Merge changes from topic "sensorservice_fuzzer" am: a87bb3c945 am: fca46f6241 (9cb37639) · Commits · e / os / platform_frameworks_native

libs/sensor/Android.bp

+2 −1

Original line number	Original line	Diff line number	Diff line
	@@ -21,9 +21,10 @@ package {
	default_applicable_licenses: ["frameworks_native_license"],		default_applicable_licenses: ["frameworks_native_license"],
	}		}

	cc_library_shared {		cc_library {
	name: "libsensor",		name: "libsensor",

			host_supported: true,
	cflags: [		cflags: [
	"-Wall",		"-Wall",
	"-Werror",		"-Werror",

services/sensorservice/aidl/Android.bp

+2 −1

Original line number	Original line	Diff line number	Diff line
	@@ -7,7 +7,7 @@ package {
	default_applicable_licenses: ["frameworks_native_license"],		default_applicable_licenses: ["frameworks_native_license"],
	}		}

	cc_library_shared {		cc_library {
	name: "libsensorserviceaidl",		name: "libsensorserviceaidl",
	srcs: [		srcs: [
	"EventQueue.cpp",		"EventQueue.cpp",
	@@ -15,6 +15,7 @@ cc_library_shared {
	"SensorManager.cpp",		"SensorManager.cpp",
	"utils.cpp",		"utils.cpp",
	],		],
			host_supported: true,
	cflags: [		cflags: [
	"-Wall",		"-Wall",
	"-Werror",		"-Werror",

services/sensorservice/aidl/EventQueue.cpp

+1 −1

Original line number	Original line	Diff line number	Diff line
	@@ -34,7 +34,7 @@ public:
	std::shared_ptr<IEventQueueCallback> callback)		std::shared_ptr<IEventQueueCallback> callback)
	: mQueue(queue), mCallback(callback) {}		: mQueue(queue), mCallback(callback) {}

	int handleEvent(__unused int fd, __unused int events, __unused void* data) {		int handleEvent(int /* fd /, int / events /, void /* data */) {
	ASensorEvent event;		ASensorEvent event;
	ssize_t actual;		ssize_t actual;

services/sensorservice/aidl/fuzzer/Android.bp

0 → 100644

+52 −0

Original line number	Original line	Diff line number	Diff line
			package {
			// See: http://go/android-license-faq
			// A large-scale-change added 'default_applicable_licenses' to import
			// all of the 'license_kinds' from "frameworks_native_license"
			// to get the below license kinds:
			// SPDX-license-identifier-Apache-2.0
			default_applicable_licenses: ["frameworks_native_license"],
			}

			cc_fuzz {
			name: "libsensorserviceaidl_fuzzer",
			defaults: [
			"service_fuzzer_defaults",
			],
			host_supported: true,
			static_libs: [
			"libsensorserviceaidl",
			"libpermission",
			"android.frameworks.sensorservice-V1-ndk",
			"android.hardware.sensors-V1-convert",
			"android.hardware.sensors-V1-ndk",
			"android.hardware.common-V2-ndk",
			"libsensor",
			"libfakeservicemanager",
			"libcutils",
			"liblog",
			],
			srcs: [
			"fuzzer.cpp",
			],
			fuzz_config: {
			cc: [
			"android-sensors@google.com",
			"devinmoore@google.com",
			],
			},
			sanitize: {
			misc_undefined: [
			"signed-integer-overflow",
			"unsigned-integer-overflow",
			],
			diag: {
			misc_undefined: [
			"signed-integer-overflow",
			"unsigned-integer-overflow",
			],
			},
			address: true,
			integer_overflow: true,
			},

			}

services/sensorservice/aidl/fuzzer/fuzzer.cpp

0 → 100644

+53 −0

Original line number	Original line	Diff line number	Diff line
			/*
			* Copyright (C) 2022 The Android Open Source Project
			*
			* Licensed under the Apache License, Version 2.0 (the "License");
			* you may not use this file except in compliance with the License.
			* You may obtain a copy of the License at
			*
			* http://www.apache.org/licenses/LICENSE-2.0
			*
			* Unless required by applicable law or agreed to in writing, software
			* distributed under the License is distributed on an "AS IS" BASIS,
			* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
			* See the License for the specific language governing permissions and
			* limitations under the License.
			*/
			#include <fuzzbinder/libbinder_ndk_driver.h>
			#include <fuzzer/FuzzedDataProvider.h>

			#include <ServiceManager.h>
			#include <android-base/logging.h>
			#include <android/binder_interface_utils.h>
			#include <fuzzbinder/random_binder.h>
			#include <sensorserviceaidl/SensorManagerAidl.h>

			using android::fuzzService;
			using android::frameworks::sensorservice::implementation::SensorManagerAidl;
			using ndk::SharedRefBase;

			[[clang::no_destroy]] static std::once_flag gSmOnce;

			extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
			static android::sp<android::ServiceManager> fakeServiceManager = new android::ServiceManager();
			std::call_once(gSmOnce, [&] { setDefaultServiceManager(fakeServiceManager); });
			fakeServiceManager->clear();

			FuzzedDataProvider fdp(data, size);
			android::sp<android::IBinder> binder = android::getRandomBinder(&fdp);
			if (binder == nullptr) {
			// Nothing to do if we get a null binder. It will cause SensorManager to
			// hang while trying to get sensorservice.
			return 0;
			}

			CHECK(android::NO_ERROR == fakeServiceManager->addService(android::String16("sensorservice"),
			binder));

			std::shared_ptr<SensorManagerAidl> sensorService =
			ndk::SharedRefBase::make<SensorManagerAidl>(nullptr);

			fuzzService(sensorService->asBinder().get(), std::move(fdp));

			return 0;
			}