1 /*
2 * Copyright 2022 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <InputReader.h>
18 #include <MapperHelpers.h>
19 #include <fuzzer/FuzzedDataProvider.h>
20 #include <input/InputDevice.h>
21 #include <chrono>
22 #include <thread>
23
24 namespace android {
25
// Sensor types the harness can pick from when exercising the sensor entry points
// (enableSensor / disableSensor / flushSensor). Picking from this fixed table, rather than
// casting raw fuzz bytes to the enum, means those calls only ever see enumerators named here.
constexpr InputDeviceSensorType kInputDeviceSensorType[] = {
        InputDeviceSensorType::ACCELEROMETER,
        InputDeviceSensorType::MAGNETIC_FIELD,
        InputDeviceSensorType::ORIENTATION,
        InputDeviceSensorType::GYROSCOPE,
        InputDeviceSensorType::LIGHT,
        InputDeviceSensorType::PRESSURE,
        InputDeviceSensorType::TEMPERATURE,
        InputDeviceSensorType::PROXIMITY,
        InputDeviceSensorType::GRAVITY,
        InputDeviceSensorType::LINEAR_ACCELERATION,
        InputDeviceSensorType::ROTATION_VECTOR,
        InputDeviceSensorType::RELATIVE_HUMIDITY,
        InputDeviceSensorType::AMBIENT_TEMPERATURE,
        InputDeviceSensorType::MAGNETIC_FIELD_UNCALIBRATED,
        InputDeviceSensorType::GAME_ROTATION_VECTOR,
        InputDeviceSensorType::GYROSCOPE_UNCALIBRATED,
        InputDeviceSensorType::SIGNIFICANT_MOTION,
};
45
/**
 * Thin InputReaderInterface wrapper used by the fuzz target.
 *
 * Owns an InputReader built from the fuzzed event hub, policy and listener, and forwards every
 * call to it unchanged. The wrapper adds no validation of its own, so whatever argument values
 * the harness produces reach the wrapped reader as-is.
 *
 * NOTE(review): the members are not marked `override`; presumably each one implements a virtual
 * of InputReaderInterface. Adding `override` would let the compiler flag any signature drift.
 */
class FuzzInputReader : public InputReaderInterface {
public:
    // The listener is taken by reference, so the caller must keep it alive for as long as this
    // object exists.
    FuzzInputReader(std::shared_ptr<EventHubInterface> fuzzEventHub,
                    const sp<InputReaderPolicyInterface>& fuzzPolicy,
                    InputListenerInterface& fuzzListener)
          : mReader(std::make_unique<InputReader>(fuzzEventHub, fuzzPolicy, fuzzListener)) {}

    // --- Diagnostics and lifecycle ---

    void dump(std::string& dump) { mReader->dump(dump); }

    void monitor() { mReader->monitor(); }

    bool isInputDeviceEnabled(int32_t deviceId) {
        return mReader->isInputDeviceEnabled(deviceId);
    }

    status_t start() { return mReader->start(); }

    status_t stop() { return mReader->stop(); }

    std::vector<InputDeviceInfo> getInputDevices() const { return mReader->getInputDevices(); }

    // --- Key, scan code and switch state ---

    int32_t getScanCodeState(int32_t deviceId, uint32_t sourceMask, int32_t scanCode) {
        return mReader->getScanCodeState(deviceId, sourceMask, scanCode);
    }

    int32_t getKeyCodeState(int32_t deviceId, uint32_t sourceMask, int32_t keyCode) {
        return mReader->getKeyCodeState(deviceId, sourceMask, keyCode);
    }

    int32_t getSwitchState(int32_t deviceId, uint32_t sourceMask, int32_t sw) {
        return mReader->getSwitchState(deviceId, sourceMask, sw);
    }

    void toggleCapsLockState(int32_t deviceId) { mReader->toggleCapsLockState(deviceId); }

    // outFlags is passed straight through as a raw pointer; this wrapper does not check that it
    // has room for one entry per key code, so the caller is responsible for sizing it.
    bool hasKeys(int32_t deviceId, uint32_t sourceMask, const std::vector<int32_t>& keyCodes,
                 uint8_t* outFlags) {
        return mReader->hasKeys(deviceId, sourceMask, keyCodes, outFlags);
    }

    void requestRefreshConfiguration(ConfigurationChanges changes) {
        mReader->requestRefreshConfiguration(changes);
    }

    // --- Vibrator ---

    void vibrate(int32_t deviceId, const VibrationSequence& sequence, ssize_t repeat,
                 int32_t token) {
        mReader->vibrate(deviceId, sequence, repeat, token);
    }

    void cancelVibrate(int32_t deviceId, int32_t token) {
        mReader->cancelVibrate(deviceId, token);
    }

    bool isVibrating(int32_t deviceId) { return mReader->isVibrating(deviceId); }

    std::vector<int32_t> getVibratorIds(int32_t deviceId) {
        return mReader->getVibratorIds(deviceId);
    }

    // --- Battery ---

    std::optional<int32_t> getBatteryCapacity(int32_t deviceId) {
        return mReader->getBatteryCapacity(deviceId);
    }

    std::optional<int32_t> getBatteryStatus(int32_t deviceId) {
        return mReader->getBatteryStatus(deviceId);
    }

    std::optional<std::string> getBatteryDevicePath(int32_t deviceId) {
        return mReader->getBatteryDevicePath(deviceId);
    }

    // --- Lights, sensors and display routing ---

    std::vector<InputDeviceLightInfo> getLights(int32_t deviceId) {
        return mReader->getLights(deviceId);
    }

    std::vector<InputDeviceSensorInfo> getSensors(int32_t deviceId) {
        return mReader->getSensors(deviceId);
    }

    bool canDispatchToDisplay(int32_t deviceId, int32_t displayId) {
        return mReader->canDispatchToDisplay(deviceId, displayId);
    }

    bool enableSensor(int32_t deviceId, InputDeviceSensorType sensorType,
                      std::chrono::microseconds samplingPeriod,
                      std::chrono::microseconds maxBatchReportLatency) {
        return mReader->enableSensor(deviceId, sensorType, samplingPeriod,
                                     maxBatchReportLatency);
    }

    void disableSensor(int32_t deviceId, InputDeviceSensorType sensorType) {
        mReader->disableSensor(deviceId, sensorType);
    }

    void flushSensor(int32_t deviceId, InputDeviceSensorType sensorType) {
        mReader->flushSensor(deviceId, sensorType);
    }

    bool setLightColor(int32_t deviceId, int32_t lightId, int32_t color) {
        return mReader->setLightColor(deviceId, lightId, color);
    }

    bool setLightPlayerId(int32_t deviceId, int32_t lightId, int32_t playerId) {
        return mReader->setLightPlayerId(deviceId, lightId, playerId);
    }

    std::optional<int32_t> getLightColor(int32_t deviceId, int32_t lightId) {
        return mReader->getLightColor(deviceId, lightId);
    }

    std::optional<int32_t> getLightPlayerId(int32_t deviceId, int32_t lightId) {
        return mReader->getLightPlayerId(deviceId, lightId);
    }

    // --- Key remapping, Bluetooth and sysfs notifications ---

    void addKeyRemapping(int32_t deviceId, int32_t fromKeyCode, int32_t toKeyCode) const {
        mReader->addKeyRemapping(deviceId, fromKeyCode, toKeyCode);
    }

    int32_t getKeyCodeForKeyLocation(int32_t deviceId, int32_t locationKeyCode) const {
        return mReader->getKeyCodeForKeyLocation(deviceId, locationKeyCode);
    }

    std::optional<std::string> getBluetoothAddress(int32_t deviceId) const {
        return mReader->getBluetoothAddress(deviceId);
    }

    void sysfsNodeChanged(const std::string& sysfsNodePath) {
        mReader->sysfsNodeChanged(sysfsNodePath);
    }

private:
    // The InputReader every call above is forwarded to.
    std::unique_ptr<InputReaderInterface> mReader;
};
175
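/**
 * libFuzzer entry point: builds an InputReader over fuzzed collaborators and then drives its
 * public interface with operations and arguments chosen from the input bytes.
 *
 * Every multi-argument call consumes its fuzzed values into named locals first. C++ leaves the
 * evaluation order of function arguments unspecified, so consuming inside the argument list
 * would let the same input map to different argument values under a different compiler or
 * optimisation level, which makes crashes harder to reproduce and corpora less portable. The
 * locals are consumed in the left-to-right order of the original argument lists.
 *
 * @param data fuzzer-provided input bytes
 * @param size number of bytes in data
 * @return always 0
 */
extern "C" int LLVMFuzzerTestOneInput(uint8_t* data, size_t size) {
    std::shared_ptr<ThreadSafeFuzzedDataProvider> fdp =
            std::make_shared<ThreadSafeFuzzedDataProvider>(data, size);

    // Declared before the reader so that it is destroyed after it: the reader is constructed
    // with a reference to this listener.
    FuzzInputListener fuzzListener;
    sp<FuzzInputReaderPolicy> fuzzPolicy = sp<FuzzInputReaderPolicy>::make(fdp);
    std::shared_ptr<FuzzEventHub> fuzzEventHub = std::make_shared<FuzzEventHub>(fdp);
    std::unique_ptr<FuzzInputReader> reader =
            std::make_unique<FuzzInputReader>(fuzzEventHub, fuzzPolicy, fuzzListener);

    // Build a vibration pattern of 1..260 elements, one fuzzed channel per element.
    const size_t patternCount = fdp->ConsumeIntegralInRange<size_t>(1, 260);
    VibrationSequence pattern(patternCount);
    for (size_t i = 0; i < patternCount; ++i) {
        VibrationElement element(i);
        const int32_t vibratorId = fdp->ConsumeIntegral<int32_t>();
        const uint8_t amplitude = fdp->ConsumeIntegral<uint8_t>();
        element.addChannel(vibratorId, amplitude);
        pattern.addElement(element);
    }
    {
        // repeat is unconstrained on purpose: it may be negative or beyond the pattern length.
        const int32_t deviceId = fdp->ConsumeIntegral<int32_t>();
        const ssize_t repeat = fdp->ConsumeIntegral<ssize_t>();
        const int32_t token = fdp->ConsumeIntegral<int32_t>();
        reader->vibrate(deviceId, pattern, repeat, token);
    }

    // NOTE(review): start() presumably launches the reader's own thread, which would draw from
    // the same provider (hence the thread-safe variant). If so, how bytes are split between that
    // thread and the loop below is timing-dependent, so replaying a crashing input may not
    // follow the same path every time. Confirm.
    reader->start();

    // Loop through mapper operations until randomness is exhausted.
    // The position of each lambda in this list is what the fuzzed index selects, so inserting or
    // reordering entries changes how existing corpus inputs are interpreted.
    // NOTE(review): isVibrating, getVibratorIds, addKeyRemapping and sysfsNodeChanged are
    // forwarded by FuzzInputReader but are not exercised by any entry here.
    while (fdp->remaining_bytes() > 0) {
        fdp->PickValueInArray<std::function<void()>>({
                [&]() -> void {
                    std::string dump;
                    reader->dump(dump);
                },
                [&]() -> void { reader->monitor(); },
                [&]() -> void { reader->getInputDevices(); },
                [&]() -> void { reader->isInputDeviceEnabled(fdp->ConsumeIntegral<int32_t>()); },
                [&]() -> void {
                    const int32_t deviceId = fdp->ConsumeIntegral<int32_t>();
                    const uint32_t sourceMask = fdp->ConsumeIntegral<uint32_t>();
                    const int32_t scanCode = fdp->ConsumeIntegral<int32_t>();
                    reader->getScanCodeState(deviceId, sourceMask, scanCode);
                },
                [&]() -> void {
                    const int32_t deviceId = fdp->ConsumeIntegral<int32_t>();
                    const uint32_t sourceMask = fdp->ConsumeIntegral<uint32_t>();
                    const int32_t keyCode = fdp->ConsumeIntegral<int32_t>();
                    reader->getKeyCodeState(deviceId, sourceMask, keyCode);
                },
                [&]() -> void {
                    const int32_t deviceId = fdp->ConsumeIntegral<int32_t>();
                    const uint32_t sourceMask = fdp->ConsumeIntegral<uint32_t>();
                    const int32_t sw = fdp->ConsumeIntegral<int32_t>();
                    reader->getSwitchState(deviceId, sourceMask, sw);
                },
                [&]() -> void { reader->toggleCapsLockState(fdp->ConsumeIntegral<int32_t>()); },
                [&]() -> void {
                    // outFlags gets exactly one entry per key code, so the raw pointer handed
                    // to hasKeys is backed by a buffer as long as keyCodes.
                    const size_t count = fdp->ConsumeIntegralInRange<size_t>(1, 1024);
                    std::vector<uint8_t> outFlags(count);
                    std::vector<int32_t> keyCodes;
                    keyCodes.reserve(count);
                    for (size_t i = 0; i < count; ++i) {
                        keyCodes.push_back(fdp->ConsumeIntegral<int32_t>());
                    }
                    const int32_t deviceId = fdp->ConsumeIntegral<int32_t>();
                    const uint32_t sourceMask = fdp->ConsumeIntegral<uint32_t>();
                    reader->hasKeys(deviceId, sourceMask, keyCodes, outFlags.data());
                },
                [&]() -> void {
                    // NOTE(review): an arbitrary 32-bit value is converted to Change; this
                    // assumes the enum's underlying type can represent it. Confirm.
                    reader->requestRefreshConfiguration(
                            InputReaderConfiguration::Change(fdp->ConsumeIntegral<uint32_t>()));
                },
                [&]() -> void {
                    const int32_t deviceId = fdp->ConsumeIntegral<int32_t>();
                    const int32_t token = fdp->ConsumeIntegral<int32_t>();
                    reader->cancelVibrate(deviceId, token);
                },
                [&]() -> void {
                    const int32_t deviceId = fdp->ConsumeIntegral<int32_t>();
                    const int32_t displayId = fdp->ConsumeIntegral<int32_t>();
                    reader->canDispatchToDisplay(deviceId, displayId);
                },
                [&]() -> void {
                    const int32_t deviceId = fdp->ConsumeIntegral<int32_t>();
                    const int32_t locationKeyCode = fdp->ConsumeIntegral<int32_t>();
                    reader->getKeyCodeForKeyLocation(deviceId, locationKeyCode);
                },
                [&]() -> void { reader->getBatteryCapacity(fdp->ConsumeIntegral<int32_t>()); },
                [&]() -> void { reader->getBatteryStatus(fdp->ConsumeIntegral<int32_t>()); },
                [&]() -> void { reader->getBatteryDevicePath(fdp->ConsumeIntegral<int32_t>()); },
                [&]() -> void { reader->getLights(fdp->ConsumeIntegral<int32_t>()); },
                [&]() -> void { reader->getSensors(fdp->ConsumeIntegral<int32_t>()); },
                [&]() -> void {
                    const int32_t deviceId = fdp->ConsumeIntegral<int32_t>();
                    const int32_t lightId = fdp->ConsumeIntegral<int32_t>();
                    reader->getLightPlayerId(deviceId, lightId);
                },
                [&]() -> void {
                    const int32_t deviceId = fdp->ConsumeIntegral<int32_t>();
                    const int32_t lightId = fdp->ConsumeIntegral<int32_t>();
                    reader->getLightColor(deviceId, lightId);
                },
                [&]() -> void {
                    const int32_t deviceId = fdp->ConsumeIntegral<int32_t>();
                    const int32_t lightId = fdp->ConsumeIntegral<int32_t>();
                    const int32_t playerId = fdp->ConsumeIntegral<int32_t>();
                    reader->setLightPlayerId(deviceId, lightId, playerId);
                },
                [&]() -> void {
                    const int32_t deviceId = fdp->ConsumeIntegral<int32_t>();
                    const int32_t lightId = fdp->ConsumeIntegral<int32_t>();
                    const int32_t color = fdp->ConsumeIntegral<int32_t>();
                    reader->setLightColor(deviceId, lightId, color);
                },
                [&]() -> void {
                    const int32_t deviceId = fdp->ConsumeIntegral<int32_t>();
                    const InputDeviceSensorType sensorType =
                            fdp->PickValueInArray<InputDeviceSensorType>(kInputDeviceSensorType);
                    reader->flushSensor(deviceId, sensorType);
                },
                [&]() -> void {
                    const int32_t deviceId = fdp->ConsumeIntegral<int32_t>();
                    const InputDeviceSensorType sensorType =
                            fdp->PickValueInArray<InputDeviceSensorType>(kInputDeviceSensorType);
                    reader->disableSensor(deviceId, sensorType);
                },
                [&]() -> void {
                    const int32_t deviceId = fdp->ConsumeIntegral<int32_t>();
                    const InputDeviceSensorType sensorType =
                            fdp->PickValueInArray<InputDeviceSensorType>(kInputDeviceSensorType);
                    // A full-range size_t is converted to the signed microseconds count, so
                    // large values can come out as negative durations.
                    const std::chrono::microseconds samplingPeriod(
                            fdp->ConsumeIntegral<size_t>());
                    const std::chrono::microseconds maxBatchReportLatency(
                            fdp->ConsumeIntegral<size_t>());
                    reader->enableSensor(deviceId, sensorType, samplingPeriod,
                                         maxBatchReportLatency);
                },
                [&]() -> void { reader->getBluetoothAddress(fdp->ConsumeIntegral<int32_t>()); },
        })();
    }

    reader->stop();
    return 0;
}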
297
298 } // namespace android
299