# Fuzzer for libaaudioservice

## Plugin Design Considerations
The fuzzer plugin for libaaudioservice is designed based on an
understanding of the service and tries to achieve the following:

##### Maximize code coverage
The configuration parameters are not hardcoded, but instead selected based on
incoming data. This ensures more code paths are reached by the fuzzer.

An AAudio Service request contains the following parameters:
1. AAudioFormat
2. UserId
3. ProcessId
4. InService
5. DeviceId
6. SampleRate
7. SamplesPerFrame
8. Direction
9. SharingMode
10. Usage
11. ContentType
12. InputPreset
13. BufferCapacity

| Parameter| Valid Input Values| Configured Value|
|------------- |-------------| ----- |
| `AAudioFormat` | `AAUDIO_FORMAT_UNSPECIFIED`, `AAUDIO_FORMAT_PCM_I16`, `AAUDIO_FORMAT_PCM_FLOAT` | Value chosen from valid values by obtaining index from FuzzedDataProvider |
| `UserId` | `INT32_MIN` to `INT32_MAX` | Value obtained from getuid() |
| `ProcessId` | `INT32_MIN` to `INT32_MAX` | Value obtained from getpid() |
| `InService` | `bool` | Value obtained from FuzzedDataProvider |
| `DeviceId` | `INT32_MIN` to `INT32_MAX` | Value obtained from FuzzedDataProvider |
| `SampleRate` | `INT32_MIN` to `INT32_MAX` | Value obtained from FuzzedDataProvider |
| `SamplesPerFrame` | `INT32_MIN` to `INT32_MAX` | Value obtained from FuzzedDataProvider |
| `Direction` | `AAUDIO_DIRECTION_OUTPUT`, `AAUDIO_DIRECTION_INPUT` | Value chosen from valid values by obtaining index from FuzzedDataProvider |
| `SharingMode` | `AAUDIO_SHARING_MODE_EXCLUSIVE`, `AAUDIO_SHARING_MODE_SHARED` | Value chosen from valid values by obtaining index from FuzzedDataProvider |
| `Usage` | `AAUDIO_USAGE_MEDIA`, `AAUDIO_USAGE_VOICE_COMMUNICATION`, `AAUDIO_USAGE_VOICE_COMMUNICATION_SIGNALLING`, `AAUDIO_USAGE_ALARM`, `AAUDIO_USAGE_NOTIFICATION`, `AAUDIO_USAGE_NOTIFICATION_RINGTONE`, `AAUDIO_USAGE_NOTIFICATION_EVENT`, `AAUDIO_USAGE_ASSISTANCE_ACCESSIBILITY`, `AAUDIO_USAGE_ASSISTANCE_NAVIGATION_GUIDANCE`, `AAUDIO_USAGE_ASSISTANCE_SONIFICATION`, `AAUDIO_USAGE_GAME`, `AAUDIO_USAGE_ASSISTANT`, `AAUDIO_SYSTEM_USAGE_EMERGENCY`, `AAUDIO_SYSTEM_USAGE_SAFETY`, `AAUDIO_SYSTEM_USAGE_VEHICLE_STATUS`, `AAUDIO_SYSTEM_USAGE_ANNOUNCEMENT` | Value chosen from valid values by obtaining index from FuzzedDataProvider |
| `ContentType` | `AAUDIO_CONTENT_TYPE_SPEECH`, `AAUDIO_CONTENT_TYPE_MUSIC`, `AAUDIO_CONTENT_TYPE_MOVIE`, `AAUDIO_CONTENT_TYPE_SONIFICATION` | Value chosen from valid values by obtaining index from FuzzedDataProvider |
| `InputPreset` | `AAUDIO_INPUT_PRESET_GENERIC`, `AAUDIO_INPUT_PRESET_CAMCORDER`, `AAUDIO_INPUT_PRESET_VOICE_RECOGNITION`, `AAUDIO_INPUT_PRESET_VOICE_COMMUNICATION`, `AAUDIO_INPUT_PRESET_UNPROCESSED`, `AAUDIO_INPUT_PRESET_VOICE_PERFORMANCE` | Value chosen from valid values by obtaining index from FuzzedDataProvider |
| `BufferCapacity` | `INT32_MIN` to `INT32_MAX` | Value obtained from FuzzedDataProvider |

This also ensures that the plugin is always deterministic for any given input.

## Build

This section describes the steps to build the oboeservice_fuzzer binary.

### Android

#### Steps to build
Build the fuzzer
```
  $ mm -j$(nproc) oboeservice_fuzzer
```

#### Steps to run
To run on device
```
  $ adb sync data
  $ adb shell /data/fuzz/arm64/oboeservice_fuzzer/oboeservice_fuzzer
```

## References:
 * http://llvm.org/docs/LibFuzzer.html
 * https://github.com/google/oss-fuzz
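
The selection scheme from "Maximize code coverage", shown for six of the thirteen parameters as an added example that is not the project's fuzzer source: enum-like fields are picked by index from their valid list, integer fields take the full `int32` range, and the result depends only on the input bytes. `ByteSource` is a hypothetical stand-in for FuzzedDataProvider; `RequestConfig`, `buildConfig` and `kSample` are likewise assumed names, and the enum values are placeholders for the `<aaudio/AAudio.h>` constants.

```cpp
#include <stddef.h>
#include <stdint.h>

// Local stand-ins for the <aaudio/AAudio.h> constants named in the table; values are placeholders.
enum Format { AAUDIO_FORMAT_UNSPECIFIED, AAUDIO_FORMAT_PCM_I16, AAUDIO_FORMAT_PCM_FLOAT };
enum Direction { AAUDIO_DIRECTION_OUTPUT, AAUDIO_DIRECTION_INPUT };
enum SharingMode { AAUDIO_SHARING_MODE_EXCLUSIVE, AAUDIO_SHARING_MODE_SHARED };

// Hypothetical minimal reader standing in for FuzzedDataProvider.
class ByteSource {
  public:
    ByteSource(const uint8_t* data, size_t size) : mData(data), mSize(size) {}
    // Little-endian read; bytes past the end count as zero so short inputs stay well defined.
    template <typename T> T consume() {
        uint64_t v = 0;
        for (size_t i = 0; i < sizeof(T) && mSize > 0; ++i, ++mData, --mSize)
            v |= static_cast<uint64_t>(*mData) << (8 * i);
        return static_cast<T>(v);
    }
    // One input byte becomes an index, so only values from the valid list are ever produced.
    template <typename T, size_t N> T pick(const T (&values)[N]) {
        return values[consume<uint8_t>() % N];
    }
  private:
    const uint8_t* mData;
    size_t mSize;
};

struct RequestConfig {
    Format format; Direction direction; SharingMode sharingMode;
    bool inService; int32_t deviceId; int32_t sampleRate;
};

// Derives every field from the input bytes alone: the same bytes always give the same request.
RequestConfig buildConfig(const uint8_t* data, size_t size) {
    static const Format kFormats[] = {AAUDIO_FORMAT_UNSPECIFIED, AAUDIO_FORMAT_PCM_I16, AAUDIO_FORMAT_PCM_FLOAT};
    static const Direction kDirections[] = {AAUDIO_DIRECTION_OUTPUT, AAUDIO_DIRECTION_INPUT};
    static const SharingMode kModes[] = {AAUDIO_SHARING_MODE_EXCLUSIVE, AAUDIO_SHARING_MODE_SHARED};
    ByteSource src(data, size);
    RequestConfig c{};
    c.format = src.pick(kFormats);
    c.direction = src.pick(kDirections);
    c.sharingMode = src.pick(kModes);
    c.inService = (src.consume<uint8_t>() & 1) != 0;
    c.deviceId = src.consume<int32_t>();  // full int32 range, out-of-range device ids included
    c.sampleRate = src.consume<int32_t>();
    return c;
}

// Constructed sample input (not a real corpus file).
const uint8_t kSample[] = {0x04, 0x03, 0x02, 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0x80, 0xBB, 0x00, 0x00};
```

Because a crashing input maps to exactly one request, replaying the saved input file reproduces the same parameter set.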