Gitiles
Code Review Sign In
review.evervolv.com / android_frameworks_av / bda4575c36ad11b0870ccdb50dcb3a04573d6782 / . / media / libaudioclient / fuzzer / audioflinger_fuzzer.cpp
blob: 1b75917d2f9fcd1beeaf44725d27fcbbb242a67f [file] [log] [blame]
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]1/*
2 * Copyright (C) 2021 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at:
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 *
16 */
17
18/**
19 * NOTE
20 * 1) The input to AudioFlinger binder calls are fuzzed in this fuzzer
21 * 2) AudioFlinger crashes due to the fuzzer are detected by the
22 Binder DeathRecipient, where the fuzzer aborts if AudioFlinger dies
23 */
24
25#include <android_audio_policy_configuration_V7_0-enums.h>
Philip P. Moltmannbda45752020-07-17 16:41:18 -0700[diff] [blame^]26#include <android/media/permission/Identity.h>
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]27#include <binder/IServiceManager.h>
28#include <binder/MemoryDealer.h>
Philip P. Moltmannbda45752020-07-17 16:41:18 -0700[diff] [blame^]29#include <media/AidlConversion.h>
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]30#include <media/AudioEffect.h>
31#include <media/AudioRecord.h>
32#include <media/AudioSystem.h>
33#include <media/AudioTrack.h>
34#include <media/IAudioFlinger.h>
35#include "fuzzer/FuzzedDataProvider.h"
36
37#define MAX_STRING_LENGTH 256
38#define MAX_ARRAY_LENGTH 256
39
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]40constexpr int32_t kMinSampleRateHz = 4000;
41constexpr int32_t kMaxSampleRateHz = 192000;
42constexpr int32_t kSampleRateUnspecified = 0;
43
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]44using namespace std;
45using namespace android;
46
47namespace xsd {
48using namespace ::android::audio::policy::configuration::V7_0;
49}
50
Philip P. Moltmannbda45752020-07-17 16:41:18 -0700[diff] [blame^]51using media::permission::Identity;
52
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]53constexpr audio_unique_id_use_t kUniqueIds[] = {
54 AUDIO_UNIQUE_ID_USE_UNSPECIFIED, AUDIO_UNIQUE_ID_USE_SESSION, AUDIO_UNIQUE_ID_USE_MODULE,
55 AUDIO_UNIQUE_ID_USE_EFFECT, AUDIO_UNIQUE_ID_USE_PATCH, AUDIO_UNIQUE_ID_USE_OUTPUT,
56 AUDIO_UNIQUE_ID_USE_INPUT, AUDIO_UNIQUE_ID_USE_CLIENT, AUDIO_UNIQUE_ID_USE_MAX,
57};
58
59constexpr audio_mode_t kModes[] = {
60 AUDIO_MODE_INVALID, AUDIO_MODE_CURRENT, AUDIO_MODE_NORMAL, AUDIO_MODE_RINGTONE,
61 AUDIO_MODE_IN_CALL, AUDIO_MODE_IN_COMMUNICATION, AUDIO_MODE_CALL_SCREEN};
62
63constexpr audio_session_t kSessionId[] = {AUDIO_SESSION_NONE, AUDIO_SESSION_OUTPUT_STAGE,
64 AUDIO_SESSION_DEVICE};
65
66constexpr audio_encapsulation_mode_t kEncapsulation[] = {
67 AUDIO_ENCAPSULATION_MODE_NONE,
68 AUDIO_ENCAPSULATION_MODE_ELEMENTARY_STREAM,
69 AUDIO_ENCAPSULATION_MODE_HANDLE,
70};
71
72constexpr audio_port_role_t kPortRoles[] = {
73 AUDIO_PORT_ROLE_NONE,
74 AUDIO_PORT_ROLE_SOURCE,
75 AUDIO_PORT_ROLE_SINK,
76};
77
78constexpr audio_port_type_t kPortTypes[] = {
79 AUDIO_PORT_TYPE_NONE,
80 AUDIO_PORT_TYPE_DEVICE,
81 AUDIO_PORT_TYPE_MIX,
82 AUDIO_PORT_TYPE_SESSION,
83};
84
85template <typename T, typename X, typename FUNC>
86std::vector<T> getFlags(const xsdc_enum_range<X> &range, const FUNC &func,
87 const std::string &findString = {}) {
88 std::vector<T> vec;
89 for (const auto &xsdEnumVal : range) {
90 T enumVal;
91 std::string enumString = toString(xsdEnumVal);
92 if (enumString.find(findString) != std::string::npos &&
93 func(enumString.c_str(), &enumVal)) {
94 vec.push_back(enumVal);
95 }
96 }
97 return vec;
98}
99
100static const std::vector<audio_stream_type_t> kStreamtypes =
101 getFlags<audio_stream_type_t, xsd::AudioStreamType, decltype(audio_stream_type_from_string)>(
102 xsdc_enum_range<xsd::AudioStreamType>{}, audio_stream_type_from_string);
103
104static const std::vector<audio_format_t> kFormats =
105 getFlags<audio_format_t, xsd::AudioFormat, decltype(audio_format_from_string)>(
106 xsdc_enum_range<xsd::AudioFormat>{}, audio_format_from_string);
107
108static const std::vector<audio_channel_mask_t> kChannelMasks =
109 getFlags<audio_channel_mask_t, xsd::AudioChannelMask, decltype(audio_channel_mask_from_string)>(
110 xsdc_enum_range<xsd::AudioChannelMask>{}, audio_channel_mask_from_string);
111
112static const std::vector<audio_usage_t> kUsages =
113 getFlags<audio_usage_t, xsd::AudioUsage, decltype(audio_usage_from_string)>(
114 xsdc_enum_range<xsd::AudioUsage>{}, audio_usage_from_string);
115
116static const std::vector<audio_content_type_t> kContentType =
117 getFlags<audio_content_type_t, xsd::AudioContentType, decltype(audio_content_type_from_string)>(
118 xsdc_enum_range<xsd::AudioContentType>{}, audio_content_type_from_string);
119
120static const std::vector<audio_source_t> kInputSources =
121 getFlags<audio_source_t, xsd::AudioSource, decltype(audio_source_from_string)>(
122 xsdc_enum_range<xsd::AudioSource>{}, audio_source_from_string);
123
124static const std::vector<audio_gain_mode_t> kGainModes =
125 getFlags<audio_gain_mode_t, xsd::AudioGainMode, decltype(audio_gain_mode_from_string)>(
126 xsdc_enum_range<xsd::AudioGainMode>{}, audio_gain_mode_from_string);
127
128static const std::vector<audio_devices_t> kDevices =
129 getFlags<audio_devices_t, xsd::AudioDevice, decltype(audio_device_from_string)>(
130 xsdc_enum_range<xsd::AudioDevice>{}, audio_device_from_string);
131
132static const std::vector<audio_input_flags_t> kInputFlags =
133 getFlags<audio_input_flags_t, xsd::AudioInOutFlag, decltype(audio_input_flag_from_string)>(
134 xsdc_enum_range<xsd::AudioInOutFlag>{}, audio_input_flag_from_string, "_INPUT_");
135
136static const std::vector<audio_output_flags_t> kOutputFlags =
137 getFlags<audio_output_flags_t, xsd::AudioInOutFlag, decltype(audio_output_flag_from_string)>(
138 xsdc_enum_range<xsd::AudioInOutFlag>{}, audio_output_flag_from_string, "_OUTPUT_");
139
140template <typename T, size_t size>
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]141T getValue(FuzzedDataProvider *fdp, const T (&arr)[size]) {
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]142 return arr[fdp->ConsumeIntegralInRange<int32_t>(0, size - 1)];
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]143}
144
145template <typename T>
146T getValue(FuzzedDataProvider *fdp, std::vector<T> vec) {
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]147 return vec[fdp->ConsumeIntegralInRange<int32_t>(0, vec.size() - 1)];
148}
149
150int32_t getSampleRate(FuzzedDataProvider *fdp) {
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]151 if (fdp->ConsumeBool()) {
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]152 return fdp->ConsumeIntegralInRange<int32_t>(kMinSampleRateHz, kMaxSampleRateHz);
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]153 }
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]154 return kSampleRateUnspecified;
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]155}
156
157class DeathNotifier : public IBinder::DeathRecipient {
158 public:
159 void binderDied(const wp<IBinder> &) { abort(); }
160};
161
162class AudioFlingerFuzzer {
163 public:
164 AudioFlingerFuzzer(const uint8_t *data, size_t size);
165 void process();
166
167 private:
168 FuzzedDataProvider mFdp;
169 void invokeAudioTrack();
170 void invokeAudioRecord();
171 status_t invokeAudioEffect();
172 void invokeAudioSystem();
173 status_t invokeAudioInputDevice();
174 status_t invokeAudioOutputDevice();
175 void invokeAudioPatch();
176
177 sp<DeathNotifier> mDeathNotifier;
178};
179
180AudioFlingerFuzzer::AudioFlingerFuzzer(const uint8_t *data, size_t size) : mFdp(data, size) {
181 sp<IServiceManager> sm = defaultServiceManager();
182 sp<IBinder> binder = sm->getService(String16("media.audio_flinger"));
183 if (binder == nullptr) {
184 return;
185 }
186 mDeathNotifier = new DeathNotifier();
187 binder->linkToDeath(mDeathNotifier);
188}
189
190void AudioFlingerFuzzer::invokeAudioTrack() {
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]191 uint32_t sampleRate = getSampleRate(&mFdp);
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]192 audio_format_t format = getValue(&mFdp, kFormats);
193 audio_channel_mask_t channelMask = getValue(&mFdp, kChannelMasks);
194 size_t frameCount = static_cast<size_t>(mFdp.ConsumeIntegral<uint32_t>());
195 int32_t notificationFrames = mFdp.ConsumeIntegral<int32_t>();
196 uint32_t useSharedBuffer = mFdp.ConsumeBool();
197 audio_output_flags_t flags = getValue(&mFdp, kOutputFlags);
198 audio_session_t sessionId = getValue(&mFdp, kSessionId);
199 audio_usage_t usage = getValue(&mFdp, kUsages);
200 audio_content_type_t contentType = getValue(&mFdp, kContentType);
201 audio_attributes_t attributes = {};
202 sp<IMemory> sharedBuffer;
203 sp<MemoryDealer> heap = nullptr;
204 audio_offload_info_t offloadInfo = AUDIO_INFO_INITIALIZER;
205
206 bool offload = false;
207 bool fast = ((flags & AUDIO_OUTPUT_FLAG_FAST) != 0);
208
209 if (useSharedBuffer != 0) {
210 size_t heapSize = audio_channel_count_from_out_mask(channelMask) *
211 audio_bytes_per_sample(format) * frameCount;
212 heap = new MemoryDealer(heapSize, "AudioTrack Heap Base");
213 sharedBuffer = heap->allocate(heapSize);
214 frameCount = 0;
215 notificationFrames = 0;
216 }
217 if ((flags & AUDIO_OUTPUT_FLAG_COMPRESS_OFFLOAD) != 0) {
218 offloadInfo.sample_rate = sampleRate;
219 offloadInfo.channel_mask = channelMask;
220 offloadInfo.format = format;
221 offload = true;
222 }
223
224 attributes.content_type = contentType;
225 attributes.usage = usage;
226 sp<AudioTrack> track = new AudioTrack();
227
Philip P. Moltmannbda45752020-07-17 16:41:18 -0700[diff] [blame^]228 // TODO b/182392769: use identity util
229 Identity i;
230 i.uid = VALUE_OR_FATAL(legacy2aidl_uid_t_int32_t(getuid()));
231 i.pid = VALUE_OR_FATAL(legacy2aidl_pid_t_int32_t(getpid()));
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]232 track->set(AUDIO_STREAM_DEFAULT, sampleRate, format, channelMask, frameCount, flags, nullptr,
233 nullptr, notificationFrames, sharedBuffer, false, sessionId,
234 ((fast && sharedBuffer == 0) || offload) ? AudioTrack::TRANSFER_CALLBACK
235 : AudioTrack::TRANSFER_DEFAULT,
Philip P. Moltmannbda45752020-07-17 16:41:18 -0700[diff] [blame^]236 offload ? &offloadInfo : nullptr, i, &attributes, false, 1.0f,
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]237 AUDIO_PORT_HANDLE_NONE);
238
239 status_t status = track->initCheck();
240 if (status != NO_ERROR) {
241 track.clear();
242 return;
243 }
244 track->getSampleRate();
245 track->latency();
246 track->getUnderrunCount();
247 track->streamType();
248 track->channelCount();
249 track->getNotificationPeriodInFrames();
250 uint32_t bufferSizeInFrames = mFdp.ConsumeIntegral<uint32_t>();
251 track->setBufferSizeInFrames(bufferSizeInFrames);
252 track->getBufferSizeInFrames();
253
254 int64_t duration = mFdp.ConsumeIntegral<int64_t>();
255 track->getBufferDurationInUs(&duration);
256 sp<IMemory> sharedBuffer2 = track->sharedBuffer();
257 track->setCallerName(mFdp.ConsumeRandomLengthString(MAX_STRING_LENGTH));
258
259 track->setVolume(mFdp.ConsumeFloatingPoint<float>(), mFdp.ConsumeFloatingPoint<float>());
260 track->setVolume(mFdp.ConsumeFloatingPoint<float>());
261 track->setAuxEffectSendLevel(mFdp.ConsumeFloatingPoint<float>());
262
263 float auxEffectSendLevel;
264 track->getAuxEffectSendLevel(&auxEffectSendLevel);
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]265 track->setSampleRate(getSampleRate(&mFdp));
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]266 track->getSampleRate();
267 track->getOriginalSampleRate();
268
269 AudioPlaybackRate playbackRate = {};
270 playbackRate.mSpeed = mFdp.ConsumeFloatingPoint<float>();
271 playbackRate.mPitch = mFdp.ConsumeFloatingPoint<float>();
272 track->setPlaybackRate(playbackRate);
273 track->getPlaybackRate();
274 track->setLoop(mFdp.ConsumeIntegral<uint32_t>(), mFdp.ConsumeIntegral<uint32_t>(),
275 mFdp.ConsumeIntegral<uint32_t>());
276 track->setMarkerPosition(mFdp.ConsumeIntegral<uint32_t>());
277
278 uint32_t marker = {};
279 track->getMarkerPosition(&marker);
280 track->setPositionUpdatePeriod(mFdp.ConsumeIntegral<uint32_t>());
281
282 uint32_t updatePeriod = {};
283 track->getPositionUpdatePeriod(&updatePeriod);
284 track->setPosition(mFdp.ConsumeIntegral<uint32_t>());
285 uint32_t position = {};
286 track->getPosition(&position);
287 track->getBufferPosition(&position);
288 track->reload();
289 track->start();
290 track->pause();
291 track->flush();
292 track->stop();
293 track->stopped();
294}
295
296void AudioFlingerFuzzer::invokeAudioRecord() {
297 int32_t notificationFrames = mFdp.ConsumeIntegral<int32_t>();
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]298 uint32_t sampleRate = getSampleRate(&mFdp);
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]299 size_t frameCount = static_cast<size_t>(mFdp.ConsumeIntegral<uint32_t>());
300 audio_format_t format = getValue(&mFdp, kFormats);
301 audio_channel_mask_t channelMask = getValue(&mFdp, kChannelMasks);
302 audio_input_flags_t flags = getValue(&mFdp, kInputFlags);
303 audio_session_t sessionId = getValue(&mFdp, kSessionId);
304 audio_source_t inputSource = getValue(&mFdp, kInputSources);
305
306 audio_attributes_t attributes = {};
307 bool fast = ((flags & AUDIO_OUTPUT_FLAG_FAST) != 0);
308
309 attributes.source = inputSource;
310
Philip P. Moltmannbda45752020-07-17 16:41:18 -0700[diff] [blame^]311 // TODO b/182392769: use identity util
312 Identity i;
313 i.packageName = std::string(mFdp.ConsumeRandomLengthString().c_str());
314 sp<AudioRecord> record = new AudioRecord(i);
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]315 record->set(AUDIO_SOURCE_DEFAULT, sampleRate, format, channelMask, frameCount, nullptr, nullptr,
316 notificationFrames, false, sessionId,
317 fast ? AudioRecord::TRANSFER_CALLBACK : AudioRecord::TRANSFER_DEFAULT, flags,
318 getuid(), getpid(), &attributes, AUDIO_PORT_HANDLE_NONE);
319 status_t status = record->initCheck();
320 if (status != NO_ERROR) {
321 return;
322 }
323 record->latency();
324 record->format();
325 record->channelCount();
326 record->frameCount();
327 record->frameSize();
328 record->inputSource();
329 record->getNotificationPeriodInFrames();
330 record->start();
331 record->stop();
332 record->stopped();
333
334 uint32_t marker = mFdp.ConsumeIntegral<uint32_t>();
335 record->setMarkerPosition(marker);
336 record->getMarkerPosition(&marker);
337
338 uint32_t updatePeriod = mFdp.ConsumeIntegral<uint32_t>();
339 record->setPositionUpdatePeriod(updatePeriod);
340 record->getPositionUpdatePeriod(&updatePeriod);
341
342 uint32_t position;
343 record->getPosition(&position);
344
345 ExtendedTimestamp timestamp;
346 record->getTimestamp(&timestamp);
347 record->getSessionId();
348 record->getCallerName();
349 android::AudioRecord::Buffer audioBuffer;
350 int32_t waitCount = mFdp.ConsumeIntegral<int32_t>();
351 size_t nonContig = static_cast<size_t>(mFdp.ConsumeIntegral<uint32_t>());
352 audioBuffer.frameCount = static_cast<size_t>(mFdp.ConsumeIntegral<uint32_t>());
353 record->obtainBuffer(&audioBuffer, waitCount, &nonContig);
354 bool blocking = false;
355 record->read(audioBuffer.raw, audioBuffer.size, blocking);
356 record->getInputFramesLost();
357 record->getFlags();
358
359 std::vector<media::MicrophoneInfo> activeMicrophones;
360 record->getActiveMicrophones(&activeMicrophones);
361 record->releaseBuffer(&audioBuffer);
362
363 audio_port_handle_t deviceId =
364 static_cast<audio_port_handle_t>(mFdp.ConsumeIntegral<int32_t>());
365 record->setInputDevice(deviceId);
366 record->getInputDevice();
367 record->getRoutedDeviceId();
368 record->getPortId();
369}
370
371struct EffectClient : public android::media::BnEffectClient {
372 EffectClient() {}
373 binder::Status controlStatusChanged(bool controlGranted __unused) override {
374 return binder::Status::ok();
375 }
376 binder::Status enableStatusChanged(bool enabled __unused) override {
377 return binder::Status::ok();
378 }
379 binder::Status commandExecuted(int32_t cmdCode __unused,
380 const std::vector<uint8_t> &cmdData __unused,
381 const std::vector<uint8_t> &replyData __unused) override {
382 return binder::Status::ok();
383 }
384};
385
386status_t AudioFlingerFuzzer::invokeAudioEffect() {
387 effect_uuid_t type;
388 type.timeLow = mFdp.ConsumeIntegral<uint32_t>();
389 type.timeMid = mFdp.ConsumeIntegral<uint16_t>();
390 type.timeHiAndVersion = mFdp.ConsumeIntegral<uint16_t>();
391 type.clockSeq = mFdp.ConsumeIntegral<uint16_t>();
392 for (int i = 0; i < 6; ++i) {
393 type.node[i] = mFdp.ConsumeIntegral<uint8_t>();
394 }
395
396 effect_descriptor_t descriptor = {};
397 descriptor.type = type;
398 descriptor.uuid = *EFFECT_UUID_NULL;
399
400 sp<EffectClient> effectClient(new EffectClient());
401
402 const int32_t priority = mFdp.ConsumeIntegral<int32_t>();
403 audio_session_t sessionId = static_cast<audio_session_t>(mFdp.ConsumeIntegral<int32_t>());
404 const audio_io_handle_t io = mFdp.ConsumeIntegral<int32_t>();
Philip P. Moltmannbda45752020-07-17 16:41:18 -0700[diff] [blame^]405 std::string opPackageName = static_cast<std::string>(mFdp.ConsumeRandomLengthString().c_str());
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]406 AudioDeviceTypeAddr device;
407
408 sp<IAudioFlinger> af = AudioSystem::get_audio_flinger();
409 if (!af) {
410 return NO_ERROR;
411 }
412
413 media::CreateEffectRequest request{};
414 request.desc =
415 VALUE_OR_RETURN_STATUS(legacy2aidl_effect_descriptor_t_EffectDescriptor(descriptor));
416 request.client = effectClient;
417 request.priority = priority;
418 request.output = io;
419 request.sessionId = sessionId;
420 request.device = VALUE_OR_RETURN_STATUS(legacy2aidl_AudioDeviceTypeAddress(device));
Philip P. Moltmannbda45752020-07-17 16:41:18 -0700[diff] [blame^]421 // TODO b/182392769: use identity util
422 request.identity.packageName = opPackageName;
423 request.identity.pid = VALUE_OR_RETURN_STATUS(legacy2aidl_pid_t_int32_t(getpid()));
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]424 request.probe = false;
425
426 media::CreateEffectResponse response{};
427 status_t status = af->createEffect(request, &response);
428
429 if (status != OK) {
430 return NO_ERROR;
431 }
432
433 descriptor =
434 VALUE_OR_RETURN_STATUS(aidl2legacy_EffectDescriptor_effect_descriptor_t(response.desc));
435
436 uint32_t numEffects;
437 af->queryNumberEffects(&numEffects);
438
439 uint32_t queryIndex = mFdp.ConsumeIntegral<uint32_t>();
440 af->queryEffect(queryIndex, &descriptor);
441
442 effect_descriptor_t getDescriptor;
443 uint32_t preferredTypeFlag = mFdp.ConsumeIntegral<int32_t>();
444 af->getEffectDescriptor(&descriptor.uuid, &descriptor.type, preferredTypeFlag, &getDescriptor);
445
446 sessionId = static_cast<audio_session_t>(mFdp.ConsumeIntegral<int32_t>());
447 audio_io_handle_t srcOutput = mFdp.ConsumeIntegral<int32_t>();
448 audio_io_handle_t dstOutput = mFdp.ConsumeIntegral<int32_t>();
449 af->moveEffects(sessionId, srcOutput, dstOutput);
450
451 int effectId = mFdp.ConsumeIntegral<int32_t>();
452 sessionId = static_cast<audio_session_t>(mFdp.ConsumeIntegral<int32_t>());
453 af->setEffectSuspended(effectId, sessionId, mFdp.ConsumeBool());
454 return NO_ERROR;
455}
456
457void AudioFlingerFuzzer::invokeAudioSystem() {
458 AudioSystem::muteMicrophone(mFdp.ConsumeBool());
459 AudioSystem::setMasterMute(mFdp.ConsumeBool());
460 AudioSystem::setMasterVolume(mFdp.ConsumeFloatingPoint<float>());
461 AudioSystem::setMasterBalance(mFdp.ConsumeFloatingPoint<float>());
462 AudioSystem::setVoiceVolume(mFdp.ConsumeFloatingPoint<float>());
463
464 float volume;
465 AudioSystem::getMasterVolume(&volume);
466
467 bool state;
468 AudioSystem::getMasterMute(&state);
469 AudioSystem::isMicrophoneMuted(&state);
470
471 audio_stream_type_t stream = getValue(&mFdp, kStreamtypes);
472 AudioSystem::setStreamMute(getValue(&mFdp, kStreamtypes), mFdp.ConsumeBool());
473
474 stream = getValue(&mFdp, kStreamtypes);
475 AudioSystem::setStreamVolume(stream, mFdp.ConsumeFloatingPoint<float>(),
476 mFdp.ConsumeIntegral<int32_t>());
477
478 audio_mode_t mode = getValue(&mFdp, kModes);
479 AudioSystem::setMode(mode);
480
481 size_t frameCount;
482 stream = getValue(&mFdp, kStreamtypes);
483 AudioSystem::getOutputFrameCount(&frameCount, stream);
484
485 uint32_t latency;
486 stream = getValue(&mFdp, kStreamtypes);
487 AudioSystem::getOutputLatency(&latency, stream);
488
489 stream = getValue(&mFdp, kStreamtypes);
490 AudioSystem::getStreamVolume(stream, &volume, mFdp.ConsumeIntegral<int32_t>());
491
492 stream = getValue(&mFdp, kStreamtypes);
493 AudioSystem::getStreamMute(stream, &state);
494
495 uint32_t samplingRate;
496 AudioSystem::getSamplingRate(mFdp.ConsumeIntegral<int32_t>(), &samplingRate);
497
498 AudioSystem::getFrameCount(mFdp.ConsumeIntegral<int32_t>(), &frameCount);
499 AudioSystem::getLatency(mFdp.ConsumeIntegral<int32_t>(), &latency);
500 AudioSystem::setVoiceVolume(mFdp.ConsumeFloatingPoint<float>());
501
502 uint32_t halFrames;
503 uint32_t dspFrames;
504 AudioSystem::getRenderPosition(mFdp.ConsumeIntegral<int32_t>(), &halFrames, &dspFrames);
505
506 AudioSystem::getInputFramesLost(mFdp.ConsumeIntegral<int32_t>());
507 AudioSystem::getInputFramesLost(mFdp.ConsumeIntegral<int32_t>());
508
509 audio_unique_id_use_t uniqueIdUse = getValue(&mFdp, kUniqueIds);
510 AudioSystem::newAudioUniqueId(uniqueIdUse);
511
512 audio_session_t sessionId = getValue(&mFdp, kSessionId);
513 pid_t pid = mFdp.ConsumeBool() ? getpid() : mFdp.ConsumeIntegral<int32_t>();
514 uid_t uid = mFdp.ConsumeBool() ? getuid() : mFdp.ConsumeIntegral<int32_t>();
515 AudioSystem::acquireAudioSessionId(sessionId, pid, uid);
516
517 pid = mFdp.ConsumeBool() ? getpid() : mFdp.ConsumeIntegral<int32_t>();
518 sessionId = getValue(&mFdp, kSessionId);
519 AudioSystem::releaseAudioSessionId(sessionId, pid);
520
521 sessionId = getValue(&mFdp, kSessionId);
522 AudioSystem::getAudioHwSyncForSession(sessionId);
523
524 AudioSystem::systemReady();
525 AudioSystem::getFrameCountHAL(mFdp.ConsumeIntegral<int32_t>(), &frameCount);
526
527 size_t buffSize;
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]528 uint32_t sampleRate = getSampleRate(&mFdp);
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]529 audio_format_t format = getValue(&mFdp, kFormats);
530 audio_channel_mask_t channelMask = getValue(&mFdp, kChannelMasks);
531 AudioSystem::getInputBufferSize(sampleRate, format, channelMask, &buffSize);
532
533 AudioSystem::getPrimaryOutputSamplingRate();
534 AudioSystem::getPrimaryOutputFrameCount();
535 AudioSystem::setLowRamDevice(mFdp.ConsumeBool(), mFdp.ConsumeIntegral<int64_t>());
536
537 std::vector<media::MicrophoneInfo> microphones;
538 AudioSystem::getMicrophones(&microphones);
539
540 std::vector<pid_t> pids;
541 pids.insert(pids.begin(), getpid());
542 for (int i = 1; i < mFdp.ConsumeIntegralInRange<int32_t>(2, MAX_ARRAY_LENGTH); ++i) {
543 pids.insert(pids.begin() + i, static_cast<pid_t>(mFdp.ConsumeIntegral<int32_t>()));
544 }
545 AudioSystem::setAudioHalPids(pids);
546 sp<IAudioFlinger> af = AudioSystem::get_audio_flinger();
547 if (!af) {
548 return;
549 }
550 af->setRecordSilenced(mFdp.ConsumeIntegral<uint32_t>(), mFdp.ConsumeBool());
551
552 float balance = mFdp.ConsumeFloatingPoint<float>();
553 af->getMasterBalance(&balance);
554 af->invalidateStream(static_cast<audio_stream_type_t>(mFdp.ConsumeIntegral<uint32_t>()));
555}
556
557status_t AudioFlingerFuzzer::invokeAudioInputDevice() {
558 sp<IAudioFlinger> af = AudioSystem::get_audio_flinger();
559 if (!af) {
560 return NO_ERROR;
561 }
562
563 audio_config_t config = {};
564 audio_module_handle_t module = mFdp.ConsumeIntegral<int32_t>();
565 audio_io_handle_t input = mFdp.ConsumeIntegral<int32_t>();
566 config.frame_count = mFdp.ConsumeIntegral<uint32_t>();
567 String8 address = static_cast<String8>(mFdp.ConsumeRandomLengthString().c_str());
568
569 config.channel_mask = getValue(&mFdp, kChannelMasks);
570 config.format = getValue(&mFdp, kFormats);
571
572 config.offload_info = AUDIO_INFO_INITIALIZER;
573 config.offload_info.bit_rate = mFdp.ConsumeIntegral<uint32_t>();
574 config.offload_info.bit_width = mFdp.ConsumeIntegral<uint32_t>();
575 config.offload_info.content_id = mFdp.ConsumeIntegral<uint32_t>();
576 config.offload_info.channel_mask = getValue(&mFdp, kChannelMasks);
577 config.offload_info.duration_us = mFdp.ConsumeIntegral<int64_t>();
578 config.offload_info.encapsulation_mode = getValue(&mFdp, kEncapsulation);
579 config.offload_info.format = getValue(&mFdp, kFormats);
580 config.offload_info.has_video = mFdp.ConsumeBool();
581 config.offload_info.is_streaming = mFdp.ConsumeBool();
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]582 config.offload_info.sample_rate = getSampleRate(&mFdp);
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]583 config.offload_info.sync_id = mFdp.ConsumeIntegral<uint32_t>();
584 config.offload_info.stream_type = getValue(&mFdp, kStreamtypes);
585 config.offload_info.usage = getValue(&mFdp, kUsages);
586
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]587 config.sample_rate = getSampleRate(&mFdp);
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]588
589 audio_devices_t device = getValue(&mFdp, kDevices);
590 audio_source_t source = getValue(&mFdp, kInputSources);
591 audio_input_flags_t flags = getValue(&mFdp, kInputFlags);
592
593 AudioDeviceTypeAddr deviceTypeAddr(device, address.c_str());
594
595 media::OpenInputRequest request{};
596 request.module = VALUE_OR_RETURN_STATUS(legacy2aidl_audio_module_handle_t_int32_t(module));
597 request.input = VALUE_OR_RETURN_STATUS(legacy2aidl_audio_io_handle_t_int32_t(input));
598 request.config = VALUE_OR_RETURN_STATUS(legacy2aidl_audio_config_t_AudioConfig(config));
599 request.device = VALUE_OR_RETURN_STATUS(legacy2aidl_AudioDeviceTypeAddress(deviceTypeAddr));
600 request.source = VALUE_OR_RETURN_STATUS(legacy2aidl_audio_source_t_AudioSourceType(source));
601 request.flags = VALUE_OR_RETURN_STATUS(legacy2aidl_audio_input_flags_t_int32_t_mask(flags));
602
603 media::OpenInputResponse response{};
604 status_t status = af->openInput(request, &response);
605 if (status != NO_ERROR) {
606 return NO_ERROR;
607 }
608
609 input = VALUE_OR_RETURN_STATUS(aidl2legacy_int32_t_audio_module_handle_t(response.input));
610 af->closeInput(input);
611 return NO_ERROR;
612}
613
614status_t AudioFlingerFuzzer::invokeAudioOutputDevice() {
615 sp<IAudioFlinger> af = AudioSystem::get_audio_flinger();
616 if (!af) {
617 return NO_ERROR;
618 }
619
620 audio_config_t config = {};
621 audio_module_handle_t module = mFdp.ConsumeIntegral<int32_t>();
622 audio_io_handle_t output = mFdp.ConsumeIntegral<int32_t>();
623 config.frame_count = mFdp.ConsumeIntegral<uint32_t>();
624 String8 address = static_cast<String8>(mFdp.ConsumeRandomLengthString().c_str());
625
626 config.channel_mask = getValue(&mFdp, kChannelMasks);
627
628 config.offload_info = AUDIO_INFO_INITIALIZER;
629 config.offload_info.bit_rate = mFdp.ConsumeIntegral<uint32_t>();
630 config.offload_info.bit_width = mFdp.ConsumeIntegral<uint32_t>();
631 config.offload_info.channel_mask = getValue(&mFdp, kChannelMasks);
632 config.offload_info.content_id = mFdp.ConsumeIntegral<uint32_t>();
633 config.offload_info.duration_us = mFdp.ConsumeIntegral<int64_t>();
634 config.offload_info.encapsulation_mode = getValue(&mFdp, kEncapsulation);
635 config.offload_info.format = getValue(&mFdp, kFormats);
636 config.offload_info.has_video = mFdp.ConsumeBool();
637 config.offload_info.is_streaming = mFdp.ConsumeBool();
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]638 config.offload_info.sample_rate = getSampleRate(&mFdp);
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]639 config.offload_info.stream_type = getValue(&mFdp, kStreamtypes);
640 config.offload_info.sync_id = mFdp.ConsumeIntegral<uint32_t>();
641 config.offload_info.usage = getValue(&mFdp, kUsages);
642
643 config.format = getValue(&mFdp, kFormats);
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]644 config.sample_rate = getSampleRate(&mFdp);
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]645
646 sp<DeviceDescriptorBase> device = new DeviceDescriptorBase(getValue(&mFdp, kDevices));
647 audio_output_flags_t flags = getValue(&mFdp, kOutputFlags);
648
649 media::OpenOutputRequest request{};
650 media::OpenOutputResponse response{};
651
652 request.module = VALUE_OR_RETURN_STATUS(legacy2aidl_audio_module_handle_t_int32_t(module));
653 request.config = VALUE_OR_RETURN_STATUS(legacy2aidl_audio_config_t_AudioConfig(config));
654 request.device = VALUE_OR_RETURN_STATUS(legacy2aidl_DeviceDescriptorBase(device));
655 request.flags = VALUE_OR_RETURN_STATUS(legacy2aidl_audio_output_flags_t_int32_t_mask(flags));
656
657 status_t status = af->openOutput(request, &response);
658 if (status != NO_ERROR) {
659 return NO_ERROR;
660 }
661 output = VALUE_OR_RETURN_STATUS(aidl2legacy_int32_t_audio_io_handle_t(response.output));
662
663 audio_io_handle_t output1 = mFdp.ConsumeIntegral<int32_t>();
664 af->openDuplicateOutput(output, output1);
665 af->suspendOutput(output);
666 af->restoreOutput(output);
667 af->closeOutput(output);
668 return NO_ERROR;
669}
670
671void AudioFlingerFuzzer::invokeAudioPatch() {
672 sp<IAudioFlinger> af = AudioSystem::get_audio_flinger();
673 if (!af) {
674 return;
675 }
676 struct audio_patch patch = {};
677 audio_patch_handle_t handle = mFdp.ConsumeIntegral<int32_t>();
678
679 patch.id = mFdp.ConsumeIntegral<int32_t>();
680 patch.num_sources = mFdp.ConsumeIntegral<uint32_t>();
681 patch.num_sinks = mFdp.ConsumeIntegral<uint32_t>();
682
683 for (int i = 0; i < AUDIO_PATCH_PORTS_MAX; ++i) {
684 patch.sources[i].config_mask = mFdp.ConsumeIntegral<uint32_t>();
685 patch.sources[i].channel_mask = getValue(&mFdp, kChannelMasks);
686 patch.sources[i].format = getValue(&mFdp, kFormats);
687 patch.sources[i].gain.channel_mask = getValue(&mFdp, kChannelMasks);
688 patch.sources[i].gain.index = mFdp.ConsumeIntegral<int32_t>();
689 patch.sources[i].gain.mode = getValue(&mFdp, kGainModes);
690 patch.sources[i].gain.ramp_duration_ms = mFdp.ConsumeIntegral<uint32_t>();
691 patch.sources[i].id = static_cast<audio_format_t>(mFdp.ConsumeIntegral<int32_t>());
692 patch.sources[i].role = getValue(&mFdp, kPortRoles);
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]693 patch.sources[i].sample_rate = getSampleRate(&mFdp);
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]694 patch.sources[i].type = getValue(&mFdp, kPortTypes);
695
696 patch.sinks[i].config_mask = mFdp.ConsumeIntegral<uint32_t>();
697 patch.sinks[i].channel_mask = getValue(&mFdp, kChannelMasks);
698 patch.sinks[i].format = getValue(&mFdp, kFormats);
699 patch.sinks[i].gain.channel_mask = getValue(&mFdp, kChannelMasks);
700 patch.sinks[i].gain.index = mFdp.ConsumeIntegral<int32_t>();
701 patch.sinks[i].gain.mode = getValue(&mFdp, kGainModes);
702 patch.sinks[i].gain.ramp_duration_ms = mFdp.ConsumeIntegral<uint32_t>();
703 patch.sinks[i].id = static_cast<audio_format_t>(mFdp.ConsumeIntegral<int32_t>());
704 patch.sinks[i].role = getValue(&mFdp, kPortRoles);
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]705 patch.sinks[i].sample_rate = getSampleRate(&mFdp);
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]706 patch.sinks[i].type = getValue(&mFdp, kPortTypes);
707 }
708
709 status_t status = af->createAudioPatch(&patch, &handle);
710 if (status != NO_ERROR) {
711 return;
712 }
713
714 unsigned int num_patches = mFdp.ConsumeIntegral<uint32_t>();
715 struct audio_patch patches = {};
716 af->listAudioPatches(&num_patches, &patches);
717 af->releaseAudioPatch(handle);
718}
719
720void AudioFlingerFuzzer::process() {
721 invokeAudioEffect();
722 invokeAudioInputDevice();
723 invokeAudioOutputDevice();
724 invokeAudioPatch();
725 invokeAudioRecord();
726 invokeAudioSystem();
727 invokeAudioTrack();
728}
729
730extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
731 if (size < 1) {
732 return 0;
733 }
734 AudioFlingerFuzzer audioFuzzer(data, size);
735 audioFuzzer.process();
736 return 0;
737}