1 /******************************************************************************
2 *
3 * Copyright (C) 2021 The Android Open Source Project
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 *****************************************************************************
18 * Originally developed and contributed by Ittiam Systems Pvt. Ltd, Bangalore
19 */
20
21 #include <ServiceLog.h>
22 #include <aidl/android/media/BnResourceManagerClient.h>
23 #include <media/MediaResource.h>
24 #include <media/MediaResourcePolicy.h>
25 #include <media/stagefright/ProcessInfoInterface.h>
26 #include <media/stagefright/foundation/ADebug.h>
27 #include "ResourceManagerService.h"
28 #include "fuzzer/FuzzedDataProvider.h"
29
30 using namespace std;
31 using namespace android;
32 using Status = ::ndk::ScopedAStatus;
33 using ::aidl::android::media::BnResourceManagerClient;
34 using ::aidl::android::media::IResourceManagerClient;
35 using ::aidl::android::media::IResourceManagerService;
36 using MedResType = aidl::android::media::MediaResourceType;
37 using MedResSubType = aidl::android::media::MediaResourceSubType;
38
// Upper bound on the length of the fuzz-derived policy value string (see setConfig()).
constexpr size_t kMaxStringLength = 100;

// Inclusive bounds for the ServiceLog capacity drawn in setServiceLog().
constexpr int32_t kMinServiceLog = 1;
constexpr int32_t kMaxServiceLog = 100;

// Inclusive bounds for the raw integers that setResources() casts to MedResType and
// MedResSubType. The same range is used for both.
// NOTE(review): whether 0..10 stays inside the declared enumerators of either enum is
// not visible in this file - confirm the out-of-range values are intentional.
constexpr int32_t kMinResourceType = 0;
constexpr int32_t kMaxResourceType = 10;

// Inclusive bounds for the number of add/remove thread pairs started per fuzz input.
constexpr int32_t kMinThreadPairs = 1;
constexpr int32_t kMaxThreadPairs = 3;

// The two policy type strings the fuzzer chooses between, indexed by a fuzz-derived bool.
const string kPolicyType[] = {IResourceManagerService::kPolicySupportsMultipleSecureCodecs,
                              IResourceManagerService::kPolicySupportsSecureWithNonSecureCodec};
49
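// Argument bundle handed (by pointer) to the addResource / removeResource worker threads.
// One instance is shared by both threads of a pair; the threads only read it.
struct resourceThreadArgs {
    // Scalars are zero-initialized so a default-constructed instance never carries
    // indeterminate values into a service call.
    int32_t pid = 0;
    int32_t uid = 0;
    // Id under which testClient is registered; derived from the client's address by getId().
    int64_t testClientId = 0;
    shared_ptr<ResourceManagerService> service;
    shared_ptr<IResourceManagerClient> testClient;
    // Resources added by one thread of the pair and removed / reclaimed by the other.
    vector<MediaResourceParcel> mediaResource;
};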
58
// Returns the client id used throughout this fuzzer: the address of the client object,
// reinterpreted as a 64-bit integer. The id is only unique while the object is alive,
// since an address can be handed out again once the object has been destroyed.
static int64_t getId(const shared_ptr<IResourceManagerClient>& client) {
    IResourceManagerClient* const rawClient = client.get();
    return reinterpret_cast<int64_t>(rawClient);
}
62
// ProcessInfoInterface stub used in place of real process lookups.
//
// Every trust query answers true and every override request succeeds, so any decision
// that depends on these callbacks is only ever exercised with the permissive answer.
// A rejection path for untrusted pid/uid values is therefore not covered by this fuzzer.
struct TestProcessInfo : public ProcessInfoInterface {
    TestProcessInfo() = default;
    virtual ~TestProcessInfo() = default;

    // Reports the pid itself as the priority (a lower value means a higher priority).
    // `priority` is written unconditionally, so it must not be null.
    virtual bool getPriority(int pid, int* priority) {
        *priority = pid;
        return true;
    }

    // Unconditionally trusted, regardless of the pid passed in.
    virtual bool isPidTrusted(int /* pid */) { return true; }

    // Unconditionally trusted, regardless of the pid/uid pair passed in.
    virtual bool isPidUidTrusted(int /* pid */, int /* uid */) { return true; }

    // Accepts every override request without recording anything.
    virtual bool overrideProcessInfo(int /* pid */, int /*procState*/, int /*oomScore*/) {
        return true;
    }

    // Nothing is stored by overrideProcessInfo(), so there is nothing to remove.
    virtual void removeProcessInfoOverride(int /* pid */) {}

private:
    DISALLOW_EVIL_CONSTRUCTORS(TestProcessInfo);
};
84
// SystemCallbackInterface stub that remembers only the most recent notification and
// how many notifications arrived in total. It performs no real system interaction.
struct TestSystemCallback : public ResourceManagerService::SystemCallbackInterface {
    enum EventType {
        INVALID = -1,
        VIDEO_ON = 0,
        VIDEO_OFF = 1,
        VIDEO_RESET = 2,
        CPUSET_ENABLE = 3,
        CPUSET_DISABLE = 4,
    };

    struct EventEntry {
        EventType type;
        int arg;
    };

    // Starts with no event seen: last event is INVALID and the counter is zero.
    TestSystemCallback() = default;

    void noteStartVideo(int uid) override { record(EventType::VIDEO_ON, uid); }

    void noteStopVideo(int uid) override { record(EventType::VIDEO_OFF, uid); }

    void noteResetVideo() override { record(EventType::VIDEO_RESET, 0); }

    // Always reports success; only the requested direction is remembered.
    bool requestCpusetBoost(bool enable) override {
        record(enable ? EventType::CPUSET_ENABLE : EventType::CPUSET_DISABLE, 0);
        return true;
    }

    size_t eventCount() { return mEventCount; }
    EventType lastEventType() { return mLastEvent.type; }
    EventEntry lastEvent() { return mLastEvent; }

protected:
    virtual ~TestSystemCallback() {}

private:
    // Overwrites the last-event slot and bumps the counter. The members are plain
    // (non-atomic) fields.
    // NOTE(review): the fuzzer drives the service from several threads; this relies on
    // the caller serializing callback invocations - confirm against the service.
    void record(EventType type, int arg) {
        mLastEvent = {type, arg};
        ++mEventCount;
    }

    EventEntry mLastEvent{EventType::INVALID, 0};
    size_t mEventCount = 0;

    DISALLOW_EVIL_CONSTRUCTORS(TestSystemCallback);
};
136
// Minimal resource manager client. When asked to reclaim, it unregisters itself from
// the service and reports success.
//
// NOTE(review): the client keeps a strong reference to the service. If the service in
// turn keeps a strong reference to each registered client, the two keep each other
// alive until removeClient() runs for this client - confirm against the service.
struct TestClient : public BnResourceManagerClient {
    TestClient(int pid, const shared_ptr<ResourceManagerService>& service)
        : mPid(pid), mService(service) {}

    // Removes this client from the service under its own address-derived id, then
    // reports the reclaim as successful through `aidlReturn` (must not be null).
    Status reclaimResource(bool* aidlReturn) override {
        const int64_t selfId = getId(ref<TestClient>());
        mService->removeClient(mPid, selfId);
        mReclaimed = true;
        *aidlReturn = true;
        return Status::ok();
    }

    // Reports a fixed client name through `aidlReturn` (must not be null).
    Status getName(string* aidlReturn) override {
        *aidlReturn = "test_client";
        return Status::ok();
    }

    virtual ~TestClient() {}

private:
    // Set once reclaimResource() has run; nothing in this struct reads it back.
    bool mReclaimed = false;
    int mPid;
    shared_ptr<ResourceManagerService> mService;
    DISALLOW_EVIL_CONSTRUCTORS(TestClient);
};
161
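// Drives one ResourceManagerService instance with a single fuzz input: configures a
// policy, races add/remove calls from worker threads, then exercises ServiceLog.
class ResourceManagerServiceFuzzer {
public:
    ResourceManagerServiceFuzzer() = default;

    // The object owns mFuzzedDataProvider through a raw pointer, so a copy would make
    // two destructors delete the same provider. Copying is therefore disabled.
    ResourceManagerServiceFuzzer(const ResourceManagerServiceFuzzer&) = delete;
    ResourceManagerServiceFuzzer& operator=(const ResourceManagerServiceFuzzer&) = delete;

    ~ResourceManagerServiceFuzzer() {
        mService = nullptr;
        delete mFuzzedDataProvider;
    }

    // Runs the whole scenario on the given fuzz input.
    void process(const uint8_t* data, size_t size);

private:
    void setConfig();
    void setResources();
    void setServiceLog();

    // pthread entry point: registers the resources described by `arg`
    // (a resourceThreadArgs*) with the service. A null `arg` is ignored.
    static void* addResource(void* arg) {
        auto* tArgs = static_cast<resourceThreadArgs*>(arg);
        if (tArgs) {
            tArgs->service->addResource(tArgs->pid, tArgs->uid, tArgs->testClientId,
                                        tArgs->testClient, tArgs->mediaResource);
        }
        return nullptr;
    }

    // pthread entry point: runs the removal-side calls for the client described by
    // `arg` (a resourceThreadArgs*). A null `arg` is ignored. It runs concurrently
    // with addResource() for the same client, with no ordering between the two.
    static void* removeResource(void* arg) {
        auto* tArgs = static_cast<resourceThreadArgs*>(arg);
        if (tArgs) {
            // Initialized so the harness never holds an indeterminate value, whatever
            // reclaimResource() does with the out-parameter.
            bool result = false;
            tArgs->service->markClientForPendingRemoval(tArgs->pid, tArgs->testClientId);
            tArgs->service->removeResource(tArgs->pid, tArgs->testClientId,
                                           tArgs->mediaResource);
            tArgs->service->reclaimResource(tArgs->pid, tArgs->mediaResource, &result);
            tArgs->service->removeClient(tArgs->pid, tArgs->testClientId);
            // pid is an arbitrary fuzz-derived int32_t, so `pid - 1` is signed overflow
            // (undefined behaviour) when pid == INT32_MIN. In a build that checks for
            // signed overflow that would be reported against the harness, not the
            // service. Wrap explicitly instead.
            const int32_t newPid = (tArgs->pid == INT32_MIN) ? INT32_MAX : tArgs->pid - 1;
            tArgs->service->overridePid(tArgs->pid, newPid);
        }
        return nullptr;
    }

    // Service under test, wired to the permissive stubs defined in this file.
    shared_ptr<ResourceManagerService> mService =
            ::ndk::SharedRefBase::make<ResourceManagerService>(new TestProcessInfo(),
                                                               new TestSystemCallback());
    // Owned; created in process() and released in the destructor.
    FuzzedDataProvider* mFuzzedDataProvider = nullptr;
};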
204
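// Runs one fuzz iteration: wraps the input in a FuzzedDataProvider, then runs the
// config, resource and service-log stages in that order. The stage order fixes how
// the input bytes are split between the stages.
void ResourceManagerServiceFuzzer::process(const uint8_t* data, size_t size) {
    // Build the new provider first and only then release the previous one, so a
    // second call on the same object neither leaks the old provider nor leaves the
    // member pointing at freed memory.
    FuzzedDataProvider* const freshProvider = new FuzzedDataProvider(data, size);
    delete mFuzzedDataProvider;
    mFuzzedDataProvider = freshProvider;

    setConfig();
    setResources();
    setServiceLog();
}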
211
// Sends the service a single policy. The fuzz input picks the policy type (one of
// the two entries in kPolicyType) and supplies the value string.
void ResourceManagerServiceFuzzer::setConfig() {
    // Both values are consumed before the service check, so the number of input
    // bytes used here does not depend on whether the service exists.
    const bool useSecondPolicy = mFuzzedDataProvider->ConsumeBool();
    string policyValue = mFuzzedDataProvider->ConsumeRandomLengthString(kMaxStringLength);
    if (!mService) {
        return;
    }

    const string& policyType = kPolicyType[useSecondPolicy ? 1 : 0];
    vector<MediaResourcePolicyParcel> policies;
    policies.push_back(MediaResourcePolicy(policyType, policyValue));
    mService->config(policies);
}
221
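// Races resource registration against removal.
//
// For each of 1..3 fuzz-chosen client descriptions, two threads are started on the
// same arguments: one calls addResource(), the other runs the removal-side calls.
// Nothing orders the two threads. After all threads have been joined, the
// reclaim/remove calls are issued once more for pid 0, for which nothing was added.
void ResourceManagerServiceFuzzer::setResources() {
    if (!mService) {
        return;
    }
    const size_t numThreadPairs =
            mFuzzedDataProvider->ConsumeIntegralInRange<size_t>(kMinThreadPairs, kMaxThreadPairs);

    // Sized once, up front: the worker threads hold pointers to these elements, so
    // the vector must not reallocate while any thread is running.
    vector<resourceThreadArgs> threadArgs(numThreadPairs);

    // Only threads that were actually created are recorded. Joining a pthread_t that
    // pthread_create() failed to fill in would be undefined behaviour.
    vector<pthread_t> startedThreads;
    startedThreads.reserve(numThreadPairs * 2);

    for (size_t k = 0; k < numThreadPairs; ++k) {
        resourceThreadArgs& args = threadArgs[k];
        // The order of the Consume* calls determines how the input is interpreted.
        args.pid = mFuzzedDataProvider->ConsumeIntegral<int32_t>();
        args.uid = mFuzzedDataProvider->ConsumeIntegral<int32_t>();
        const int32_t mediaResourceType = mFuzzedDataProvider->ConsumeIntegralInRange<int32_t>(
                kMinResourceType, kMaxResourceType);
        const int32_t mediaResourceSubType = mFuzzedDataProvider->ConsumeIntegralInRange<int32_t>(
                kMinResourceType, kMaxResourceType);
        const uint64_t mediaResourceValue = mFuzzedDataProvider->ConsumeIntegral<uint64_t>();

        args.service = mService;
        args.testClient = ::ndk::SharedRefBase::make<TestClient>(args.pid, mService);
        args.testClientId = getId(args.testClient);
        args.mediaResource.push_back(MediaResource(static_cast<MedResType>(mediaResourceType),
                                                   static_cast<MedResSubType>(mediaResourceSubType),
                                                   mediaResourceValue));

        pthread_t thread;
        if (pthread_create(&thread, nullptr, addResource, &args) == 0) {
            startedThreads.push_back(thread);
        }
        if (pthread_create(&thread, nullptr, removeResource, &args) == 0) {
            startedThreads.push_back(thread);
        }
    }

    // threadArgs must outlive every worker, so join before it goes out of scope.
    for (pthread_t thread : startedThreads) {
        pthread_join(thread, nullptr);
    }

    // No resource was added with pid = 0
    const int32_t pidZero = 0;
    shared_ptr<IResourceManagerClient> testClient =
            ::ndk::SharedRefBase::make<TestClient>(pidZero, mService);
    const int32_t mediaResourceType =
            mFuzzedDataProvider->ConsumeIntegralInRange<int32_t>(kMinResourceType, kMaxResourceType);
    const int32_t mediaResourceSubType =
            mFuzzedDataProvider->ConsumeIntegralInRange<int32_t>(kMinResourceType, kMaxResourceType);
    const uint64_t mediaResourceValue = mFuzzedDataProvider->ConsumeIntegral<uint64_t>();
    vector<MediaResourceParcel> mediaRes;
    mediaRes.push_back(MediaResource(static_cast<MedResType>(mediaResourceType),
                                     static_cast<MedResSubType>(mediaResourceSubType),
                                     mediaResourceValue));
    // Initialized so the harness never holds an indeterminate value.
    bool result = false;
    mService->reclaimResource(pidZero, mediaRes, &result);
    mService->removeResource(pidZero, getId(testClient), mediaRes);
    mService->removeClient(pidZero, getId(testClient));
}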
276
// Creates a ServiceLog with a fuzz-chosen capacity in [kMinServiceLog, kMaxServiceLog],
// adds one fixed entry and renders the log. The rendered string is discarded.
void ResourceManagerServiceFuzzer::setServiceLog() {
    const size_t logCapacity =
            mFuzzedDataProvider->ConsumeIntegralInRange<int32_t>(kMinServiceLog, kMaxServiceLog);
    sp<ServiceLog> serviceLog = new ServiceLog(logCapacity);
    if (!serviceLog) {
        return;
    }
    serviceLog->add(String8("log"));
    serviceLog->toString();
}
286
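// libFuzzer entry point. Empty inputs are skipped; every other input gets a fresh
// fuzzer object, and with it a fresh service instance. Always returns 0.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    if (size < 1) {
        return 0;
    }
    // Automatic storage instead of new/delete: plain `new` never returns null, so the
    // old null check could not fire, and the destructor now runs on every exit path.
    ResourceManagerServiceFuzzer rmFuzzer;
    rmFuzzer.process(data, size);
    return 0;
}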
299