1 /*
2 * Copyright 2022 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16 #pragma once
17
18 #include <InputDevice.h>
19 #include <InputMapper.h>
20 #include <InputReader.h>
21 #include <ThreadSafeFuzzedDataProvider.h>
22
23 constexpr size_t kValidTypes[] = {EV_SW,
24 EV_SYN,
25 SYN_REPORT,
26 EV_ABS,
27 EV_KEY,
28 EV_MSC,
29 EV_REL,
30 android::EventHubInterface::DEVICE_ADDED,
31 android::EventHubInterface::DEVICE_REMOVED,
32 android::EventHubInterface::FINISHED_DEVICE_SCAN};
33
34 constexpr size_t kValidCodes[] = {
35 SYN_REPORT,
36 ABS_MT_SLOT,
37 SYN_MT_REPORT,
38 ABS_MT_POSITION_X,
39 ABS_MT_POSITION_Y,
40 ABS_MT_TOUCH_MAJOR,
41 ABS_MT_TOUCH_MINOR,
42 ABS_MT_WIDTH_MAJOR,
43 ABS_MT_WIDTH_MINOR,
44 ABS_MT_ORIENTATION,
45 ABS_MT_TRACKING_ID,
46 ABS_MT_PRESSURE,
47 ABS_MT_DISTANCE,
48 ABS_MT_TOOL_TYPE,
49 SYN_MT_REPORT,
50 MSC_SCAN,
51 REL_X,
52 REL_Y,
53 REL_WHEEL,
54 REL_HWHEEL,
55 BTN_LEFT,
56 BTN_RIGHT,
57 BTN_MIDDLE,
58 BTN_BACK,
59 BTN_SIDE,
60 BTN_FORWARD,
61 BTN_EXTRA,
62 BTN_TASK,
63 };
64
65 constexpr size_t kMaxSize = 256;
66
67 namespace android {
68
69 template<class Fdp>
getFuzzedToolType(Fdp & fdp)70 ToolType getFuzzedToolType(Fdp& fdp) {
71 const int32_t toolType = fdp.template ConsumeIntegralInRange<int32_t>(
72 static_cast<int32_t>(ToolType::ftl_first),
73 static_cast<int32_t>(ToolType::ftl_last));
74 return static_cast<ToolType>(toolType);
75 }
76
77 class FuzzEventHub : public EventHubInterface {
78 InputDeviceIdentifier mIdentifier;
79 std::vector<TouchVideoFrame> mVideoFrames;
80 PropertyMap mFuzzConfig;
81 std::shared_ptr<ThreadSafeFuzzedDataProvider> mFdp;
82
83 public:
FuzzEventHub(std::shared_ptr<ThreadSafeFuzzedDataProvider> fdp)84 FuzzEventHub(std::shared_ptr<ThreadSafeFuzzedDataProvider> fdp) : mFdp(std::move(fdp)) {}
~FuzzEventHub()85 ~FuzzEventHub() {}
addProperty(std::string key,std::string value)86 void addProperty(std::string key, std::string value) { mFuzzConfig.addProperty(key, value); }
87
getDeviceClasses(int32_t deviceId)88 ftl::Flags<InputDeviceClass> getDeviceClasses(int32_t deviceId) const override {
89 return ftl::Flags<InputDeviceClass>(mFdp->ConsumeIntegral<uint32_t>());
90 }
getDeviceIdentifier(int32_t deviceId)91 InputDeviceIdentifier getDeviceIdentifier(int32_t deviceId) const override {
92 return mIdentifier;
93 }
getDeviceControllerNumber(int32_t deviceId)94 int32_t getDeviceControllerNumber(int32_t deviceId) const override {
95 return mFdp->ConsumeIntegral<int32_t>();
96 }
getConfiguration(int32_t deviceId)97 std::optional<PropertyMap> getConfiguration(int32_t deviceId) const override {
98 return mFuzzConfig;
99 }
getAbsoluteAxisInfo(int32_t deviceId,int axis,RawAbsoluteAxisInfo * outAxisInfo)100 status_t getAbsoluteAxisInfo(int32_t deviceId, int axis,
101 RawAbsoluteAxisInfo* outAxisInfo) const override {
102 return mFdp->ConsumeIntegral<status_t>();
103 }
hasRelativeAxis(int32_t deviceId,int axis)104 bool hasRelativeAxis(int32_t deviceId, int axis) const override { return mFdp->ConsumeBool(); }
hasInputProperty(int32_t deviceId,int property)105 bool hasInputProperty(int32_t deviceId, int property) const override {
106 return mFdp->ConsumeBool();
107 }
hasMscEvent(int32_t deviceId,int mscEvent)108 bool hasMscEvent(int32_t deviceId, int mscEvent) const override { return mFdp->ConsumeBool(); }
mapKey(int32_t deviceId,int32_t scanCode,int32_t usageCode,int32_t metaState,int32_t * outKeycode,int32_t * outMetaState,uint32_t * outFlags)109 status_t mapKey(int32_t deviceId, int32_t scanCode, int32_t usageCode, int32_t metaState,
110 int32_t* outKeycode, int32_t* outMetaState, uint32_t* outFlags) const override {
111 return mFdp->ConsumeIntegral<status_t>();
112 }
mapAxis(int32_t deviceId,int32_t scanCode,AxisInfo * outAxisInfo)113 status_t mapAxis(int32_t deviceId, int32_t scanCode, AxisInfo* outAxisInfo) const override {
114 return mFdp->ConsumeIntegral<status_t>();
115 }
setExcludedDevices(const std::vector<std::string> & devices)116 void setExcludedDevices(const std::vector<std::string>& devices) override {}
getEvents(int timeoutMillis)117 std::vector<RawEvent> getEvents(int timeoutMillis) override {
118 std::vector<RawEvent> events;
119 const size_t count = mFdp->ConsumeIntegralInRange<size_t>(0, kMaxSize);
120 for (size_t i = 0; i < count; ++i) {
121 int32_t type = mFdp->ConsumeBool() ? mFdp->PickValueInArray(kValidTypes)
122 : mFdp->ConsumeIntegral<int32_t>();
123 int32_t code = mFdp->ConsumeBool() ? mFdp->PickValueInArray(kValidCodes)
124 : mFdp->ConsumeIntegral<int32_t>();
125 events.push_back({
126 .when = mFdp->ConsumeIntegral<nsecs_t>(),
127 .readTime = mFdp->ConsumeIntegral<nsecs_t>(),
128 .deviceId = mFdp->ConsumeIntegral<int32_t>(),
129 .type = type,
130 .code = code,
131 .value = mFdp->ConsumeIntegral<int32_t>(),
132 });
133 }
134 return events;
135 }
getVideoFrames(int32_t deviceId)136 std::vector<TouchVideoFrame> getVideoFrames(int32_t deviceId) override { return mVideoFrames; }
137
mapSensor(int32_t deviceId,int32_t absCode)138 base::Result<std::pair<InputDeviceSensorType, int32_t>> mapSensor(
139 int32_t deviceId, int32_t absCode) const override {
140 return base::ResultError("Fuzzer", UNKNOWN_ERROR);
141 };
142 // Raw batteries are sysfs power_supply nodes we found from the EventHub device sysfs node,
143 // containing the raw info of the sysfs node structure.
getRawBatteryIds(int32_t deviceId)144 std::vector<int32_t> getRawBatteryIds(int32_t deviceId) const override { return {}; }
getRawBatteryInfo(int32_t deviceId,int32_t BatteryId)145 std::optional<RawBatteryInfo> getRawBatteryInfo(int32_t deviceId,
146 int32_t BatteryId) const override {
147 return std::nullopt;
148 };
149
getRawLightIds(int32_t deviceId)150 std::vector<int32_t> getRawLightIds(int32_t deviceId) const override { return {}; };
getRawLightInfo(int32_t deviceId,int32_t lightId)151 std::optional<RawLightInfo> getRawLightInfo(int32_t deviceId, int32_t lightId) const override {
152 return std::nullopt;
153 };
getLightBrightness(int32_t deviceId,int32_t lightId)154 std::optional<int32_t> getLightBrightness(int32_t deviceId, int32_t lightId) const override {
155 return std::nullopt;
156 };
setLightBrightness(int32_t deviceId,int32_t lightId,int32_t brightness)157 void setLightBrightness(int32_t deviceId, int32_t lightId, int32_t brightness) override{};
getLightIntensities(int32_t deviceId,int32_t lightId)158 std::optional<std::unordered_map<LightColor, int32_t>> getLightIntensities(
159 int32_t deviceId, int32_t lightId) const override {
160 return std::nullopt;
161 };
setLightIntensities(int32_t deviceId,int32_t lightId,std::unordered_map<LightColor,int32_t> intensities)162 void setLightIntensities(int32_t deviceId, int32_t lightId,
163 std::unordered_map<LightColor, int32_t> intensities) override{};
164
getRawLayoutInfo(int32_t deviceId)165 std::optional<RawLayoutInfo> getRawLayoutInfo(int32_t deviceId) const override {
166 return std::nullopt;
167 };
168
getScanCodeState(int32_t deviceId,int32_t scanCode)169 int32_t getScanCodeState(int32_t deviceId, int32_t scanCode) const override {
170 return mFdp->ConsumeIntegral<int32_t>();
171 }
getKeyCodeState(int32_t deviceId,int32_t keyCode)172 int32_t getKeyCodeState(int32_t deviceId, int32_t keyCode) const override {
173 return mFdp->ConsumeIntegral<int32_t>();
174 }
getSwitchState(int32_t deviceId,int32_t sw)175 int32_t getSwitchState(int32_t deviceId, int32_t sw) const override {
176 return mFdp->ConsumeIntegral<int32_t>();
177 }
addKeyRemapping(int32_t deviceId,int32_t fromKeyCode,int32_t toKeyCode)178 void addKeyRemapping(int32_t deviceId, int32_t fromKeyCode, int32_t toKeyCode) const override {}
getKeyCodeForKeyLocation(int32_t deviceId,int32_t locationKeyCode)179 int32_t getKeyCodeForKeyLocation(int32_t deviceId, int32_t locationKeyCode) const override {
180 return mFdp->ConsumeIntegral<int32_t>();
181 }
getAbsoluteAxisValue(int32_t deviceId,int32_t axis,int32_t * outValue)182 status_t getAbsoluteAxisValue(int32_t deviceId, int32_t axis,
183 int32_t* outValue) const override {
184 return mFdp->ConsumeIntegral<status_t>();
185 }
markSupportedKeyCodes(int32_t deviceId,const std::vector<int32_t> & keyCodes,uint8_t * outFlags)186 bool markSupportedKeyCodes(int32_t deviceId, const std::vector<int32_t>& keyCodes,
187 uint8_t* outFlags) const override {
188 return mFdp->ConsumeBool();
189 }
hasScanCode(int32_t deviceId,int32_t scanCode)190 bool hasScanCode(int32_t deviceId, int32_t scanCode) const override {
191 return mFdp->ConsumeBool();
192 }
hasKeyCode(int32_t deviceId,int32_t keyCode)193 bool hasKeyCode(int32_t deviceId, int32_t keyCode) const override {
194 return mFdp->ConsumeBool();
195 }
hasLed(int32_t deviceId,int32_t led)196 bool hasLed(int32_t deviceId, int32_t led) const override { return mFdp->ConsumeBool(); }
setLedState(int32_t deviceId,int32_t led,bool on)197 void setLedState(int32_t deviceId, int32_t led, bool on) override {}
getVirtualKeyDefinitions(int32_t deviceId,std::vector<VirtualKeyDefinition> & outVirtualKeys)198 void getVirtualKeyDefinitions(
199 int32_t deviceId, std::vector<VirtualKeyDefinition>& outVirtualKeys) const override {}
getKeyCharacterMap(int32_t deviceId)200 const std::shared_ptr<KeyCharacterMap> getKeyCharacterMap(int32_t deviceId) const override {
201 return nullptr;
202 }
setKeyboardLayoutOverlay(int32_t deviceId,std::shared_ptr<KeyCharacterMap> map)203 bool setKeyboardLayoutOverlay(int32_t deviceId, std::shared_ptr<KeyCharacterMap> map) override {
204 return mFdp->ConsumeBool();
205 }
vibrate(int32_t deviceId,const VibrationElement & effect)206 void vibrate(int32_t deviceId, const VibrationElement& effect) override {}
cancelVibrate(int32_t deviceId)207 void cancelVibrate(int32_t deviceId) override {}
208
getVibratorIds(int32_t deviceId)209 std::vector<int32_t> getVibratorIds(int32_t deviceId) const override { return {}; };
210
211 /* Query battery level. */
getBatteryCapacity(int32_t deviceId,int32_t batteryId)212 std::optional<int32_t> getBatteryCapacity(int32_t deviceId, int32_t batteryId) const override {
213 return std::nullopt;
214 };
215
216 /* Query battery status. */
getBatteryStatus(int32_t deviceId,int32_t batteryId)217 std::optional<int32_t> getBatteryStatus(int32_t deviceId, int32_t batteryId) const override {
218 return std::nullopt;
219 };
220
requestReopenDevices()221 void requestReopenDevices() override {}
wake()222 void wake() override {}
dump(std::string & dump)223 void dump(std::string& dump) const override {}
monitor()224 void monitor() const override {}
isDeviceEnabled(int32_t deviceId)225 bool isDeviceEnabled(int32_t deviceId) const override { return mFdp->ConsumeBool(); }
enableDevice(int32_t deviceId)226 status_t enableDevice(int32_t deviceId) override { return mFdp->ConsumeIntegral<status_t>(); }
disableDevice(int32_t deviceId)227 status_t disableDevice(int32_t deviceId) override { return mFdp->ConsumeIntegral<status_t>(); }
sysfsNodeChanged(const std::string & sysfsNodePath)228 void sysfsNodeChanged(const std::string& sysfsNodePath) override {}
229 };
230
231 class FuzzPointerController : public PointerControllerInterface {
232 std::shared_ptr<ThreadSafeFuzzedDataProvider> mFdp;
233
234 public:
FuzzPointerController(std::shared_ptr<ThreadSafeFuzzedDataProvider> mFdp)235 FuzzPointerController(std::shared_ptr<ThreadSafeFuzzedDataProvider> mFdp) : mFdp(mFdp) {}
~FuzzPointerController()236 ~FuzzPointerController() {}
getBounds()237 std::optional<FloatRect> getBounds() const override {
238 if (mFdp->ConsumeBool()) {
239 return {};
240 } else {
241 return FloatRect{mFdp->ConsumeFloatingPoint<float>(),
242 mFdp->ConsumeFloatingPoint<float>(),
243 mFdp->ConsumeFloatingPoint<float>(),
244 mFdp->ConsumeFloatingPoint<float>()};
245 }
246 }
move(float deltaX,float deltaY)247 void move(float deltaX, float deltaY) override {}
setPosition(float x,float y)248 void setPosition(float x, float y) override {}
getPosition()249 FloatPoint getPosition() const override {
250 return {mFdp->ConsumeFloatingPoint<float>(), mFdp->ConsumeFloatingPoint<float>()};
251 }
fade(Transition transition)252 void fade(Transition transition) override {}
unfade(Transition transition)253 void unfade(Transition transition) override {}
setPresentation(Presentation presentation)254 void setPresentation(Presentation presentation) override {}
setSpots(const PointerCoords * spotCoords,const uint32_t * spotIdToIndex,BitSet32 spotIdBits,int32_t displayId)255 void setSpots(const PointerCoords* spotCoords, const uint32_t* spotIdToIndex,
256 BitSet32 spotIdBits, int32_t displayId) override {}
clearSpots()257 void clearSpots() override {}
getDisplayId()258 int32_t getDisplayId() const override { return mFdp->ConsumeIntegral<int32_t>(); }
setDisplayViewport(const DisplayViewport & displayViewport)259 void setDisplayViewport(const DisplayViewport& displayViewport) override {}
260 };
261
262 class FuzzInputReaderPolicy : public InputReaderPolicyInterface {
263 TouchAffineTransformation mTransform;
264 std::shared_ptr<FuzzPointerController> mPointerController;
265 std::shared_ptr<ThreadSafeFuzzedDataProvider> mFdp;
266
267 protected:
~FuzzInputReaderPolicy()268 ~FuzzInputReaderPolicy() {}
269
270 public:
FuzzInputReaderPolicy(std::shared_ptr<ThreadSafeFuzzedDataProvider> mFdp)271 FuzzInputReaderPolicy(std::shared_ptr<ThreadSafeFuzzedDataProvider> mFdp) : mFdp(mFdp) {
272 mPointerController = std::make_shared<FuzzPointerController>(mFdp);
273 }
getReaderConfiguration(InputReaderConfiguration * outConfig)274 void getReaderConfiguration(InputReaderConfiguration* outConfig) override {}
obtainPointerController(int32_t deviceId)275 std::shared_ptr<PointerControllerInterface> obtainPointerController(int32_t deviceId) override {
276 return mPointerController;
277 }
notifyInputDevicesChanged(const std::vector<InputDeviceInfo> & inputDevices)278 void notifyInputDevicesChanged(const std::vector<InputDeviceInfo>& inputDevices) override {}
getKeyboardLayoutOverlay(const InputDeviceIdentifier & identifier)279 std::shared_ptr<KeyCharacterMap> getKeyboardLayoutOverlay(
280 const InputDeviceIdentifier& identifier) override {
281 return nullptr;
282 }
getDeviceAlias(const InputDeviceIdentifier & identifier)283 std::string getDeviceAlias(const InputDeviceIdentifier& identifier) {
284 return mFdp->ConsumeRandomLengthString(32);
285 }
getTouchAffineTransformation(const std::string & inputDeviceDescriptor,ui::Rotation surfaceRotation)286 TouchAffineTransformation getTouchAffineTransformation(const std::string& inputDeviceDescriptor,
287 ui::Rotation surfaceRotation) override {
288 return mTransform;
289 }
setTouchAffineTransformation(const TouchAffineTransformation t)290 void setTouchAffineTransformation(const TouchAffineTransformation t) { mTransform = t; }
notifyStylusGestureStarted(int32_t,nsecs_t)291 void notifyStylusGestureStarted(int32_t, nsecs_t) {}
isInputMethodConnectionActive()292 bool isInputMethodConnectionActive() override { return mFdp->ConsumeBool(); }
293 };
294
295 class FuzzInputListener : public virtual InputListenerInterface {
296 public:
notifyInputDevicesChanged(const NotifyInputDevicesChangedArgs & args)297 void notifyInputDevicesChanged(const NotifyInputDevicesChangedArgs& args) override {}
notifyConfigurationChanged(const NotifyConfigurationChangedArgs & args)298 void notifyConfigurationChanged(const NotifyConfigurationChangedArgs& args) override {}
notifyKey(const NotifyKeyArgs & args)299 void notifyKey(const NotifyKeyArgs& args) override {}
notifyMotion(const NotifyMotionArgs & args)300 void notifyMotion(const NotifyMotionArgs& args) override {}
notifySwitch(const NotifySwitchArgs & args)301 void notifySwitch(const NotifySwitchArgs& args) override {}
notifySensor(const NotifySensorArgs & args)302 void notifySensor(const NotifySensorArgs& args) override{};
notifyVibratorState(const NotifyVibratorStateArgs & args)303 void notifyVibratorState(const NotifyVibratorStateArgs& args) override{};
notifyDeviceReset(const NotifyDeviceResetArgs & args)304 void notifyDeviceReset(const NotifyDeviceResetArgs& args) override {}
notifyPointerCaptureChanged(const NotifyPointerCaptureChangedArgs & args)305 void notifyPointerCaptureChanged(const NotifyPointerCaptureChangedArgs& args) override{};
306 };
307
308 class FuzzInputReaderContext : public InputReaderContext {
309 std::shared_ptr<EventHubInterface> mEventHub;
310 sp<InputReaderPolicyInterface> mPolicy;
311 std::shared_ptr<ThreadSafeFuzzedDataProvider> mFdp;
312
313 public:
FuzzInputReaderContext(std::shared_ptr<EventHubInterface> eventHub,const sp<InputReaderPolicyInterface> & policy,InputListenerInterface & listener,std::shared_ptr<ThreadSafeFuzzedDataProvider> mFdp)314 FuzzInputReaderContext(std::shared_ptr<EventHubInterface> eventHub,
315 const sp<InputReaderPolicyInterface>& policy,
316 InputListenerInterface& listener,
317 std::shared_ptr<ThreadSafeFuzzedDataProvider> mFdp)
318 : mEventHub(eventHub), mPolicy(policy), mFdp(mFdp) {}
~FuzzInputReaderContext()319 ~FuzzInputReaderContext() {}
updateGlobalMetaState()320 void updateGlobalMetaState() override {}
getGlobalMetaState()321 int32_t getGlobalMetaState() { return mFdp->ConsumeIntegral<int32_t>(); }
disableVirtualKeysUntil(nsecs_t time)322 void disableVirtualKeysUntil(nsecs_t time) override {}
shouldDropVirtualKey(nsecs_t now,int32_t keyCode,int32_t scanCode)323 bool shouldDropVirtualKey(nsecs_t now, int32_t keyCode, int32_t scanCode) override {
324 return mFdp->ConsumeBool();
325 }
fadePointer()326 void fadePointer() override {}
getPointerController(int32_t deviceId)327 std::shared_ptr<PointerControllerInterface> getPointerController(int32_t deviceId) override {
328 return mPolicy->obtainPointerController(0);
329 }
requestTimeoutAtTime(nsecs_t when)330 void requestTimeoutAtTime(nsecs_t when) override {}
bumpGeneration()331 int32_t bumpGeneration() override { return mFdp->ConsumeIntegral<int32_t>(); }
getExternalStylusDevices(std::vector<InputDeviceInfo> & outDevices)332 void getExternalStylusDevices(std::vector<InputDeviceInfo>& outDevices) override {}
dispatchExternalStylusState(const StylusState & outState)333 std::list<NotifyArgs> dispatchExternalStylusState(const StylusState& outState) override {
334 return {};
335 }
getPolicy()336 InputReaderPolicyInterface* getPolicy() override { return mPolicy.get(); }
getEventHub()337 EventHubInterface* getEventHub() override { return mEventHub.get(); }
getNextId()338 int32_t getNextId() override { return mFdp->ConsumeIntegral<int32_t>(); }
339
updateLedMetaState(int32_t metaState)340 void updateLedMetaState(int32_t metaState) override{};
getLedMetaState()341 int32_t getLedMetaState() override { return mFdp->ConsumeIntegral<int32_t>(); };
notifyStylusGestureStarted(int32_t,nsecs_t)342 void notifyStylusGestureStarted(int32_t, nsecs_t) {}
343
setPreventingTouchpadTaps(bool prevent)344 void setPreventingTouchpadTaps(bool prevent) {}
isPreventingTouchpadTaps()345 bool isPreventingTouchpadTaps() { return mFdp->ConsumeBool(); };
346 };
347
348 } // namespace android
349