# Fuzzers for libcamera_client

## Plugin Design Considerations
The fuzzer plugins for libcamera_client are designed based on the understanding of the
source code and try to achieve the following:

##### Maximize code coverage
The configuration parameters are not hardcoded, but instead selected based on
incoming data. This ensures more code paths are reached by the fuzzers.

libcamera_client supports the following parameters:
1. Command (parameter name: `cmd`)
2. Video Buffer Mode (parameter name: `videoBufferMode`)
3. Preview Callback Flag (parameter name: `previewCallbackFlag`)
4. Facing (parameter name: `facing`)
5. Orientation (parameter name: `orientation`)
6. Format (parameter name: `format`)

| Parameter | Valid Values | Configured Value |
|-------------|-------------|-----|
| `cmd` | 0. `CAMERA_CMD_START_SMOOTH_ZOOM` 1. `CAMERA_CMD_STOP_SMOOTH_ZOOM` 3. `CAMERA_CMD_SET_DISPLAY_ORIENTATION` 4. `CAMERA_CMD_ENABLE_SHUTTER_SOUND` 5. `CAMERA_CMD_PLAY_RECORDING_SOUND` 6. `CAMERA_CMD_START_FACE_DETECTION` 7. `CAMERA_CMD_STOP_FACE_DETECTION` 8. `CAMERA_CMD_ENABLE_FOCUS_MOVE_MSG` 9. `CAMERA_CMD_PING` 10. `CAMERA_CMD_SET_VIDEO_BUFFER_COUNT` 11. `CAMERA_CMD_SET_VIDEO_FORMAT` | Value obtained from FuzzedDataProvider |
| `videoBufferMode` | 0. `ICamera::VIDEO_BUFFER_MODE_DATA_CALLBACK_YUV` 1. `ICamera::VIDEO_BUFFER_MODE_DATA_CALLBACK_METADATA` 2. `ICamera::VIDEO_BUFFER_MODE_BUFFER_QUEUE` | Value obtained from FuzzedDataProvider |
| `previewCallbackFlag` | 0. `CAMERA_FRAME_CALLBACK_FLAG_ENABLE_MASK` 1. `CAMERA_FRAME_CALLBACK_FLAG_ONE_SHOT_MASK` 2. `CAMERA_FRAME_CALLBACK_FLAG_COPY_OUT_MASK` 3. `CAMERA_FRAME_CALLBACK_FLAG_NOOP` 4. `CAMERA_FRAME_CALLBACK_FLAG_CAMCORDER` 5. `CAMERA_FRAME_CALLBACK_FLAG_CAMERA` 6. `CAMERA_FRAME_CALLBACK_FLAG_BARCODE_SCANNER` | Value obtained from FuzzedDataProvider |
| `facing` | 0. `android::hardware::CAMERA_FACING_BACK` 1. `android::hardware::CAMERA_FACING_FRONT` | Value obtained from FuzzedDataProvider |
| `orientation` | 0. `0` 1. `90` 2. `180` 3. `270` | Value obtained from FuzzedDataProvider |
| `format` | 0. `CameraParameters::PIXEL_FORMAT_YUV422SP` 1. `CameraParameters::PIXEL_FORMAT_YUV420SP` 2. `CameraParameters::PIXEL_FORMAT_YUV422I` 3. `CameraParameters::PIXEL_FORMAT_YUV420P` 4. `CameraParameters::PIXEL_FORMAT_RGB565` 5. `CameraParameters::PIXEL_FORMAT_RGBA8888` 6. `CameraParameters::PIXEL_FORMAT_JPEG` 7. `CameraParameters::PIXEL_FORMAT_BAYER_RGGB` 8. `CameraParameters::PIXEL_FORMAT_ANDROID_OPAQUE` | Value obtained from FuzzedDataProvider |

This also ensures that the plugins are always deterministic for any given input.

##### Maximize utilization of input data
The plugins feed the entire input data to the module.
This ensures that the plugins tolerate any kind of input (empty, huge,
malformed, etc.) and don't `exit()` on any input, thereby increasing the
chance of identifying vulnerabilities.

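As an added illustration of the two design goals above (not code from the libcamera_client fuzzers), this sketch selects `facing`, `orientation` and `videoBufferMode` from the input bytes and passes everything else on as payload. `ByteSource`, `CameraConfig` and `buildConfig` are hypothetical names; `ByteSource` is a simplified stand-in for `FuzzedDataProvider`, and `facing`/`videoBufferMode` use the table's list positions as placeholders for the real constants.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Simplified stand-in for FuzzedDataProvider (assumption: written for this
// example so it builds without the libFuzzer headers).
class ByteSource {
  public:
    ByteSource(const uint8_t* data, size_t size) : mData(data), mSize(size) {}
    // Map one input byte onto a fixed list of valid values. Exhausted input
    // falls back to the first entry, so short or empty inputs stay valid.
    template <typename T, size_t N>
    T pick(const T (&values)[N]) {
        if (mPos >= mSize) return values[0];
        return values[mData[mPos++] % N];
    }
    // Everything not consumed for configuration is handed to the target.
    std::vector<uint8_t> remaining() {
        std::vector<uint8_t> out(mData + mPos, mData + mSize);
        mPos = mSize;
        return out;
    }
  private:
    const uint8_t* mData;
    size_t mSize;
    size_t mPos = 0;
};

// Valid values taken from the table; facing and videoBufferMode are the
// table's list positions (placeholders for the real enum constants).
constexpr int32_t kFacing[] = {0, 1};
constexpr int32_t kOrientation[] = {0, 90, 180, 270};
constexpr int32_t kVideoBufferMode[] = {0, 1, 2};

struct CameraConfig { int32_t facing, orientation, videoBufferMode; size_t payloadSize; };

// Same bytes in, same configuration out: no clock, no rand().
CameraConfig buildConfig(const uint8_t* data, size_t size) {
    ByteSource src(data, size);
    CameraConfig cfg{};
    cfg.facing = src.pick(kFacing);
    cfg.orientation = src.pick(kOrientation);
    cfg.videoBufferMode = src.pick(kVideoBufferMode);
    cfg.payloadSize = src.remaining().size();  // the rest of the input is used
    return cfg;
}

extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    buildConfig(data, size);  // a real harness would drive the client API here
    return 0;                 // never exit() on empty or malformed input
}
```

With a libFuzzer toolchain the same file builds as a harness using `clang++ -fsanitize=fuzzer,address`.
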
## Build

This describes steps to build camera_fuzzer, camera2CaptureRequest_fuzzer, camera2ConcurrentCamera_fuzzer, camera2SubmitInfo_fuzzer, camera2SessionConfiguration_fuzzer, camera2OutputConfiguration_fuzzer, vendorTagDescriptor_fuzzer, cameraParameters_fuzzer, cameraSessionStats_fuzzer and captureResult_fuzzer binaries.

### Android

#### Steps to build
Build the fuzzer
```
  $ mm -j$(nproc) camera_fuzzer
  $ mm -j$(nproc) camera_c2CaptureRequest_fuzzer
  $ mm -j$(nproc) camera_c2ConcurrentCamera_fuzzer
  $ mm -j$(nproc) camera_c2SubmitInfo_fuzzer
  $ mm -j$(nproc) camera_c2SessionConfiguration_fuzzer
  $ mm -j$(nproc) camera_c2OutputConfiguration_fuzzer
  $ mm -j$(nproc) camera_vendorTagDescriptor_fuzzer
  $ mm -j$(nproc) camera_Parameters_fuzzer
  $ mm -j$(nproc) camera_SessionStats_fuzzer
  $ mm -j$(nproc) camera_captureResult_fuzzer
  $ mm -j$(nproc) camera_utils_fuzzer
  $ mm -j$(nproc) camera_metadata_fuzzer
```
#### Steps to run
To run on device
```
  $ adb sync data
  $ adb shell /data/fuzz/${TARGET_ARCH}/camera_fuzzer/camera_fuzzer
  $ adb shell /data/fuzz/${TARGET_ARCH}/camera_c2CaptureRequest_fuzzer/camera_c2CaptureRequest_fuzzer
  $ adb shell /data/fuzz/${TARGET_ARCH}/camera_c2ConcurrentCamera_fuzzer/camera_c2ConcurrentCamera_fuzzer
  $ adb shell /data/fuzz/${TARGET_ARCH}/camera_c2SubmitInfo_fuzzer/camera_c2SubmitInfo_fuzzer
  $ adb shell /data/fuzz/${TARGET_ARCH}/camera_c2SessionConfiguration_fuzzer/camera_c2SessionConfiguration_fuzzer
  $ adb shell /data/fuzz/${TARGET_ARCH}/camera_c2OutputConfiguration_fuzzer/camera_c2OutputConfiguration_fuzzer
  $ adb shell /data/fuzz/${TARGET_ARCH}/camera_vendorTagDescriptor_fuzzer/camera_vendorTagDescriptor_fuzzer
  $ adb shell /data/fuzz/${TARGET_ARCH}/camera_Parameters_fuzzer/camera_Parameters_fuzzer
  $ adb shell /data/fuzz/${TARGET_ARCH}/camera_SessionStats_fuzzer/camera_SessionStats_fuzzer
  $ adb shell /data/fuzz/${TARGET_ARCH}/camera_captureResult_fuzzer/camera_captureResult_fuzzer
  $ adb shell /data/fuzz/${TARGET_ARCH}/camera_utils_fuzzer/camera_utils_fuzzer
  $ adb shell /data/fuzz/${TARGET_ARCH}/camera_metadata_fuzzer/camera_metadata_fuzzer
```

## References:
 * http://llvm.org/docs/LibFuzzer.html
 * https://github.com/google/oss-fuzz