Gitiles
Code Review Sign In
gerrit.omnirom.org / android_frameworks_av / c44b3464b6a25d2a0b47f52471785d73a16aef44 / . / media / libaudioclient / fuzzer / audioflinger_fuzzer.cpp
blob: 47fe0f62bbe420d14eb7cd1d5d18e0761595d617 [file] [log] [blame]
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]1/*
2 * Copyright (C) 2021 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at:
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 *
16 */
17
18/**
19 * NOTE
20 * 1) The input to AudioFlinger binder calls are fuzzed in this fuzzer
21 * 2) AudioFlinger crashes due to the fuzzer are detected by the
22 Binder DeathRecipient, where the fuzzer aborts if AudioFlinger dies
23 */
24
25#include <android_audio_policy_configuration_V7_0-enums.h>
Svet Ganov33761132021-05-13 22:51:08 +0000[diff] [blame]26#include <android/content/AttributionSourceState.h>
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]27#include <binder/IServiceManager.h>
28#include <binder/MemoryDealer.h>
Philip P. Moltmannbda45752020-07-17 16:41:18 -0700[diff] [blame]29#include <media/AidlConversion.h>
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]30#include <media/AudioEffect.h>
31#include <media/AudioRecord.h>
32#include <media/AudioSystem.h>
33#include <media/AudioTrack.h>
34#include <media/IAudioFlinger.h>
35#include "fuzzer/FuzzedDataProvider.h"
36
37#define MAX_STRING_LENGTH 256
38#define MAX_ARRAY_LENGTH 256
39
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]40constexpr int32_t kMinSampleRateHz = 4000;
41constexpr int32_t kMaxSampleRateHz = 192000;
42constexpr int32_t kSampleRateUnspecified = 0;
43
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]44using namespace std;
45using namespace android;
46
47namespace xsd {
48using namespace ::android::audio::policy::configuration::V7_0;
49}
50
Svet Ganov33761132021-05-13 22:51:08 +0000[diff] [blame]51using android::content::AttributionSourceState;
Philip P. Moltmannbda45752020-07-17 16:41:18 -0700[diff] [blame]52
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]53constexpr audio_unique_id_use_t kUniqueIds[] = {
54 AUDIO_UNIQUE_ID_USE_UNSPECIFIED, AUDIO_UNIQUE_ID_USE_SESSION, AUDIO_UNIQUE_ID_USE_MODULE,
55 AUDIO_UNIQUE_ID_USE_EFFECT, AUDIO_UNIQUE_ID_USE_PATCH, AUDIO_UNIQUE_ID_USE_OUTPUT,
56 AUDIO_UNIQUE_ID_USE_INPUT, AUDIO_UNIQUE_ID_USE_CLIENT, AUDIO_UNIQUE_ID_USE_MAX,
57};
58
59constexpr audio_mode_t kModes[] = {
60 AUDIO_MODE_INVALID, AUDIO_MODE_CURRENT, AUDIO_MODE_NORMAL, AUDIO_MODE_RINGTONE,
Eric Laurentc8c4f1f2021-11-09 11:51:34 +0100[diff] [blame]61 AUDIO_MODE_IN_CALL, AUDIO_MODE_IN_COMMUNICATION, AUDIO_MODE_CALL_SCREEN,
62 AUDIO_MODE_CALL_REDIRECT, AUDIO_MODE_COMMUNICATION_REDIRECT};
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]63
64constexpr audio_session_t kSessionId[] = {AUDIO_SESSION_NONE, AUDIO_SESSION_OUTPUT_STAGE,
65 AUDIO_SESSION_DEVICE};
66
67constexpr audio_encapsulation_mode_t kEncapsulation[] = {
68 AUDIO_ENCAPSULATION_MODE_NONE,
69 AUDIO_ENCAPSULATION_MODE_ELEMENTARY_STREAM,
70 AUDIO_ENCAPSULATION_MODE_HANDLE,
71};
72
73constexpr audio_port_role_t kPortRoles[] = {
74 AUDIO_PORT_ROLE_NONE,
75 AUDIO_PORT_ROLE_SOURCE,
76 AUDIO_PORT_ROLE_SINK,
77};
78
79constexpr audio_port_type_t kPortTypes[] = {
80 AUDIO_PORT_TYPE_NONE,
81 AUDIO_PORT_TYPE_DEVICE,
82 AUDIO_PORT_TYPE_MIX,
83 AUDIO_PORT_TYPE_SESSION,
84};
85
86template <typename T, typename X, typename FUNC>
Ayushi Khopkaraceccb22022-02-14 18:52:09 +0530[diff] [blame]87std::vector<T> getFlags(const xsdc_enum_range<X>& range, const FUNC& func,
88 const std::string& findString = {},
89 const std::set<X>& excludedValues = {}) {
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]90 std::vector<T> vec;
91 for (const auto &xsdEnumVal : range) {
92 T enumVal;
93 std::string enumString = toString(xsdEnumVal);
94 if (enumString.find(findString) != std::string::npos &&
Ayushi Khopkaraceccb22022-02-14 18:52:09 +0530[diff] [blame]95 (excludedValues.find(xsdEnumVal) == excludedValues.end()) &&
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]96 func(enumString.c_str(), &enumVal)) {
97 vec.push_back(enumVal);
98 }
99 }
100 return vec;
101}
102
103static const std::vector<audio_stream_type_t> kStreamtypes =
104 getFlags<audio_stream_type_t, xsd::AudioStreamType, decltype(audio_stream_type_from_string)>(
105 xsdc_enum_range<xsd::AudioStreamType>{}, audio_stream_type_from_string);
106
Ayushi Khopkaraceccb22022-02-14 18:52:09 +0530[diff] [blame]107/**
108 * AudioFormat - AUDIO_FORMAT_HE_AAC_V1 and AUDIO_FORMAT_HE_AAC_V2
109 * are excluded from kFormats[] in order to avoid the abort triggered
110 * for these two types of AudioFormat in
111 * AidlConversion::legacy2aidl_audio_format_t_AudioFormatDescription()
112 */
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]113static const std::vector<audio_format_t> kFormats =
Ayushi Khopkaraceccb22022-02-14 18:52:09 +0530[diff] [blame]114 getFlags<audio_format_t, xsd::AudioFormat, decltype(audio_format_from_string)>(
115 xsdc_enum_range<xsd::AudioFormat>{}, audio_format_from_string, {},
116 {xsd::AudioFormat::AUDIO_FORMAT_HE_AAC_V1,
117 xsd::AudioFormat::AUDIO_FORMAT_HE_AAC_V2});
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]118
Ayushi Khopkaraceccb22022-02-14 18:52:09 +0530[diff] [blame]119/**
120 * AudioChannelMask - AUDIO_CHANNEL_IN_6
121 * is excluded from kChannelMasks[] in order to avoid the abort triggered
122 * for this type of AudioChannelMask in
123 * AidlConversion::legacy2aidl_audio_channel_mask_t_AudioChannelLayout()
124 */
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]125static const std::vector<audio_channel_mask_t> kChannelMasks =
Ayushi Khopkaraceccb22022-02-14 18:52:09 +0530[diff] [blame]126 getFlags<audio_channel_mask_t, xsd::AudioChannelMask,
127 decltype(audio_channel_mask_from_string)>(
128 xsdc_enum_range<xsd::AudioChannelMask>{}, audio_channel_mask_from_string, {},
129 {xsd::AudioChannelMask::AUDIO_CHANNEL_IN_6});
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]130
131static const std::vector<audio_usage_t> kUsages =
132 getFlags<audio_usage_t, xsd::AudioUsage, decltype(audio_usage_from_string)>(
133 xsdc_enum_range<xsd::AudioUsage>{}, audio_usage_from_string);
134
135static const std::vector<audio_content_type_t> kContentType =
136 getFlags<audio_content_type_t, xsd::AudioContentType, decltype(audio_content_type_from_string)>(
137 xsdc_enum_range<xsd::AudioContentType>{}, audio_content_type_from_string);
138
139static const std::vector<audio_source_t> kInputSources =
140 getFlags<audio_source_t, xsd::AudioSource, decltype(audio_source_from_string)>(
141 xsdc_enum_range<xsd::AudioSource>{}, audio_source_from_string);
142
143static const std::vector<audio_gain_mode_t> kGainModes =
144 getFlags<audio_gain_mode_t, xsd::AudioGainMode, decltype(audio_gain_mode_from_string)>(
145 xsdc_enum_range<xsd::AudioGainMode>{}, audio_gain_mode_from_string);
146
Ayushi Khopkaraceccb22022-02-14 18:52:09 +0530[diff] [blame]147/**
148 * AudioDevice - AUDIO_DEVICE_IN_AMBIENT and AUDIO_DEVICE_IN_COMMUNICATION
149 * are excluded from kDevices[] in order to avoid the abort triggered
150 * for these two types of AudioDevice in
151 * AidlConversion::aidl2legacy_AudioDeviceDescription_audio_devices_t()
152 */
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]153static const std::vector<audio_devices_t> kDevices =
Ayushi Khopkaraceccb22022-02-14 18:52:09 +0530[diff] [blame]154 getFlags<audio_devices_t, xsd::AudioDevice, decltype(audio_device_from_string)>(
155 xsdc_enum_range<xsd::AudioDevice>{}, audio_device_from_string, {},
156 {xsd::AudioDevice::AUDIO_DEVICE_IN_AMBIENT,
157 xsd::AudioDevice::AUDIO_DEVICE_IN_COMMUNICATION});
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]158
159static const std::vector<audio_input_flags_t> kInputFlags =
160 getFlags<audio_input_flags_t, xsd::AudioInOutFlag, decltype(audio_input_flag_from_string)>(
161 xsdc_enum_range<xsd::AudioInOutFlag>{}, audio_input_flag_from_string, "_INPUT_");
162
163static const std::vector<audio_output_flags_t> kOutputFlags =
164 getFlags<audio_output_flags_t, xsd::AudioInOutFlag, decltype(audio_output_flag_from_string)>(
165 xsdc_enum_range<xsd::AudioInOutFlag>{}, audio_output_flag_from_string, "_OUTPUT_");
166
167template <typename T, size_t size>
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]168T getValue(FuzzedDataProvider *fdp, const T (&arr)[size]) {
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]169 return arr[fdp->ConsumeIntegralInRange<int32_t>(0, size - 1)];
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]170}
171
172template <typename T>
173T getValue(FuzzedDataProvider *fdp, std::vector<T> vec) {
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]174 return vec[fdp->ConsumeIntegralInRange<int32_t>(0, vec.size() - 1)];
175}
176
177int32_t getSampleRate(FuzzedDataProvider *fdp) {
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]178 if (fdp->ConsumeBool()) {
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]179 return fdp->ConsumeIntegralInRange<int32_t>(kMinSampleRateHz, kMaxSampleRateHz);
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]180 }
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]181 return kSampleRateUnspecified;
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]182}
183
184class DeathNotifier : public IBinder::DeathRecipient {
185 public:
186 void binderDied(const wp<IBinder> &) { abort(); }
187};
188
189class AudioFlingerFuzzer {
190 public:
191 AudioFlingerFuzzer(const uint8_t *data, size_t size);
192 void process();
193
194 private:
195 FuzzedDataProvider mFdp;
196 void invokeAudioTrack();
197 void invokeAudioRecord();
198 status_t invokeAudioEffect();
199 void invokeAudioSystem();
200 status_t invokeAudioInputDevice();
201 status_t invokeAudioOutputDevice();
202 void invokeAudioPatch();
203
204 sp<DeathNotifier> mDeathNotifier;
205};
206
207AudioFlingerFuzzer::AudioFlingerFuzzer(const uint8_t *data, size_t size) : mFdp(data, size) {
208 sp<IServiceManager> sm = defaultServiceManager();
209 sp<IBinder> binder = sm->getService(String16("media.audio_flinger"));
210 if (binder == nullptr) {
211 return;
212 }
213 mDeathNotifier = new DeathNotifier();
214 binder->linkToDeath(mDeathNotifier);
215}
216
217void AudioFlingerFuzzer::invokeAudioTrack() {
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]218 uint32_t sampleRate = getSampleRate(&mFdp);
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]219 audio_format_t format = getValue(&mFdp, kFormats);
220 audio_channel_mask_t channelMask = getValue(&mFdp, kChannelMasks);
221 size_t frameCount = static_cast<size_t>(mFdp.ConsumeIntegral<uint32_t>());
222 int32_t notificationFrames = mFdp.ConsumeIntegral<int32_t>();
223 uint32_t useSharedBuffer = mFdp.ConsumeBool();
224 audio_output_flags_t flags = getValue(&mFdp, kOutputFlags);
225 audio_session_t sessionId = getValue(&mFdp, kSessionId);
226 audio_usage_t usage = getValue(&mFdp, kUsages);
227 audio_content_type_t contentType = getValue(&mFdp, kContentType);
228 audio_attributes_t attributes = {};
229 sp<IMemory> sharedBuffer;
230 sp<MemoryDealer> heap = nullptr;
231 audio_offload_info_t offloadInfo = AUDIO_INFO_INITIALIZER;
232
233 bool offload = false;
234 bool fast = ((flags & AUDIO_OUTPUT_FLAG_FAST) != 0);
235
236 if (useSharedBuffer != 0) {
237 size_t heapSize = audio_channel_count_from_out_mask(channelMask) *
238 audio_bytes_per_sample(format) * frameCount;
239 heap = new MemoryDealer(heapSize, "AudioTrack Heap Base");
240 sharedBuffer = heap->allocate(heapSize);
241 frameCount = 0;
242 notificationFrames = 0;
243 }
244 if ((flags & AUDIO_OUTPUT_FLAG_COMPRESS_OFFLOAD) != 0) {
245 offloadInfo.sample_rate = sampleRate;
246 offloadInfo.channel_mask = channelMask;
247 offloadInfo.format = format;
248 offload = true;
249 }
250
251 attributes.content_type = contentType;
252 attributes.usage = usage;
253 sp<AudioTrack> track = new AudioTrack();
254
Svet Ganov33761132021-05-13 22:51:08 +0000[diff] [blame]255 // TODO b/182392769: use attribution source util
256 AttributionSourceState attributionSource;
257 attributionSource.uid = VALUE_OR_FATAL(legacy2aidl_uid_t_int32_t(getuid()));
258 attributionSource.pid = VALUE_OR_FATAL(legacy2aidl_pid_t_int32_t(getpid()));
259 attributionSource.token = sp<BBinder>::make();
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]260 track->set(AUDIO_STREAM_DEFAULT, sampleRate, format, channelMask, frameCount, flags, nullptr,
Atneya Nairc1bf42b2021-11-29 19:00:54 -0500[diff] [blame]261 notificationFrames, sharedBuffer, false, sessionId,
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]262 ((fast && sharedBuffer == 0) || offload) ? AudioTrack::TRANSFER_CALLBACK
263 : AudioTrack::TRANSFER_DEFAULT,
Svet Ganov33761132021-05-13 22:51:08 +0000[diff] [blame]264 offload ? &offloadInfo : nullptr, attributionSource, &attributes, false, 1.0f,
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]265 AUDIO_PORT_HANDLE_NONE);
266
267 status_t status = track->initCheck();
268 if (status != NO_ERROR) {
269 track.clear();
270 return;
271 }
272 track->getSampleRate();
273 track->latency();
274 track->getUnderrunCount();
275 track->streamType();
276 track->channelCount();
277 track->getNotificationPeriodInFrames();
278 uint32_t bufferSizeInFrames = mFdp.ConsumeIntegral<uint32_t>();
279 track->setBufferSizeInFrames(bufferSizeInFrames);
280 track->getBufferSizeInFrames();
281
282 int64_t duration = mFdp.ConsumeIntegral<int64_t>();
283 track->getBufferDurationInUs(&duration);
284 sp<IMemory> sharedBuffer2 = track->sharedBuffer();
285 track->setCallerName(mFdp.ConsumeRandomLengthString(MAX_STRING_LENGTH));
286
287 track->setVolume(mFdp.ConsumeFloatingPoint<float>(), mFdp.ConsumeFloatingPoint<float>());
288 track->setVolume(mFdp.ConsumeFloatingPoint<float>());
289 track->setAuxEffectSendLevel(mFdp.ConsumeFloatingPoint<float>());
290
291 float auxEffectSendLevel;
292 track->getAuxEffectSendLevel(&auxEffectSendLevel);
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]293 track->setSampleRate(getSampleRate(&mFdp));
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]294 track->getSampleRate();
295 track->getOriginalSampleRate();
296
297 AudioPlaybackRate playbackRate = {};
298 playbackRate.mSpeed = mFdp.ConsumeFloatingPoint<float>();
299 playbackRate.mPitch = mFdp.ConsumeFloatingPoint<float>();
300 track->setPlaybackRate(playbackRate);
301 track->getPlaybackRate();
302 track->setLoop(mFdp.ConsumeIntegral<uint32_t>(), mFdp.ConsumeIntegral<uint32_t>(),
303 mFdp.ConsumeIntegral<uint32_t>());
304 track->setMarkerPosition(mFdp.ConsumeIntegral<uint32_t>());
305
306 uint32_t marker = {};
307 track->getMarkerPosition(&marker);
308 track->setPositionUpdatePeriod(mFdp.ConsumeIntegral<uint32_t>());
309
310 uint32_t updatePeriod = {};
311 track->getPositionUpdatePeriod(&updatePeriod);
312 track->setPosition(mFdp.ConsumeIntegral<uint32_t>());
313 uint32_t position = {};
314 track->getPosition(&position);
315 track->getBufferPosition(&position);
316 track->reload();
317 track->start();
318 track->pause();
319 track->flush();
320 track->stop();
321 track->stopped();
322}
323
324void AudioFlingerFuzzer::invokeAudioRecord() {
325 int32_t notificationFrames = mFdp.ConsumeIntegral<int32_t>();
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]326 uint32_t sampleRate = getSampleRate(&mFdp);
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]327 size_t frameCount = static_cast<size_t>(mFdp.ConsumeIntegral<uint32_t>());
328 audio_format_t format = getValue(&mFdp, kFormats);
329 audio_channel_mask_t channelMask = getValue(&mFdp, kChannelMasks);
330 audio_input_flags_t flags = getValue(&mFdp, kInputFlags);
331 audio_session_t sessionId = getValue(&mFdp, kSessionId);
332 audio_source_t inputSource = getValue(&mFdp, kInputSources);
333
334 audio_attributes_t attributes = {};
335 bool fast = ((flags & AUDIO_OUTPUT_FLAG_FAST) != 0);
336
337 attributes.source = inputSource;
338
Svet Ganov33761132021-05-13 22:51:08 +0000[diff] [blame]339 // TODO b/182392769: use attribution source util
340 AttributionSourceState attributionSource;
341 attributionSource.packageName = std::string(mFdp.ConsumeRandomLengthString().c_str());
342 attributionSource.token = sp<BBinder>::make();
343 sp<AudioRecord> record = new AudioRecord(attributionSource);
Atneya Nair1dc20912022-01-26 18:34:56 -0500[diff] [blame]344 record->set(AUDIO_SOURCE_DEFAULT, sampleRate, format, channelMask, frameCount, nullptr,
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]345 notificationFrames, false, sessionId,
346 fast ? AudioRecord::TRANSFER_CALLBACK : AudioRecord::TRANSFER_DEFAULT, flags,
347 getuid(), getpid(), &attributes, AUDIO_PORT_HANDLE_NONE);
348 status_t status = record->initCheck();
349 if (status != NO_ERROR) {
350 return;
351 }
352 record->latency();
353 record->format();
354 record->channelCount();
355 record->frameCount();
356 record->frameSize();
357 record->inputSource();
358 record->getNotificationPeriodInFrames();
359 record->start();
360 record->stop();
361 record->stopped();
362
363 uint32_t marker = mFdp.ConsumeIntegral<uint32_t>();
364 record->setMarkerPosition(marker);
365 record->getMarkerPosition(&marker);
366
367 uint32_t updatePeriod = mFdp.ConsumeIntegral<uint32_t>();
368 record->setPositionUpdatePeriod(updatePeriod);
369 record->getPositionUpdatePeriod(&updatePeriod);
370
371 uint32_t position;
372 record->getPosition(&position);
373
374 ExtendedTimestamp timestamp;
375 record->getTimestamp(&timestamp);
376 record->getSessionId();
377 record->getCallerName();
378 android::AudioRecord::Buffer audioBuffer;
379 int32_t waitCount = mFdp.ConsumeIntegral<int32_t>();
380 size_t nonContig = static_cast<size_t>(mFdp.ConsumeIntegral<uint32_t>());
381 audioBuffer.frameCount = static_cast<size_t>(mFdp.ConsumeIntegral<uint32_t>());
382 record->obtainBuffer(&audioBuffer, waitCount, &nonContig);
383 bool blocking = false;
Atneya Nair03079272022-01-18 17:03:14 -0500[diff] [blame]384 record->read(audioBuffer.data(), audioBuffer.size(), blocking);
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]385 record->getInputFramesLost();
386 record->getFlags();
387
388 std::vector<media::MicrophoneInfo> activeMicrophones;
389 record->getActiveMicrophones(&activeMicrophones);
390 record->releaseBuffer(&audioBuffer);
391
392 audio_port_handle_t deviceId =
393 static_cast<audio_port_handle_t>(mFdp.ConsumeIntegral<int32_t>());
394 record->setInputDevice(deviceId);
395 record->getInputDevice();
396 record->getRoutedDeviceId();
397 record->getPortId();
398}
399
400struct EffectClient : public android::media::BnEffectClient {
401 EffectClient() {}
402 binder::Status controlStatusChanged(bool controlGranted __unused) override {
403 return binder::Status::ok();
404 }
405 binder::Status enableStatusChanged(bool enabled __unused) override {
406 return binder::Status::ok();
407 }
408 binder::Status commandExecuted(int32_t cmdCode __unused,
409 const std::vector<uint8_t> &cmdData __unused,
410 const std::vector<uint8_t> &replyData __unused) override {
411 return binder::Status::ok();
412 }
Eric Laurentde8caf42021-08-11 17:19:25 +0200[diff] [blame]413 binder::Status framesProcessed(int32_t frames __unused) override {
414 return binder::Status::ok();
415 }
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]416};
417
418status_t AudioFlingerFuzzer::invokeAudioEffect() {
419 effect_uuid_t type;
420 type.timeLow = mFdp.ConsumeIntegral<uint32_t>();
421 type.timeMid = mFdp.ConsumeIntegral<uint16_t>();
422 type.timeHiAndVersion = mFdp.ConsumeIntegral<uint16_t>();
423 type.clockSeq = mFdp.ConsumeIntegral<uint16_t>();
424 for (int i = 0; i < 6; ++i) {
425 type.node[i] = mFdp.ConsumeIntegral<uint8_t>();
426 }
427
428 effect_descriptor_t descriptor = {};
429 descriptor.type = type;
430 descriptor.uuid = *EFFECT_UUID_NULL;
431
432 sp<EffectClient> effectClient(new EffectClient());
433
434 const int32_t priority = mFdp.ConsumeIntegral<int32_t>();
435 audio_session_t sessionId = static_cast<audio_session_t>(mFdp.ConsumeIntegral<int32_t>());
436 const audio_io_handle_t io = mFdp.ConsumeIntegral<int32_t>();
Philip P. Moltmannbda45752020-07-17 16:41:18 -0700[diff] [blame]437 std::string opPackageName = static_cast<std::string>(mFdp.ConsumeRandomLengthString().c_str());
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]438 AudioDeviceTypeAddr device;
439
440 sp<IAudioFlinger> af = AudioSystem::get_audio_flinger();
441 if (!af) {
442 return NO_ERROR;
443 }
444
445 media::CreateEffectRequest request{};
446 request.desc =
447 VALUE_OR_RETURN_STATUS(legacy2aidl_effect_descriptor_t_EffectDescriptor(descriptor));
448 request.client = effectClient;
449 request.priority = priority;
450 request.output = io;
451 request.sessionId = sessionId;
452 request.device = VALUE_OR_RETURN_STATUS(legacy2aidl_AudioDeviceTypeAddress(device));
Svet Ganov33761132021-05-13 22:51:08 +0000[diff] [blame]453 // TODO b/182392769: use attribution source util
454 request.attributionSource.packageName = opPackageName;
455 request.attributionSource.pid = VALUE_OR_RETURN_STATUS(legacy2aidl_pid_t_int32_t(getpid()));
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]456 request.probe = false;
Eric Laurentde8caf42021-08-11 17:19:25 +0200[diff] [blame]457 request.notifyFramesProcessed = false;
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]458
459 media::CreateEffectResponse response{};
460 status_t status = af->createEffect(request, &response);
461
462 if (status != OK) {
463 return NO_ERROR;
464 }
465
466 descriptor =
467 VALUE_OR_RETURN_STATUS(aidl2legacy_EffectDescriptor_effect_descriptor_t(response.desc));
468
469 uint32_t numEffects;
470 af->queryNumberEffects(&numEffects);
471
472 uint32_t queryIndex = mFdp.ConsumeIntegral<uint32_t>();
473 af->queryEffect(queryIndex, &descriptor);
474
475 effect_descriptor_t getDescriptor;
476 uint32_t preferredTypeFlag = mFdp.ConsumeIntegral<int32_t>();
477 af->getEffectDescriptor(&descriptor.uuid, &descriptor.type, preferredTypeFlag, &getDescriptor);
478
479 sessionId = static_cast<audio_session_t>(mFdp.ConsumeIntegral<int32_t>());
480 audio_io_handle_t srcOutput = mFdp.ConsumeIntegral<int32_t>();
481 audio_io_handle_t dstOutput = mFdp.ConsumeIntegral<int32_t>();
482 af->moveEffects(sessionId, srcOutput, dstOutput);
483
484 int effectId = mFdp.ConsumeIntegral<int32_t>();
485 sessionId = static_cast<audio_session_t>(mFdp.ConsumeIntegral<int32_t>());
486 af->setEffectSuspended(effectId, sessionId, mFdp.ConsumeBool());
487 return NO_ERROR;
488}
489
490void AudioFlingerFuzzer::invokeAudioSystem() {
491 AudioSystem::muteMicrophone(mFdp.ConsumeBool());
492 AudioSystem::setMasterMute(mFdp.ConsumeBool());
493 AudioSystem::setMasterVolume(mFdp.ConsumeFloatingPoint<float>());
494 AudioSystem::setMasterBalance(mFdp.ConsumeFloatingPoint<float>());
495 AudioSystem::setVoiceVolume(mFdp.ConsumeFloatingPoint<float>());
496
497 float volume;
498 AudioSystem::getMasterVolume(&volume);
499
500 bool state;
501 AudioSystem::getMasterMute(&state);
502 AudioSystem::isMicrophoneMuted(&state);
503
504 audio_stream_type_t stream = getValue(&mFdp, kStreamtypes);
505 AudioSystem::setStreamMute(getValue(&mFdp, kStreamtypes), mFdp.ConsumeBool());
506
507 stream = getValue(&mFdp, kStreamtypes);
508 AudioSystem::setStreamVolume(stream, mFdp.ConsumeFloatingPoint<float>(),
509 mFdp.ConsumeIntegral<int32_t>());
510
511 audio_mode_t mode = getValue(&mFdp, kModes);
512 AudioSystem::setMode(mode);
513
514 size_t frameCount;
515 stream = getValue(&mFdp, kStreamtypes);
516 AudioSystem::getOutputFrameCount(&frameCount, stream);
517
518 uint32_t latency;
519 stream = getValue(&mFdp, kStreamtypes);
520 AudioSystem::getOutputLatency(&latency, stream);
521
522 stream = getValue(&mFdp, kStreamtypes);
523 AudioSystem::getStreamVolume(stream, &volume, mFdp.ConsumeIntegral<int32_t>());
524
525 stream = getValue(&mFdp, kStreamtypes);
526 AudioSystem::getStreamMute(stream, &state);
527
528 uint32_t samplingRate;
529 AudioSystem::getSamplingRate(mFdp.ConsumeIntegral<int32_t>(), &samplingRate);
530
531 AudioSystem::getFrameCount(mFdp.ConsumeIntegral<int32_t>(), &frameCount);
532 AudioSystem::getLatency(mFdp.ConsumeIntegral<int32_t>(), &latency);
533 AudioSystem::setVoiceVolume(mFdp.ConsumeFloatingPoint<float>());
534
535 uint32_t halFrames;
536 uint32_t dspFrames;
537 AudioSystem::getRenderPosition(mFdp.ConsumeIntegral<int32_t>(), &halFrames, &dspFrames);
538
539 AudioSystem::getInputFramesLost(mFdp.ConsumeIntegral<int32_t>());
540 AudioSystem::getInputFramesLost(mFdp.ConsumeIntegral<int32_t>());
541
542 audio_unique_id_use_t uniqueIdUse = getValue(&mFdp, kUniqueIds);
543 AudioSystem::newAudioUniqueId(uniqueIdUse);
544
545 audio_session_t sessionId = getValue(&mFdp, kSessionId);
546 pid_t pid = mFdp.ConsumeBool() ? getpid() : mFdp.ConsumeIntegral<int32_t>();
547 uid_t uid = mFdp.ConsumeBool() ? getuid() : mFdp.ConsumeIntegral<int32_t>();
548 AudioSystem::acquireAudioSessionId(sessionId, pid, uid);
549
550 pid = mFdp.ConsumeBool() ? getpid() : mFdp.ConsumeIntegral<int32_t>();
551 sessionId = getValue(&mFdp, kSessionId);
552 AudioSystem::releaseAudioSessionId(sessionId, pid);
553
554 sessionId = getValue(&mFdp, kSessionId);
555 AudioSystem::getAudioHwSyncForSession(sessionId);
556
557 AudioSystem::systemReady();
558 AudioSystem::getFrameCountHAL(mFdp.ConsumeIntegral<int32_t>(), &frameCount);
559
560 size_t buffSize;
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]561 uint32_t sampleRate = getSampleRate(&mFdp);
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]562 audio_format_t format = getValue(&mFdp, kFormats);
563 audio_channel_mask_t channelMask = getValue(&mFdp, kChannelMasks);
564 AudioSystem::getInputBufferSize(sampleRate, format, channelMask, &buffSize);
565
566 AudioSystem::getPrimaryOutputSamplingRate();
567 AudioSystem::getPrimaryOutputFrameCount();
568 AudioSystem::setLowRamDevice(mFdp.ConsumeBool(), mFdp.ConsumeIntegral<int64_t>());
569
570 std::vector<media::MicrophoneInfo> microphones;
571 AudioSystem::getMicrophones(&microphones);
572
573 std::vector<pid_t> pids;
574 pids.insert(pids.begin(), getpid());
575 for (int i = 1; i < mFdp.ConsumeIntegralInRange<int32_t>(2, MAX_ARRAY_LENGTH); ++i) {
576 pids.insert(pids.begin() + i, static_cast<pid_t>(mFdp.ConsumeIntegral<int32_t>()));
577 }
578 AudioSystem::setAudioHalPids(pids);
579 sp<IAudioFlinger> af = AudioSystem::get_audio_flinger();
580 if (!af) {
581 return;
582 }
583 af->setRecordSilenced(mFdp.ConsumeIntegral<uint32_t>(), mFdp.ConsumeBool());
584
585 float balance = mFdp.ConsumeFloatingPoint<float>();
586 af->getMasterBalance(&balance);
jiabinc44b3462022-12-08 12:52:31 -0800[diff] [blame^]587
588 std::vector<audio_port_handle_t> tracks;
589 for (int i = 0; i < mFdp.ConsumeIntegralInRange<int32_t>(0, MAX_ARRAY_LENGTH); ++i) {
590 tracks.push_back(static_cast<audio_port_handle_t>(mFdp.ConsumeIntegral<int32_t>()));
591 }
592 af->invalidateTracks(tracks);
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]593}
594
595status_t AudioFlingerFuzzer::invokeAudioInputDevice() {
596 sp<IAudioFlinger> af = AudioSystem::get_audio_flinger();
597 if (!af) {
598 return NO_ERROR;
599 }
600
601 audio_config_t config = {};
602 audio_module_handle_t module = mFdp.ConsumeIntegral<int32_t>();
603 audio_io_handle_t input = mFdp.ConsumeIntegral<int32_t>();
604 config.frame_count = mFdp.ConsumeIntegral<uint32_t>();
605 String8 address = static_cast<String8>(mFdp.ConsumeRandomLengthString().c_str());
606
607 config.channel_mask = getValue(&mFdp, kChannelMasks);
608 config.format = getValue(&mFdp, kFormats);
609
610 config.offload_info = AUDIO_INFO_INITIALIZER;
611 config.offload_info.bit_rate = mFdp.ConsumeIntegral<uint32_t>();
612 config.offload_info.bit_width = mFdp.ConsumeIntegral<uint32_t>();
613 config.offload_info.content_id = mFdp.ConsumeIntegral<uint32_t>();
614 config.offload_info.channel_mask = getValue(&mFdp, kChannelMasks);
615 config.offload_info.duration_us = mFdp.ConsumeIntegral<int64_t>();
616 config.offload_info.encapsulation_mode = getValue(&mFdp, kEncapsulation);
617 config.offload_info.format = getValue(&mFdp, kFormats);
618 config.offload_info.has_video = mFdp.ConsumeBool();
619 config.offload_info.is_streaming = mFdp.ConsumeBool();
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]620 config.offload_info.sample_rate = getSampleRate(&mFdp);
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]621 config.offload_info.sync_id = mFdp.ConsumeIntegral<uint32_t>();
622 config.offload_info.stream_type = getValue(&mFdp, kStreamtypes);
623 config.offload_info.usage = getValue(&mFdp, kUsages);
624
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]625 config.sample_rate = getSampleRate(&mFdp);
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]626
627 audio_devices_t device = getValue(&mFdp, kDevices);
628 audio_source_t source = getValue(&mFdp, kInputSources);
629 audio_input_flags_t flags = getValue(&mFdp, kInputFlags);
630
631 AudioDeviceTypeAddr deviceTypeAddr(device, address.c_str());
632
633 media::OpenInputRequest request{};
634 request.module = VALUE_OR_RETURN_STATUS(legacy2aidl_audio_module_handle_t_int32_t(module));
635 request.input = VALUE_OR_RETURN_STATUS(legacy2aidl_audio_io_handle_t_int32_t(input));
Mikhail Naganovde3fa182021-07-30 15:06:42 -0700[diff] [blame]636 request.config = VALUE_OR_RETURN_STATUS(
637 legacy2aidl_audio_config_t_AudioConfig(config, true /*isInput*/));
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]638 request.device = VALUE_OR_RETURN_STATUS(legacy2aidl_AudioDeviceTypeAddress(deviceTypeAddr));
Mikhail Naganovddceecc2021-09-03 13:58:56 -0700[diff] [blame]639 request.source = VALUE_OR_RETURN_STATUS(legacy2aidl_audio_source_t_AudioSource(source));
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]640 request.flags = VALUE_OR_RETURN_STATUS(legacy2aidl_audio_input_flags_t_int32_t_mask(flags));
641
642 media::OpenInputResponse response{};
643 status_t status = af->openInput(request, &response);
644 if (status != NO_ERROR) {
645 return NO_ERROR;
646 }
647
648 input = VALUE_OR_RETURN_STATUS(aidl2legacy_int32_t_audio_module_handle_t(response.input));
649 af->closeInput(input);
650 return NO_ERROR;
651}
652
653status_t AudioFlingerFuzzer::invokeAudioOutputDevice() {
654 sp<IAudioFlinger> af = AudioSystem::get_audio_flinger();
655 if (!af) {
656 return NO_ERROR;
657 }
658
659 audio_config_t config = {};
660 audio_module_handle_t module = mFdp.ConsumeIntegral<int32_t>();
661 audio_io_handle_t output = mFdp.ConsumeIntegral<int32_t>();
662 config.frame_count = mFdp.ConsumeIntegral<uint32_t>();
663 String8 address = static_cast<String8>(mFdp.ConsumeRandomLengthString().c_str());
664
665 config.channel_mask = getValue(&mFdp, kChannelMasks);
666
667 config.offload_info = AUDIO_INFO_INITIALIZER;
668 config.offload_info.bit_rate = mFdp.ConsumeIntegral<uint32_t>();
669 config.offload_info.bit_width = mFdp.ConsumeIntegral<uint32_t>();
670 config.offload_info.channel_mask = getValue(&mFdp, kChannelMasks);
671 config.offload_info.content_id = mFdp.ConsumeIntegral<uint32_t>();
672 config.offload_info.duration_us = mFdp.ConsumeIntegral<int64_t>();
673 config.offload_info.encapsulation_mode = getValue(&mFdp, kEncapsulation);
674 config.offload_info.format = getValue(&mFdp, kFormats);
675 config.offload_info.has_video = mFdp.ConsumeBool();
676 config.offload_info.is_streaming = mFdp.ConsumeBool();
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]677 config.offload_info.sample_rate = getSampleRate(&mFdp);
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]678 config.offload_info.stream_type = getValue(&mFdp, kStreamtypes);
679 config.offload_info.sync_id = mFdp.ConsumeIntegral<uint32_t>();
680 config.offload_info.usage = getValue(&mFdp, kUsages);
681
682 config.format = getValue(&mFdp, kFormats);
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]683 config.sample_rate = getSampleRate(&mFdp);
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]684
685 sp<DeviceDescriptorBase> device = new DeviceDescriptorBase(getValue(&mFdp, kDevices));
686 audio_output_flags_t flags = getValue(&mFdp, kOutputFlags);
687
Eric Laurentf1f22e72021-07-13 14:04:14 +0200[diff] [blame]688 audio_config_base_t mixerConfig = AUDIO_CONFIG_BASE_INITIALIZER;
689
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]690 media::OpenOutputRequest request{};
691 media::OpenOutputResponse response{};
692
693 request.module = VALUE_OR_RETURN_STATUS(legacy2aidl_audio_module_handle_t_int32_t(module));
Mikhail Naganovde3fa182021-07-30 15:06:42 -0700[diff] [blame]694 request.halConfig = VALUE_OR_RETURN_STATUS(
695 legacy2aidl_audio_config_t_AudioConfig(config, false /*isInput*/));
696 request.mixerConfig = VALUE_OR_RETURN_STATUS(
697 legacy2aidl_audio_config_base_t_AudioConfigBase(mixerConfig, false /*isInput*/));
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]698 request.device = VALUE_OR_RETURN_STATUS(legacy2aidl_DeviceDescriptorBase(device));
699 request.flags = VALUE_OR_RETURN_STATUS(legacy2aidl_audio_output_flags_t_int32_t_mask(flags));
700
701 status_t status = af->openOutput(request, &response);
702 if (status != NO_ERROR) {
703 return NO_ERROR;
704 }
705 output = VALUE_OR_RETURN_STATUS(aidl2legacy_int32_t_audio_io_handle_t(response.output));
706
707 audio_io_handle_t output1 = mFdp.ConsumeIntegral<int32_t>();
708 af->openDuplicateOutput(output, output1);
709 af->suspendOutput(output);
710 af->restoreOutput(output);
711 af->closeOutput(output);
712 return NO_ERROR;
713}
714
715void AudioFlingerFuzzer::invokeAudioPatch() {
716 sp<IAudioFlinger> af = AudioSystem::get_audio_flinger();
717 if (!af) {
718 return;
719 }
720 struct audio_patch patch = {};
721 audio_patch_handle_t handle = mFdp.ConsumeIntegral<int32_t>();
722
723 patch.id = mFdp.ConsumeIntegral<int32_t>();
724 patch.num_sources = mFdp.ConsumeIntegral<uint32_t>();
725 patch.num_sinks = mFdp.ConsumeIntegral<uint32_t>();
726
727 for (int i = 0; i < AUDIO_PATCH_PORTS_MAX; ++i) {
728 patch.sources[i].config_mask = mFdp.ConsumeIntegral<uint32_t>();
729 patch.sources[i].channel_mask = getValue(&mFdp, kChannelMasks);
730 patch.sources[i].format = getValue(&mFdp, kFormats);
731 patch.sources[i].gain.channel_mask = getValue(&mFdp, kChannelMasks);
732 patch.sources[i].gain.index = mFdp.ConsumeIntegral<int32_t>();
733 patch.sources[i].gain.mode = getValue(&mFdp, kGainModes);
734 patch.sources[i].gain.ramp_duration_ms = mFdp.ConsumeIntegral<uint32_t>();
735 patch.sources[i].id = static_cast<audio_format_t>(mFdp.ConsumeIntegral<int32_t>());
736 patch.sources[i].role = getValue(&mFdp, kPortRoles);
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]737 patch.sources[i].sample_rate = getSampleRate(&mFdp);
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]738 patch.sources[i].type = getValue(&mFdp, kPortTypes);
739
740 patch.sinks[i].config_mask = mFdp.ConsumeIntegral<uint32_t>();
741 patch.sinks[i].channel_mask = getValue(&mFdp, kChannelMasks);
742 patch.sinks[i].format = getValue(&mFdp, kFormats);
743 patch.sinks[i].gain.channel_mask = getValue(&mFdp, kChannelMasks);
744 patch.sinks[i].gain.index = mFdp.ConsumeIntegral<int32_t>();
745 patch.sinks[i].gain.mode = getValue(&mFdp, kGainModes);
746 patch.sinks[i].gain.ramp_duration_ms = mFdp.ConsumeIntegral<uint32_t>();
747 patch.sinks[i].id = static_cast<audio_format_t>(mFdp.ConsumeIntegral<int32_t>());
748 patch.sinks[i].role = getValue(&mFdp, kPortRoles);
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]749 patch.sinks[i].sample_rate = getSampleRate(&mFdp);
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]750 patch.sinks[i].type = getValue(&mFdp, kPortTypes);
751 }
752
753 status_t status = af->createAudioPatch(&patch, &handle);
754 if (status != NO_ERROR) {
755 return;
756 }
757
758 unsigned int num_patches = mFdp.ConsumeIntegral<uint32_t>();
759 struct audio_patch patches = {};
760 af->listAudioPatches(&num_patches, &patches);
761 af->releaseAudioPatch(handle);
762}
763
764void AudioFlingerFuzzer::process() {
765 invokeAudioEffect();
766 invokeAudioInputDevice();
767 invokeAudioOutputDevice();
768 invokeAudioPatch();
769 invokeAudioRecord();
770 invokeAudioSystem();
771 invokeAudioTrack();
772}
773
774extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
775 if (size < 1) {
776 return 0;
777 }
778 AudioFlingerFuzzer audioFuzzer(data, size);
779 audioFuzzer.process();
780 return 0;
781}