1 /*
2  * Copyright (C) 2023 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at:
7  *
8  * http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  *
16  */
17 
18 #include <AudioFlinger.h>
19 #include <android-base/logging.h>
20 #include <android/binder_interface_utils.h>
21 #include <android/binder_manager.h>
22 #include <android/binder_process.h>
23 #include <android/media/IAudioPolicyService.h>
24 #include <core-mock/ConfigMock.h>
25 #include <core-mock/ModuleMock.h>
26 #include <effect-mock/FactoryMock.h>
27 #include <fakeservicemanager/FakeServiceManager.h>
28 #include <fuzzbinder/libbinder_driver.h>
29 #include <fuzzbinder/random_binder.h>
30 #include <fuzzer/FuzzedDataProvider.h>
31 #include <media/IAudioFlinger.h>
32 #include <service/AudioPolicyService.h>
33 
34 using namespace android;
35 using namespace android::binder;
36 using namespace android::hardware;
37 using android::fuzzService;
38 
// Guards the one-time construction of AudioFlinger and AudioPolicyService performed inside
// LLVMFuzzerTestOneInput. [[clang::no_destroy]] keeps Clang from registering an exit-time
// destructor for the flag.
[[clang::no_destroy]] static std::once_flag gSmOnce;
// In-process service manager. LLVMFuzzerInitialize creates it and installs it as the default
// service manager; every fuzz iteration then registers its binders on it.
sp<FakeServiceManager> gFakeServiceManager;
// The service under test. It is created once under gSmOnce and reused by all later iterations,
// so whatever state one input leaves behind is still there for the next input.
sp<AudioPolicyService> gAudioPolicyService;
42 
// Registers a binder obtained from getRandomBinder() under `serviceName` on the given fake
// service manager.
//
// Returns false when getRandomBinder() yields no binder (nothing is registered in that case),
// true once the binder has been registered. A registration error is not reported to the
// caller: CHECK_EQ aborts the process instead.
//
// NOTE(review): the binder is built from `fdp`, so whatever this dependency answers to the
// service under test is presumably fuzz-derived as well -- confirm against random_binder.h.
bool addService(const String16& serviceName, const sp<FakeServiceManager>& fakeServiceManager,
                FuzzedDataProvider& fdp) {
    const sp<IBinder> randomBinder = getRandomBinder(&fdp);
    if (randomBinder != nullptr) {
        CHECK_EQ(NO_ERROR, fakeServiceManager->addService(serviceName, randomBinder));
        return true;
    }
    return false;
}
52 
// One-time libFuzzer setup hook; argc/argv are ignored.
//
// Installs a FakeServiceManager as the process default, publishes the mock audio HAL services
// (IConfig, IFactory, IModule) under their "/default" instance names, and disables thread pool
// creation in AudioSystem. Any registration failure aborts through CHECK_EQ. Always returns 0.
extern "C" int LLVMFuzzerInitialize(int* /*argc*/, char*** /*argv*/) {
    // From here on, service lookups in this process resolve against the fake manager.
    gFakeServiceManager = sp<FakeServiceManager>::make();
    setDefaultServiceManager(gFakeServiceManager);

    // Publishes one NDK mock under its instance name; a non-NO_ERROR result is fatal.
    const auto publishMock = [](const auto& mock, const char* instanceName) {
        CHECK_EQ(NO_ERROR, AServiceManager_addService(mock->asBinder().get(), instanceName));
    };

    // The mocks are created and published in the same order as before: config, effect
    // factory, module. Each local keeps its mock alive until this function returns.
    const auto configMock = ndk::SharedRefBase::make<ConfigMock>();
    publishMock(configMock, "android.hardware.audio.core.IConfig/default");

    const auto factoryMock = ndk::SharedRefBase::make<FactoryMock>();
    publishMock(factoryMock, "android.hardware.audio.effect.IFactory/default");

    const auto moduleMock = ndk::SharedRefBase::make<ModuleMock>();
    publishMock(moduleMock, "android.hardware.audio.core.IModule/default");

    // The fuzzer instances of audio flinger and audio policy must not create a thread pool.
    AudioSystem::disableThreadPool();

    return 0;
}
76 
// libFuzzer entry point: drives the AudioPolicyService binder interface with one input.
//
// Per input, a fresh binder from getRandomBinder() is registered for each framework service
// listed below; the input is dropped (return 0) as soon as one of them cannot be created.
// AudioFlinger and AudioPolicyService themselves are constructed only on the first input that
// gets this far (std::call_once on gSmOnce) and are reused afterwards. The remaining bytes are
// then handed to fuzzService() together with the policy service binder.
//
// NOTE(review): because the services under test outlive a single input, a crash may depend on
// state left behind by earlier inputs and might not reproduce from the crashing input alone;
// the TODO below tracks re-creating them per input.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    FuzzedDataProvider fdp(data, size);

    // Framework services that get a fuzz-provided binder on every iteration.
    static constexpr const char* kDependencyNames[] = {
            "activity",     "sensor_privacy", "permission", "scheduling_policy",
            "batterystats", "media.metrics"};
    for (const char* dependencyName : kDependencyNames) {
        const bool registered = addService(String16(dependencyName), gFakeServiceManager, fdp);
        if (!registered) {
            return 0;
        }
    }

    // TODO(330882064) : Initialise Audio Flinger and Audio Policy services every time
    // The callable touches only globals, so it needs no captures.
    const auto createServicesOnce = [] {
        // AudioFlinger is published behind its server adapter under the default service name.
        const auto audioFlinger = sp<AudioFlinger>::make();
        const auto audioFlingerServerAdapter = sp<AudioFlingerServerAdapter>::make(audioFlinger);
        const auto flingerStatus = gFakeServiceManager->addService(
                String16(IAudioFlinger::DEFAULT_SERVICE_NAME),
                IInterface::asBinder(audioFlingerServerAdapter), false /* allowIsolated */,
                IServiceManager::DUMP_FLAG_PRIORITY_DEFAULT);
        CHECK_EQ(NO_ERROR, flingerStatus);

        // The policy service is kept in a global because it is the fuzz target of every input.
        gAudioPolicyService = sp<AudioPolicyService>::make();
        const auto policyStatus = gFakeServiceManager->addService(
                String16("media.audio_policy"), gAudioPolicyService, false /* allowIsolated */,
                IServiceManager::DUMP_FLAG_PRIORITY_DEFAULT);
        CHECK_EQ(NO_ERROR, policyStatus);
    };
    std::call_once(gSmOnce, createServicesOnce);

    // fdp is moved into fuzzService, which consumes whatever input is left.
    fuzzService(media::IAudioPolicyService::asBinder(gAudioPolicyService), std::move(fdp));

    return 0;
}
108