# Fuzzer for libaaudio

## Plugin Design Considerations
The fuzzer plugin for `libaaudio` is designed based on an understanding of the
source code and tries to achieve the following:

##### Maximize code coverage
The configuration parameters are not hardcoded, but instead selected based on
incoming data. This ensures more code paths are reached by the fuzzer.

The fuzzer assigns values to the following parameters, which are passed on to libaaudio:
1. Device Id (parameter name: `deviceId`)
2. Sampling Rate (parameter name: `sampleRate`)
3. Number of channels (parameter name: `channelCount`)
4. Audio Travel Direction (parameter name: `direction`)
5. Audio Format (parameter name: `format`)
6. Audio Sharing Mode (parameter name: `sharingMode`)
7. Audio Usage (parameter name: `usage`)
8. Audio Content type (parameter name: `contentType`)
9. Audio Input Preset (parameter name: `inputPreset`)
10. Audio Privacy Sensitivity (parameter name: `privacySensitive`)
11. Buffer Capacity In Frames (parameter name: `frames`)
12. Performance Mode (parameter name: `mode`)
13. Allowed Capture Policy (parameter name: `allowedCapturePolicy`)
14. Session Id (parameter name: `sessionId`)
15. Frames per Data Callback (parameter name: `framesPerDataCallback`)
16. MMap Policy (parameter name: `policy`)

| Parameter| Valid Values| Configured Value|
|------------- |-------------| ----- |
| `deviceId` | Any value of type `int32_t` | Value obtained from FuzzedDataProvider |
| `sampleRate` | Any value of type `int32_t` | Value obtained from FuzzedDataProvider |
| `channelCount` | Any value of type `int32_t` | Value obtained from FuzzedDataProvider |
| `direction` | 0. `AAUDIO_DIRECTION_OUTPUT` 1. `AAUDIO_DIRECTION_INPUT` | Value obtained from FuzzedDataProvider |
| `format` | 0. `AAUDIO_FORMAT_INVALID` 1. `AAUDIO_FORMAT_UNSPECIFIED` 2. `AAUDIO_FORMAT_PCM_I16` 3. `AAUDIO_FORMAT_PCM_FLOAT` | Value obtained from FuzzedDataProvider |
| `sharingMode` | 0. `AAUDIO_SHARING_MODE_EXCLUSIVE` 1. `AAUDIO_SHARING_MODE_SHARED` | Value obtained from FuzzedDataProvider |
| `usage` | 0. `AAUDIO_USAGE_MEDIA` 1. `AAUDIO_USAGE_VOICE_COMMUNICATION` 2. `AAUDIO_USAGE_VOICE_COMMUNICATION_SIGNALLING` 3. `AAUDIO_USAGE_ALARM` 4. `AAUDIO_USAGE_NOTIFICATION` 5. `AAUDIO_USAGE_NOTIFICATION_RINGTONE` 6. `AAUDIO_USAGE_NOTIFICATION_EVENT` 7. `AAUDIO_USAGE_ASSISTANCE_ACCESSIBILITY` 8. `AAUDIO_USAGE_ASSISTANCE_NAVIGATION_GUIDANCE` 9. `AAUDIO_USAGE_ASSISTANCE_SONIFICATION` 10. `AAUDIO_USAGE_GAME` 11. `AAUDIO_USAGE_ASSISTANT` 12. `AAUDIO_SYSTEM_USAGE_EMERGENCY` 13. `AAUDIO_SYSTEM_USAGE_SAFETY` 14. `AAUDIO_SYSTEM_USAGE_VEHICLE_STATUS` 15. `AAUDIO_SYSTEM_USAGE_ANNOUNCEMENT` | Value obtained from FuzzedDataProvider |
| `contentType` | 0. `AAUDIO_CONTENT_TYPE_SPEECH` 1. `AAUDIO_CONTENT_TYPE_MUSIC` 2. `AAUDIO_CONTENT_TYPE_MOVIE` 3. `AAUDIO_CONTENT_TYPE_SONIFICATION` | Value obtained from FuzzedDataProvider |
| `inputPreset` | 0. `AAUDIO_INPUT_PRESET_GENERIC` 1. `AAUDIO_INPUT_PRESET_CAMCORDER` 2. `AAUDIO_INPUT_PRESET_VOICE_RECOGNITION` 3. `AAUDIO_INPUT_PRESET_VOICE_COMMUNICATION` 4. `AAUDIO_INPUT_PRESET_UNPROCESSED` 5. `AAUDIO_INPUT_PRESET_VOICE_PERFORMANCE` | Value obtained from FuzzedDataProvider |
| `privacySensitive` | 0. `true` 1. `false` | Value obtained from FuzzedDataProvider |
| `frames` | Any value of type `int32_t` | Value obtained from FuzzedDataProvider |
| `mode` | 0. `AAUDIO_PERFORMANCE_MODE_NONE` 1. `AAUDIO_PERFORMANCE_MODE_POWER_SAVING` 2. `AAUDIO_PERFORMANCE_MODE_LOW_LATENCY` | Value obtained from FuzzedDataProvider |
| `allowedCapturePolicy` | 0. `AAUDIO_ALLOW_CAPTURE_BY_ALL` 1. `AAUDIO_ALLOW_CAPTURE_BY_SYSTEM` 2. `AAUDIO_ALLOW_CAPTURE_BY_NONE` | Value obtained from FuzzedDataProvider |
| `sessionId` | 0. `AAUDIO_SESSION_ID_NONE` 1. `AAUDIO_SESSION_ID_ALLOCATE` | Value obtained from FuzzedDataProvider |
| `framesPerDataCallback` | Any value of type `int32_t` | Value obtained from FuzzedDataProvider |
| `policy` | 0. `AAUDIO_POLICY_NEVER` 1. `AAUDIO_POLICY_AUTO` 2. `AAUDIO_POLICY_ALWAYS` | Value obtained from FuzzedDataProvider |

This also ensures that the plugin is always deterministic for any given input.

##### Maximize utilization of input data
The plugin feeds the entire input data to the module.
This ensures that the plugin tolerates any kind of input (empty, huge,
malformed, etc.) and doesn't `exit()` on any input, thereby increasing the
chance of identifying vulnerabilities.

## Build

This describes the steps to build the libaaudio_fuzzer binary.

### Android

#### Steps to build
Build the fuzzer
```
  $ mm -j$(nproc) libaaudio_fuzzer
```
#### Steps to run

To run on device
```
  $ adb sync data
  $ adb shell /data/fuzz/arm64/libaaudio_fuzzer/libaaudio_fuzzer
```

## References:
 * http://llvm.org/docs/LibFuzzer.html
 * https://github.com/google/oss-fuzz
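
The parameter selection described under "Maximize code coverage", as an added sketch that is not the project's fuzzer source: `MiniProvider` is a hypothetical stand-in for `FuzzedDataProvider`, and the enum values are local placeholders for the `AAUDIO_*` constants. It covers five of the sixteen parameters and shows that the same bytes always give the same configuration, and that empty or truncated input still yields one.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Hypothetical stand-in for FuzzedDataProvider so this builds without the
// fuzzer headers. It reads front to back and yields 0 once input runs out.
class MiniProvider {
  public:
    MiniProvider(const uint8_t* data, size_t size) : mData(data), mSize(size) {}
    int32_t consumeInt32() {  // up to 4 bytes, big-endian; fewer if truncated
        uint32_t v = 0;
        for (int i = 0; i < 4 && mSize > 0; ++i, ++mData, --mSize) v = (v << 8) | *mData;
        return static_cast<int32_t>(v);
    }
    template <typename T, size_t N>
    T pickFrom(const T (&choices)[N]) {  // one byte selects a list entry
        uint8_t b = 0;
        if (mSize > 0) { b = *mData++; --mSize; }
        return choices[b % N];
    }
  private:
    const uint8_t* mData; size_t mSize;
};

// Local placeholders; a real harness uses the AAUDIO_* constants instead.
enum Direction { kOutput, kInput };
enum Format { kInvalid, kUnspecified, kPcmI16, kPcmFloat };
constexpr Direction kDirections[] = {kOutput, kInput};
constexpr Format kFormats[] = {kInvalid, kUnspecified, kPcmI16, kPcmFloat};

struct StreamConfig {
    int32_t deviceId, sampleRate, channelCount;
    Direction direction; Format format;
};

// Braced initializers are evaluated left to right, so bytes are always
// consumed in the same order and one input maps to exactly one config.
StreamConfig configFromInput(const uint8_t* data, size_t size) {
    MiniProvider fdp(data, size);
    return StreamConfig{fdp.consumeInt32(), fdp.consumeInt32(), fdp.consumeInt32(),
                        fdp.pickFrom(kDirections), fdp.pickFrom(kFormats)};
}

int main() {
    const uint8_t sample[] = {0, 0, 0, 1, 0, 0, 0xBB, 0x80, 0, 0, 0, 2, 1, 6};  // constructed
    StreamConfig c = configFromInput(sample, sizeof(sample));
    std::printf("rate=%d channels=%d format=%d\n", c.sampleRate, c.channelCount, static_cast<int>(c.format));
    return 0;
}
```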