# Fuzzer for libaudioflinger

## Plugin Design Considerations
The fuzzer plugin for libaudioflinger is designed based on the understanding of the
library and tries to achieve the following:

##### Maximize code coverage
The configuration parameters are not hardcoded, but instead selected based on
incoming data. This ensures more code paths are reached by the fuzzer. The fuzzer
covers libaudioflinger APIs as called from libaudioclient through IPC.

libaudioflinger supports the following parameters:
1. Unique IDs (parameter name: `uniqueId`)
2. Audio Mode (parameter name: `mode`)
3. Session ID (parameter name: `sessionId`)
4. Encapsulation Mode (parameter name: `encapsulationMode`)
5. Audio Port Role (parameter name: `portRole`)
6. Audio Port Type (parameter name: `portType`)
7. Audio Stream Type (parameter name: `streamType`)
8. Audio Format (parameter name: `format`)
9. Audio Channel Mask (parameter name: `channelMask`)
10. Usage (parameter name: `usage`)
11. Audio Content Type (parameter name: `contentType`)
12. Input Source (parameter name: `inputSource`)
13. Input Flags (parameter name: `inputFlags`)
14. Output Flags (parameter name: `outputFlags`)
15. Audio Gain Mode (parameter name: `gainMode`)
16. Audio Device (parameter name: `device`)

| Parameter| Valid Values| Configured Value|
|------------- |-------------| ----- |
| `uniqueId` | 0. `AUDIO_UNIQUE_ID_USE_UNSPECIFIED` 1. `AUDIO_UNIQUE_ID_USE_SESSION` 2. `AUDIO_UNIQUE_ID_USE_MODULE` 3. `AUDIO_UNIQUE_ID_USE_EFFECT` 4. `AUDIO_UNIQUE_ID_USE_PATCH` 5. `AUDIO_UNIQUE_ID_USE_OUTPUT` 6. `AUDIO_UNIQUE_ID_USE_INPUT` 7. `AUDIO_UNIQUE_ID_USE_CLIENT` 8. `AUDIO_UNIQUE_ID_USE_MAX` | Value obtained from FuzzedDataProvider|
| `mode` | 0. `AUDIO_MODE_INVALID` 1. `AUDIO_MODE_CURRENT` 2. `AUDIO_MODE_NORMAL` 3. `AUDIO_MODE_RINGTONE` 4. `AUDIO_MODE_IN_CALL` 5. `AUDIO_MODE_IN_COMMUNICATION` 6. `AUDIO_MODE_CALL_SCREEN` | Value obtained from FuzzedDataProvider|
| `sessionId` | 0. `AUDIO_SESSION_NONE` 1. `AUDIO_SESSION_OUTPUT_STAGE` 2. `AUDIO_SESSION_DEVICE` | Value obtained from FuzzedDataProvider|
| `encapsulationMode` | 0. `AUDIO_ENCAPSULATION_MODE_NONE` 1. `AUDIO_ENCAPSULATION_MODE_ELEMENTARY_STREAM` 2. `AUDIO_ENCAPSULATION_MODE_HANDLE` | Value obtained from FuzzedDataProvider|
| `portRole` | 0. `AUDIO_PORT_ROLE_NONE` 1. `AUDIO_PORT_ROLE_SOURCE` 2. `AUDIO_PORT_ROLE_SINK` | Value obtained from FuzzedDataProvider|
| `portType` | 0. `AUDIO_PORT_TYPE_NONE` 1. `AUDIO_PORT_TYPE_DEVICE` 2. `AUDIO_PORT_TYPE_MIX` 3. `AUDIO_PORT_TYPE_SESSION`| Value obtained from FuzzedDataProvider|
| `streamType` | 15 values of type `audio_stream_type_t` | Value chosen from valid values by obtaining index from FuzzedDataProvider |
| `format` | 77 values of type `audio_format_t` | Value chosen from valid values by obtaining index from FuzzedDataProvider |
| `channelMask` | 83 values of type `audio_channel_mask_t` | Value chosen from valid values by obtaining index from FuzzedDataProvider |
| `usage` | 22 values of type `audio_usage_t` | Value chosen from valid values by obtaining index from FuzzedDataProvider |
| `contentType` | 5 values of type `audio_content_type_t` | Value chosen from valid values by obtaining index from FuzzedDataProvider |
| `inputSource` | 14 values of type `audio_source_t` | Value chosen from valid values by obtaining index from FuzzedDataProvider |
| `inputFlags` | 9 values of type `audio_input_flags_t` | Value chosen from valid values by obtaining index from FuzzedDataProvider |
| `outputFlags` | 16 values of type `audio_output_flags_t` | Value chosen from valid values by obtaining index from FuzzedDataProvider |
| `gainMode` | 3 values of type `audio_gain_mode_t` | Value chosen from valid values by obtaining index from FuzzedDataProvider |
| `device` | 66 values of type `audio_devices_t` | Value chosen from valid values by obtaining index from FuzzedDataProvider |

This also ensures that the plugin is always deterministic for any given input.

##### Maximize utilization of input data
The plugin tolerates any kind of input (empty, huge,
malformed, etc.) and doesn't `exit()` on any input, thereby increasing the
chance of identifying vulnerabilities.

## Build

This describes the steps to build the audioflinger_fuzzer binary.

### Android

#### Steps to build
Build the fuzzer
```
  $ mm -j$(nproc) audioflinger_fuzzer
```

#### Steps to run
Create a directory CORPUS_DIR and copy some files to that folder.
Push this directory to device.

To run on device
```
  $ adb sync data
  $ adb shell /data/fuzz/arm64/audioflinger_fuzzer/audioflinger_fuzzer CORPUS_DIR
```

## References:
 * http://llvm.org/docs/LibFuzzer.html
 * https://github.co
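
The index-based selection described under "Maximize code coverage" and the input tolerance described under "Maximize utilization of input data", shown as an added example that is not code from the fuzzer itself. `ByteCursor`, `PortConfig` and `selectPortConfig` are hypothetical names, `ByteCursor` is a simplified stand-in for FuzzedDataProvider, and the two enums are local copies of table rows rather than the platform header definitions.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Local stand-ins for two enums from the table (assumed values, not the platform headers).
enum PortRole { AUDIO_PORT_ROLE_NONE, AUDIO_PORT_ROLE_SOURCE, AUDIO_PORT_ROLE_SINK };
enum PortType { AUDIO_PORT_TYPE_NONE, AUDIO_PORT_TYPE_DEVICE,
                AUDIO_PORT_TYPE_MIX, AUDIO_PORT_TYPE_SESSION };

constexpr std::array<PortRole, 3> kPortRoles = {{
    AUDIO_PORT_ROLE_NONE, AUDIO_PORT_ROLE_SOURCE, AUDIO_PORT_ROLE_SINK}};
constexpr std::array<PortType, 4> kPortTypes = {{
    AUDIO_PORT_TYPE_NONE, AUDIO_PORT_TYPE_DEVICE,
    AUDIO_PORT_TYPE_MIX, AUDIO_PORT_TYPE_SESSION}};

// Hypothetical minimal byte consumer; the real harness uses FuzzedDataProvider.
class ByteCursor {
public:
    ByteCursor(const std::uint8_t* data, std::size_t size) : data_(data), size_(size) {}
    // Returns an index in [0, count). Yields 0 once the input is exhausted,
    // so empty or short inputs still select a valid entry instead of aborting.
    std::size_t pickIndex(std::size_t count) {
        if (count == 0 || pos_ >= size_) return 0;
        return data_[pos_++] % count;
    }
private:
    const std::uint8_t* data_;
    std::size_t size_;
    std::size_t pos_ = 0;
};

struct PortConfig { PortRole role; PortType type; };

// Same bytes in, same configuration out: no clock, no rand(), no exit().
PortConfig selectPortConfig(const std::uint8_t* data, std::size_t size) {
    ByteCursor cursor(data, size);
    PortConfig cfg;
    cfg.role = kPortRoles[cursor.pickIndex(kPortRoles.size())];
    cfg.type = kPortTypes[cursor.pickIndex(kPortTypes.size())];
    return cfg;
}

int main() {
    const std::uint8_t sample[] = {0x05, 0x0B};  // constructed input
    PortConfig cfg = selectPortConfig(sample, sizeof(sample));
    std::printf("role=%d type=%d\n", static_cast<int>(cfg.role), static_cast<int>(cfg.type));
    return 0;
}
```

Because every selected value is an index into a fixed table, a crash found with a given corpus file reproduces with that same file.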