Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit ca9c28df authored by Devin Moore's avatar Devin Moore
Browse files

sensorservice: Adding fuzzer 

Test: libsensorserviceaidl_fuzzer
Bug: 205764765

Change-Id: Ia4cd7c25ab0e0d513e2f998bf5e1db2997b3a194
parent 8cc776ae

libs/sensor/Android.bp

+2 −1
Original line number Diff line number Diff line
@@ -21,9 +21,10 @@ package { 
    default_applicable_licenses: ["frameworks_native_license"],

}



cc_library_shared {

cc_library {

    name: "libsensor",



    host_supported: true,

    cflags: [

        "-Wall",

        "-Werror",

services/sensorservice/aidl/Android.bp

+2 −1
Original line number Diff line number Diff line
@@ -7,7 +7,7 @@ package { 
    default_applicable_licenses: ["frameworks_native_license"],

}



cc_library_shared {

cc_library {

    name: "libsensorserviceaidl",

    srcs: [

        "EventQueue.cpp",
@@ -15,6 +15,7 @@ cc_library_shared { 
        "SensorManager.cpp",

        "utils.cpp",

    ],

    host_supported: true,

    cflags: [

        "-Wall",

        "-Werror",

services/sensorservice/aidl/EventQueue.cpp

+1 −1
Original line number Diff line number Diff line
@@ -34,7 +34,7 @@ public: 
                             std::shared_ptr<IEventQueueCallback> callback)

          : mQueue(queue), mCallback(callback) {}



    int handleEvent(__unused int fd, __unused int events, __unused void* data) {

    int handleEvent(int /* fd */, int /* events */, void* /* data */) {

        ASensorEvent event;

        ssize_t actual;

services/sensorservice/aidl/fuzzer/Android.bp

0 → 100644
+52 −0
Original line number Diff line number Diff line 
package {

    // See: http://go/android-license-faq

    // A large-scale-change added 'default_applicable_licenses' to import

    // all of the 'license_kinds' from "frameworks_native_license"

    // to get the below license kinds:

    //   SPDX-license-identifier-Apache-2.0

    default_applicable_licenses: ["frameworks_native_license"],

}



cc_fuzz {

    name: "libsensorserviceaidl_fuzzer",

    defaults: [

        "service_fuzzer_defaults",

    ],

    host_supported: true,

    static_libs: [

        "libsensorserviceaidl",

        "libpermission",

        "android.frameworks.sensorservice-V1-ndk",

        "android.hardware.sensors-V1-convert",

        "android.hardware.sensors-V1-ndk",

        "android.hardware.common-V2-ndk",

        "libsensor",

        "libfakeservicemanager",

        "libcutils",

        "liblog",

    ],

    srcs: [

        "fuzzer.cpp",

    ],

    fuzz_config: {

        cc: [

            "android-sensors@google.com",

            "devinmoore@google.com",

        ],

    },

    sanitize: {

        misc_undefined: [

            "signed-integer-overflow",

            "unsigned-integer-overflow",

        ],

        diag: {

            misc_undefined: [

                "signed-integer-overflow",

                "unsigned-integer-overflow",

            ],

        },

        address: true,

        integer_overflow: true,

    },



}

services/sensorservice/aidl/fuzzer/fuzzer.cpp

0 → 100644
+53 −0
Original line number Diff line number Diff line 
/*

 * Copyright (C) 2022 The Android Open Source Project

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at

 *

 *      http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */

#include <fuzzbinder/libbinder_ndk_driver.h>

#include <fuzzer/FuzzedDataProvider.h>



#include <ServiceManager.h>

#include <android-base/logging.h>

#include <android/binder_interface_utils.h>

#include <fuzzbinder/random_binder.h>

#include <sensorserviceaidl/SensorManagerAidl.h>



using android::fuzzService;

using android::frameworks::sensorservice::implementation::SensorManagerAidl;

using ndk::SharedRefBase;



[[clang::no_destroy]] static std::once_flag gSmOnce;



extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {

    static android::sp<android::ServiceManager> fakeServiceManager = new android::ServiceManager();

    std::call_once(gSmOnce, [&] { setDefaultServiceManager(fakeServiceManager); });

    fakeServiceManager->clear();



    FuzzedDataProvider fdp(data, size);

    android::sp<android::IBinder> binder = android::getRandomBinder(&fdp);

    if (binder == nullptr) {

        // Nothing to do if we get a null binder. It will cause SensorManager to

        // hang while trying to get sensorservice.

        return 0;

    }



    CHECK(android::NO_ERROR == fakeServiceManager->addService(android::String16("sensorservice"),

                                   binder));



    std::shared_ptr<SensorManagerAidl> sensorService =

            ndk::SharedRefBase::make<SensorManagerAidl>(nullptr);



    fuzzService(sensorService->asBinder().get(), std::move(fdp));



    return 0;

}