
# Fuzzer for libvibrator

## Plugin Design Considerations
This fuzzer fuzzes native code present in libvibrator and does not cover the Java implementation ExternalVibration.
The fuzzer plugin is designed based on an understanding of the
library and tries to achieve the following:

##### Maximize code coverage
The configuration parameters are not hardcoded, but instead selected based on
incoming data. This ensures more code paths are reached by the fuzzer.

libvibrator supports the following parameters:
1. Uid (parameter name: `uid`)
2. Package Name (parameter name: `pkg`)
3. Audio Content Type (parameter name: `content_type`)
4. Audio Usage (parameter name: `usage`)
5. Audio Source (parameter name: `source`)
6. Audio flags (parameter name: `flags`)

| Parameter | Valid Values | Configured Value |
|-----------|--------------|------------------|
| `uid` | `INT32_MIN` to `INT32_MAX` | Value obtained from FuzzedDataProvider |
| `pkg` | Any std::string value | Value obtained from FuzzedDataProvider |
| `content_type` | 0.`AUDIO_CONTENT_TYPE_UNKNOWN` 1.`AUDIO_CONTENT_TYPE_SPEECH` 2.`AUDIO_CONTENT_TYPE_MUSIC` 3.`AUDIO_CONTENT_TYPE_MOVIE` 4.`AUDIO_CONTENT_TYPE_SONIFICATION` | Value obtained from FuzzedDataProvider in the range 0 to 4 |
| `usage` | 0.`AUDIO_USAGE_UNKNOWN` 1.`AUDIO_USAGE_MEDIA` 2.`AUDIO_USAGE_VOICE_COMMUNICATION` 3.`AUDIO_USAGE_VOICE_COMMUNICATION_SIGNALLING` 4.`AUDIO_USAGE_ALARM` 5.`AUDIO_USAGE_NOTIFICATION` 6.`AUDIO_USAGE_NOTIFICATION_TELEPHONY_RINGTONE` 7.`AUDIO_USAGE_NOTIFICATION_COMMUNICATION_REQUEST` 8.`AUDIO_USAGE_NOTIFICATION_COMMUNICATION_INSTANT` 9.`AUDIO_USAGE_NOTIFICATION_COMMUNICATION_DELAYED` 10.`AUDIO_USAGE_NOTIFICATION_EVENT` 11.`AUDIO_USAGE_ASSISTANCE_ACCESSIBILITY` 12.`AUDIO_USAGE_ASSISTANCE_NAVIGATION_GUIDANCE` 13.`AUDIO_USAGE_ASSISTANCE_SONIFICATION` 14.`AUDIO_USAGE_GAME` 15.`AUDIO_USAGE_VIRTUAL_SOURCE` 16.`AUDIO_USAGE_ASSISTANT` 17.`AUDIO_USAGE_CALL_ASSISTANT` 18.`AUDIO_USAGE_EMERGENCY` 19.`AUDIO_USAGE_SAFETY` 20.`AUDIO_USAGE_VEHICLE_STATUS` 21.`AUDIO_USAGE_ANNOUNCEMENT` | Value obtained from FuzzedDataProvider in the range 0 to 21 |
| `source` | 0.`AUDIO_SOURCE_DEFAULT` 1.`AUDIO_SOURCE_MIC` 2.`AUDIO_SOURCE_VOICE_UPLINK` 3.`AUDIO_SOURCE_VOICE_DOWNLINK` 4.`AUDIO_SOURCE_VOICE_CALL` 5.`AUDIO_SOURCE_CAMCORDER` 6.`AUDIO_SOURCE_VOICE_RECOGNITION` 7.`AUDIO_SOURCE_VOICE_COMMUNICATION` 8.`AUDIO_SOURCE_REMOTE_SUBMIX` 9.`AUDIO_SOURCE_UNPROCESSED` 10.`AUDIO_SOURCE_VOICE_PERFORMANCE` 11.`AUDIO_SOURCE_ECHO_REFERENCE` 12.`AUDIO_SOURCE_FM_TUNER` | Value obtained from FuzzedDataProvider in the range 0 to 12 |
| `flags` | `UINT32_MIN` to `UINT32_MAX` | Value obtained from FuzzedDataProvider |

This also ensures that the plugin is always deterministic for any given input.

##### Maximize utilization of input data
The plugin tolerates any kind of input (empty, huge,
malformed, etc.) and doesn't `exit()` on any input, thereby increasing the
chance of identifying vulnerabilities.
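
The two design goals above, sketched as an added example (this is not the project's `vibrator_fuzzer.cpp`): every parameter is derived from the input bytes, enum-like values are folded into the ranges from the table, and empty or truncated input yields defaults instead of an abort. `ByteReader`, `VibrationParams` and `deriveParams` are hypothetical names; `ByteReader` stands in for FuzzedDataProvider so the block compiles without libFuzzer headers, and its byte layout is an assumption.

```cpp
// Added example, not AOSP code. ByteReader is a hypothetical FuzzedDataProvider stand-in.
#include <cstddef>
#include <cstdint>
#include <string>

class ByteReader {
public:
    ByteReader(const uint8_t* data, size_t size) : p_(data), left_(size) {}
    // Four bytes, big-endian; exhausted input reads as 0 instead of aborting.
    uint32_t u32() {
        uint32_t v = 0;
        for (int i = 0; i < 4; ++i) v = (v << 8) | byte();
        return v;
    }
    // Fold one byte into [lo, hi] so enum-like parameters stay in range.
    int32_t inRange(int32_t lo, int32_t hi) {
        return lo + static_cast<int32_t>(byte() % static_cast<uint32_t>(hi - lo + 1));
    }
    // One length byte, then at most that many of the remaining bytes.
    std::string str() {
        size_t n = byte();
        if (n > left_) n = left_;
        if (n == 0) return std::string();
        std::string s(reinterpret_cast<const char*>(p_), n);
        p_ += n; left_ -= n;
        return s;
    }
private:
    uint8_t byte() { return left_ ? (--left_, *p_++) : 0; }
    const uint8_t* p_;
    size_t left_;
};
struct VibrationParams {
    int32_t uid = 0, content_type = 0, usage = 0, source = 0;
    uint32_t flags = 0;
    std::string pkg;
};
// Same bytes in, same parameters out: no clock, no RNG, no exit() on bad input.
VibrationParams deriveParams(const uint8_t* data, size_t size) {
    ByteReader r(data, size);
    VibrationParams p;
    p.uid = static_cast<int32_t>(r.u32());  // any int32 value
    p.pkg = r.str();                        // arbitrary bytes, may be empty
    p.content_type = r.inRange(0, 4);       // ranges from the README table
    p.usage = r.inRange(0, 21);
    p.source = r.inRange(0, 12);
    p.flags = r.u32();
    return p;
}
```

A real harness would call something like `deriveParams` from `LLVMFuzzerTestOneInput` and pass the result to the library under test.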

## Build

This section describes the steps to build the vibrator_fuzzer binary.

### Android

#### Steps to build
Build the fuzzer:
```
  $ mm -j$(nproc) vibrator_fuzzer
```

#### Steps to run
Create a directory CORPUS_DIR and copy some files to that folder.
Push this directory to the device.

To run on device
```
  $ adb sync data
  $ adb shell /data/fuzz/arm64/vibrator_fuzzer/vibrator_fuzzer CORPUS_DIR
```

To run on host
```
  $ $ANDROID_HOST_OUT/fuzz/x86_64/vibrator_fuzzer/vibrator_fuzzer CORPUS_DIR
```

## References:
 * http://llvm.org/docs/LibFuzzer.html
 * https://github.com/google/oss-fuzz