Gitiles
Code Review Sign In
review.evervolv.com / android_frameworks_av / a676a9a14bf605ae8e5225839959764ee9fe37f9 / . / media / libaudioclient / fuzzer / audioflinger_fuzzer.cpp
blob: db2b0b8cb15fe36ace384386850314dbc9f10886 [file] [log] [blame]
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]1/*
2 * Copyright (C) 2021 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at:
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 *
16 */
17
18/**
19 * NOTE
20 * 1) The input to AudioFlinger binder calls are fuzzed in this fuzzer
21 * 2) AudioFlinger crashes due to the fuzzer are detected by the
22 Binder DeathRecipient, where the fuzzer aborts if AudioFlinger dies
23 */
24
25#include <android_audio_policy_configuration_V7_0-enums.h>
26#include <binder/IServiceManager.h>
27#include <binder/MemoryDealer.h>
28#include <media/AudioEffect.h>
29#include <media/AudioRecord.h>
30#include <media/AudioSystem.h>
31#include <media/AudioTrack.h>
32#include <media/IAudioFlinger.h>
33#include "fuzzer/FuzzedDataProvider.h"
34
35#define MAX_STRING_LENGTH 256
36#define MAX_ARRAY_LENGTH 256
37
38using namespace std;
39using namespace android;
40
41namespace xsd {
42using namespace ::android::audio::policy::configuration::V7_0;
43}
44
45constexpr audio_unique_id_use_t kUniqueIds[] = {
46 AUDIO_UNIQUE_ID_USE_UNSPECIFIED, AUDIO_UNIQUE_ID_USE_SESSION, AUDIO_UNIQUE_ID_USE_MODULE,
47 AUDIO_UNIQUE_ID_USE_EFFECT, AUDIO_UNIQUE_ID_USE_PATCH, AUDIO_UNIQUE_ID_USE_OUTPUT,
48 AUDIO_UNIQUE_ID_USE_INPUT, AUDIO_UNIQUE_ID_USE_CLIENT, AUDIO_UNIQUE_ID_USE_MAX,
49};
50
51constexpr audio_mode_t kModes[] = {
52 AUDIO_MODE_INVALID, AUDIO_MODE_CURRENT, AUDIO_MODE_NORMAL, AUDIO_MODE_RINGTONE,
53 AUDIO_MODE_IN_CALL, AUDIO_MODE_IN_COMMUNICATION, AUDIO_MODE_CALL_SCREEN};
54
55constexpr audio_session_t kSessionId[] = {AUDIO_SESSION_NONE, AUDIO_SESSION_OUTPUT_STAGE,
56 AUDIO_SESSION_DEVICE};
57
58constexpr audio_encapsulation_mode_t kEncapsulation[] = {
59 AUDIO_ENCAPSULATION_MODE_NONE,
60 AUDIO_ENCAPSULATION_MODE_ELEMENTARY_STREAM,
61 AUDIO_ENCAPSULATION_MODE_HANDLE,
62};
63
64constexpr audio_port_role_t kPortRoles[] = {
65 AUDIO_PORT_ROLE_NONE,
66 AUDIO_PORT_ROLE_SOURCE,
67 AUDIO_PORT_ROLE_SINK,
68};
69
70constexpr audio_port_type_t kPortTypes[] = {
71 AUDIO_PORT_TYPE_NONE,
72 AUDIO_PORT_TYPE_DEVICE,
73 AUDIO_PORT_TYPE_MIX,
74 AUDIO_PORT_TYPE_SESSION,
75};
76
77template <typename T, typename X, typename FUNC>
78std::vector<T> getFlags(const xsdc_enum_range<X> &range, const FUNC &func,
79 const std::string &findString = {}) {
80 std::vector<T> vec;
81 for (const auto &xsdEnumVal : range) {
82 T enumVal;
83 std::string enumString = toString(xsdEnumVal);
84 if (enumString.find(findString) != std::string::npos &&
85 func(enumString.c_str(), &enumVal)) {
86 vec.push_back(enumVal);
87 }
88 }
89 return vec;
90}
91
92static const std::vector<audio_stream_type_t> kStreamtypes =
93 getFlags<audio_stream_type_t, xsd::AudioStreamType, decltype(audio_stream_type_from_string)>(
94 xsdc_enum_range<xsd::AudioStreamType>{}, audio_stream_type_from_string);
95
96static const std::vector<audio_format_t> kFormats =
97 getFlags<audio_format_t, xsd::AudioFormat, decltype(audio_format_from_string)>(
98 xsdc_enum_range<xsd::AudioFormat>{}, audio_format_from_string);
99
100static const std::vector<audio_channel_mask_t> kChannelMasks =
101 getFlags<audio_channel_mask_t, xsd::AudioChannelMask, decltype(audio_channel_mask_from_string)>(
102 xsdc_enum_range<xsd::AudioChannelMask>{}, audio_channel_mask_from_string);
103
104static const std::vector<audio_usage_t> kUsages =
105 getFlags<audio_usage_t, xsd::AudioUsage, decltype(audio_usage_from_string)>(
106 xsdc_enum_range<xsd::AudioUsage>{}, audio_usage_from_string);
107
108static const std::vector<audio_content_type_t> kContentType =
109 getFlags<audio_content_type_t, xsd::AudioContentType, decltype(audio_content_type_from_string)>(
110 xsdc_enum_range<xsd::AudioContentType>{}, audio_content_type_from_string);
111
112static const std::vector<audio_source_t> kInputSources =
113 getFlags<audio_source_t, xsd::AudioSource, decltype(audio_source_from_string)>(
114 xsdc_enum_range<xsd::AudioSource>{}, audio_source_from_string);
115
116static const std::vector<audio_gain_mode_t> kGainModes =
117 getFlags<audio_gain_mode_t, xsd::AudioGainMode, decltype(audio_gain_mode_from_string)>(
118 xsdc_enum_range<xsd::AudioGainMode>{}, audio_gain_mode_from_string);
119
120static const std::vector<audio_devices_t> kDevices =
121 getFlags<audio_devices_t, xsd::AudioDevice, decltype(audio_device_from_string)>(
122 xsdc_enum_range<xsd::AudioDevice>{}, audio_device_from_string);
123
124static const std::vector<audio_input_flags_t> kInputFlags =
125 getFlags<audio_input_flags_t, xsd::AudioInOutFlag, decltype(audio_input_flag_from_string)>(
126 xsdc_enum_range<xsd::AudioInOutFlag>{}, audio_input_flag_from_string, "_INPUT_");
127
128static const std::vector<audio_output_flags_t> kOutputFlags =
129 getFlags<audio_output_flags_t, xsd::AudioInOutFlag, decltype(audio_output_flag_from_string)>(
130 xsdc_enum_range<xsd::AudioInOutFlag>{}, audio_output_flag_from_string, "_OUTPUT_");
131
132template <typename T, size_t size>
133T getValueFromArray(FuzzedDataProvider *fdp, const T (&arr)[size]) {
134 return arr[fdp->ConsumeIntegralInRange<int32_t>(0, size - 1)];
135}
136
137template <typename T, size_t size>
138T getValue(FuzzedDataProvider *fdp, const T (&arr)[size]) {
139 if (fdp->ConsumeBool()) {
140 return static_cast<T>(fdp->ConsumeIntegral<int32_t>());
141 }
142 return getValueFromArray(fdp, arr);
143}
144
145template <typename T>
146T getValueFromVector(FuzzedDataProvider *fdp, std::vector<T> vec) {
147 return vec[fdp->ConsumeIntegralInRange<int32_t>(0, vec.size() - 1)];
148}
149
150template <typename T>
151T getValue(FuzzedDataProvider *fdp, std::vector<T> vec) {
152 if (fdp->ConsumeBool()) {
153 return static_cast<T>(fdp->ConsumeIntegral<int32_t>());
154 }
155 return getValueFromVector(fdp, vec);
156}
157
158class DeathNotifier : public IBinder::DeathRecipient {
159 public:
160 void binderDied(const wp<IBinder> &) { abort(); }
161};
162
163class AudioFlingerFuzzer {
164 public:
165 AudioFlingerFuzzer(const uint8_t *data, size_t size);
166 void process();
167
168 private:
169 FuzzedDataProvider mFdp;
170 void invokeAudioTrack();
171 void invokeAudioRecord();
172 status_t invokeAudioEffect();
173 void invokeAudioSystem();
174 status_t invokeAudioInputDevice();
175 status_t invokeAudioOutputDevice();
176 void invokeAudioPatch();
177
178 sp<DeathNotifier> mDeathNotifier;
179};
180
181AudioFlingerFuzzer::AudioFlingerFuzzer(const uint8_t *data, size_t size) : mFdp(data, size) {
182 sp<IServiceManager> sm = defaultServiceManager();
183 sp<IBinder> binder = sm->getService(String16("media.audio_flinger"));
184 if (binder == nullptr) {
185 return;
186 }
187 mDeathNotifier = new DeathNotifier();
188 binder->linkToDeath(mDeathNotifier);
189}
190
191void AudioFlingerFuzzer::invokeAudioTrack() {
192 uint32_t sampleRate = mFdp.ConsumeIntegral<uint32_t>();
193 audio_format_t format = getValue(&mFdp, kFormats);
194 audio_channel_mask_t channelMask = getValue(&mFdp, kChannelMasks);
195 size_t frameCount = static_cast<size_t>(mFdp.ConsumeIntegral<uint32_t>());
196 int32_t notificationFrames = mFdp.ConsumeIntegral<int32_t>();
197 uint32_t useSharedBuffer = mFdp.ConsumeBool();
198 audio_output_flags_t flags = getValue(&mFdp, kOutputFlags);
199 audio_session_t sessionId = getValue(&mFdp, kSessionId);
200 audio_usage_t usage = getValue(&mFdp, kUsages);
201 audio_content_type_t contentType = getValue(&mFdp, kContentType);
202 audio_attributes_t attributes = {};
203 sp<IMemory> sharedBuffer;
204 sp<MemoryDealer> heap = nullptr;
205 audio_offload_info_t offloadInfo = AUDIO_INFO_INITIALIZER;
206
207 bool offload = false;
208 bool fast = ((flags & AUDIO_OUTPUT_FLAG_FAST) != 0);
209
210 if (useSharedBuffer != 0) {
211 size_t heapSize = audio_channel_count_from_out_mask(channelMask) *
212 audio_bytes_per_sample(format) * frameCount;
213 heap = new MemoryDealer(heapSize, "AudioTrack Heap Base");
214 sharedBuffer = heap->allocate(heapSize);
215 frameCount = 0;
216 notificationFrames = 0;
217 }
218 if ((flags & AUDIO_OUTPUT_FLAG_COMPRESS_OFFLOAD) != 0) {
219 offloadInfo.sample_rate = sampleRate;
220 offloadInfo.channel_mask = channelMask;
221 offloadInfo.format = format;
222 offload = true;
223 }
224
225 attributes.content_type = contentType;
226 attributes.usage = usage;
227 sp<AudioTrack> track = new AudioTrack();
228
229 track->set(AUDIO_STREAM_DEFAULT, sampleRate, format, channelMask, frameCount, flags, nullptr,
230 nullptr, notificationFrames, sharedBuffer, false, sessionId,
231 ((fast && sharedBuffer == 0) || offload) ? AudioTrack::TRANSFER_CALLBACK
232 : AudioTrack::TRANSFER_DEFAULT,
233 offload ? &offloadInfo : nullptr, getuid(), getpid(), &attributes, false, 1.0f,
234 AUDIO_PORT_HANDLE_NONE);
235
236 status_t status = track->initCheck();
237 if (status != NO_ERROR) {
238 track.clear();
239 return;
240 }
241 track->getSampleRate();
242 track->latency();
243 track->getUnderrunCount();
244 track->streamType();
245 track->channelCount();
246 track->getNotificationPeriodInFrames();
247 uint32_t bufferSizeInFrames = mFdp.ConsumeIntegral<uint32_t>();
248 track->setBufferSizeInFrames(bufferSizeInFrames);
249 track->getBufferSizeInFrames();
250
251 int64_t duration = mFdp.ConsumeIntegral<int64_t>();
252 track->getBufferDurationInUs(&duration);
253 sp<IMemory> sharedBuffer2 = track->sharedBuffer();
254 track->setCallerName(mFdp.ConsumeRandomLengthString(MAX_STRING_LENGTH));
255
256 track->setVolume(mFdp.ConsumeFloatingPoint<float>(), mFdp.ConsumeFloatingPoint<float>());
257 track->setVolume(mFdp.ConsumeFloatingPoint<float>());
258 track->setAuxEffectSendLevel(mFdp.ConsumeFloatingPoint<float>());
259
260 float auxEffectSendLevel;
261 track->getAuxEffectSendLevel(&auxEffectSendLevel);
262 track->setSampleRate(mFdp.ConsumeIntegral<uint32_t>());
263 track->getSampleRate();
264 track->getOriginalSampleRate();
265
266 AudioPlaybackRate playbackRate = {};
267 playbackRate.mSpeed = mFdp.ConsumeFloatingPoint<float>();
268 playbackRate.mPitch = mFdp.ConsumeFloatingPoint<float>();
269 track->setPlaybackRate(playbackRate);
270 track->getPlaybackRate();
271 track->setLoop(mFdp.ConsumeIntegral<uint32_t>(), mFdp.ConsumeIntegral<uint32_t>(),
272 mFdp.ConsumeIntegral<uint32_t>());
273 track->setMarkerPosition(mFdp.ConsumeIntegral<uint32_t>());
274
275 uint32_t marker = {};
276 track->getMarkerPosition(&marker);
277 track->setPositionUpdatePeriod(mFdp.ConsumeIntegral<uint32_t>());
278
279 uint32_t updatePeriod = {};
280 track->getPositionUpdatePeriod(&updatePeriod);
281 track->setPosition(mFdp.ConsumeIntegral<uint32_t>());
282 uint32_t position = {};
283 track->getPosition(&position);
284 track->getBufferPosition(&position);
285 track->reload();
286 track->start();
287 track->pause();
288 track->flush();
289 track->stop();
290 track->stopped();
291}
292
293void AudioFlingerFuzzer::invokeAudioRecord() {
294 int32_t notificationFrames = mFdp.ConsumeIntegral<int32_t>();
295 uint32_t sampleRate = mFdp.ConsumeIntegral<uint32_t>();
296 size_t frameCount = static_cast<size_t>(mFdp.ConsumeIntegral<uint32_t>());
297 audio_format_t format = getValue(&mFdp, kFormats);
298 audio_channel_mask_t channelMask = getValue(&mFdp, kChannelMasks);
299 audio_input_flags_t flags = getValue(&mFdp, kInputFlags);
300 audio_session_t sessionId = getValue(&mFdp, kSessionId);
301 audio_source_t inputSource = getValue(&mFdp, kInputSources);
302
303 audio_attributes_t attributes = {};
304 bool fast = ((flags & AUDIO_OUTPUT_FLAG_FAST) != 0);
305
306 attributes.source = inputSource;
307
308 sp<AudioRecord> record = new AudioRecord(String16(mFdp.ConsumeRandomLengthString().c_str()));
309 record->set(AUDIO_SOURCE_DEFAULT, sampleRate, format, channelMask, frameCount, nullptr, nullptr,
310 notificationFrames, false, sessionId,
311 fast ? AudioRecord::TRANSFER_CALLBACK : AudioRecord::TRANSFER_DEFAULT, flags,
312 getuid(), getpid(), &attributes, AUDIO_PORT_HANDLE_NONE);
313 status_t status = record->initCheck();
314 if (status != NO_ERROR) {
315 return;
316 }
317 record->latency();
318 record->format();
319 record->channelCount();
320 record->frameCount();
321 record->frameSize();
322 record->inputSource();
323 record->getNotificationPeriodInFrames();
324 record->start();
325 record->stop();
326 record->stopped();
327
328 uint32_t marker = mFdp.ConsumeIntegral<uint32_t>();
329 record->setMarkerPosition(marker);
330 record->getMarkerPosition(&marker);
331
332 uint32_t updatePeriod = mFdp.ConsumeIntegral<uint32_t>();
333 record->setPositionUpdatePeriod(updatePeriod);
334 record->getPositionUpdatePeriod(&updatePeriod);
335
336 uint32_t position;
337 record->getPosition(&position);
338
339 ExtendedTimestamp timestamp;
340 record->getTimestamp(&timestamp);
341 record->getSessionId();
342 record->getCallerName();
343 android::AudioRecord::Buffer audioBuffer;
344 int32_t waitCount = mFdp.ConsumeIntegral<int32_t>();
345 size_t nonContig = static_cast<size_t>(mFdp.ConsumeIntegral<uint32_t>());
346 audioBuffer.frameCount = static_cast<size_t>(mFdp.ConsumeIntegral<uint32_t>());
347 record->obtainBuffer(&audioBuffer, waitCount, &nonContig);
348 bool blocking = false;
349 record->read(audioBuffer.raw, audioBuffer.size, blocking);
350 record->getInputFramesLost();
351 record->getFlags();
352
353 std::vector<media::MicrophoneInfo> activeMicrophones;
354 record->getActiveMicrophones(&activeMicrophones);
355 record->releaseBuffer(&audioBuffer);
356
357 audio_port_handle_t deviceId =
358 static_cast<audio_port_handle_t>(mFdp.ConsumeIntegral<int32_t>());
359 record->setInputDevice(deviceId);
360 record->getInputDevice();
361 record->getRoutedDeviceId();
362 record->getPortId();
363}
364
365struct EffectClient : public android::media::BnEffectClient {
366 EffectClient() {}
367 binder::Status controlStatusChanged(bool controlGranted __unused) override {
368 return binder::Status::ok();
369 }
370 binder::Status enableStatusChanged(bool enabled __unused) override {
371 return binder::Status::ok();
372 }
373 binder::Status commandExecuted(int32_t cmdCode __unused,
374 const std::vector<uint8_t> &cmdData __unused,
375 const std::vector<uint8_t> &replyData __unused) override {
376 return binder::Status::ok();
377 }
378};
379
380status_t AudioFlingerFuzzer::invokeAudioEffect() {
381 effect_uuid_t type;
382 type.timeLow = mFdp.ConsumeIntegral<uint32_t>();
383 type.timeMid = mFdp.ConsumeIntegral<uint16_t>();
384 type.timeHiAndVersion = mFdp.ConsumeIntegral<uint16_t>();
385 type.clockSeq = mFdp.ConsumeIntegral<uint16_t>();
386 for (int i = 0; i < 6; ++i) {
387 type.node[i] = mFdp.ConsumeIntegral<uint8_t>();
388 }
389
390 effect_descriptor_t descriptor = {};
391 descriptor.type = type;
392 descriptor.uuid = *EFFECT_UUID_NULL;
393
394 sp<EffectClient> effectClient(new EffectClient());
395
396 const int32_t priority = mFdp.ConsumeIntegral<int32_t>();
397 audio_session_t sessionId = static_cast<audio_session_t>(mFdp.ConsumeIntegral<int32_t>());
398 const audio_io_handle_t io = mFdp.ConsumeIntegral<int32_t>();
399 String16 opPackageName = static_cast<String16>(mFdp.ConsumeRandomLengthString().c_str());
400 AudioDeviceTypeAddr device;
401
402 sp<IAudioFlinger> af = AudioSystem::get_audio_flinger();
403 if (!af) {
404 return NO_ERROR;
405 }
406
407 media::CreateEffectRequest request{};
408 request.desc =
409 VALUE_OR_RETURN_STATUS(legacy2aidl_effect_descriptor_t_EffectDescriptor(descriptor));
410 request.client = effectClient;
411 request.priority = priority;
412 request.output = io;
413 request.sessionId = sessionId;
414 request.device = VALUE_OR_RETURN_STATUS(legacy2aidl_AudioDeviceTypeAddress(device));
415 request.opPackageName = VALUE_OR_RETURN_STATUS(legacy2aidl_String16_string(opPackageName));
416 request.pid = getpid();
417 request.probe = false;
418
419 media::CreateEffectResponse response{};
420 status_t status = af->createEffect(request, &response);
421
422 if (status != OK) {
423 return NO_ERROR;
424 }
425
426 descriptor =
427 VALUE_OR_RETURN_STATUS(aidl2legacy_EffectDescriptor_effect_descriptor_t(response.desc));
428
429 uint32_t numEffects;
430 af->queryNumberEffects(&numEffects);
431
432 uint32_t queryIndex = mFdp.ConsumeIntegral<uint32_t>();
433 af->queryEffect(queryIndex, &descriptor);
434
435 effect_descriptor_t getDescriptor;
436 uint32_t preferredTypeFlag = mFdp.ConsumeIntegral<int32_t>();
437 af->getEffectDescriptor(&descriptor.uuid, &descriptor.type, preferredTypeFlag, &getDescriptor);
438
439 sessionId = static_cast<audio_session_t>(mFdp.ConsumeIntegral<int32_t>());
440 audio_io_handle_t srcOutput = mFdp.ConsumeIntegral<int32_t>();
441 audio_io_handle_t dstOutput = mFdp.ConsumeIntegral<int32_t>();
442 af->moveEffects(sessionId, srcOutput, dstOutput);
443
444 int effectId = mFdp.ConsumeIntegral<int32_t>();
445 sessionId = static_cast<audio_session_t>(mFdp.ConsumeIntegral<int32_t>());
446 af->setEffectSuspended(effectId, sessionId, mFdp.ConsumeBool());
447 return NO_ERROR;
448}
449
450void AudioFlingerFuzzer::invokeAudioSystem() {
451 AudioSystem::muteMicrophone(mFdp.ConsumeBool());
452 AudioSystem::setMasterMute(mFdp.ConsumeBool());
453 AudioSystem::setMasterVolume(mFdp.ConsumeFloatingPoint<float>());
454 AudioSystem::setMasterBalance(mFdp.ConsumeFloatingPoint<float>());
455 AudioSystem::setVoiceVolume(mFdp.ConsumeFloatingPoint<float>());
456
457 float volume;
458 AudioSystem::getMasterVolume(&volume);
459
460 bool state;
461 AudioSystem::getMasterMute(&state);
462 AudioSystem::isMicrophoneMuted(&state);
463
464 audio_stream_type_t stream = getValue(&mFdp, kStreamtypes);
465 AudioSystem::setStreamMute(getValue(&mFdp, kStreamtypes), mFdp.ConsumeBool());
466
467 stream = getValue(&mFdp, kStreamtypes);
468 AudioSystem::setStreamVolume(stream, mFdp.ConsumeFloatingPoint<float>(),
469 mFdp.ConsumeIntegral<int32_t>());
470
471 audio_mode_t mode = getValue(&mFdp, kModes);
472 AudioSystem::setMode(mode);
473
474 size_t frameCount;
475 stream = getValue(&mFdp, kStreamtypes);
476 AudioSystem::getOutputFrameCount(&frameCount, stream);
477
478 uint32_t latency;
479 stream = getValue(&mFdp, kStreamtypes);
480 AudioSystem::getOutputLatency(&latency, stream);
481
482 stream = getValue(&mFdp, kStreamtypes);
483 AudioSystem::getStreamVolume(stream, &volume, mFdp.ConsumeIntegral<int32_t>());
484
485 stream = getValue(&mFdp, kStreamtypes);
486 AudioSystem::getStreamMute(stream, &state);
487
488 uint32_t samplingRate;
489 AudioSystem::getSamplingRate(mFdp.ConsumeIntegral<int32_t>(), &samplingRate);
490
491 AudioSystem::getFrameCount(mFdp.ConsumeIntegral<int32_t>(), &frameCount);
492 AudioSystem::getLatency(mFdp.ConsumeIntegral<int32_t>(), &latency);
493 AudioSystem::setVoiceVolume(mFdp.ConsumeFloatingPoint<float>());
494
495 uint32_t halFrames;
496 uint32_t dspFrames;
497 AudioSystem::getRenderPosition(mFdp.ConsumeIntegral<int32_t>(), &halFrames, &dspFrames);
498
499 AudioSystem::getInputFramesLost(mFdp.ConsumeIntegral<int32_t>());
500 AudioSystem::getInputFramesLost(mFdp.ConsumeIntegral<int32_t>());
501
502 audio_unique_id_use_t uniqueIdUse = getValue(&mFdp, kUniqueIds);
503 AudioSystem::newAudioUniqueId(uniqueIdUse);
504
505 audio_session_t sessionId = getValue(&mFdp, kSessionId);
506 pid_t pid = mFdp.ConsumeBool() ? getpid() : mFdp.ConsumeIntegral<int32_t>();
507 uid_t uid = mFdp.ConsumeBool() ? getuid() : mFdp.ConsumeIntegral<int32_t>();
508 AudioSystem::acquireAudioSessionId(sessionId, pid, uid);
509
510 pid = mFdp.ConsumeBool() ? getpid() : mFdp.ConsumeIntegral<int32_t>();
511 sessionId = getValue(&mFdp, kSessionId);
512 AudioSystem::releaseAudioSessionId(sessionId, pid);
513
514 sessionId = getValue(&mFdp, kSessionId);
515 AudioSystem::getAudioHwSyncForSession(sessionId);
516
517 AudioSystem::systemReady();
518 AudioSystem::getFrameCountHAL(mFdp.ConsumeIntegral<int32_t>(), &frameCount);
519
520 size_t buffSize;
521 uint32_t sampleRate = mFdp.ConsumeIntegral<uint32_t>();
522 audio_format_t format = getValue(&mFdp, kFormats);
523 audio_channel_mask_t channelMask = getValue(&mFdp, kChannelMasks);
524 AudioSystem::getInputBufferSize(sampleRate, format, channelMask, &buffSize);
525
526 AudioSystem::getPrimaryOutputSamplingRate();
527 AudioSystem::getPrimaryOutputFrameCount();
528 AudioSystem::setLowRamDevice(mFdp.ConsumeBool(), mFdp.ConsumeIntegral<int64_t>());
529
530 std::vector<media::MicrophoneInfo> microphones;
531 AudioSystem::getMicrophones(&microphones);
532
533 std::vector<pid_t> pids;
534 pids.insert(pids.begin(), getpid());
535 for (int i = 1; i < mFdp.ConsumeIntegralInRange<int32_t>(2, MAX_ARRAY_LENGTH); ++i) {
536 pids.insert(pids.begin() + i, static_cast<pid_t>(mFdp.ConsumeIntegral<int32_t>()));
537 }
538 AudioSystem::setAudioHalPids(pids);
539 sp<IAudioFlinger> af = AudioSystem::get_audio_flinger();
540 if (!af) {
541 return;
542 }
543 af->setRecordSilenced(mFdp.ConsumeIntegral<uint32_t>(), mFdp.ConsumeBool());
544
545 float balance = mFdp.ConsumeFloatingPoint<float>();
546 af->getMasterBalance(&balance);
547 af->invalidateStream(static_cast<audio_stream_type_t>(mFdp.ConsumeIntegral<uint32_t>()));
548}
549
550status_t AudioFlingerFuzzer::invokeAudioInputDevice() {
551 sp<IAudioFlinger> af = AudioSystem::get_audio_flinger();
552 if (!af) {
553 return NO_ERROR;
554 }
555
556 audio_config_t config = {};
557 audio_module_handle_t module = mFdp.ConsumeIntegral<int32_t>();
558 audio_io_handle_t input = mFdp.ConsumeIntegral<int32_t>();
559 config.frame_count = mFdp.ConsumeIntegral<uint32_t>();
560 String8 address = static_cast<String8>(mFdp.ConsumeRandomLengthString().c_str());
561
562 config.channel_mask = getValue(&mFdp, kChannelMasks);
563 config.format = getValue(&mFdp, kFormats);
564
565 config.offload_info = AUDIO_INFO_INITIALIZER;
566 config.offload_info.bit_rate = mFdp.ConsumeIntegral<uint32_t>();
567 config.offload_info.bit_width = mFdp.ConsumeIntegral<uint32_t>();
568 config.offload_info.content_id = mFdp.ConsumeIntegral<uint32_t>();
569 config.offload_info.channel_mask = getValue(&mFdp, kChannelMasks);
570 config.offload_info.duration_us = mFdp.ConsumeIntegral<int64_t>();
571 config.offload_info.encapsulation_mode = getValue(&mFdp, kEncapsulation);
572 config.offload_info.format = getValue(&mFdp, kFormats);
573 config.offload_info.has_video = mFdp.ConsumeBool();
574 config.offload_info.is_streaming = mFdp.ConsumeBool();
575 config.offload_info.sample_rate = (mFdp.ConsumeIntegral<uint32_t>());
576 config.offload_info.sync_id = mFdp.ConsumeIntegral<uint32_t>();
577 config.offload_info.stream_type = getValue(&mFdp, kStreamtypes);
578 config.offload_info.usage = getValue(&mFdp, kUsages);
579
580 config.sample_rate = mFdp.ConsumeIntegral<uint32_t>();
581
582 audio_devices_t device = getValue(&mFdp, kDevices);
583 audio_source_t source = getValue(&mFdp, kInputSources);
584 audio_input_flags_t flags = getValue(&mFdp, kInputFlags);
585
586 AudioDeviceTypeAddr deviceTypeAddr(device, address.c_str());
587
588 media::OpenInputRequest request{};
589 request.module = VALUE_OR_RETURN_STATUS(legacy2aidl_audio_module_handle_t_int32_t(module));
590 request.input = VALUE_OR_RETURN_STATUS(legacy2aidl_audio_io_handle_t_int32_t(input));
591 request.config = VALUE_OR_RETURN_STATUS(legacy2aidl_audio_config_t_AudioConfig(config));
592 request.device = VALUE_OR_RETURN_STATUS(legacy2aidl_AudioDeviceTypeAddress(deviceTypeAddr));
593 request.source = VALUE_OR_RETURN_STATUS(legacy2aidl_audio_source_t_AudioSourceType(source));
594 request.flags = VALUE_OR_RETURN_STATUS(legacy2aidl_audio_input_flags_t_int32_t_mask(flags));
595
596 media::OpenInputResponse response{};
597 status_t status = af->openInput(request, &response);
598 if (status != NO_ERROR) {
599 return NO_ERROR;
600 }
601
602 input = VALUE_OR_RETURN_STATUS(aidl2legacy_int32_t_audio_module_handle_t(response.input));
603 af->closeInput(input);
604 return NO_ERROR;
605}
606
607status_t AudioFlingerFuzzer::invokeAudioOutputDevice() {
608 sp<IAudioFlinger> af = AudioSystem::get_audio_flinger();
609 if (!af) {
610 return NO_ERROR;
611 }
612
613 audio_config_t config = {};
614 audio_module_handle_t module = mFdp.ConsumeIntegral<int32_t>();
615 audio_io_handle_t output = mFdp.ConsumeIntegral<int32_t>();
616 config.frame_count = mFdp.ConsumeIntegral<uint32_t>();
617 String8 address = static_cast<String8>(mFdp.ConsumeRandomLengthString().c_str());
618
619 config.channel_mask = getValue(&mFdp, kChannelMasks);
620
621 config.offload_info = AUDIO_INFO_INITIALIZER;
622 config.offload_info.bit_rate = mFdp.ConsumeIntegral<uint32_t>();
623 config.offload_info.bit_width = mFdp.ConsumeIntegral<uint32_t>();
624 config.offload_info.channel_mask = getValue(&mFdp, kChannelMasks);
625 config.offload_info.content_id = mFdp.ConsumeIntegral<uint32_t>();
626 config.offload_info.duration_us = mFdp.ConsumeIntegral<int64_t>();
627 config.offload_info.encapsulation_mode = getValue(&mFdp, kEncapsulation);
628 config.offload_info.format = getValue(&mFdp, kFormats);
629 config.offload_info.has_video = mFdp.ConsumeBool();
630 config.offload_info.is_streaming = mFdp.ConsumeBool();
631 config.offload_info.sample_rate = mFdp.ConsumeIntegral<uint32_t>();
632 config.offload_info.stream_type = getValue(&mFdp, kStreamtypes);
633 config.offload_info.sync_id = mFdp.ConsumeIntegral<uint32_t>();
634 config.offload_info.usage = getValue(&mFdp, kUsages);
635
636 config.format = getValue(&mFdp, kFormats);
637 config.sample_rate = mFdp.ConsumeIntegral<uint32_t>();
638
639 sp<DeviceDescriptorBase> device = new DeviceDescriptorBase(getValue(&mFdp, kDevices));
640 audio_output_flags_t flags = getValue(&mFdp, kOutputFlags);
641
642 media::OpenOutputRequest request{};
643 media::OpenOutputResponse response{};
644
645 request.module = VALUE_OR_RETURN_STATUS(legacy2aidl_audio_module_handle_t_int32_t(module));
646 request.config = VALUE_OR_RETURN_STATUS(legacy2aidl_audio_config_t_AudioConfig(config));
647 request.device = VALUE_OR_RETURN_STATUS(legacy2aidl_DeviceDescriptorBase(device));
648 request.flags = VALUE_OR_RETURN_STATUS(legacy2aidl_audio_output_flags_t_int32_t_mask(flags));
649
650 status_t status = af->openOutput(request, &response);
651 if (status != NO_ERROR) {
652 return NO_ERROR;
653 }
654 output = VALUE_OR_RETURN_STATUS(aidl2legacy_int32_t_audio_io_handle_t(response.output));
655
656 audio_io_handle_t output1 = mFdp.ConsumeIntegral<int32_t>();
657 af->openDuplicateOutput(output, output1);
658 af->suspendOutput(output);
659 af->restoreOutput(output);
660 af->closeOutput(output);
661 return NO_ERROR;
662}
663
664void AudioFlingerFuzzer::invokeAudioPatch() {
665 sp<IAudioFlinger> af = AudioSystem::get_audio_flinger();
666 if (!af) {
667 return;
668 }
669 struct audio_patch patch = {};
670 audio_patch_handle_t handle = mFdp.ConsumeIntegral<int32_t>();
671
672 patch.id = mFdp.ConsumeIntegral<int32_t>();
673 patch.num_sources = mFdp.ConsumeIntegral<uint32_t>();
674 patch.num_sinks = mFdp.ConsumeIntegral<uint32_t>();
675
676 for (int i = 0; i < AUDIO_PATCH_PORTS_MAX; ++i) {
677 patch.sources[i].config_mask = mFdp.ConsumeIntegral<uint32_t>();
678 patch.sources[i].channel_mask = getValue(&mFdp, kChannelMasks);
679 patch.sources[i].format = getValue(&mFdp, kFormats);
680 patch.sources[i].gain.channel_mask = getValue(&mFdp, kChannelMasks);
681 patch.sources[i].gain.index = mFdp.ConsumeIntegral<int32_t>();
682 patch.sources[i].gain.mode = getValue(&mFdp, kGainModes);
683 patch.sources[i].gain.ramp_duration_ms = mFdp.ConsumeIntegral<uint32_t>();
684 patch.sources[i].id = static_cast<audio_format_t>(mFdp.ConsumeIntegral<int32_t>());
685 patch.sources[i].role = getValue(&mFdp, kPortRoles);
686 patch.sources[i].sample_rate = mFdp.ConsumeIntegral<uint32_t>();
687 patch.sources[i].type = getValue(&mFdp, kPortTypes);
688
689 patch.sinks[i].config_mask = mFdp.ConsumeIntegral<uint32_t>();
690 patch.sinks[i].channel_mask = getValue(&mFdp, kChannelMasks);
691 patch.sinks[i].format = getValue(&mFdp, kFormats);
692 patch.sinks[i].gain.channel_mask = getValue(&mFdp, kChannelMasks);
693 patch.sinks[i].gain.index = mFdp.ConsumeIntegral<int32_t>();
694 patch.sinks[i].gain.mode = getValue(&mFdp, kGainModes);
695 patch.sinks[i].gain.ramp_duration_ms = mFdp.ConsumeIntegral<uint32_t>();
696 patch.sinks[i].id = static_cast<audio_format_t>(mFdp.ConsumeIntegral<int32_t>());
697 patch.sinks[i].role = getValue(&mFdp, kPortRoles);
698 patch.sinks[i].sample_rate = mFdp.ConsumeIntegral<uint32_t>();
699 patch.sinks[i].type = getValue(&mFdp, kPortTypes);
700 }
701
702 status_t status = af->createAudioPatch(&patch, &handle);
703 if (status != NO_ERROR) {
704 return;
705 }
706
707 unsigned int num_patches = mFdp.ConsumeIntegral<uint32_t>();
708 struct audio_patch patches = {};
709 af->listAudioPatches(&num_patches, &patches);
710 af->releaseAudioPatch(handle);
711}
712
713void AudioFlingerFuzzer::process() {
714 invokeAudioEffect();
715 invokeAudioInputDevice();
716 invokeAudioOutputDevice();
717 invokeAudioPatch();
718 invokeAudioRecord();
719 invokeAudioSystem();
720 invokeAudioTrack();
721}
722
723extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
724 if (size < 1) {
725 return 0;
726 }
727 AudioFlingerFuzzer audioFuzzer(data, size);
728 audioFuzzer.process();
729 return 0;
730}