commit 7c58e6569790cd8c42fe6107b2e1ecf460a83ca5
author Michael Ensing <michael.ensing@leviathansecurity.com> Tue May 12 00:41:30 2020 -0700
committer Hamzeh Zawawy <hamzeh@google.com> Tue Feb 09 21:49:02 2021 +0000
tree b15c347f92a25f02c8634ea050630a8cce67a674
parent f1cfae86f21f38705aa57b204e38fb7715ae8388

DO NOT MERGE Add initial batch of inputFlinger fuzzers

This batch of fuzzers is focused on the input Mappers. These fuzzers are
not host_supported, and must be run on-device. Followup CLs containing
additional inputflinger fuzzers will rely on the FuzzContainer.h and
MapperHelpers.h header files.

Fuzzers included:
 - CursorInputFuzzer
 - KeyboardInputFuzzer
 - MultiTouchInputFuzzer
 - SwitchInputFuzzer

Test: Tested on a pixel 3a with HWASAN. Accurate % coverage information is
      not available due to the large number of shared libraries included
      in runs built with hwasan interfering with PC Count information
      (increasing the total PC count to ~682,000).

Signed-off-by: Michael Ensing <michael.ensing@leviathansecurity.com>
Change-Id: Id39205c691f54c516f8a452293cb098382019335

services/inputflinger/tests/fuzzers/KeyboardInputFuzzer.cpp

diff --git a/services/inputflinger/tests/fuzzers/KeyboardInputFuzzer.cpp b/services/inputflinger/tests/fuzzers/KeyboardInputFuzzer.cpp
new file mode 100644
index 0000000..854e2fd
--- /dev/null
+++ b/services/inputflinger/tests/fuzzers/KeyboardInputFuzzer.cpp
@@ -0,0 +1,99 @@
+/*
+ * Copyright 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <FuzzContainer.h>
+#include <KeyboardInputMapper.h>
+#include <fuzzer/FuzzedDataProvider.h>
+
+namespace android {
+
+void addProperty(FuzzContainer& fuzzer, std::shared_ptr<FuzzedDataProvider> fdp) {
+    // Pick a random property to set for the mapper to have set.
+    fdp->PickValueInArray<std::function<void()>>(
+            {[&]() -> void {
+                 fuzzer.addProperty(String8("keyboard.orientationAware"), String8("1"));
+             },
+             [&]() -> void {
+                 fuzzer.addProperty(String8("keyboard.orientationAware"),
+                                    String8(fdp->ConsumeRandomLengthString(100).data()));
+             },
+             [&]() -> void {
+                 fuzzer.addProperty(String8("keyboard.doNotWakeByDefault"),
+                                    String8(fdp->ConsumeRandomLengthString(100).data()));
+             },
+             [&]() -> void {
+                 fuzzer.addProperty(String8("keyboard.handlesKeyRepeat"),
+                                    String8(fdp->ConsumeRandomLengthString(100).data()));
+             }})();
+}
+
+extern "C" int LLVMFuzzerTestOneInput(uint8_t* data, size_t size) {
+    std::shared_ptr<FuzzedDataProvider> fdp = std::make_shared<FuzzedDataProvider>(data, size);
+    FuzzContainer fuzzer = FuzzContainer(fdp);
+
+    KeyboardInputMapper& mapper =
+            fuzzer.getMapper<KeyboardInputMapper>(fdp->ConsumeIntegral<uint32_t>(),
+                                                  fdp->ConsumeIntegral<int32_t>());
+    auto policyConfig = fuzzer.getPolicyConfig();
+
+    // Loop through mapper operations until randomness is exhausted.
+    while (fdp->remaining_bytes() > 0) {
+        fdp->PickValueInArray<std::function<void()>>({
+                [&]() -> void { addProperty(fuzzer, fdp); },
+                [&]() -> void {
+                    std::string dump;
+                    mapper.dump(dump);
+                },
+                [&]() -> void {
+                    InputDeviceInfo info;
+                    mapper.populateDeviceInfo(&info);
+                },
+                [&]() -> void { mapper.getSources(); },
+                [&]() -> void {
+                    mapper.configure(fdp->ConsumeIntegral<nsecs_t>(), &policyConfig,
+                                     fdp->ConsumeIntegral<uint32_t>());
+                },
+                [&]() -> void { mapper.reset(fdp->ConsumeIntegral<nsecs_t>()); },
+                [&]() -> void {
+                    RawEvent rawEvent{fdp->ConsumeIntegral<nsecs_t>(),
+                                      fdp->ConsumeIntegral<int32_t>(),
+                                      fdp->ConsumeIntegral<int32_t>(),
+                                      fdp->ConsumeIntegral<int32_t>(),
+                                      fdp->ConsumeIntegral<int32_t>()};
+                    mapper.process(&rawEvent);
+                },
+                [&]() -> void {
+                    mapper.getKeyCodeState(fdp->ConsumeIntegral<uint32_t>(),
+                                           fdp->ConsumeIntegral<int32_t>());
+                },
+                [&]() -> void {
+                    mapper.getScanCodeState(fdp->ConsumeIntegral<uint32_t>(),
+                                            fdp->ConsumeIntegral<int32_t>());
+                },
+                [&]() -> void {
+                    mapper.markSupportedKeyCodes(fdp->ConsumeIntegral<uint32_t>(),
+                                                 fdp->ConsumeIntegral<size_t>(), nullptr, nullptr);
+                },
+                [&]() -> void { mapper.getMetaState(); },
+                [&]() -> void { mapper.updateMetaState(fdp->ConsumeIntegral<int32_t>()); },
+                [&]() -> void { mapper.getAssociatedDisplayId(); },
+        })();
+    }
+
+    return 0;
+}
+
+} // namespace android