/) {
		return 0;
		}
		void getPackagesForUid(const uid_t /uid/, Vector<String16>& /packages/) {}
		bool isRuntimePermission(const String16& /permission/) { return true; }
		int32_t getPackageUid(const String16& /package/, int /flags/) { return 0; }
		};

		class FuzzerSensorPrivacyManager : public BnInterface<hardware::ISensorPrivacyManager> {
		public:
		Status supportsSensorToggle(int32_t /toggleType/, int32_t /sensor/,
		bool* /_aidl_return/) override {
		return Status::fromStatusT(UNKNOWN_TRANSACTION);
		}
		Status addSensorPrivacyListener(
		const sp<hardware::ISensorPrivacyListener>& /listener/) override {
		return Status::fromStatusT(::android::UNKNOWN_TRANSACTION);
		}
		Status addToggleSensorPrivacyListener(
		const sp<hardware::ISensorPrivacyListener>& /listener/) override {
		return Status::fromStatusT(UNKNOWN_TRANSACTION);
		bool addService(const String16& serviceName, const sp<FakeServiceManager>& fakeServiceManager,
		FuzzedDataProvider& fdp) {
		sp<IBinder> binder = getRandomBinder(&fdp);
		if (binder == nullptr) {
		return false;
		}
		Status removeSensorPrivacyListener(
		const sp<hardware::ISensorPrivacyListener>& /listener/) override {
		return Status::fromStatusT(::android::UNKNOWN_TRANSACTION);
		}
		Status removeToggleSensorPrivacyListener(
		const sp<hardware::ISensorPrivacyListener>& /listener/) override {
		return Status::fromStatusT(::android::UNKNOWN_TRANSACTION);
		}
		Status isSensorPrivacyEnabled(bool* /_aidl_return/) override {
		return Status::fromStatusT(UNKNOWN_TRANSACTION);
		}
		Status isCombinedToggleSensorPrivacyEnabled(int32_t /sensor/,
		bool* /_aidl_return/) override {
		return Status::fromStatusT(UNKNOWN_TRANSACTION);
		}
		Status isToggleSensorPrivacyEnabled(int32_t /toggleType/, int32_t /sensor/,
		bool* /_aidl_return/) override {
		return Status::fromStatusT(UNKNOWN_TRANSACTION);
		}
		Status setSensorPrivacy(bool /enable/) override {
		return Status::fromStatusT(UNKNOWN_TRANSACTION);
		}
		Status setToggleSensorPrivacy(int32_t /userId/, int32_t /source/, int32_t /sensor/,
		bool /enable/) override {
		return Status::fromStatusT(UNKNOWN_TRANSACTION);
		}
		Status setToggleSensorPrivacyForProfileGroup(int32_t /userId/, int32_t /source/,
		int32_t /sensor/, bool /enable/) override {
		return Status::fromStatusT(UNKNOWN_TRANSACTION);
		}
		};

		class FuzzerActivityManager : public BnInterface<IActivityManager> {
		public:
		int32_t openContentUri(const String16& /stringUri/) override { return 0; }

		status_t registerUidObserver(const sp<IUidObserver>& /observer/, const int32_t /event/,
		const int32_t /cutpoint/,
		const String16& /callingPackage/) override {
		return OK;
		}

		status_t unregisterUidObserver(const sp<IUidObserver>& /observer/) override { return OK; }

		bool isUidActive(const uid_t /uid/, const String16& /callingPackage/) override {
		CHECK_EQ(NO_ERROR, fakeServiceManager->addService(serviceName, binder));
		return true;
		}

		int32_t getUidProcessState(const uid_t /uid/, const String16& /callingPackage/) override {
		return ActivityManager::PROCESS_STATE_UNKNOWN;
		}

		status_t checkPermission(const String16& /permission/, const pid_t /pid/,
		const uid_t /uid/, int32_t* /outResult/) override {
		return NO_ERROR;
		}

		status_t registerUidObserverForUids(const sp<IUidObserver>& /observer/ ,
		const int32_t /event/ ,
		const int32_t /cutpoint/ ,
		const String16& /callingPackage/ ,
		const int32_t uids[] ,
		size_t /nUids/ ,
		/out/ sp<IBinder>& /observerToken/ ) {
		(void)uids;
		return OK;
		}

		status_t addUidToObserver(const sp<IBinder>& /observerToken/ ,
		const String16& /callingPackage/ ,
		int32_t /uid/ ) override {
		return NO_ERROR;
		}

		status_t removeUidFromObserver(const sp<IBinder>& /observerToken/ ,
		const String16& /callingPackage/ ,
		int32_t /uid/ ) override {
		return NO_ERROR;
		}
		extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
		FuzzedDataProvider fdp(data, size);

		status_t logFgsApiBegin(int32_t /apiType/ , int32_t /appUid/ ,
		int32_t /appPid/ ) override {
		return NO_ERROR;
		}
		status_t logFgsApiEnd(int32_t /apiType/ , int32_t /appUid/ ,
		int32_t /appPid/ ) override {
		return NO_ERROR;
		std::call_once(gSmOnce, [&] {
		/* Create a FakeServiceManager instance and add required services */
		gFakeServiceManager = sp<FakeServiceManager>::make();
		setDefaultServiceManager(gFakeServiceManager);
		});
		gFakeServiceManager->clear();

		for (const char* service :
		{"activity", "sensor_privacy", "permission", "scheduling_policy",
		"android.hardware.audio.core.IConfig", "batterystats", "media.metrics"}) {
		if (!addService(String16(service), gFakeServiceManager, fdp)) {
		return 0;
		}
		status_t logFgsApiStateChanged(int32_t /apiType/ , int32_t /state/ ,
		int32_t /appUid/ ,
		int32_t /appPid/ ) override {
		return NO_ERROR;
		}
		};

		extern "C" int LLVMFuzzerInitialize(int* /* argc /, char** /* argv */) {
		/* Create a FakeServiceManager instance and add required services */
		sp<FakeServiceManager> fakeServiceManager = new FakeServiceManager();
		setDefaultServiceManager(fakeServiceManager);
		ABinderProcess_setThreadPoolMaxThreadCount(0);
		sp<FuzzerActivityManager> am = new FuzzerActivityManager();
		fakeServiceManager->addService(String16("activity"), IInterface::asBinder(am));

		sp<FuzzerSensorPrivacyManager> sensorPrivacyManager = new FuzzerSensorPrivacyManager();
		fakeServiceManager->addService(String16("sensor_privacy"),
		IInterface::asBinder(sensorPrivacyManager));
		sp<FuzzerPermissionController> permissionController = new FuzzerPermissionController();
		fakeServiceManager->addService(String16("permission"),
		IInterface::asBinder(permissionController));
		const auto audioFlinger = sp<AudioFlinger>::make();
		const auto afAdapter = sp<AudioFlingerServerAdapter>::make(audioFlinger);

		sp<FuzzerSchedulingPolicyService> schedulingService = new FuzzerSchedulingPolicyService();
		fakeServiceManager->addService(String16("scheduling_policy"),
		IInterface::asBinder(schedulingService));

		const auto audioFlingerObj = sp<AudioFlinger>::make();
		const auto afAdapter = sp<AudioFlingerServerAdapter>::make(audioFlingerObj);

		fakeServiceManager->addService(String16(IAudioFlinger::DEFAULT_SERVICE_NAME),
		IInterface::asBinder(afAdapter), false /* allowIsolated */,
		IServiceManager::DUMP_FLAG_PRIORITY_DEFAULT);
		CHECK_EQ(NO_ERROR,
		gFakeServiceManager->addService(
		String16(IAudioFlinger::DEFAULT_SERVICE_NAME), IInterface::asBinder(afAdapter),
		false /* allowIsolated */, IServiceManager::DUMP_FLAG_PRIORITY_DEFAULT));

		AudioSystem::get_audio_flinger_for_fuzzer();
		const auto audioPolicyService = sp<AudioPolicyService>::make();
		fakeServiceManager->addService(String16("media.audio_policy"), audioPolicyService,
		false /* allowIsolated */,
		IServiceManager::DUMP_FLAG_PRIORITY_DEFAULT);

		sp<IBinder> binder =
		fakeServiceManager->getService(String16(IAudioFlinger::DEFAULT_SERVICE_NAME));
		gAudioFlingerService = interface_cast<media::IAudioFlingerService>(binder);
		return 0;
		}
		CHECK_EQ(NO_ERROR,
		gFakeServiceManager->addService(String16("media.audio_policy"), audioPolicyService,
		false /* allowIsolated */,
		IServiceManager::DUMP_FLAG_PRIORITY_DEFAULT));

		extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
		if (!gAudioFlingerService) {
		return 0;
		}
		sp<IBinder> audioFlingerServiceBinder =
		gFakeServiceManager->getService(String16(IAudioFlinger::DEFAULT_SERVICE_NAME));
		sp<media::IAudioFlingerService> audioFlingerService =
		interface_cast<media::IAudioFlingerService>(audioFlingerServiceBinder);

		fuzzService(media::IAudioFlingerService::asBinder(gAudioFlingerService),
		FuzzedDataProvider(data, size));
		fuzzService(media::IAudioFlingerService::asBinder(audioFlingerService), std::move(fdp));

		return 0;
		}