Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit d8b9ed51 authored by Treehugger Robot's avatar Treehugger Robot Committed by Gerrit Code Review
Browse files

Merge changes Iae2b4e10,I0e97edf5,I69d529b6,I13c75cbd,I52f434be into main 

* changes:
  Updated audioflinger_aidl_fuzzer
  Use service fuzzer defaults in fuzzers
  Added audiopolicy_aidl_fuzzer
  Added get_audio_flinger_for_fuzzer in AudioSystem.cpp
  Added audioflinger_aidl_fuzzer
parents c851dba9 c9ad3c8d

media/libaudioclient/AudioSystem.cpp

+12 −2
Original line number Diff line number Diff line
@@ -108,7 +108,7 @@ status_t AudioSystem::setLocalAudioFlinger(const sp<IAudioFlinger>& af) { 
}



// establish binder interface to AudioFlinger service

const sp<IAudioFlinger> AudioSystem::get_audio_flinger() {

const sp<IAudioFlinger> AudioSystem::getAudioFlingerImpl(bool canStartThreadPool = true) {

    sp<IAudioFlinger> af;

    sp<AudioFlingerClient> afc;

    bool reportNoError = false;
@@ -147,8 +147,10 @@ const sp<IAudioFlinger> AudioSystem::get_audio_flinger() { 
        afc = gAudioFlingerClient;

        af = gAudioFlinger;

        // Make sure callbacks can be received by gAudioFlingerClient

        if(canStartThreadPool) {

            ProcessState::self()->startThreadPool();

        }

    }

    const int64_t token = IPCThreadState::self()->clearCallingIdentity();

    af->registerClient(afc);

    IPCThreadState::self()->restoreCallingIdentity(token);
@@ -156,6 +158,14 @@ const sp<IAudioFlinger> AudioSystem::get_audio_flinger() { 
    return af;

}



const sp<IAudioFlinger> AudioSystem:: get_audio_flinger() {

    return getAudioFlingerImpl();

}



const sp<IAudioFlinger> AudioSystem:: get_audio_flinger_for_fuzzer() {

    return getAudioFlingerImpl(false);

}



const sp<AudioSystem::AudioFlingerClient> AudioSystem::getAudioFlingerClient() {

    // calling get_audio_flinger() will initialize gAudioFlingerClient if needed

    const sp<IAudioFlinger>& af = AudioSystem::get_audio_flinger();

media/libaudioclient/aidl/fuzzer/Android.bp

0 → 100644
+95 −0
Original line number Diff line number Diff line 
/*

 * Copyright (C) 2022 The Android Open Source Project

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at

 *

 *      http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */



cc_defaults {

    name: "libaudioclient_aidl_fuzzer_defaults",

    static_libs: [

        "android.hardware.audio.common@7.0-enums",

        "effect-aidl-cpp",

        "libcgrouprc",

        "libcgrouprc_format",

        "libfakeservicemanager",

        "libjsoncpp",

        "liblog",

        "libmediametricsservice",

        "libmedia_helper",

        "libprocessgroup",

        "shared-file-region-aidl-cpp",

    ],

    shared_libs: [

        "android.hardware.audio.common-util",

        "audioclient-types-aidl-cpp",

        "audiopolicy-aidl-cpp",

        "audiopolicy-types-aidl-cpp",

        "av-types-aidl-cpp",

        "capture_state_listener-aidl-cpp",

        "framework-permission-aidl-cpp",

        "libaudioclient",

        "audioflinger-aidl-cpp",

        "libaudioflinger",

        "libaudioclient_aidl_conversion",

        "libaudiofoundation",

        "libaudiomanager",

        "libaudiopolicy",

        "libaudioutils",

        "libaudiopolicyservice",

        "libaudiopolicymanagerdefault",

        "libaudiohal",

        "libaudioprocessing",

        "libactivitymanager_aidl",

        "libdl",

        "libheadtracking",

        "libmediautils",

        "libmediametrics",

        "libnblog",

        "libnbaio",

        "libpowermanager",

        "libvibrator",

        "libvndksupport",

        "libxml2",

        "mediametricsservice-aidl-cpp",

        "packagemanager_aidl-cpp",

    ],

    header_libs: [

        "libaudiopolicymanager_interface_headers",

        "libaudiofoundation_headers",

        "libaudiohal_headers",

        "libaudioflinger_headers",

        "libbinder_headers",

        "libmedia_headers",

    ],

     fuzz_config: {

        cc: [

            "android-media-fuzzing-reports@google.com",

        ],

        componentid: 155276,

        hotlists: ["4593311"],

        description: "The fuzzer targets the APIs of libaudioflinger",

        vector: "local_no_privileges_required",

        service_privilege: "privileged",

        users: "multi_user",

        fuzzed_code_usage: "shipped",

    },

}



cc_fuzz {

    name: "audioflinger_aidl_fuzzer",

    srcs: ["audioflinger_aidl_fuzzer.cpp"],

    defaults: [

        "libaudioclient_aidl_fuzzer_defaults",

        "service_fuzzer_defaults"

    ],

}

media/libaudioclient/aidl/fuzzer/audioflinger_aidl_fuzzer.cpp

0 → 100644
+88 −0
Original line number Diff line number Diff line 
/*

 * Copyright (C) 2022 The Android Open Source Project

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at:

 *

 * http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 *

 */

#include <AudioFlinger.h>

#include <android-base/logging.h>

#include <android/binder_interface_utils.h>

#include <android/binder_process.h>

#include <android/media/IAudioPolicyService.h>

#include <fakeservicemanager/FakeServiceManager.h>

#include <fuzzbinder/libbinder_driver.h>

#include <fuzzbinder/random_binder.h>

#include <fuzzer/FuzzedDataProvider.h>

#include <media/IAudioFlinger.h>

#include <service/AudioPolicyService.h>



using namespace android;

using namespace android::binder;

using android::fuzzService;



[[clang::no_destroy]] static std::once_flag gSmOnce;

sp<FakeServiceManager> gFakeServiceManager;



bool addService(const String16& serviceName, const sp<FakeServiceManager>& fakeServiceManager,

                FuzzedDataProvider& fdp) {

    sp<IBinder> binder = getRandomBinder(&fdp);

    if (binder == nullptr) {

        return false;

    }

    CHECK_EQ(NO_ERROR, fakeServiceManager->addService(serviceName, binder));

    return true;

}



extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {

    FuzzedDataProvider fdp(data, size);



    std::call_once(gSmOnce, [&] {

        /* Create a FakeServiceManager instance and add required services */

        gFakeServiceManager = sp<FakeServiceManager>::make();

        setDefaultServiceManager(gFakeServiceManager);

    });

    gFakeServiceManager->clear();



    for (const char* service :

         {"activity", "sensor_privacy", "permission", "scheduling_policy",

          "android.hardware.audio.core.IConfig", "batterystats", "media.metrics"}) {

        if (!addService(String16(service), gFakeServiceManager, fdp)) {

            return 0;

        }

    }



    const auto audioFlinger = sp<AudioFlinger>::make();

    const auto afAdapter = sp<AudioFlingerServerAdapter>::make(audioFlinger);



    CHECK_EQ(NO_ERROR,

             gFakeServiceManager->addService(

                     String16(IAudioFlinger::DEFAULT_SERVICE_NAME), IInterface::asBinder(afAdapter),

                     false /* allowIsolated */, IServiceManager::DUMP_FLAG_PRIORITY_DEFAULT));



    AudioSystem::get_audio_flinger_for_fuzzer();

    const auto audioPolicyService = sp<AudioPolicyService>::make();



    CHECK_EQ(NO_ERROR,

             gFakeServiceManager->addService(String16("media.audio_policy"), audioPolicyService,

                                             false /* allowIsolated */,

                                             IServiceManager::DUMP_FLAG_PRIORITY_DEFAULT));



    sp<IBinder> audioFlingerServiceBinder =

            gFakeServiceManager->getService(String16(IAudioFlinger::DEFAULT_SERVICE_NAME));

    sp<media::IAudioFlingerService> audioFlingerService =

            interface_cast<media::IAudioFlingerService>(audioFlingerServiceBinder);



    fuzzService(media::IAudioFlingerService::asBinder(audioFlingerService), std::move(fdp));



    return 0;

}

media/libaudioclient/include/media/AudioSystem.h

+2 −0
Original line number Diff line number Diff line
@@ -178,6 +178,7 @@ public: 


    // helper function to obtain AudioFlinger service handle

    static const sp<IAudioFlinger> get_audio_flinger();

    static const sp<IAudioFlinger> get_audio_flinger_for_fuzzer();



    static float linearToLog(int volume);

    static int logToLinear(float volume);
@@ -876,6 +877,7 @@ private: 
    static audio_io_handle_t getOutput(audio_stream_type_t stream);

    static const sp<AudioFlingerClient> getAudioFlingerClient();

    static sp<AudioIoDescriptor> getIoDescriptor(audio_io_handle_t ioHandle);

    static const sp<IAudioFlinger> getAudioFlingerImpl(bool canStartThreadPool);



    // Invokes all registered error callbacks with the given error code.

    static void reportError(status_t err);

services/audiopolicy/fuzzer/aidl/Android.bp

0 → 100644
+74 −0
Original line number Diff line number Diff line 
/******************************************************************************

 *

 * Copyright (C) 2023 The Android Open Source Project

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at:

 *

 * http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 *

 ******************************************************************************/



cc_defaults {

    name: "audiopolicy_aidl_fuzzer_defaults",

    shared_libs: [

        "audiopolicy-aidl-cpp",

        "audiopolicy-types-aidl-cpp",

        "framework-permission-aidl-cpp",

        "libaudiopolicy",

        "libaudiopolicymanagerdefault",

        "libactivitymanager_aidl",

        "libaudiohal",

        "libaudiopolicyservice",

        "libaudioflinger",

        "libaudioclient",

        "libaudioprocessing",

        "libhidlbase",

        "liblog",

        "libmediautils",

        "libnblog",

        "libnbaio",

        "libpowermanager",

        "libvibrator",

        "packagemanager_aidl-cpp",

    ],

    static_libs: [

        "libfakeservicemanager",

        "libmediaplayerservice",

    ],

    header_libs: [

        "libaudiohal_headers",

        "libaudioflinger_headers",

        "libaudiopolicymanager_interface_headers",

        "libbinder_headers",

        "libmedia_headers",

    ],

    fuzz_config: {

        cc: [

            "android-media-fuzzing-reports@google.com",

        ],

        componentid: 155276,

        hotlists: ["4593311"],

        description: "The fuzzer targets the APIs of libaudiopolicy",

        vector: "local_no_privileges_required",

        service_privilege: "privileged",

        users: "multi_user",

        fuzzed_code_usage: "shipped",

    },

}



cc_fuzz {

    name: "audiopolicy_aidl_fuzzer",

    srcs: ["audiopolicy_aidl_fuzzer.cpp"],

    defaults: [

        "audiopolicy_aidl_fuzzer_defaults",

        "service_fuzzer_defaults",

    ],

}