Add fuzzer for AIDL broadcast radio
Refactored Android.bp file and added fuzzer for default AIDL broadcast
radio HAL.
Bug: 246857025
Test: SANITIZE_TARGET=address make android.hardware.broadcastradio-service.default_fuzzer
cd ${ANDROID_PRODUCT_OUT}
adb root && adb sync data
adb shell /data/fuzz/x86_64/android.hardware.broadcastradio-service.default_fuzzer/vendor/android.hardware.broadcastradio-service.default_fuzzer --test_env=ENABLE_BLAZE_TEST_FUZZING=1 --test_arg=--minloglevel=0
Change-Id: I443fe6fccccb51626e6a58819f3f28ce11b0bff8
diff --git a/broadcastradio/aidl/default/Android.bp b/broadcastradio/aidl/default/Android.bp
index 720aa8a..1d1bef7 100644
--- a/broadcastradio/aidl/default/Android.bp
+++ b/broadcastradio/aidl/default/Android.bp
@@ -23,23 +23,8 @@
default_applicable_licenses: ["hardware_interfaces_license"],
}
-cc_binary {
- name: "android.hardware.broadcastradio-service.default",
- relative_install_path: "hw",
- init_rc: ["broadcastradio-default.rc"],
- vintf_fragments: ["broadcastradio-default.xml"],
- vendor: true,
- cflags: [
- "-Wall",
- "-Wextra",
- "-Werror",
- ],
- srcs: [
- "BroadcastRadio.cpp",
- "main.cpp",
- "VirtualProgram.cpp",
- "VirtualRadio.cpp",
- ],
+cc_defaults {
+ name: "BroadcastRadioHalDefaults",
static_libs: [
"android.hardware.broadcastradio@common-utils-aidl-lib",
"android.hardware.broadcastradio@common-utils-lib",
@@ -51,4 +36,61 @@
"liblog",
"libcutils",
],
+ cflags: [
+ "-Wall",
+ "-Wextra",
+ "-Werror",
+ ],
+}
+
+cc_binary {
+ name: "android.hardware.broadcastradio-service.default",
+ relative_install_path: "hw",
+ init_rc: ["broadcastradio-default.rc"],
+ vintf_fragments: ["broadcastradio-default.xml"],
+ vendor: true,
+ defaults: [
+ "BroadcastRadioHalDefaults",
+ ],
+ srcs: [
+ "main.cpp",
+ ],
+ static_libs: [
+ "DefaultBroadcastRadioHal",
+ ],
+}
+
+cc_library {
+ name: "DefaultBroadcastRadioHal",
+ vendor: true,
+ export_include_dirs: ["."],
+ defaults: [
+ "BroadcastRadioHalDefaults",
+ ],
+ srcs: [
+ "BroadcastRadio.cpp",
+ "VirtualProgram.cpp",
+ "VirtualRadio.cpp",
+ ],
+}
+
+cc_fuzz {
+ name: "android.hardware.broadcastradio-service.default_fuzzer",
+ vendor: true,
+ defaults: [
+ "BroadcastRadioHalDefaults",
+ "service_fuzzer_defaults",
+ ],
+ static_libs: [
+ "DefaultBroadcastRadioHal",
+ "android.hardware.broadcastradio-V1-ndk",
+ ],
+ srcs: [
+ "fuzzer.cpp",
+ ],
+ fuzz_config: {
+ cc: [
+ "xuweilin@google.com",
+ ],
+ },
}
diff --git a/broadcastradio/aidl/default/fuzzer.cpp b/broadcastradio/aidl/default/fuzzer.cpp
new file mode 100644
index 0000000..d535432
--- /dev/null
+++ b/broadcastradio/aidl/default/fuzzer.cpp
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <fuzzbinder/libbinder_ndk_driver.h>
+#include <fuzzer/FuzzedDataProvider.h>
+#include "BroadcastRadio.h"
+#include "VirtualRadio.h"
+
+using ::aidl::android::hardware::broadcastradio::BroadcastRadio;
+using ::aidl::android::hardware::broadcastradio::VirtualRadio;
+using ::android::fuzzService;
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ const VirtualRadio& amFmRadioMock = VirtualRadio::getAmFmRadio();
+ std::shared_ptr<BroadcastRadio> amFmRadio =
+ ::ndk::SharedRefBase::make<BroadcastRadio>(amFmRadioMock);
+ const VirtualRadio& dabRadioMock = VirtualRadio::getDabRadio();
+ std::shared_ptr<BroadcastRadio> dabRadio =
+ ::ndk::SharedRefBase::make<BroadcastRadio>(dabRadioMock);
+
+ std::vector<ndk::SpAIBinder> binder_services = {amFmRadio->asBinder(), dabRadio->asBinder()};
+
+ fuzzService(binder_services, FuzzedDataProvider(data, size));
+
+ return 0;
+}