| Name | Date | Size | #Lines | LOC |
|---|---|---|---|---|
| Android.bp | 03-May-2024 | 2.3 KiB | 70 | 67 |
| README.md | 03-May-2024 | 2.1 KiB | 60 | 46 |
| camera_service_fuzzer.cpp | 03-May-2024 | 23.6 KiB | 601 | 504 |

README.md

# Fuzzer for libcameraservice

## Plugin Design Considerations
The fuzzer plugin is designed based on the understanding of the
library and tries to achieve the following:

##### Maximize code coverage
The configuration parameters are not hardcoded, but instead selected based on
incoming data. This ensures more code paths are reached by the fuzzer.

libcameraservice supports the following parameters:
1. Camera Type (parameter name: `cameraType`)
2. Camera API Version (parameter name: `cameraAPIVersion`)
3. Event ID (parameter name: `eventId`)
4. Camera Sound Kind (parameter name: `soundKind`)
5. Shell Command (parameter name: `shellCommand`)

| Parameter | Valid Values | Configured Value |
|-----------|--------------|------------------|
| `cameraType` | 0. `CAMERA_TYPE_BACKWARD_COMPATIBLE` 1. `CAMERA_TYPE_ALL` | Value obtained from FuzzedDataProvider |
| `cameraAPIVersion` | 0. `API_VERSION_1` 1. `API_VERSION_2` | Value obtained from FuzzedDataProvider |
| `eventId` | 0. `EVENT_USER_SWITCHED` 1. `EVENT_NONE` | Value obtained from FuzzedDataProvider |
| `soundKind` | 0. `SOUND_SHUTTER` 1. `SOUND_RECORDING_START` 2. `SOUND_RECORDING_STOP` | Value obtained from FuzzedDataProvider |
| `shellCommand` | 0. `set-uid-state` 1. `reset-uid-state` 2. `get-uid-state` 3. `set-rotate-and-crop` 4. `get-rotate-and-crop` 5. `help` | Value obtained from FuzzedDataProvider |

This also ensures that the plugin is always deterministic for any given input.

##### Maximize utilization of input data
The plugin tolerates any kind of input (empty, huge,
malformed, etc.) and does not `exit()` on any input, thereby increasing the
chance of identifying vulnerabilities.

## Build

This section describes the steps to build the camera_service_fuzzer binary.

### Android

#### Steps to build
Build the fuzzer
```
 $ mm -j$(nproc) camera_service_fuzzer
```

#### Steps to run
Create a directory CORPUS_DIR
```
 $ adb shell mkdir CORPUS_DIR
```

To run on device
```
 $ adb sync data
 $ adb shell /data/fuzz/arm64/camera_service_fuzzer/camera_service_fuzzer CORPUS_DIR
```

## References:
 * http://llvm.org/docs/LibFuzzer.html
 * https://github.com/google/oss-fuzz
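
The selection scheme from "Plugin Design Considerations", as an added sketch that is not taken from `camera_service_fuzzer.cpp`: each parameter in the table is chosen from the input bytes, so the same input always yields the same configuration, and empty or truncated input falls back to the first value instead of exiting. `ByteReader`, `FuzzConfig` and `selectConfig` are hypothetical names; `ByteReader` is a simplified stand-in for FuzzedDataProvider, and the value names are used as strings rather than the real constants.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Simplified stand-in for FuzzedDataProvider (assumption): one input byte per choice.
class ByteReader {
  public:
    ByteReader(const uint8_t* data, size_t size) : mData(data), mSize(size) {}
    // Index in [0, count); exhausted input falls back to 0 rather than exiting.
    size_t pickIndex(size_t count) {
        if (count == 0 || mPos >= mSize) return 0;
        return mData[mPos++] % count;
    }
  private:
    const uint8_t* mData;
    size_t mSize;
    size_t mPos = 0;
};

using Names = std::vector<std::string>;
// Value names and their order are taken from the README table.
const Names kCameraTypes = {"CAMERA_TYPE_BACKWARD_COMPATIBLE", "CAMERA_TYPE_ALL"};
const Names kApiVersions = {"API_VERSION_1", "API_VERSION_2"};
const Names kEventIds = {"EVENT_USER_SWITCHED", "EVENT_NONE"};
const Names kSoundKinds = {"SOUND_SHUTTER", "SOUND_RECORDING_START", "SOUND_RECORDING_STOP"};
const Names kShellCommands = {"set-uid-state", "reset-uid-state", "get-uid-state",
                              "set-rotate-and-crop", "get-rotate-and-crop", "help"};

struct FuzzConfig {  // hypothetical container for one iteration's parameters
    std::string cameraType, cameraAPIVersion, eventId, soundKind, shellCommand;
};

// The same bytes always give the same configuration; no input is rejected.
FuzzConfig selectConfig(const uint8_t* data, size_t size) {
    ByteReader in(data, size);
    FuzzConfig c;
    c.cameraType = kCameraTypes[in.pickIndex(kCameraTypes.size())];
    c.cameraAPIVersion = kApiVersions[in.pickIndex(kApiVersions.size())];
    c.eventId = kEventIds[in.pickIndex(kEventIds.size())];
    c.soundKind = kSoundKinds[in.pickIndex(kSoundKinds.size())];
    c.shellCommand = kShellCommands[in.pickIndex(kShellCommands.size())];
    return c;
}
```

A crash found this way replays from the saved input alone, because every parameter is derived from those bytes.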