Gitiles
Code Review Sign In
gerrit.omnirom.org / android_frameworks_av / c8c4f1f6d91a87970b9e37312756af78b9dd1417 / . / media / libaudioclient / fuzzer / audioflinger_fuzzer.cpp
blob: 7f18e9e6d3d5b20f4d6becc00e316330e2ef1c73 [file] [log] [blame]
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]1/*
2 * Copyright (C) 2021 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at:
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 *
16 */
17
18/**
19 * NOTE
20 * 1) The input to AudioFlinger binder calls are fuzzed in this fuzzer
21 * 2) AudioFlinger crashes due to the fuzzer are detected by the
22 Binder DeathRecipient, where the fuzzer aborts if AudioFlinger dies
23 */
24
25#include <android_audio_policy_configuration_V7_0-enums.h>
Svet Ganov33761132021-05-13 22:51:08 +0000[diff] [blame]26#include <android/content/AttributionSourceState.h>
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]27#include <binder/IServiceManager.h>
28#include <binder/MemoryDealer.h>
Philip P. Moltmannbda45752020-07-17 16:41:18 -0700[diff] [blame]29#include <media/AidlConversion.h>
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]30#include <media/AudioEffect.h>
31#include <media/AudioRecord.h>
32#include <media/AudioSystem.h>
33#include <media/AudioTrack.h>
34#include <media/IAudioFlinger.h>
35#include "fuzzer/FuzzedDataProvider.h"
36
37#define MAX_STRING_LENGTH 256
38#define MAX_ARRAY_LENGTH 256
39
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]40constexpr int32_t kMinSampleRateHz = 4000;
41constexpr int32_t kMaxSampleRateHz = 192000;
42constexpr int32_t kSampleRateUnspecified = 0;
43
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]44using namespace std;
45using namespace android;
46
47namespace xsd {
48using namespace ::android::audio::policy::configuration::V7_0;
49}
50
Svet Ganov33761132021-05-13 22:51:08 +0000[diff] [blame]51using android::content::AttributionSourceState;
Philip P. Moltmannbda45752020-07-17 16:41:18 -0700[diff] [blame]52
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]53constexpr audio_unique_id_use_t kUniqueIds[] = {
54 AUDIO_UNIQUE_ID_USE_UNSPECIFIED, AUDIO_UNIQUE_ID_USE_SESSION, AUDIO_UNIQUE_ID_USE_MODULE,
55 AUDIO_UNIQUE_ID_USE_EFFECT, AUDIO_UNIQUE_ID_USE_PATCH, AUDIO_UNIQUE_ID_USE_OUTPUT,
56 AUDIO_UNIQUE_ID_USE_INPUT, AUDIO_UNIQUE_ID_USE_CLIENT, AUDIO_UNIQUE_ID_USE_MAX,
57};
58
59constexpr audio_mode_t kModes[] = {
60 AUDIO_MODE_INVALID, AUDIO_MODE_CURRENT, AUDIO_MODE_NORMAL, AUDIO_MODE_RINGTONE,
Eric Laurentc8c4f1f2021-11-09 11:51:34 +0100[diff] [blame^]61 AUDIO_MODE_IN_CALL, AUDIO_MODE_IN_COMMUNICATION, AUDIO_MODE_CALL_SCREEN,
62 AUDIO_MODE_CALL_REDIRECT, AUDIO_MODE_COMMUNICATION_REDIRECT};
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]63
64constexpr audio_session_t kSessionId[] = {AUDIO_SESSION_NONE, AUDIO_SESSION_OUTPUT_STAGE,
65 AUDIO_SESSION_DEVICE};
66
67constexpr audio_encapsulation_mode_t kEncapsulation[] = {
68 AUDIO_ENCAPSULATION_MODE_NONE,
69 AUDIO_ENCAPSULATION_MODE_ELEMENTARY_STREAM,
70 AUDIO_ENCAPSULATION_MODE_HANDLE,
71};
72
73constexpr audio_port_role_t kPortRoles[] = {
74 AUDIO_PORT_ROLE_NONE,
75 AUDIO_PORT_ROLE_SOURCE,
76 AUDIO_PORT_ROLE_SINK,
77};
78
79constexpr audio_port_type_t kPortTypes[] = {
80 AUDIO_PORT_TYPE_NONE,
81 AUDIO_PORT_TYPE_DEVICE,
82 AUDIO_PORT_TYPE_MIX,
83 AUDIO_PORT_TYPE_SESSION,
84};
85
86template <typename T, typename X, typename FUNC>
87std::vector<T> getFlags(const xsdc_enum_range<X> &range, const FUNC &func,
88 const std::string &findString = {}) {
89 std::vector<T> vec;
90 for (const auto &xsdEnumVal : range) {
91 T enumVal;
92 std::string enumString = toString(xsdEnumVal);
93 if (enumString.find(findString) != std::string::npos &&
94 func(enumString.c_str(), &enumVal)) {
95 vec.push_back(enumVal);
96 }
97 }
98 return vec;
99}
100
101static const std::vector<audio_stream_type_t> kStreamtypes =
102 getFlags<audio_stream_type_t, xsd::AudioStreamType, decltype(audio_stream_type_from_string)>(
103 xsdc_enum_range<xsd::AudioStreamType>{}, audio_stream_type_from_string);
104
105static const std::vector<audio_format_t> kFormats =
106 getFlags<audio_format_t, xsd::AudioFormat, decltype(audio_format_from_string)>(
107 xsdc_enum_range<xsd::AudioFormat>{}, audio_format_from_string);
108
109static const std::vector<audio_channel_mask_t> kChannelMasks =
110 getFlags<audio_channel_mask_t, xsd::AudioChannelMask, decltype(audio_channel_mask_from_string)>(
111 xsdc_enum_range<xsd::AudioChannelMask>{}, audio_channel_mask_from_string);
112
113static const std::vector<audio_usage_t> kUsages =
114 getFlags<audio_usage_t, xsd::AudioUsage, decltype(audio_usage_from_string)>(
115 xsdc_enum_range<xsd::AudioUsage>{}, audio_usage_from_string);
116
117static const std::vector<audio_content_type_t> kContentType =
118 getFlags<audio_content_type_t, xsd::AudioContentType, decltype(audio_content_type_from_string)>(
119 xsdc_enum_range<xsd::AudioContentType>{}, audio_content_type_from_string);
120
121static const std::vector<audio_source_t> kInputSources =
122 getFlags<audio_source_t, xsd::AudioSource, decltype(audio_source_from_string)>(
123 xsdc_enum_range<xsd::AudioSource>{}, audio_source_from_string);
124
125static const std::vector<audio_gain_mode_t> kGainModes =
126 getFlags<audio_gain_mode_t, xsd::AudioGainMode, decltype(audio_gain_mode_from_string)>(
127 xsdc_enum_range<xsd::AudioGainMode>{}, audio_gain_mode_from_string);
128
129static const std::vector<audio_devices_t> kDevices =
130 getFlags<audio_devices_t, xsd::AudioDevice, decltype(audio_device_from_string)>(
131 xsdc_enum_range<xsd::AudioDevice>{}, audio_device_from_string);
132
133static const std::vector<audio_input_flags_t> kInputFlags =
134 getFlags<audio_input_flags_t, xsd::AudioInOutFlag, decltype(audio_input_flag_from_string)>(
135 xsdc_enum_range<xsd::AudioInOutFlag>{}, audio_input_flag_from_string, "_INPUT_");
136
137static const std::vector<audio_output_flags_t> kOutputFlags =
138 getFlags<audio_output_flags_t, xsd::AudioInOutFlag, decltype(audio_output_flag_from_string)>(
139 xsdc_enum_range<xsd::AudioInOutFlag>{}, audio_output_flag_from_string, "_OUTPUT_");
140
141template <typename T, size_t size>
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]142T getValue(FuzzedDataProvider *fdp, const T (&arr)[size]) {
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]143 return arr[fdp->ConsumeIntegralInRange<int32_t>(0, size - 1)];
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]144}
145
146template <typename T>
147T getValue(FuzzedDataProvider *fdp, std::vector<T> vec) {
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]148 return vec[fdp->ConsumeIntegralInRange<int32_t>(0, vec.size() - 1)];
149}
150
151int32_t getSampleRate(FuzzedDataProvider *fdp) {
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]152 if (fdp->ConsumeBool()) {
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]153 return fdp->ConsumeIntegralInRange<int32_t>(kMinSampleRateHz, kMaxSampleRateHz);
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]154 }
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]155 return kSampleRateUnspecified;
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]156}
157
158class DeathNotifier : public IBinder::DeathRecipient {
159 public:
160 void binderDied(const wp<IBinder> &) { abort(); }
161};
162
163class AudioFlingerFuzzer {
164 public:
165 AudioFlingerFuzzer(const uint8_t *data, size_t size);
166 void process();
167
168 private:
169 FuzzedDataProvider mFdp;
170 void invokeAudioTrack();
171 void invokeAudioRecord();
172 status_t invokeAudioEffect();
173 void invokeAudioSystem();
174 status_t invokeAudioInputDevice();
175 status_t invokeAudioOutputDevice();
176 void invokeAudioPatch();
177
178 sp<DeathNotifier> mDeathNotifier;
179};
180
181AudioFlingerFuzzer::AudioFlingerFuzzer(const uint8_t *data, size_t size) : mFdp(data, size) {
182 sp<IServiceManager> sm = defaultServiceManager();
183 sp<IBinder> binder = sm->getService(String16("media.audio_flinger"));
184 if (binder == nullptr) {
185 return;
186 }
187 mDeathNotifier = new DeathNotifier();
188 binder->linkToDeath(mDeathNotifier);
189}
190
191void AudioFlingerFuzzer::invokeAudioTrack() {
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]192 uint32_t sampleRate = getSampleRate(&mFdp);
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]193 audio_format_t format = getValue(&mFdp, kFormats);
194 audio_channel_mask_t channelMask = getValue(&mFdp, kChannelMasks);
195 size_t frameCount = static_cast<size_t>(mFdp.ConsumeIntegral<uint32_t>());
196 int32_t notificationFrames = mFdp.ConsumeIntegral<int32_t>();
197 uint32_t useSharedBuffer = mFdp.ConsumeBool();
198 audio_output_flags_t flags = getValue(&mFdp, kOutputFlags);
199 audio_session_t sessionId = getValue(&mFdp, kSessionId);
200 audio_usage_t usage = getValue(&mFdp, kUsages);
201 audio_content_type_t contentType = getValue(&mFdp, kContentType);
202 audio_attributes_t attributes = {};
203 sp<IMemory> sharedBuffer;
204 sp<MemoryDealer> heap = nullptr;
205 audio_offload_info_t offloadInfo = AUDIO_INFO_INITIALIZER;
206
207 bool offload = false;
208 bool fast = ((flags & AUDIO_OUTPUT_FLAG_FAST) != 0);
209
210 if (useSharedBuffer != 0) {
211 size_t heapSize = audio_channel_count_from_out_mask(channelMask) *
212 audio_bytes_per_sample(format) * frameCount;
213 heap = new MemoryDealer(heapSize, "AudioTrack Heap Base");
214 sharedBuffer = heap->allocate(heapSize);
215 frameCount = 0;
216 notificationFrames = 0;
217 }
218 if ((flags & AUDIO_OUTPUT_FLAG_COMPRESS_OFFLOAD) != 0) {
219 offloadInfo.sample_rate = sampleRate;
220 offloadInfo.channel_mask = channelMask;
221 offloadInfo.format = format;
222 offload = true;
223 }
224
225 attributes.content_type = contentType;
226 attributes.usage = usage;
227 sp<AudioTrack> track = new AudioTrack();
228
Svet Ganov33761132021-05-13 22:51:08 +0000[diff] [blame]229 // TODO b/182392769: use attribution source util
230 AttributionSourceState attributionSource;
231 attributionSource.uid = VALUE_OR_FATAL(legacy2aidl_uid_t_int32_t(getuid()));
232 attributionSource.pid = VALUE_OR_FATAL(legacy2aidl_pid_t_int32_t(getpid()));
233 attributionSource.token = sp<BBinder>::make();
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]234 track->set(AUDIO_STREAM_DEFAULT, sampleRate, format, channelMask, frameCount, flags, nullptr,
235 nullptr, notificationFrames, sharedBuffer, false, sessionId,
236 ((fast && sharedBuffer == 0) || offload) ? AudioTrack::TRANSFER_CALLBACK
237 : AudioTrack::TRANSFER_DEFAULT,
Svet Ganov33761132021-05-13 22:51:08 +0000[diff] [blame]238 offload ? &offloadInfo : nullptr, attributionSource, &attributes, false, 1.0f,
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]239 AUDIO_PORT_HANDLE_NONE);
240
241 status_t status = track->initCheck();
242 if (status != NO_ERROR) {
243 track.clear();
244 return;
245 }
246 track->getSampleRate();
247 track->latency();
248 track->getUnderrunCount();
249 track->streamType();
250 track->channelCount();
251 track->getNotificationPeriodInFrames();
252 uint32_t bufferSizeInFrames = mFdp.ConsumeIntegral<uint32_t>();
253 track->setBufferSizeInFrames(bufferSizeInFrames);
254 track->getBufferSizeInFrames();
255
256 int64_t duration = mFdp.ConsumeIntegral<int64_t>();
257 track->getBufferDurationInUs(&duration);
258 sp<IMemory> sharedBuffer2 = track->sharedBuffer();
259 track->setCallerName(mFdp.ConsumeRandomLengthString(MAX_STRING_LENGTH));
260
261 track->setVolume(mFdp.ConsumeFloatingPoint<float>(), mFdp.ConsumeFloatingPoint<float>());
262 track->setVolume(mFdp.ConsumeFloatingPoint<float>());
263 track->setAuxEffectSendLevel(mFdp.ConsumeFloatingPoint<float>());
264
265 float auxEffectSendLevel;
266 track->getAuxEffectSendLevel(&auxEffectSendLevel);
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]267 track->setSampleRate(getSampleRate(&mFdp));
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]268 track->getSampleRate();
269 track->getOriginalSampleRate();
270
271 AudioPlaybackRate playbackRate = {};
272 playbackRate.mSpeed = mFdp.ConsumeFloatingPoint<float>();
273 playbackRate.mPitch = mFdp.ConsumeFloatingPoint<float>();
274 track->setPlaybackRate(playbackRate);
275 track->getPlaybackRate();
276 track->setLoop(mFdp.ConsumeIntegral<uint32_t>(), mFdp.ConsumeIntegral<uint32_t>(),
277 mFdp.ConsumeIntegral<uint32_t>());
278 track->setMarkerPosition(mFdp.ConsumeIntegral<uint32_t>());
279
280 uint32_t marker = {};
281 track->getMarkerPosition(&marker);
282 track->setPositionUpdatePeriod(mFdp.ConsumeIntegral<uint32_t>());
283
284 uint32_t updatePeriod = {};
285 track->getPositionUpdatePeriod(&updatePeriod);
286 track->setPosition(mFdp.ConsumeIntegral<uint32_t>());
287 uint32_t position = {};
288 track->getPosition(&position);
289 track->getBufferPosition(&position);
290 track->reload();
291 track->start();
292 track->pause();
293 track->flush();
294 track->stop();
295 track->stopped();
296}
297
298void AudioFlingerFuzzer::invokeAudioRecord() {
299 int32_t notificationFrames = mFdp.ConsumeIntegral<int32_t>();
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]300 uint32_t sampleRate = getSampleRate(&mFdp);
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]301 size_t frameCount = static_cast<size_t>(mFdp.ConsumeIntegral<uint32_t>());
302 audio_format_t format = getValue(&mFdp, kFormats);
303 audio_channel_mask_t channelMask = getValue(&mFdp, kChannelMasks);
304 audio_input_flags_t flags = getValue(&mFdp, kInputFlags);
305 audio_session_t sessionId = getValue(&mFdp, kSessionId);
306 audio_source_t inputSource = getValue(&mFdp, kInputSources);
307
308 audio_attributes_t attributes = {};
309 bool fast = ((flags & AUDIO_OUTPUT_FLAG_FAST) != 0);
310
311 attributes.source = inputSource;
312
Svet Ganov33761132021-05-13 22:51:08 +0000[diff] [blame]313 // TODO b/182392769: use attribution source util
314 AttributionSourceState attributionSource;
315 attributionSource.packageName = std::string(mFdp.ConsumeRandomLengthString().c_str());
316 attributionSource.token = sp<BBinder>::make();
317 sp<AudioRecord> record = new AudioRecord(attributionSource);
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]318 record->set(AUDIO_SOURCE_DEFAULT, sampleRate, format, channelMask, frameCount, nullptr, nullptr,
319 notificationFrames, false, sessionId,
320 fast ? AudioRecord::TRANSFER_CALLBACK : AudioRecord::TRANSFER_DEFAULT, flags,
321 getuid(), getpid(), &attributes, AUDIO_PORT_HANDLE_NONE);
322 status_t status = record->initCheck();
323 if (status != NO_ERROR) {
324 return;
325 }
326 record->latency();
327 record->format();
328 record->channelCount();
329 record->frameCount();
330 record->frameSize();
331 record->inputSource();
332 record->getNotificationPeriodInFrames();
333 record->start();
334 record->stop();
335 record->stopped();
336
337 uint32_t marker = mFdp.ConsumeIntegral<uint32_t>();
338 record->setMarkerPosition(marker);
339 record->getMarkerPosition(&marker);
340
341 uint32_t updatePeriod = mFdp.ConsumeIntegral<uint32_t>();
342 record->setPositionUpdatePeriod(updatePeriod);
343 record->getPositionUpdatePeriod(&updatePeriod);
344
345 uint32_t position;
346 record->getPosition(&position);
347
348 ExtendedTimestamp timestamp;
349 record->getTimestamp(&timestamp);
350 record->getSessionId();
351 record->getCallerName();
352 android::AudioRecord::Buffer audioBuffer;
353 int32_t waitCount = mFdp.ConsumeIntegral<int32_t>();
354 size_t nonContig = static_cast<size_t>(mFdp.ConsumeIntegral<uint32_t>());
355 audioBuffer.frameCount = static_cast<size_t>(mFdp.ConsumeIntegral<uint32_t>());
356 record->obtainBuffer(&audioBuffer, waitCount, &nonContig);
357 bool blocking = false;
358 record->read(audioBuffer.raw, audioBuffer.size, blocking);
359 record->getInputFramesLost();
360 record->getFlags();
361
362 std::vector<media::MicrophoneInfo> activeMicrophones;
363 record->getActiveMicrophones(&activeMicrophones);
364 record->releaseBuffer(&audioBuffer);
365
366 audio_port_handle_t deviceId =
367 static_cast<audio_port_handle_t>(mFdp.ConsumeIntegral<int32_t>());
368 record->setInputDevice(deviceId);
369 record->getInputDevice();
370 record->getRoutedDeviceId();
371 record->getPortId();
372}
373
374struct EffectClient : public android::media::BnEffectClient {
375 EffectClient() {}
376 binder::Status controlStatusChanged(bool controlGranted __unused) override {
377 return binder::Status::ok();
378 }
379 binder::Status enableStatusChanged(bool enabled __unused) override {
380 return binder::Status::ok();
381 }
382 binder::Status commandExecuted(int32_t cmdCode __unused,
383 const std::vector<uint8_t> &cmdData __unused,
384 const std::vector<uint8_t> &replyData __unused) override {
385 return binder::Status::ok();
386 }
Eric Laurentde8caf42021-08-11 17:19:25 +0200[diff] [blame]387 binder::Status framesProcessed(int32_t frames __unused) override {
388 return binder::Status::ok();
389 }
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]390};
391
392status_t AudioFlingerFuzzer::invokeAudioEffect() {
393 effect_uuid_t type;
394 type.timeLow = mFdp.ConsumeIntegral<uint32_t>();
395 type.timeMid = mFdp.ConsumeIntegral<uint16_t>();
396 type.timeHiAndVersion = mFdp.ConsumeIntegral<uint16_t>();
397 type.clockSeq = mFdp.ConsumeIntegral<uint16_t>();
398 for (int i = 0; i < 6; ++i) {
399 type.node[i] = mFdp.ConsumeIntegral<uint8_t>();
400 }
401
402 effect_descriptor_t descriptor = {};
403 descriptor.type = type;
404 descriptor.uuid = *EFFECT_UUID_NULL;
405
406 sp<EffectClient> effectClient(new EffectClient());
407
408 const int32_t priority = mFdp.ConsumeIntegral<int32_t>();
409 audio_session_t sessionId = static_cast<audio_session_t>(mFdp.ConsumeIntegral<int32_t>());
410 const audio_io_handle_t io = mFdp.ConsumeIntegral<int32_t>();
Philip P. Moltmannbda45752020-07-17 16:41:18 -0700[diff] [blame]411 std::string opPackageName = static_cast<std::string>(mFdp.ConsumeRandomLengthString().c_str());
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]412 AudioDeviceTypeAddr device;
413
414 sp<IAudioFlinger> af = AudioSystem::get_audio_flinger();
415 if (!af) {
416 return NO_ERROR;
417 }
418
419 media::CreateEffectRequest request{};
420 request.desc =
421 VALUE_OR_RETURN_STATUS(legacy2aidl_effect_descriptor_t_EffectDescriptor(descriptor));
422 request.client = effectClient;
423 request.priority = priority;
424 request.output = io;
425 request.sessionId = sessionId;
426 request.device = VALUE_OR_RETURN_STATUS(legacy2aidl_AudioDeviceTypeAddress(device));
Svet Ganov33761132021-05-13 22:51:08 +0000[diff] [blame]427 // TODO b/182392769: use attribution source util
428 request.attributionSource.packageName = opPackageName;
429 request.attributionSource.pid = VALUE_OR_RETURN_STATUS(legacy2aidl_pid_t_int32_t(getpid()));
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]430 request.probe = false;
Eric Laurentde8caf42021-08-11 17:19:25 +0200[diff] [blame]431 request.notifyFramesProcessed = false;
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]432
433 media::CreateEffectResponse response{};
434 status_t status = af->createEffect(request, &response);
435
436 if (status != OK) {
437 return NO_ERROR;
438 }
439
440 descriptor =
441 VALUE_OR_RETURN_STATUS(aidl2legacy_EffectDescriptor_effect_descriptor_t(response.desc));
442
443 uint32_t numEffects;
444 af->queryNumberEffects(&numEffects);
445
446 uint32_t queryIndex = mFdp.ConsumeIntegral<uint32_t>();
447 af->queryEffect(queryIndex, &descriptor);
448
449 effect_descriptor_t getDescriptor;
450 uint32_t preferredTypeFlag = mFdp.ConsumeIntegral<int32_t>();
451 af->getEffectDescriptor(&descriptor.uuid, &descriptor.type, preferredTypeFlag, &getDescriptor);
452
453 sessionId = static_cast<audio_session_t>(mFdp.ConsumeIntegral<int32_t>());
454 audio_io_handle_t srcOutput = mFdp.ConsumeIntegral<int32_t>();
455 audio_io_handle_t dstOutput = mFdp.ConsumeIntegral<int32_t>();
456 af->moveEffects(sessionId, srcOutput, dstOutput);
457
458 int effectId = mFdp.ConsumeIntegral<int32_t>();
459 sessionId = static_cast<audio_session_t>(mFdp.ConsumeIntegral<int32_t>());
460 af->setEffectSuspended(effectId, sessionId, mFdp.ConsumeBool());
461 return NO_ERROR;
462}
463
464void AudioFlingerFuzzer::invokeAudioSystem() {
465 AudioSystem::muteMicrophone(mFdp.ConsumeBool());
466 AudioSystem::setMasterMute(mFdp.ConsumeBool());
467 AudioSystem::setMasterVolume(mFdp.ConsumeFloatingPoint<float>());
468 AudioSystem::setMasterBalance(mFdp.ConsumeFloatingPoint<float>());
469 AudioSystem::setVoiceVolume(mFdp.ConsumeFloatingPoint<float>());
470
471 float volume;
472 AudioSystem::getMasterVolume(&volume);
473
474 bool state;
475 AudioSystem::getMasterMute(&state);
476 AudioSystem::isMicrophoneMuted(&state);
477
478 audio_stream_type_t stream = getValue(&mFdp, kStreamtypes);
479 AudioSystem::setStreamMute(getValue(&mFdp, kStreamtypes), mFdp.ConsumeBool());
480
481 stream = getValue(&mFdp, kStreamtypes);
482 AudioSystem::setStreamVolume(stream, mFdp.ConsumeFloatingPoint<float>(),
483 mFdp.ConsumeIntegral<int32_t>());
484
485 audio_mode_t mode = getValue(&mFdp, kModes);
486 AudioSystem::setMode(mode);
487
488 size_t frameCount;
489 stream = getValue(&mFdp, kStreamtypes);
490 AudioSystem::getOutputFrameCount(&frameCount, stream);
491
492 uint32_t latency;
493 stream = getValue(&mFdp, kStreamtypes);
494 AudioSystem::getOutputLatency(&latency, stream);
495
496 stream = getValue(&mFdp, kStreamtypes);
497 AudioSystem::getStreamVolume(stream, &volume, mFdp.ConsumeIntegral<int32_t>());
498
499 stream = getValue(&mFdp, kStreamtypes);
500 AudioSystem::getStreamMute(stream, &state);
501
502 uint32_t samplingRate;
503 AudioSystem::getSamplingRate(mFdp.ConsumeIntegral<int32_t>(), &samplingRate);
504
505 AudioSystem::getFrameCount(mFdp.ConsumeIntegral<int32_t>(), &frameCount);
506 AudioSystem::getLatency(mFdp.ConsumeIntegral<int32_t>(), &latency);
507 AudioSystem::setVoiceVolume(mFdp.ConsumeFloatingPoint<float>());
508
509 uint32_t halFrames;
510 uint32_t dspFrames;
511 AudioSystem::getRenderPosition(mFdp.ConsumeIntegral<int32_t>(), &halFrames, &dspFrames);
512
513 AudioSystem::getInputFramesLost(mFdp.ConsumeIntegral<int32_t>());
514 AudioSystem::getInputFramesLost(mFdp.ConsumeIntegral<int32_t>());
515
516 audio_unique_id_use_t uniqueIdUse = getValue(&mFdp, kUniqueIds);
517 AudioSystem::newAudioUniqueId(uniqueIdUse);
518
519 audio_session_t sessionId = getValue(&mFdp, kSessionId);
520 pid_t pid = mFdp.ConsumeBool() ? getpid() : mFdp.ConsumeIntegral<int32_t>();
521 uid_t uid = mFdp.ConsumeBool() ? getuid() : mFdp.ConsumeIntegral<int32_t>();
522 AudioSystem::acquireAudioSessionId(sessionId, pid, uid);
523
524 pid = mFdp.ConsumeBool() ? getpid() : mFdp.ConsumeIntegral<int32_t>();
525 sessionId = getValue(&mFdp, kSessionId);
526 AudioSystem::releaseAudioSessionId(sessionId, pid);
527
528 sessionId = getValue(&mFdp, kSessionId);
529 AudioSystem::getAudioHwSyncForSession(sessionId);
530
531 AudioSystem::systemReady();
532 AudioSystem::getFrameCountHAL(mFdp.ConsumeIntegral<int32_t>(), &frameCount);
533
534 size_t buffSize;
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]535 uint32_t sampleRate = getSampleRate(&mFdp);
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]536 audio_format_t format = getValue(&mFdp, kFormats);
537 audio_channel_mask_t channelMask = getValue(&mFdp, kChannelMasks);
538 AudioSystem::getInputBufferSize(sampleRate, format, channelMask, &buffSize);
539
540 AudioSystem::getPrimaryOutputSamplingRate();
541 AudioSystem::getPrimaryOutputFrameCount();
542 AudioSystem::setLowRamDevice(mFdp.ConsumeBool(), mFdp.ConsumeIntegral<int64_t>());
543
544 std::vector<media::MicrophoneInfo> microphones;
545 AudioSystem::getMicrophones(&microphones);
546
547 std::vector<pid_t> pids;
548 pids.insert(pids.begin(), getpid());
549 for (int i = 1; i < mFdp.ConsumeIntegralInRange<int32_t>(2, MAX_ARRAY_LENGTH); ++i) {
550 pids.insert(pids.begin() + i, static_cast<pid_t>(mFdp.ConsumeIntegral<int32_t>()));
551 }
552 AudioSystem::setAudioHalPids(pids);
553 sp<IAudioFlinger> af = AudioSystem::get_audio_flinger();
554 if (!af) {
555 return;
556 }
557 af->setRecordSilenced(mFdp.ConsumeIntegral<uint32_t>(), mFdp.ConsumeBool());
558
559 float balance = mFdp.ConsumeFloatingPoint<float>();
560 af->getMasterBalance(&balance);
561 af->invalidateStream(static_cast<audio_stream_type_t>(mFdp.ConsumeIntegral<uint32_t>()));
562}
563
564status_t AudioFlingerFuzzer::invokeAudioInputDevice() {
565 sp<IAudioFlinger> af = AudioSystem::get_audio_flinger();
566 if (!af) {
567 return NO_ERROR;
568 }
569
570 audio_config_t config = {};
571 audio_module_handle_t module = mFdp.ConsumeIntegral<int32_t>();
572 audio_io_handle_t input = mFdp.ConsumeIntegral<int32_t>();
573 config.frame_count = mFdp.ConsumeIntegral<uint32_t>();
574 String8 address = static_cast<String8>(mFdp.ConsumeRandomLengthString().c_str());
575
576 config.channel_mask = getValue(&mFdp, kChannelMasks);
577 config.format = getValue(&mFdp, kFormats);
578
579 config.offload_info = AUDIO_INFO_INITIALIZER;
580 config.offload_info.bit_rate = mFdp.ConsumeIntegral<uint32_t>();
581 config.offload_info.bit_width = mFdp.ConsumeIntegral<uint32_t>();
582 config.offload_info.content_id = mFdp.ConsumeIntegral<uint32_t>();
583 config.offload_info.channel_mask = getValue(&mFdp, kChannelMasks);
584 config.offload_info.duration_us = mFdp.ConsumeIntegral<int64_t>();
585 config.offload_info.encapsulation_mode = getValue(&mFdp, kEncapsulation);
586 config.offload_info.format = getValue(&mFdp, kFormats);
587 config.offload_info.has_video = mFdp.ConsumeBool();
588 config.offload_info.is_streaming = mFdp.ConsumeBool();
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]589 config.offload_info.sample_rate = getSampleRate(&mFdp);
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]590 config.offload_info.sync_id = mFdp.ConsumeIntegral<uint32_t>();
591 config.offload_info.stream_type = getValue(&mFdp, kStreamtypes);
592 config.offload_info.usage = getValue(&mFdp, kUsages);
593
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]594 config.sample_rate = getSampleRate(&mFdp);
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]595
596 audio_devices_t device = getValue(&mFdp, kDevices);
597 audio_source_t source = getValue(&mFdp, kInputSources);
598 audio_input_flags_t flags = getValue(&mFdp, kInputFlags);
599
600 AudioDeviceTypeAddr deviceTypeAddr(device, address.c_str());
601
602 media::OpenInputRequest request{};
603 request.module = VALUE_OR_RETURN_STATUS(legacy2aidl_audio_module_handle_t_int32_t(module));
604 request.input = VALUE_OR_RETURN_STATUS(legacy2aidl_audio_io_handle_t_int32_t(input));
Mikhail Naganovde3fa182021-07-30 15:06:42 -0700[diff] [blame]605 request.config = VALUE_OR_RETURN_STATUS(
606 legacy2aidl_audio_config_t_AudioConfig(config, true /*isInput*/));
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]607 request.device = VALUE_OR_RETURN_STATUS(legacy2aidl_AudioDeviceTypeAddress(deviceTypeAddr));
Mikhail Naganovddceecc2021-09-03 13:58:56 -0700[diff] [blame]608 request.source = VALUE_OR_RETURN_STATUS(legacy2aidl_audio_source_t_AudioSource(source));
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]609 request.flags = VALUE_OR_RETURN_STATUS(legacy2aidl_audio_input_flags_t_int32_t_mask(flags));
610
611 media::OpenInputResponse response{};
612 status_t status = af->openInput(request, &response);
613 if (status != NO_ERROR) {
614 return NO_ERROR;
615 }
616
617 input = VALUE_OR_RETURN_STATUS(aidl2legacy_int32_t_audio_module_handle_t(response.input));
618 af->closeInput(input);
619 return NO_ERROR;
620}
621
622status_t AudioFlingerFuzzer::invokeAudioOutputDevice() {
623 sp<IAudioFlinger> af = AudioSystem::get_audio_flinger();
624 if (!af) {
625 return NO_ERROR;
626 }
627
628 audio_config_t config = {};
629 audio_module_handle_t module = mFdp.ConsumeIntegral<int32_t>();
630 audio_io_handle_t output = mFdp.ConsumeIntegral<int32_t>();
631 config.frame_count = mFdp.ConsumeIntegral<uint32_t>();
632 String8 address = static_cast<String8>(mFdp.ConsumeRandomLengthString().c_str());
633
634 config.channel_mask = getValue(&mFdp, kChannelMasks);
635
636 config.offload_info = AUDIO_INFO_INITIALIZER;
637 config.offload_info.bit_rate = mFdp.ConsumeIntegral<uint32_t>();
638 config.offload_info.bit_width = mFdp.ConsumeIntegral<uint32_t>();
639 config.offload_info.channel_mask = getValue(&mFdp, kChannelMasks);
640 config.offload_info.content_id = mFdp.ConsumeIntegral<uint32_t>();
641 config.offload_info.duration_us = mFdp.ConsumeIntegral<int64_t>();
642 config.offload_info.encapsulation_mode = getValue(&mFdp, kEncapsulation);
643 config.offload_info.format = getValue(&mFdp, kFormats);
644 config.offload_info.has_video = mFdp.ConsumeBool();
645 config.offload_info.is_streaming = mFdp.ConsumeBool();
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]646 config.offload_info.sample_rate = getSampleRate(&mFdp);
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]647 config.offload_info.stream_type = getValue(&mFdp, kStreamtypes);
648 config.offload_info.sync_id = mFdp.ConsumeIntegral<uint32_t>();
649 config.offload_info.usage = getValue(&mFdp, kUsages);
650
651 config.format = getValue(&mFdp, kFormats);
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]652 config.sample_rate = getSampleRate(&mFdp);
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]653
654 sp<DeviceDescriptorBase> device = new DeviceDescriptorBase(getValue(&mFdp, kDevices));
655 audio_output_flags_t flags = getValue(&mFdp, kOutputFlags);
656
Eric Laurentf1f22e72021-07-13 14:04:14 +0200[diff] [blame]657 audio_config_base_t mixerConfig = AUDIO_CONFIG_BASE_INITIALIZER;
658
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]659 media::OpenOutputRequest request{};
660 media::OpenOutputResponse response{};
661
662 request.module = VALUE_OR_RETURN_STATUS(legacy2aidl_audio_module_handle_t_int32_t(module));
Mikhail Naganovde3fa182021-07-30 15:06:42 -0700[diff] [blame]663 request.halConfig = VALUE_OR_RETURN_STATUS(
664 legacy2aidl_audio_config_t_AudioConfig(config, false /*isInput*/));
665 request.mixerConfig = VALUE_OR_RETURN_STATUS(
666 legacy2aidl_audio_config_base_t_AudioConfigBase(mixerConfig, false /*isInput*/));
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]667 request.device = VALUE_OR_RETURN_STATUS(legacy2aidl_DeviceDescriptorBase(device));
668 request.flags = VALUE_OR_RETURN_STATUS(legacy2aidl_audio_output_flags_t_int32_t_mask(flags));
669
670 status_t status = af->openOutput(request, &response);
671 if (status != NO_ERROR) {
672 return NO_ERROR;
673 }
674 output = VALUE_OR_RETURN_STATUS(aidl2legacy_int32_t_audio_io_handle_t(response.output));
675
676 audio_io_handle_t output1 = mFdp.ConsumeIntegral<int32_t>();
677 af->openDuplicateOutput(output, output1);
678 af->suspendOutput(output);
679 af->restoreOutput(output);
680 af->closeOutput(output);
681 return NO_ERROR;
682}
683
684void AudioFlingerFuzzer::invokeAudioPatch() {
685 sp<IAudioFlinger> af = AudioSystem::get_audio_flinger();
686 if (!af) {
687 return;
688 }
689 struct audio_patch patch = {};
690 audio_patch_handle_t handle = mFdp.ConsumeIntegral<int32_t>();
691
692 patch.id = mFdp.ConsumeIntegral<int32_t>();
693 patch.num_sources = mFdp.ConsumeIntegral<uint32_t>();
694 patch.num_sinks = mFdp.ConsumeIntegral<uint32_t>();
695
696 for (int i = 0; i < AUDIO_PATCH_PORTS_MAX; ++i) {
697 patch.sources[i].config_mask = mFdp.ConsumeIntegral<uint32_t>();
698 patch.sources[i].channel_mask = getValue(&mFdp, kChannelMasks);
699 patch.sources[i].format = getValue(&mFdp, kFormats);
700 patch.sources[i].gain.channel_mask = getValue(&mFdp, kChannelMasks);
701 patch.sources[i].gain.index = mFdp.ConsumeIntegral<int32_t>();
702 patch.sources[i].gain.mode = getValue(&mFdp, kGainModes);
703 patch.sources[i].gain.ramp_duration_ms = mFdp.ConsumeIntegral<uint32_t>();
704 patch.sources[i].id = static_cast<audio_format_t>(mFdp.ConsumeIntegral<int32_t>());
705 patch.sources[i].role = getValue(&mFdp, kPortRoles);
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]706 patch.sources[i].sample_rate = getSampleRate(&mFdp);
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]707 patch.sources[i].type = getValue(&mFdp, kPortTypes);
708
709 patch.sinks[i].config_mask = mFdp.ConsumeIntegral<uint32_t>();
710 patch.sinks[i].channel_mask = getValue(&mFdp, kChannelMasks);
711 patch.sinks[i].format = getValue(&mFdp, kFormats);
712 patch.sinks[i].gain.channel_mask = getValue(&mFdp, kChannelMasks);
713 patch.sinks[i].gain.index = mFdp.ConsumeIntegral<int32_t>();
714 patch.sinks[i].gain.mode = getValue(&mFdp, kGainModes);
715 patch.sinks[i].gain.ramp_duration_ms = mFdp.ConsumeIntegral<uint32_t>();
716 patch.sinks[i].id = static_cast<audio_format_t>(mFdp.ConsumeIntegral<int32_t>());
717 patch.sinks[i].role = getValue(&mFdp, kPortRoles);
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]718 patch.sinks[i].sample_rate = getSampleRate(&mFdp);
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]719 patch.sinks[i].type = getValue(&mFdp, kPortTypes);
720 }
721
722 status_t status = af->createAudioPatch(&patch, &handle);
723 if (status != NO_ERROR) {
724 return;
725 }
726
727 unsigned int num_patches = mFdp.ConsumeIntegral<uint32_t>();
728 struct audio_patch patches = {};
729 af->listAudioPatches(&num_patches, &patches);
730 af->releaseAudioPatch(handle);
731}
732
733void AudioFlingerFuzzer::process() {
734 invokeAudioEffect();
735 invokeAudioInputDevice();
736 invokeAudioOutputDevice();
737 invokeAudioPatch();
738 invokeAudioRecord();
739 invokeAudioSystem();
740 invokeAudioTrack();
741}
742
743extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
744 if (size < 1) {
745 return 0;
746 }
747 AudioFlingerFuzzer audioFuzzer(data, size);
748 audioFuzzer.process();
749 return 0;
750}