• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1# Fuzzer for libaudiopolicy
2
3## Plugin Design Considerations
4The fuzzer plugin for libaudiopolicy is designed based on the
5understanding of the service and tries to achieve the following:
6
7##### Maximize code coverage
8The configuration parameters are not hardcoded, but instead selected based on
9incoming data. This ensures more code paths are reached by the fuzzer.
10
11AudioPolicy APIs contain the following parameters:
121. AudioFormats
132. AudioChannelMasks
143. AudioOutputFlags
154. AudioDevices
165. MixTypes
176. MixRouteFlags
187. SampleRates
198. AudioUsages
209. AudioContentTypes
2110. AudioSources
2211. AudioFlagMasks
2312. AudioPolicyDeviceStates
24
25| Parameter| Valid Input Values| Configured Value|
26|------------- |-------------| ----- |
27| `AudioFormat` | 77 values of type `audio_format_t` | Value chosen from valid values by obtaining index from FuzzedDataProvider |
28| `AudioChannelMask` | 83 values of type `audio_channel_mask_t` | Value chosen from valid values by obtaining index from FuzzedDataProvider |
29| `AudioOutputFlag` | 16 values of type `audio_output_flags_t` | Value chosen from valid values by obtaining index from FuzzedDataProvider |
30| `AudioDevice`   | `AUDIO_DEVICE_OUT_AUX_DIGITAL`, `AUDIO_DEVICE_OUT_STUB`, `AUDIO_DEVICE_IN_VOICE_CALL`, `AUDIO_DEVICE_IN_AUX_DIGITAL`, `AUDIO_DEVICE_IN_STUB` | Value chosen from valid values by obtaining index from FuzzedDataProvider |
31| `MixType`   | `MIX_TYPE_PLAYERS`, `MIX_TYPE_RECORDERS` | Value chosen from valid values by obtaining index from FuzzedDataProvider |
32| `MixRouteFlag`   | `MIX_ROUTE_FLAG_RENDER`, `MIX_ROUTE_FLAG_LOOP_BACK`, `MIX_ROUTE_FLAG_LOOP_BACK_AND_RENDER`, `MIX_ROUTE_FLAG_ALL` | Value chosen from valid values by obtaining index from FuzzedDataProvider |
33| `SampleRate` | `0` to `UINT32_MAX` | Value obtained from FuzzedDataProvider |
34| `AudioUsage` | `AUDIO_USAGE_NOTIFICATION_COMMUNICATION_REQUEST`, `AUDIO_USAGE_NOTIFICATION_COMMUNICATION_INSTANT`, `AUDIO_USAGE_NOTIFICATION_COMMUNICATION_DELAYED`, `AUDIO_USAGE_NOTIFICATION_EVENT` | Value chosen from valid values by obtaining index from FuzzedDataProvider |
35| `AudioContentType` | `AUDIO_CONTENT_TYPE_UNKNOWN`, `AUDIO_CONTENT_TYPE_SPEECH`, `AUDIO_CONTENT_TYPE_MUSIC`, `AUDIO_CONTENT_TYPE_MOVIE`, `AUDIO_CONTENT_TYPE_SONIFICATION` | Value chosen from valid values by obtaining index from FuzzedDataProvider |
36| `AudioSource` | 14 values of type `audio_source_t` | Value chosen from valid values by obtaining index from FuzzedDataProvider |
37| `AudioFlagMask` | 15 values of type `audio_flags_mask_t` | Value chosen from valid values by obtaining index from FuzzedDataProvider |
38| `AudioPolicyDeviceStates` | `AUDIO_POLICY_DEVICE_STATE_UNAVAILABLE`, `AUDIO_POLICY_DEVICE_STATE_AVAILABLE`, `AUDIO_POLICY_DEVICE_STATE_CNT` | Value chosen from valid values by obtaining index from FuzzedDataProvider |
39
40This also ensures that the plugin is always deterministic for any given input.
41
42## Build
43
44This describes steps to build audiopolicy_fuzzer binary.
45
46### Android
47
48#### Steps to build
49Build the fuzzer
50```
51  $ mm -j$(nproc) audiopolicy_fuzzer
52```
53
54#### Steps to run
55To run on device
56```
57  $ adb sync data
58  $ adb shell /data/fuzz/arm64/audiopolicy_fuzzer/audiopolicy_fuzzer
59```
60
61## References:
62 * http://llvm.org/docs/LibFuzzer.html
63 * https://github.com/google/oss-fuzz
64