xref: /aosp_15_r20/frameworks/av/media/libaudioclient/aidl/fuzzer/audioflinger_aidl_fuzzer.cpp (revision ec779b8e0859a360c3d303172224686826e6e0e1) 
1 /*
2  * Copyright (C) 2022 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at:
7  *
8  * http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  *
16  */
17 #include <AudioFlinger.h>
18 #include <android-base/logging.h>
19 #include <android/binder_interface_utils.h>
20 #include <android/binder_manager.h>
21 #include <android/binder_process.h>
22 #include <android/media/IAudioPolicyService.h>
23 #include <core-mock/ConfigMock.h>
24 #include <core-mock/ModuleMock.h>
25 #include <effect-mock/FactoryMock.h>
26 #include <fakeservicemanager/FakeServiceManager.h>
27 #include <fuzzbinder/libbinder_driver.h>
28 #include <fuzzbinder/random_binder.h>
29 #include <fuzzer/FuzzedDataProvider.h>
30 #include <media/IAudioFlinger.h>
31 #include <service/AudioPolicyService.h>
32 
33 using namespace android;
34 using namespace android::binder;
35 using android::fuzzService;
36 
37 [[clang::no_destroy]] static std::once_flag gSmOnce;
38 sp<FakeServiceManager> gFakeServiceManager;
39 sp<AudioFlingerServerAdapter> gAudioFlingerServerAdapter;
40 
addService(const String16 & serviceName,const sp<FakeServiceManager> & fakeServiceManager,FuzzedDataProvider & fdp)41 bool addService(const String16& serviceName, const sp<FakeServiceManager>& fakeServiceManager,
42                 FuzzedDataProvider& fdp) {
43     sp<IBinder> binder = getRandomBinder(&fdp);
44     if (binder == nullptr) {
45         return false;
46     }
47     CHECK_EQ(NO_ERROR, fakeServiceManager->addService(serviceName, binder));
48     return true;
49 }
50 
LLVMFuzzerInitialize(int *,char ***)51 extern "C" int LLVMFuzzerInitialize(int* /*argc*/, char*** /*argv*/) {
52     /* Create a FakeServiceManager instance and add required services */
53     gFakeServiceManager = sp<FakeServiceManager>::make();
54     setDefaultServiceManager(gFakeServiceManager);
55 
56     auto configService = ndk::SharedRefBase::make<ConfigMock>();
57     CHECK_EQ(NO_ERROR, AServiceManager_addService(configService.get()->asBinder().get(),
58                                                   "android.hardware.audio.core.IConfig/default"));
59 
60     auto factoryService = ndk::SharedRefBase::make<FactoryMock>();
61     CHECK_EQ(NO_ERROR,
62              AServiceManager_addService(factoryService.get()->asBinder().get(),
63                                         "android.hardware.audio.effect.IFactory/default"));
64 
65     auto moduleService = ndk::SharedRefBase::make<ModuleMock>();
66     CHECK_EQ(NO_ERROR, AServiceManager_addService(moduleService.get()->asBinder().get(),
67                                                   "android.hardware.audio.core.IModule/default"));
68 
69     // Disable creating thread pool for fuzzer instance of audio flinger and audio policy services
70     AudioSystem::disableThreadPool();
71 
72     return 0;
73 }
74 
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)75 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
76     FuzzedDataProvider fdp(data, size);
77 
78     for (const char* service : {"activity", "sensor_privacy", "permission", "scheduling_policy",
79                                 "batterystats", "media.metrics"}) {
80         if (!addService(String16(service), gFakeServiceManager, fdp)) {
81             return 0;
82         }
83     }
84 
85     // TODO(330882064) : Initialise Audio Flinger and Audio Policy services every time
86     std::call_once(gSmOnce, [&] {
87         const auto audioFlinger = sp<AudioFlinger>::make();
88         gAudioFlingerServerAdapter = sp<AudioFlingerServerAdapter>::make(audioFlinger);
89         CHECK_EQ(NO_ERROR,
90                  gFakeServiceManager->addService(String16(IAudioFlinger::DEFAULT_SERVICE_NAME),
91                                                  IInterface::asBinder(gAudioFlingerServerAdapter),
92                                                  false /* allowIsolated */,
93                                                  IServiceManager::DUMP_FLAG_PRIORITY_DEFAULT));
94 
95         const auto audioPolicyService = sp<AudioPolicyService>::make();
96         CHECK_EQ(NO_ERROR,
97                  gFakeServiceManager->addService(String16("media.audio_policy"), audioPolicyService,
98                                                  false /* allowIsolated */,
99                                                  IServiceManager::DUMP_FLAG_PRIORITY_DEFAULT));
100     });
101 
102     fuzzService(media::IAudioFlingerService::asBinder(gAudioFlingerServerAdapter), std::move(fdp));
103 
104     return 0;
105 }
106