services/oboeservice/fuzzer/oboeservice_fuzzer.cpp

/******************************************************************************
 *
 * Copyright (C) 2020 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at:
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 *****************************************************************************
 * Originally developed and contributed by Ittiam Systems Pvt. Ltd, Bangalore
 */
#include <fuzzer/FuzzedDataProvider.h>
#include <stdio.h>

#include <AAudioService.h>
#include <aaudio/AAudio.h>
#include "aaudio/BnAAudioClient.h"
#include <android/content/AttributionSourceState.h>

#define UNUSED_PARAM __attribute__((unused))

using namespace android;
using namespace aaudio;

aaudio_format_t kAAudioFormats[] = {
    AAUDIO_FORMAT_UNSPECIFIED,
    AAUDIO_FORMAT_PCM_I16,
    AAUDIO_FORMAT_PCM_FLOAT,
    AAUDIO_FORMAT_PCM_I24_PACKED,
    AAUDIO_FORMAT_PCM_I32,
    AAUDIO_FORMAT_IEC61937
};

aaudio_usage_t kAAudioUsages[] = {
    AAUDIO_USAGE_MEDIA,
    AAUDIO_USAGE_VOICE_COMMUNICATION,
    AAUDIO_USAGE_VOICE_COMMUNICATION_SIGNALLING,
    AAUDIO_USAGE_ALARM,
    AAUDIO_USAGE_NOTIFICATION,
    AAUDIO_USAGE_NOTIFICATION_RINGTONE,
    AAUDIO_USAGE_NOTIFICATION_EVENT,
    AAUDIO_USAGE_ASSISTANCE_ACCESSIBILITY,
    AAUDIO_USAGE_ASSISTANCE_NAVIGATION_GUIDANCE,
    AAUDIO_USAGE_ASSISTANCE_SONIFICATION,
    AAUDIO_USAGE_GAME,
    AAUDIO_USAGE_ASSISTANT,
    AAUDIO_SYSTEM_USAGE_EMERGENCY,
    AAUDIO_SYSTEM_USAGE_SAFETY,
    AAUDIO_SYSTEM_USAGE_VEHICLE_STATUS,
    AAUDIO_SYSTEM_USAGE_ANNOUNCEMENT,
};

aaudio_content_type_t kAAudioContentTypes[] = {
    AAUDIO_CONTENT_TYPE_SPEECH,
    AAUDIO_CONTENT_TYPE_MUSIC,
    AAUDIO_CONTENT_TYPE_MOVIE,
    AAUDIO_CONTENT_TYPE_SONIFICATION,
};

aaudio_input_preset_t kAAudioInputPresets[] = {
    AAUDIO_INPUT_PRESET_GENERIC,           AAUDIO_INPUT_PRESET_CAMCORDER,
    AAUDIO_INPUT_PRESET_VOICE_RECOGNITION, AAUDIO_INPUT_PRESET_VOICE_COMMUNICATION,
    AAUDIO_INPUT_PRESET_UNPROCESSED,       AAUDIO_INPUT_PRESET_VOICE_PERFORMANCE,
};

aaudio_channel_mask_t kAAudioChannelMasks[] = {
    AAUDIO_UNSPECIFIED,
    AAUDIO_CHANNEL_INDEX_MASK_1,
    AAUDIO_CHANNEL_INDEX_MASK_2,
    AAUDIO_CHANNEL_INDEX_MASK_3,
    AAUDIO_CHANNEL_INDEX_MASK_4,
    AAUDIO_CHANNEL_INDEX_MASK_5,
    AAUDIO_CHANNEL_INDEX_MASK_6,
    AAUDIO_CHANNEL_INDEX_MASK_7,
    AAUDIO_CHANNEL_INDEX_MASK_8,
    AAUDIO_CHANNEL_INDEX_MASK_9,
    AAUDIO_CHANNEL_INDEX_MASK_10,
    AAUDIO_CHANNEL_INDEX_MASK_11,
    AAUDIO_CHANNEL_INDEX_MASK_12,
    AAUDIO_CHANNEL_INDEX_MASK_13,
    AAUDIO_CHANNEL_INDEX_MASK_14,
    AAUDIO_CHANNEL_INDEX_MASK_15,
    AAUDIO_CHANNEL_INDEX_MASK_16,
    AAUDIO_CHANNEL_INDEX_MASK_17,
    AAUDIO_CHANNEL_INDEX_MASK_18,
    AAUDIO_CHANNEL_INDEX_MASK_19,
    AAUDIO_CHANNEL_INDEX_MASK_20,
    AAUDIO_CHANNEL_INDEX_MASK_21,
    AAUDIO_CHANNEL_INDEX_MASK_22,
    AAUDIO_CHANNEL_INDEX_MASK_23,
    AAUDIO_CHANNEL_INDEX_MASK_24,
    AAUDIO_CHANNEL_MONO,
    AAUDIO_CHANNEL_STEREO,
    AAUDIO_CHANNEL_FRONT_BACK,
    AAUDIO_CHANNEL_2POINT0POINT2,
    AAUDIO_CHANNEL_2POINT1POINT2,
    AAUDIO_CHANNEL_3POINT0POINT2,
    AAUDIO_CHANNEL_3POINT1POINT2,
    AAUDIO_CHANNEL_5POINT1,
    AAUDIO_CHANNEL_MONO,
    AAUDIO_CHANNEL_STEREO,
    AAUDIO_CHANNEL_2POINT1,
    AAUDIO_CHANNEL_TRI,
    AAUDIO_CHANNEL_TRI_BACK,
    AAUDIO_CHANNEL_3POINT1,
    AAUDIO_CHANNEL_2POINT0POINT2,
    AAUDIO_CHANNEL_2POINT1POINT2,
    AAUDIO_CHANNEL_3POINT0POINT2,
    AAUDIO_CHANNEL_3POINT1POINT2,
    AAUDIO_CHANNEL_QUAD,
    AAUDIO_CHANNEL_QUAD_SIDE,
    AAUDIO_CHANNEL_SURROUND,
    AAUDIO_CHANNEL_PENTA,
    AAUDIO_CHANNEL_5POINT1,
    AAUDIO_CHANNEL_5POINT1_SIDE,
    AAUDIO_CHANNEL_5POINT1POINT2,
    AAUDIO_CHANNEL_5POINT1POINT4,
    AAUDIO_CHANNEL_6POINT1,
    AAUDIO_CHANNEL_7POINT1,
    AAUDIO_CHANNEL_7POINT1POINT2,
    AAUDIO_CHANNEL_7POINT1POINT4,
    AAUDIO_CHANNEL_9POINT1POINT4,
    AAUDIO_CHANNEL_9POINT1POINT6,
};

const size_t kNumAAudioFormats = std::size(kAAudioFormats);
const size_t kNumAAudioUsages = std::size(kAAudioUsages);
const size_t kNumAAudioContentTypes = std::size(kAAudioContentTypes);
const size_t kNumAAudioInputPresets = std::size(kAAudioInputPresets);
const size_t kNumAAudioChannelMasks = std::size(kAAudioChannelMasks);

class FuzzAAudioClient : public virtual RefBase, public AAudioServiceInterface {
   public:
    FuzzAAudioClient(sp<AAudioService> service);

    virtual ~FuzzAAudioClient();

    AAudioServiceInterface *getAAudioService();

    void dropAAudioService();

    void registerClient(const sp<IAAudioClient> &client UNUSED_PARAM) override {}

    aaudio_handle_t openStream(const AAudioStreamRequest &request,
                               AAudioStreamConfiguration &configurationOutput) override;

    aaudio_result_t closeStream(aaudio_handle_t streamHandle) override;

    aaudio_result_t getStreamDescription(aaudio_handle_t streamHandle,
                                         AudioEndpointParcelable &parcelable) override;

    aaudio_result_t startStream(aaudio_handle_t streamHandle) override;

    aaudio_result_t pauseStream(aaudio_handle_t streamHandle) override;

    aaudio_result_t stopStream(aaudio_handle_t streamHandle) override;

    aaudio_result_t flushStream(aaudio_handle_t streamHandle) override;

    aaudio_result_t registerAudioThread(aaudio_handle_t streamHandle, pid_t clientThreadId,
                                        int64_t periodNanoseconds) override;

    aaudio_result_t unregisterAudioThread(aaudio_handle_t streamHandle,
                                          pid_t clientThreadId) override;

    aaudio_result_t startClient(aaudio_handle_t streamHandle UNUSED_PARAM,
                                const AudioClient &client UNUSED_PARAM,
                                const audio_attributes_t *attr UNUSED_PARAM,
                                audio_port_handle_t *clientHandle UNUSED_PARAM) override {
        return AAUDIO_ERROR_UNAVAILABLE;
    }

    aaudio_result_t stopClient(aaudio_handle_t streamHandle UNUSED_PARAM,
                               audio_port_handle_t clientHandle UNUSED_PARAM) override {
        return AAUDIO_ERROR_UNAVAILABLE;
    }

    aaudio_result_t exitStandby(aaudio_handle_t streamHandle UNUSED_PARAM,
                                AudioEndpointParcelable &parcelable UNUSED_PARAM) override {
        return AAUDIO_ERROR_UNAVAILABLE;
    }

    void onStreamChange(aaudio_handle_t handle, int32_t opcode, int32_t value) {}

    int getDeathCount() { return mDeathCount; }

    void incDeathCount() { ++mDeathCount; }

    class AAudioClient : public IBinder::DeathRecipient, public BnAAudioClient {
       public:
        AAudioClient(wp<FuzzAAudioClient> fuzzAAudioClient) : mBinderClient(fuzzAAudioClient) {}

        virtual void binderDied(const wp<IBinder> &who UNUSED_PARAM) {
            sp<FuzzAAudioClient> client = mBinderClient.promote();
            if (client.get()) {
                client->dropAAudioService();
                client->incDeathCount();
            }
        }

        android::binder::Status onStreamChange(int32_t handle, int32_t opcode, int32_t value) {
            static_assert(std::is_same_v<aaudio_handle_t, int32_t>);
            android::sp<FuzzAAudioClient> client = mBinderClient.promote();
            if (client.get() != nullptr) {
                client->onStreamChange(handle, opcode, value);
            }
            return android::binder::Status::ok();
        }

       private:
        wp<FuzzAAudioClient> mBinderClient;
    };

   private:
    sp<AAudioService> mAAudioService;
    sp<AAudioClient> mAAudioClient;
    AAudioServiceInterface *mAAudioServiceInterface;
    int mDeathCount;
};

FuzzAAudioClient::FuzzAAudioClient(sp<AAudioService> service) : AAudioServiceInterface() {
    mAAudioService = service;
    mAAudioServiceInterface = &service->asAAudioServiceInterface();
    mAAudioClient = new AAudioClient(this);
    mDeathCount = 0;
    if (mAAudioClient.get() && mAAudioService.get()) {
        mAAudioService->linkToDeath(mAAudioClient);
        mAAudioService->registerClient(mAAudioClient);
    }
}

FuzzAAudioClient::~FuzzAAudioClient() { dropAAudioService(); }

AAudioServiceInterface *FuzzAAudioClient::getAAudioService() {
    if (!mAAudioServiceInterface && mAAudioService.get()) {
        mAAudioServiceInterface = &mAAudioService->asAAudioServiceInterface();
    }
    return mAAudioServiceInterface;
}

void FuzzAAudioClient::dropAAudioService() {
    mAAudioService.clear();
}

aaudio_handle_t FuzzAAudioClient::openStream(const AAudioStreamRequest &request,
                                             AAudioStreamConfiguration &configurationOutput) {
    aaudio_handle_t stream;
    for (int i = 0; i < 2; ++i) {
        AAudioServiceInterface *service = getAAudioService();
        if (!service) {
            return AAUDIO_ERROR_NO_SERVICE;
        }

        stream = service->openStream(request, configurationOutput);

        if (stream == AAUDIO_ERROR_NO_SERVICE) {
            dropAAudioService();
        } else {
            break;
        }
    }
    return stream;
}

aaudio_result_t FuzzAAudioClient::closeStream(aaudio_handle_t streamHandle) {
    AAudioServiceInterface *service = getAAudioService();
    if (!service) {
        return AAUDIO_ERROR_NO_SERVICE;
    }
    return service->closeStream(streamHandle);
}

aaudio_result_t FuzzAAudioClient::getStreamDescription(aaudio_handle_t streamHandle,
                                                       AudioEndpointParcelable &parcelable) {
    AAudioServiceInterface *service = getAAudioService();
    if (!service) {
        return AAUDIO_ERROR_NO_SERVICE;
    }
    return service->getStreamDescription(streamHandle, parcelable);
}

aaudio_result_t FuzzAAudioClient::startStream(aaudio_handle_t streamHandle) {
    AAudioServiceInterface *service = getAAudioService();
    if (!service) {
        return AAUDIO_ERROR_NO_SERVICE;
    }
    return service->startStream(streamHandle);
}

aaudio_result_t FuzzAAudioClient::pauseStream(aaudio_handle_t streamHandle) {
    AAudioServiceInterface *service = getAAudioService();
    if (!service) {
        return AAUDIO_ERROR_NO_SERVICE;
    }
    return service->pauseStream(streamHandle);
}

aaudio_result_t FuzzAAudioClient::stopStream(aaudio_handle_t streamHandle) {
    AAudioServiceInterface *service = getAAudioService();
    if (!service) {
        return AAUDIO_ERROR_NO_SERVICE;
    }
    return service->stopStream(streamHandle);
}

aaudio_result_t FuzzAAudioClient::flushStream(aaudio_handle_t streamHandle) {
    AAudioServiceInterface *service = getAAudioService();
    if (!service) {
        return AAUDIO_ERROR_NO_SERVICE;
    }
    return service->flushStream(streamHandle);
}

aaudio_result_t FuzzAAudioClient::registerAudioThread(aaudio_handle_t streamHandle,
                                                      pid_t clientThreadId,
                                                      int64_t periodNanoseconds) {
    AAudioServiceInterface *service = getAAudioService();
    if (!service) {
        return AAUDIO_ERROR_NO_SERVICE;
    }
    return service->registerAudioThread(streamHandle, clientThreadId, periodNanoseconds);
}

aaudio_result_t FuzzAAudioClient::unregisterAudioThread(aaudio_handle_t streamHandle,
                                                        pid_t clientThreadId) {
    AAudioServiceInterface *service = getAAudioService();
    if (!service) {
        return AAUDIO_ERROR_NO_SERVICE;
    }
    return service->unregisterAudioThread(streamHandle, clientThreadId);
}

class OboeserviceFuzzer {
   public:
    OboeserviceFuzzer();
    ~OboeserviceFuzzer() = default;
    void process(const uint8_t *data, size_t size);

   private:
    sp<FuzzAAudioClient> mClient;
};

OboeserviceFuzzer::OboeserviceFuzzer() {
    sp<AAudioService> service = new AAudioService();
    mClient = new FuzzAAudioClient(service);
}

void OboeserviceFuzzer::process(const uint8_t *data, size_t size) {
    FuzzedDataProvider fdp = FuzzedDataProvider(data, size);
    AAudioStreamRequest request;
    AAudioStreamConfiguration configurationOutput;

    // Initialize stream request
    request.getConfiguration().setFormat((audio_format_t)(
        fdp.ConsumeBool()
            ? fdp.ConsumeIntegral<int32_t>()
            : kAAudioFormats[fdp.ConsumeIntegralInRange<int32_t>(0, kNumAAudioFormats - 1)]));

    // TODO b/182392769: use attribution source util
    android::content::AttributionSourceState attributionSource;
    attributionSource.uid = getuid();
    attributionSource.pid = getpid();
    attributionSource.token = sp<BBinder>::make();
    request.setAttributionSource(attributionSource);
    request.setInService(fdp.ConsumeBool());

    request.getConfiguration().setDeviceId(fdp.ConsumeIntegral<int32_t>());
    request.getConfiguration().setSampleRate(fdp.ConsumeIntegral<int32_t>());
    request.getConfiguration().setChannelMask((aaudio_channel_mask_t)(
        fdp.ConsumeBool()
            ? fdp.ConsumeIntegral<int32_t>()
            : kAAudioChannelMasks[fdp.ConsumeIntegralInRange<int32_t>(
                    0, kNumAAudioChannelMasks - 1)]));
    request.getConfiguration().setDirection(
        fdp.ConsumeBool() ? fdp.ConsumeIntegral<int32_t>()
                          : (fdp.ConsumeBool() ? AAUDIO_DIRECTION_OUTPUT : AAUDIO_DIRECTION_INPUT));
    request.getConfiguration().setSharingMode(
        fdp.ConsumeBool()
            ? fdp.ConsumeIntegral<int32_t>()
            : (fdp.ConsumeBool() ? AAUDIO_SHARING_MODE_EXCLUSIVE : AAUDIO_SHARING_MODE_SHARED));

    request.getConfiguration().setUsage(
        fdp.ConsumeBool()
            ? fdp.ConsumeIntegral<int32_t>()
            : kAAudioUsages[fdp.ConsumeIntegralInRange<int32_t>(0, kNumAAudioUsages - 1)]);
    request.getConfiguration().setContentType(
        fdp.ConsumeBool() ? fdp.ConsumeIntegral<int32_t>()
                          : kAAudioContentTypes[fdp.ConsumeIntegralInRange<int32_t>(
                                0, kNumAAudioContentTypes - 1)]);
    request.getConfiguration().setInputPreset(
        fdp.ConsumeBool() ? fdp.ConsumeIntegral<int32_t>()
                          : kAAudioInputPresets[fdp.ConsumeIntegralInRange<int32_t>(
                                0, kNumAAudioInputPresets - 1)]);
    request.getConfiguration().setPrivacySensitive(fdp.ConsumeBool());

    request.getConfiguration().setBufferCapacity(fdp.ConsumeIntegral<int32_t>());

    request.getConfiguration().setHardwareSampleRate(fdp.ConsumeIntegral<int32_t>());
    request.getConfiguration().setHardwareSamplesPerFrame(fdp.ConsumeIntegral<int32_t>());
    request.getConfiguration().setHardwareFormat((audio_format_t)(
        fdp.ConsumeBool()
            ? fdp.ConsumeIntegral<int32_t>()
            : kAAudioFormats[fdp.ConsumeIntegralInRange<int32_t>(0, kNumAAudioFormats - 1)]));

    aaudio_handle_t stream = mClient->openStream(request, configurationOutput);
    if (stream < 0) {
        // invalid request, stream not opened.
        return;
    }
    while (fdp.remaining_bytes()) {
        AudioEndpointParcelable audioEndpointParcelable;
        int action = fdp.ConsumeIntegralInRange<int32_t>(0, 4);
        switch (action) {
            case 0:
                mClient->getStreamDescription(stream, audioEndpointParcelable);
                break;
            case 1:
                mClient->startStream(stream);
                break;
            case 2:
                mClient->pauseStream(stream);
                break;
            case 3:
                mClient->stopStream(stream);
                break;
            case 4:
                mClient->flushStream(stream);
                break;
        }
    }
    mClient->closeStream(stream);
    assert(mClient->getDeathCount() == 0);
}

extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    if (size < 1) {
        return 0;
    }
    OboeserviceFuzzer oboeserviceFuzzer;
    oboeserviceFuzzer.process(data, size);
    return 0;
}