Add initial batch of inputFlinger fuzzers
This batch of fuzzers is focused on the input Mappers. These fuzzers are
not host_supported, and must be run on-device. Followup CLs containing
additional inputflinger fuzzers will rely on the FuzzContainer.h and
MapperHelpers.h header files.
Fuzzers included:
- CursorInputFuzzer
- KeyboardInputFuzzer
- MultiTouchInputFuzzer
- SwitchInputFuzzer
Test: Tested on a pixel 3a with HWASAN. Accurate % coverage information is
not available due to the large number of shared libraries included
in runs built with hwasan interfering with PC Count information
(increasing the total PC count to ~682,000).
Summary of updates:
Coverage improvements: 75% to 82%
Design changes:
[1] Refactored
- CursorInputFuzzer
- KeyboardInputFuzzer
- MultiTouchInputFuzzer
- SwitchInputFuzzer
in order to generate event as a combination of valid and invalid input.
[2] Used FuzzedDataProvider to generate values for events.
Signed-off-by: Michael Ensing <michael.ensing@leviathansecurity.com>
Change-Id: Id39205c691f54c516f8a452293cb098382019335
diff --git a/services/inputflinger/tests/fuzzers/SwitchInputFuzzer.cpp b/services/inputflinger/tests/fuzzers/SwitchInputFuzzer.cpp
new file mode 100644
index 0000000..e76bd72
--- /dev/null
+++ b/services/inputflinger/tests/fuzzers/SwitchInputFuzzer.cpp
@@ -0,0 +1,61 @@
+/*
+ * Copyright 2022 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <FuzzContainer.h>
+#include <SwitchInputMapper.h>
+#include <fuzzer/FuzzedDataProvider.h>
+
+namespace android {
+
+extern "C" int LLVMFuzzerTestOneInput(uint8_t* data, size_t size) {
+ std::shared_ptr<FuzzedDataProvider> fdp = std::make_shared<FuzzedDataProvider>(data, size);
+ FuzzContainer fuzzer(fdp);
+
+ SwitchInputMapper& mapper = fuzzer.getMapper<SwitchInputMapper>();
+ auto policyConfig = fuzzer.getPolicyConfig();
+
+ // Loop through mapper operations until randomness is exhausted.
+ while (fdp->remaining_bytes() > 0) {
+ fdp->PickValueInArray<std::function<void()>>({
+ [&]() -> void {
+ std::string dump;
+ mapper.dump(dump);
+ },
+ [&]() -> void { mapper.getSources(); },
+ [&]() -> void {
+ int32_t type = fdp->ConsumeBool() ? fdp->PickValueInArray(kValidTypes)
+ : fdp->ConsumeIntegral<int32_t>();
+ int32_t code = fdp->ConsumeBool() ? fdp->PickValueInArray(kValidCodes)
+ : fdp->ConsumeIntegral<int32_t>();
+ RawEvent rawEvent{fdp->ConsumeIntegral<nsecs_t>(),
+ fdp->ConsumeIntegral<nsecs_t>(),
+ fdp->ConsumeIntegral<int32_t>(),
+ type,
+ code,
+ fdp->ConsumeIntegral<int32_t>()};
+ mapper.process(&rawEvent);
+ },
+ [&]() -> void {
+ mapper.getSwitchState(fdp->ConsumeIntegral<uint32_t>(),
+ fdp->ConsumeIntegral<int32_t>());
+ },
+ })();
+ }
+
+ return 0;
+}
+
+} // namespace android