Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit e2724e4f authored by Treehugger Robot's avatar Treehugger Robot Committed by Gerrit Code Review
Browse files

Merge "Camera Fuzzer: Initialise audio services one time" into main

parents ea63da56 022d9b07

services/camera/libcameraservice/libcameraservice_fuzzer/Android.bp

+24 −17
Original line number Diff line number Diff line
@@ -41,22 +41,7 @@ cc_defaults { 
        "mediautils_headers",

    ],

    shared_libs: [

        "framework-permission-aidl-cpp",

        "libbinder",

        "libbase",

        "libutils",

        "libcutils",

        "libcameraservice",

        "libcamera_client",

        "liblog",

        "libui",

        "libgui",

        "android.hardware.camera.common@1.0",

        "android.hardware.camera.provider@2.4",

        "android.hardware.camera.provider@2.5",

        "android.hardware.camera.provider@2.6",

        "android.hardware.camera.provider@2.7",

        "android.hardware.camera.provider-V3-ndk",

        "android.hardware.camera.device@1.0",

        "android.hardware.camera.device@3.2",

        "android.hardware.camera.device@3.3",
@@ -64,12 +49,25 @@ cc_defaults { 
        "android.hardware.camera.device@3.5",

        "android.hardware.camera.device@3.6",

        "android.hardware.camera.device@3.7",

        "android.hardware.camera.provider-V3-ndk",

        "android.hardware.camera.provider@2.4",

        "android.hardware.camera.provider@2.5",

        "android.hardware.camera.provider@2.6",

        "android.hardware.camera.provider@2.7",

        "camera_platform_flags_c_lib",

        "framework-permission-aidl-cpp",

        "libactivitymanager_aidl",

        "libaudioclient",

        "libaudioflinger",

        "libaudiohal",

        "libaudioprocessing",

        "libbase",

        "libbinder",

        "libcamera_client",

        "libcameraservice",

        "libcutils",

        "libgui",

        "liblog",

        "libmediaplayerservice",

        "libmediautils",

        "libnbaio",
@@ -77,10 +75,15 @@ cc_defaults { 
        "libpermission",

        "libpowermanager",

        "libsensorprivacy",

        "libui",

        "libutils",

        "libvibrator",

        "packagemanager_aidl-cpp",

    ],

    static_libs: ["libbinder_random_parcel"],

    static_libs: [

        "libaudiomockhal",

        "libbinder_random_parcel",

    ],

    fuzz_config: {

        cc: [

            "android-camera-fwk-eng@google.com",
@@ -111,6 +114,10 @@ cc_fuzz { 
    ],

    defaults: [

        "camera_service_fuzzer_defaults",

        "latest_android_hardware_audio_core_ndk_shared",

        "latest_android_hardware_audio_core_sounddose_ndk_shared",

        "latest_android_hardware_audio_effect_ndk_shared",

        "libaudioflinger_dependencies",

    ],

}
@@ -121,8 +128,8 @@ cc_fuzz { 
    ],

    defaults: [

        "camera_service_fuzzer_defaults",

        "service_fuzzer_defaults",

        "fuzzer_disable_leaks",

        "service_fuzzer_defaults",

    ],

    fuzz_config: {

        triage_assignee: "waghpawan@google.com",

services/camera/libcameraservice/libcameraservice_fuzzer/camera_service_fuzzer.cpp

+43 −16
Original line number Diff line number Diff line
@@ -26,6 +26,7 @@ 
#include <ISchedulingPolicyService.h>

#include <MediaPlayerService.h>

#include <android-base/logging.h>

#include <android/binder_manager.h>

#include <android/content/AttributionSourceState.h>

#include <android/hardware/BnCameraServiceListener.h>

#include <android/hardware/ICameraServiceListener.h>
@@ -36,7 +37,10 @@ 
#include <camera/CameraUtils.h>

#include <camera/camera2/OutputConfiguration.h>

#include <com_android_graphics_libgui_flags.h>

#include <core-mock/ConfigMock.h>

#include <core-mock/ModuleMock.h>

#include <device3/Camera3StreamInterface.h>

#include <effect-mock/FactoryMock.h>

#include <fakeservicemanager/FakeServiceManager.h>

#include <fuzzbinder/random_binder.h>

#include <gui/BufferItemConsumer.h>
@@ -111,6 +115,7 @@ const size_t kNumSoundKind = size(kSoundKind); 
const size_t kNumShellCmd = size(kShellCmd);

static std::once_flag gSmOnce;

sp<CameraService> gCameraService;

sp<FakeServiceManager> gFsm;



void addService(const String16& serviceName, const sp<FakeServiceManager>& fakeServiceManager,

                FuzzedDataProvider* fdp) {
@@ -880,6 +885,30 @@ void Camera2Fuzzer::process() { 
    }

}



extern "C" int LLVMFuzzerInitialize(int* /*argc*/, char*** /*argv*/) {

    /* Create a FakeServiceManager instance and add required services */

    gFsm = sp<FakeServiceManager>::make();

    setDefaultServiceManager(gFsm);



    auto configService = ndk::SharedRefBase::make<ConfigMock>();

    CHECK_EQ(NO_ERROR, AServiceManager_addService(configService.get()->asBinder().get(),

                                                  "android.hardware.audio.core.IConfig/default"));



    auto factoryService = ndk::SharedRefBase::make<FactoryMock>();

    CHECK_EQ(NO_ERROR,

             AServiceManager_addService(factoryService.get()->asBinder().get(),

                                        "android.hardware.audio.effect.IFactory/default"));



    auto moduleService = ndk::SharedRefBase::make<ModuleMock>();

    CHECK_EQ(NO_ERROR, AServiceManager_addService(moduleService.get()->asBinder().get(),

                                                  "android.hardware.audio.core.IModule/default"));



    // Disable creating thread pool for fuzzer instance of audio flinger

    AudioSystem::disableThreadPool();



    return 0;

}



extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {

    if (size < 1) {

        return 0;
@@ -887,28 +916,26 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { 
    setuid(AID_CAMERASERVER);

    std::shared_ptr<FuzzedDataProvider> fp = std::make_shared<FuzzedDataProvider>(data, size);



    std::call_once(gSmOnce, [&] {

        /* Create a FakeServiceManager instance and add required services */

        sp<FakeServiceManager> fsm = sp<FakeServiceManager>::make();

        setDefaultServiceManager(fsm);

    for (const char* service :

         {"sensor_privacy", "permission", "media.camera.proxy", "batterystats", "media.metrics",

          "media.extractor", "drm.drmManager", "permission_checker"}) {

            addService(String16(service), fsm, fp.get());

        addService(String16(service), gFsm, fp.get());

    }



    std::call_once(gSmOnce, [&] {

        const auto audioFlinger = sp<AudioFlinger>::make();

        const auto afAdapter = sp<AudioFlingerServerAdapter>::make(audioFlinger);

        CHECK_EQ(NO_ERROR,

                 fsm->addService(String16(IAudioFlinger::DEFAULT_SERVICE_NAME),

                 gFsm->addService(String16(IAudioFlinger::DEFAULT_SERVICE_NAME),

                                  IInterface::asBinder(afAdapter), false /* allowIsolated */,

                                  IServiceManager::DUMP_FLAG_PRIORITY_DEFAULT));

        sp<FuzzerActivityManager> am = new FuzzerActivityManager();

        CHECK_EQ(NO_ERROR, fsm->addService(String16("activity"), IInterface::asBinder(am)));

        CHECK_EQ(NO_ERROR, gFsm->addService(String16("activity"), IInterface::asBinder(am)));

        sp<FuzzerSensorPrivacyManager> sensorPrivacyManager = new FuzzerSensorPrivacyManager();

        CHECK_EQ(NO_ERROR, fsm->addService(String16("sensor_privacy"),

        CHECK_EQ(NO_ERROR, gFsm->addService(String16("sensor_privacy"),

                                            IInterface::asBinder(sensorPrivacyManager)));

        sp<FuzzAppOpsService> appops = new FuzzAppOpsService();

        CHECK_EQ(NO_ERROR, fsm->addService(String16("appops"), IInterface::asBinder(appops)));

        CHECK_EQ(NO_ERROR, gFsm->addService(String16("appops"), IInterface::asBinder(appops)));

        MediaPlayerService::instantiate();

        gCameraService = new CameraService();

    });