1 /*
2 * Copyright 2021 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at:
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 *
16 */
17
18 #include <FuzzableDataspaces.h>
19 #include <binder/IServiceManager.h>
20 #include <fuzzer/FuzzedDataProvider.h>
21 #include <ui/DisplayStatInfo.h>
22 #include "surfaceflinger_fuzzers_utils.h"
23
24 namespace android::fuzz {
25
26 static constexpr LatchUnsignaledConfig kLatchUnsignaledConfig[] = {
27 LatchUnsignaledConfig::Always,
28 LatchUnsignaledConfig::AutoSingleLayer,
29 LatchUnsignaledConfig::Disabled,
30 };
31
32 static constexpr BnSurfaceComposer::ISurfaceComposerTag kSurfaceComposerTags[]{
33 BnSurfaceComposer::BOOT_FINISHED,
34 BnSurfaceComposer::CREATE_CONNECTION,
35 BnSurfaceComposer::GET_STATIC_DISPLAY_INFO,
36 BnSurfaceComposer::CREATE_DISPLAY_EVENT_CONNECTION,
37 BnSurfaceComposer::CREATE_DISPLAY,
38 BnSurfaceComposer::DESTROY_DISPLAY,
39 BnSurfaceComposer::GET_PHYSICAL_DISPLAY_TOKEN,
40 BnSurfaceComposer::SET_TRANSACTION_STATE,
41 BnSurfaceComposer::AUTHENTICATE_SURFACE,
42 BnSurfaceComposer::GET_SUPPORTED_FRAME_TIMESTAMPS,
43 BnSurfaceComposer::GET_DISPLAY_MODES,
44 BnSurfaceComposer::GET_ACTIVE_DISPLAY_MODE,
45 BnSurfaceComposer::GET_DISPLAY_STATE,
46 BnSurfaceComposer::CAPTURE_DISPLAY,
47 BnSurfaceComposer::CAPTURE_LAYERS,
48 BnSurfaceComposer::CLEAR_ANIMATION_FRAME_STATS,
49 BnSurfaceComposer::GET_ANIMATION_FRAME_STATS,
50 BnSurfaceComposer::SET_POWER_MODE,
51 BnSurfaceComposer::GET_DISPLAY_STATS,
52 BnSurfaceComposer::GET_HDR_CAPABILITIES,
53 BnSurfaceComposer::GET_DISPLAY_COLOR_MODES,
54 BnSurfaceComposer::GET_ACTIVE_COLOR_MODE,
55 BnSurfaceComposer::SET_ACTIVE_COLOR_MODE,
56 BnSurfaceComposer::ENABLE_VSYNC_INJECTIONS,
57 BnSurfaceComposer::INJECT_VSYNC,
58 BnSurfaceComposer::GET_LAYER_DEBUG_INFO,
59 BnSurfaceComposer::GET_COMPOSITION_PREFERENCE,
60 BnSurfaceComposer::GET_COLOR_MANAGEMENT,
61 BnSurfaceComposer::GET_DISPLAYED_CONTENT_SAMPLING_ATTRIBUTES,
62 BnSurfaceComposer::SET_DISPLAY_CONTENT_SAMPLING_ENABLED,
63 BnSurfaceComposer::GET_DISPLAYED_CONTENT_SAMPLE,
64 BnSurfaceComposer::GET_PROTECTED_CONTENT_SUPPORT,
65 BnSurfaceComposer::IS_WIDE_COLOR_DISPLAY,
66 BnSurfaceComposer::GET_DISPLAY_NATIVE_PRIMARIES,
67 BnSurfaceComposer::GET_PHYSICAL_DISPLAY_IDS,
68 BnSurfaceComposer::ADD_REGION_SAMPLING_LISTENER,
69 BnSurfaceComposer::REMOVE_REGION_SAMPLING_LISTENER,
70 BnSurfaceComposer::SET_DESIRED_DISPLAY_MODE_SPECS,
71 BnSurfaceComposer::GET_DESIRED_DISPLAY_MODE_SPECS,
72 BnSurfaceComposer::GET_DISPLAY_BRIGHTNESS_SUPPORT,
73 BnSurfaceComposer::SET_DISPLAY_BRIGHTNESS,
74 BnSurfaceComposer::CAPTURE_DISPLAY_BY_ID,
75 BnSurfaceComposer::NOTIFY_POWER_BOOST,
76 BnSurfaceComposer::SET_GLOBAL_SHADOW_SETTINGS,
77 BnSurfaceComposer::GET_AUTO_LOW_LATENCY_MODE_SUPPORT,
78 BnSurfaceComposer::SET_AUTO_LOW_LATENCY_MODE,
79 BnSurfaceComposer::GET_GAME_CONTENT_TYPE_SUPPORT,
80 BnSurfaceComposer::SET_GAME_CONTENT_TYPE,
81 BnSurfaceComposer::SET_FRAME_RATE,
82 BnSurfaceComposer::ACQUIRE_FRAME_RATE_FLEXIBILITY_TOKEN,
83 BnSurfaceComposer::SET_FRAME_TIMELINE_INFO,
84 BnSurfaceComposer::ADD_TRANSACTION_TRACE_LISTENER,
85 BnSurfaceComposer::GET_GPU_CONTEXT_PRIORITY,
86 BnSurfaceComposer::GET_MAX_ACQUIRED_BUFFER_COUNT,
87 BnSurfaceComposer::GET_DYNAMIC_DISPLAY_INFO,
88 BnSurfaceComposer::ADD_FPS_LISTENER,
89 BnSurfaceComposer::REMOVE_FPS_LISTENER,
90 BnSurfaceComposer::OVERRIDE_HDR_TYPES,
91 BnSurfaceComposer::ADD_HDR_LAYER_INFO_LISTENER,
92 BnSurfaceComposer::REMOVE_HDR_LAYER_INFO_LISTENER,
93 BnSurfaceComposer::ON_PULL_ATOM,
94 BnSurfaceComposer::ADD_TUNNEL_MODE_ENABLED_LISTENER,
95 BnSurfaceComposer::REMOVE_TUNNEL_MODE_ENABLED_LISTENER,
96 BnSurfaceComposer::ADD_WINDOW_INFOS_LISTENER,
97 BnSurfaceComposer::REMOVE_WINDOW_INFOS_LISTENER,
98 };
99
100 static constexpr uint32_t kMinCode = 1000;
101 static constexpr uint32_t kMaxCode = 1050;
102
103 class SurfaceFlingerFuzzer {
104 public:
SurfaceFlingerFuzzer(const uint8_t * data,size_t size)105 SurfaceFlingerFuzzer(const uint8_t *data, size_t size) : mFdp(data, size) {
106 mFlinger = sp<SurfaceFlinger>::fromExisting(mTestableFlinger.flinger());
107 };
108 void process(const uint8_t *data, size_t size);
109
110 private:
111 void setUp();
112 void invokeFlinger();
113 void setTransactionState();
114 void setInternalDisplayPrimaries();
115 void setDisplayStateLocked();
116 void onTransact(const uint8_t *data, size_t size);
117
118 FuzzedDataProvider mFdp;
119 TestableSurfaceFlinger mTestableFlinger;
120 sp<SurfaceFlinger> mFlinger = nullptr;
121 };
122
invokeFlinger()123 void SurfaceFlingerFuzzer::invokeFlinger() {
124 mFlinger->setSchedFifo(mFdp.ConsumeBool());
125 mFlinger->setSchedAttr(mFdp.ConsumeBool());
126 mFlinger->getServiceName();
127 mFlinger->hasSyncFramework = mFdp.ConsumeBool();
128 mFlinger->dispSyncPresentTimeOffset = mFdp.ConsumeIntegral<int64_t>();
129 mFlinger->useHwcForRgbToYuv = mFdp.ConsumeBool();
130 mFlinger->maxFrameBufferAcquiredBuffers = mFdp.ConsumeIntegral<int64_t>();
131 mFlinger->maxGraphicsWidth = mFdp.ConsumeIntegral<uint32_t>();
132 mFlinger->maxGraphicsHeight = mFdp.ConsumeIntegral<uint32_t>();
133 mTestableFlinger.mutableSupportsWideColor() = mFdp.ConsumeBool();
134 mFlinger->useContextPriority = mFdp.ConsumeBool();
135
136 mFlinger->defaultCompositionDataspace = mFdp.PickValueInArray(kDataspaces);
137 mFlinger->defaultCompositionPixelFormat = mFdp.PickValueInArray(kPixelFormats);
138 mFlinger->wideColorGamutCompositionDataspace = mFdp.PickValueInArray(kDataspaces);
139 mFlinger->wideColorGamutCompositionPixelFormat = mFdp.PickValueInArray(kPixelFormats);
140
141 mFlinger->enableLatchUnsignaledConfig = mFdp.PickValueInArray(kLatchUnsignaledConfig);
142
143 using FrameHint = SurfaceFlinger::FrameHint;
144 mFlinger->scheduleComposite(mFdp.ConsumeBool() ? FrameHint::kActive : FrameHint::kNone);
145 mFlinger->scheduleRepaint();
146 mFlinger->scheduleSample();
147
148 uint32_t texture = mFlinger->getNewTexture();
149 mFlinger->deleteTextureAsync(texture);
150
151 sp<IBinder> handle = defaultServiceManager()->checkService(
152 String16(mFdp.ConsumeRandomLengthString().c_str()));
153 LayerHandle::getLayer(handle);
154 mFlinger->disableExpensiveRendering();
155 }
156
setInternalDisplayPrimaries()157 void SurfaceFlingerFuzzer::setInternalDisplayPrimaries() {
158 ui::DisplayPrimaries primaries;
159 primaries.red.X = mFdp.ConsumeFloatingPoint<float>();
160 primaries.red.Y = mFdp.ConsumeFloatingPoint<float>();
161 primaries.red.Z = mFdp.ConsumeFloatingPoint<float>();
162 primaries.green.X = mFdp.ConsumeFloatingPoint<float>();
163 primaries.green.Y = mFdp.ConsumeFloatingPoint<float>();
164 primaries.green.Z = mFdp.ConsumeFloatingPoint<float>();
165 primaries.blue.X = mFdp.ConsumeFloatingPoint<float>();
166 primaries.blue.Y = mFdp.ConsumeFloatingPoint<float>();
167 primaries.blue.Z = mFdp.ConsumeFloatingPoint<float>();
168 primaries.white.X = mFdp.ConsumeFloatingPoint<float>();
169 primaries.white.Y = mFdp.ConsumeFloatingPoint<float>();
170 primaries.white.Z = mFdp.ConsumeFloatingPoint<float>();
171 mTestableFlinger.setInternalDisplayPrimaries(primaries);
172 }
173
setTransactionState()174 void SurfaceFlingerFuzzer::setTransactionState() {
175 Vector<ComposerState> states;
176 Vector<DisplayState> displays;
177 ComposerState composerState;
178 composerState.state.what = layer_state_t::eLayerChanged;
179 composerState.state.surface = nullptr;
180 states.add(composerState);
181 uint32_t flags = mFdp.ConsumeIntegral<uint32_t>();
182 const sp<IBinder> applyToken = nullptr;
183 int64_t desiredPresentTime = mFdp.ConsumeIntegral<int64_t>();
184 bool isAutoTimestamp = mFdp.ConsumeBool();
185 bool hasListenerCallbacks = mFdp.ConsumeBool();
186 std::vector<ListenerCallbacks> listenerCallbacks{};
187 uint64_t transactionId = mFdp.ConsumeIntegral<uint64_t>();
188 std::vector<uint64_t> mergedTransactionIds{};
189
190 mTestableFlinger.setTransactionState(FrameTimelineInfo{}, states, displays, flags, applyToken,
191 InputWindowCommands{}, desiredPresentTime, isAutoTimestamp,
192 {}, hasListenerCallbacks, listenerCallbacks, transactionId,
193 mergedTransactionIds);
194 }
195
setDisplayStateLocked()196 void SurfaceFlingerFuzzer::setDisplayStateLocked() {
197 DisplayState state{};
198 mTestableFlinger.setDisplayStateLocked(state);
199 }
200
onTransact(const uint8_t * data,size_t size)201 void SurfaceFlingerFuzzer::onTransact(const uint8_t *data, size_t size) {
202 Parcel fuzzedData, reply;
203 fuzzedData.writeInterfaceToken(String16("android.ui.ISurfaceComposer"));
204 fuzzedData.setData(data, size);
205 fuzzedData.setDataPosition(0);
206 uint32_t code = mFdp.ConsumeBool() ? mFdp.PickValueInArray(kSurfaceComposerTags)
207 : mFdp.ConsumeIntegralInRange<uint32_t>(kMinCode, kMaxCode);
208 mTestableFlinger.onTransact(code, fuzzedData, &reply, 0);
209 }
210
setUp()211 void SurfaceFlingerFuzzer::setUp() {
212 mTestableFlinger.setupScheduler(std::make_unique<android::mock::VsyncController>(),
213 std::make_unique<android::mock::VSyncTracker>(),
214 std::make_unique<android::mock::EventThread>(),
215 std::make_unique<android::mock::EventThread>());
216
217 mTestableFlinger.setupTimeStats(std::make_unique<android::mock::TimeStats>());
218
219 std::unique_ptr<android::renderengine::RenderEngine> renderEngine =
220 std::make_unique<android::renderengine::mock::RenderEngine>();
221 mTestableFlinger.setupRenderEngine(std::move(renderEngine));
222 mTestableFlinger.setupComposer(std::make_unique<android::Hwc2::mock::Composer>());
223 }
224
process(const uint8_t * data,size_t size)225 void SurfaceFlingerFuzzer::process(const uint8_t *data, size_t size) {
226 setUp();
227
228 invokeFlinger();
229
230 mTestableFlinger.fuzzSurfaceFlinger(data, size);
231
232 mTestableFlinger.setCreateBufferQueueFunction(
233 surfaceflinger::test::Factory::CreateBufferQueueFunction());
234 mTestableFlinger.setCreateNativeWindowSurface(
235 surfaceflinger::test::Factory::CreateNativeWindowSurfaceFunction());
236
237 setInternalDisplayPrimaries();
238
239 mTestableFlinger.enableHalVirtualDisplays(mFdp.ConsumeBool());
240
241 FTL_FAKE_GUARD(kMainThreadContext,
242 mTestableFlinger.commitTransactionsLocked(mFdp.ConsumeIntegral<uint32_t>()));
243
244 mTestableFlinger.notifyPowerBoost(mFdp.ConsumeIntegral<int32_t>());
245
246 setDisplayStateLocked();
247
248 setTransactionState();
249 mTestableFlinger.flushTransactionQueues();
250
251 onTransact(data, size);
252 }
253
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)254 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
255 android::fuzz::SurfaceFlingerFuzzer surfaceFlingerFuzzer(data, size);
256 surfaceFlingerFuzzer.process(data, size);
257 return 0;
258 }
259
260 } // namespace android::fuzz
261