1 /*
2 * Copyright (C) 2021 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at:
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 *
16 */
17
18 /**
19 * NOTE
20 * 1) The input to AudioFlinger binder calls are fuzzed in this fuzzer
21 * 2) AudioFlinger crashes due to the fuzzer are detected by the
22 Binder DeathRecipient, where the fuzzer aborts if AudioFlinger dies
23 */
24
25 #include <android_audio_policy_configuration_V7_0-enums.h>
26 #include <android/content/AttributionSourceState.h>
27 #include <binder/IServiceManager.h>
28 #include <binder/MemoryDealer.h>
29 #include <com_android_media_audioserver.h>
30 #include <media/AidlConversion.h>
31 #include <media/AudioEffect.h>
32 #include <media/AudioRecord.h>
33 #include <media/AudioSystem.h>
34 #include <media/AudioTrack.h>
35 #include <media/IAudioFlinger.h>
36 #include "fuzzer/FuzzedDataProvider.h"
37
38 #define MAX_STRING_LENGTH 256
39 #define MAX_ARRAY_LENGTH 256
40
41 constexpr int32_t kMinSampleRateHz = 4000;
42 constexpr int32_t kMaxSampleRateHz = 192000;
43 constexpr int32_t kSampleRateUnspecified = 0;
44
45 namespace audioserver_flags = com::android::media::audioserver;
46
47 using namespace std;
48 using namespace android;
49
50 namespace xsd {
51 using namespace ::android::audio::policy::configuration::V7_0;
52 }
53
54 using android::content::AttributionSourceState;
55
56 constexpr audio_unique_id_use_t kUniqueIds[] = {
57 AUDIO_UNIQUE_ID_USE_UNSPECIFIED, AUDIO_UNIQUE_ID_USE_SESSION, AUDIO_UNIQUE_ID_USE_MODULE,
58 AUDIO_UNIQUE_ID_USE_EFFECT, AUDIO_UNIQUE_ID_USE_PATCH, AUDIO_UNIQUE_ID_USE_OUTPUT,
59 AUDIO_UNIQUE_ID_USE_INPUT, AUDIO_UNIQUE_ID_USE_CLIENT, AUDIO_UNIQUE_ID_USE_MAX,
60 };
61
62 constexpr audio_mode_t kModes[] = {
63 AUDIO_MODE_INVALID, AUDIO_MODE_CURRENT, AUDIO_MODE_NORMAL, AUDIO_MODE_RINGTONE,
64 AUDIO_MODE_IN_CALL, AUDIO_MODE_IN_COMMUNICATION, AUDIO_MODE_CALL_SCREEN,
65 AUDIO_MODE_CALL_REDIRECT, AUDIO_MODE_COMMUNICATION_REDIRECT};
66
67 constexpr audio_session_t kSessionId[] = {AUDIO_SESSION_NONE, AUDIO_SESSION_OUTPUT_STAGE,
68 AUDIO_SESSION_DEVICE};
69
70 constexpr audio_encapsulation_mode_t kEncapsulation[] = {
71 AUDIO_ENCAPSULATION_MODE_NONE,
72 AUDIO_ENCAPSULATION_MODE_ELEMENTARY_STREAM,
73 AUDIO_ENCAPSULATION_MODE_HANDLE,
74 };
75
76 constexpr audio_port_role_t kPortRoles[] = {
77 AUDIO_PORT_ROLE_NONE,
78 AUDIO_PORT_ROLE_SOURCE,
79 AUDIO_PORT_ROLE_SINK,
80 };
81
82 constexpr audio_port_type_t kPortTypes[] = {
83 AUDIO_PORT_TYPE_NONE,
84 AUDIO_PORT_TYPE_DEVICE,
85 AUDIO_PORT_TYPE_MIX,
86 AUDIO_PORT_TYPE_SESSION,
87 };
88
89 template <typename T, typename X, typename FUNC>
getFlags(const xsdc_enum_range<X> & range,const FUNC & func,const std::string & findString={},const std::set<X> & excludedValues={})90 std::vector<T> getFlags(const xsdc_enum_range<X>& range, const FUNC& func,
91 const std::string& findString = {},
92 const std::set<X>& excludedValues = {}) {
93 std::vector<T> vec;
94 for (const auto &xsdEnumVal : range) {
95 T enumVal;
96 std::string enumString = toString(xsdEnumVal);
97 if (enumString.find(findString) != std::string::npos &&
98 (excludedValues.find(xsdEnumVal) == excludedValues.end()) &&
99 func(enumString.c_str(), &enumVal)) {
100 vec.push_back(enumVal);
101 }
102 }
103 return vec;
104 }
105
106 static const std::vector<audio_stream_type_t> kStreamtypes =
107 getFlags<audio_stream_type_t, xsd::AudioStreamType, decltype(audio_stream_type_from_string)>(
108 xsdc_enum_range<xsd::AudioStreamType>{}, audio_stream_type_from_string);
109
110 /**
111 * AudioFormat - AUDIO_FORMAT_HE_AAC_V1 and AUDIO_FORMAT_HE_AAC_V2
112 * are excluded from kFormats[] in order to avoid the abort triggered
113 * for these two types of AudioFormat in
114 * AidlConversion::legacy2aidl_audio_format_t_AudioFormatDescription()
115 */
116 static const std::vector<audio_format_t> kFormats =
117 getFlags<audio_format_t, xsd::AudioFormat, decltype(audio_format_from_string)>(
118 xsdc_enum_range<xsd::AudioFormat>{}, audio_format_from_string, {},
119 {xsd::AudioFormat::AUDIO_FORMAT_HE_AAC_V1,
120 xsd::AudioFormat::AUDIO_FORMAT_HE_AAC_V2});
121
122 /**
123 * AudioChannelMask - AUDIO_CHANNEL_IN_6
124 * is excluded from kChannelMasks[] in order to avoid the abort triggered
125 * for this type of AudioChannelMask in
126 * AidlConversion::legacy2aidl_audio_channel_mask_t_AudioChannelLayout()
127 */
128 static const std::vector<audio_channel_mask_t> kChannelMasks =
129 getFlags<audio_channel_mask_t, xsd::AudioChannelMask,
130 decltype(audio_channel_mask_from_string)>(
131 xsdc_enum_range<xsd::AudioChannelMask>{}, audio_channel_mask_from_string, {},
132 {xsd::AudioChannelMask::AUDIO_CHANNEL_IN_6});
133
134 static const std::vector<audio_usage_t> kUsages =
135 getFlags<audio_usage_t, xsd::AudioUsage, decltype(audio_usage_from_string)>(
136 xsdc_enum_range<xsd::AudioUsage>{}, audio_usage_from_string);
137
138 static const std::vector<audio_content_type_t> kContentType =
139 getFlags<audio_content_type_t, xsd::AudioContentType, decltype(audio_content_type_from_string)>(
140 xsdc_enum_range<xsd::AudioContentType>{}, audio_content_type_from_string);
141
142 static const std::vector<audio_source_t> kInputSources =
143 getFlags<audio_source_t, xsd::AudioSource, decltype(audio_source_from_string)>(
144 xsdc_enum_range<xsd::AudioSource>{}, audio_source_from_string);
145
146 static const std::vector<audio_gain_mode_t> kGainModes =
147 getFlags<audio_gain_mode_t, xsd::AudioGainMode, decltype(audio_gain_mode_from_string)>(
148 xsdc_enum_range<xsd::AudioGainMode>{}, audio_gain_mode_from_string);
149
150 /**
151 * AudioDevice - AUDIO_DEVICE_IN_AMBIENT and AUDIO_DEVICE_IN_COMMUNICATION
152 * are excluded from kDevices[] in order to avoid the abort triggered
153 * for these two types of AudioDevice in
154 * AidlConversion::aidl2legacy_AudioDeviceDescription_audio_devices_t()
155 */
156 static const std::vector<audio_devices_t> kDevices =
157 getFlags<audio_devices_t, xsd::AudioDevice, decltype(audio_device_from_string)>(
158 xsdc_enum_range<xsd::AudioDevice>{}, audio_device_from_string, {},
159 {xsd::AudioDevice::AUDIO_DEVICE_IN_AMBIENT,
160 xsd::AudioDevice::AUDIO_DEVICE_IN_COMMUNICATION});
161
162 static const std::vector<audio_input_flags_t> kInputFlags =
163 getFlags<audio_input_flags_t, xsd::AudioInOutFlag, decltype(audio_input_flag_from_string)>(
164 xsdc_enum_range<xsd::AudioInOutFlag>{}, audio_input_flag_from_string, "_INPUT_");
165
166 static const std::vector<audio_output_flags_t> kOutputFlags =
167 getFlags<audio_output_flags_t, xsd::AudioInOutFlag, decltype(audio_output_flag_from_string)>(
168 xsdc_enum_range<xsd::AudioInOutFlag>{}, audio_output_flag_from_string, "_OUTPUT_");
169
170 template <typename T, size_t size>
getValue(FuzzedDataProvider * fdp,const T (& arr)[size])171 T getValue(FuzzedDataProvider *fdp, const T (&arr)[size]) {
172 return arr[fdp->ConsumeIntegralInRange<int32_t>(0, size - 1)];
173 }
174
175 template <typename T>
getValue(FuzzedDataProvider * fdp,std::vector<T> vec)176 T getValue(FuzzedDataProvider *fdp, std::vector<T> vec) {
177 return vec[fdp->ConsumeIntegralInRange<int32_t>(0, vec.size() - 1)];
178 }
179
getSampleRate(FuzzedDataProvider * fdp)180 int32_t getSampleRate(FuzzedDataProvider *fdp) {
181 if (fdp->ConsumeBool()) {
182 return fdp->ConsumeIntegralInRange<int32_t>(kMinSampleRateHz, kMaxSampleRateHz);
183 }
184 return kSampleRateUnspecified;
185 }
186
187 class DeathNotifier : public IBinder::DeathRecipient {
188 public:
binderDied(const wp<IBinder> &)189 void binderDied(const wp<IBinder> &) { abort(); }
190 };
191
192 class AudioFlingerFuzzer {
193 public:
194 AudioFlingerFuzzer(const uint8_t *data, size_t size);
195 void process();
196
197 private:
198 FuzzedDataProvider mFdp;
199 void invokeAudioTrack();
200 void invokeAudioRecord();
201 status_t invokeAudioEffect();
202 void invokeAudioSystem();
203 status_t invokeAudioInputDevice();
204 status_t invokeAudioOutputDevice();
205 void invokeAudioPatch();
206
207 sp<DeathNotifier> mDeathNotifier;
208 };
209
AudioFlingerFuzzer(const uint8_t * data,size_t size)210 AudioFlingerFuzzer::AudioFlingerFuzzer(const uint8_t *data, size_t size) : mFdp(data, size) {
211 sp<IServiceManager> sm = defaultServiceManager();
212 sp<IBinder> binder = sm->getService(String16("media.audio_flinger"));
213 if (binder == nullptr) {
214 return;
215 }
216 mDeathNotifier = new DeathNotifier();
217 binder->linkToDeath(mDeathNotifier);
218 }
219
invokeAudioTrack()220 void AudioFlingerFuzzer::invokeAudioTrack() {
221 uint32_t sampleRate = getSampleRate(&mFdp);
222 audio_format_t format = getValue(&mFdp, kFormats);
223 audio_channel_mask_t channelMask = getValue(&mFdp, kChannelMasks);
224 size_t frameCount = static_cast<size_t>(mFdp.ConsumeIntegral<uint32_t>());
225 int32_t notificationFrames = mFdp.ConsumeIntegral<int32_t>();
226 uint32_t useSharedBuffer = mFdp.ConsumeBool();
227 audio_output_flags_t flags = getValue(&mFdp, kOutputFlags);
228 audio_session_t sessionId = getValue(&mFdp, kSessionId);
229 audio_usage_t usage = getValue(&mFdp, kUsages);
230 audio_content_type_t contentType = getValue(&mFdp, kContentType);
231 audio_attributes_t attributes = {};
232 sp<IMemory> sharedBuffer;
233 sp<MemoryDealer> heap = nullptr;
234 audio_offload_info_t offloadInfo = AUDIO_INFO_INITIALIZER;
235
236 bool offload = false;
237 bool fast = ((flags & AUDIO_OUTPUT_FLAG_FAST) != 0);
238
239 if (useSharedBuffer != 0) {
240 size_t heapSize = audio_channel_count_from_out_mask(channelMask) *
241 audio_bytes_per_sample(format) * frameCount;
242 heap = new MemoryDealer(heapSize, "AudioTrack Heap Base");
243 sharedBuffer = heap->allocate(heapSize);
244 frameCount = 0;
245 notificationFrames = 0;
246 }
247 if ((flags & AUDIO_OUTPUT_FLAG_COMPRESS_OFFLOAD) != 0) {
248 offloadInfo.sample_rate = sampleRate;
249 offloadInfo.channel_mask = channelMask;
250 offloadInfo.format = format;
251 offload = true;
252 }
253
254 attributes.content_type = contentType;
255 attributes.usage = usage;
256 sp<AudioTrack> track = new AudioTrack();
257
258 // TODO b/182392769: use attribution source util
259 AttributionSourceState attributionSource;
260 attributionSource.uid = VALUE_OR_FATAL(legacy2aidl_uid_t_int32_t(getuid()));
261 attributionSource.pid = VALUE_OR_FATAL(legacy2aidl_pid_t_int32_t(getpid()));
262 attributionSource.token = sp<BBinder>::make();
263 track->set(AUDIO_STREAM_DEFAULT, sampleRate, format, channelMask, frameCount, flags, nullptr,
264 notificationFrames, sharedBuffer, false, sessionId,
265 ((fast && sharedBuffer == 0) || offload) ? AudioTrack::TRANSFER_CALLBACK
266 : AudioTrack::TRANSFER_DEFAULT,
267 offload ? &offloadInfo : nullptr, attributionSource, &attributes, false, 1.0f,
268 AUDIO_PORT_HANDLE_NONE);
269
270 status_t status = track->initCheck();
271 if (status != NO_ERROR) {
272 track.clear();
273 return;
274 }
275 track->getSampleRate();
276 track->latency();
277 track->getUnderrunCount();
278 track->streamType();
279 track->channelCount();
280 track->getNotificationPeriodInFrames();
281 uint32_t bufferSizeInFrames = mFdp.ConsumeIntegral<uint32_t>();
282 track->setBufferSizeInFrames(bufferSizeInFrames);
283 track->getBufferSizeInFrames();
284
285 int64_t duration = mFdp.ConsumeIntegral<int64_t>();
286 track->getBufferDurationInUs(&duration);
287 sp<IMemory> sharedBuffer2 = track->sharedBuffer();
288 track->setCallerName(mFdp.ConsumeRandomLengthString(MAX_STRING_LENGTH));
289
290 track->setVolume(mFdp.ConsumeFloatingPoint<float>(), mFdp.ConsumeFloatingPoint<float>());
291 track->setVolume(mFdp.ConsumeFloatingPoint<float>());
292 track->setAuxEffectSendLevel(mFdp.ConsumeFloatingPoint<float>());
293
294 float auxEffectSendLevel;
295 track->getAuxEffectSendLevel(&auxEffectSendLevel);
296 track->setSampleRate(getSampleRate(&mFdp));
297 track->getSampleRate();
298 track->getOriginalSampleRate();
299
300 AudioPlaybackRate playbackRate = {};
301 playbackRate.mSpeed = mFdp.ConsumeFloatingPoint<float>();
302 playbackRate.mPitch = mFdp.ConsumeFloatingPoint<float>();
303 track->setPlaybackRate(playbackRate);
304 track->getPlaybackRate();
305 track->setLoop(mFdp.ConsumeIntegral<uint32_t>(), mFdp.ConsumeIntegral<uint32_t>(),
306 mFdp.ConsumeIntegral<uint32_t>());
307 track->setMarkerPosition(mFdp.ConsumeIntegral<uint32_t>());
308
309 uint32_t marker = {};
310 track->getMarkerPosition(&marker);
311 track->setPositionUpdatePeriod(mFdp.ConsumeIntegral<uint32_t>());
312
313 uint32_t updatePeriod = {};
314 track->getPositionUpdatePeriod(&updatePeriod);
315 track->setPosition(mFdp.ConsumeIntegral<uint32_t>());
316 uint32_t position = {};
317 track->getPosition(&position);
318 track->getBufferPosition(&position);
319 track->reload();
320 track->start();
321 track->pause();
322 track->flush();
323 track->stop();
324 track->stopped();
325 }
326
invokeAudioRecord()327 void AudioFlingerFuzzer::invokeAudioRecord() {
328 int32_t notificationFrames = mFdp.ConsumeIntegral<int32_t>();
329 uint32_t sampleRate = getSampleRate(&mFdp);
330 size_t frameCount = static_cast<size_t>(mFdp.ConsumeIntegral<uint32_t>());
331 audio_format_t format = getValue(&mFdp, kFormats);
332 audio_channel_mask_t channelMask = getValue(&mFdp, kChannelMasks);
333 audio_input_flags_t flags = getValue(&mFdp, kInputFlags);
334 audio_session_t sessionId = getValue(&mFdp, kSessionId);
335 audio_source_t inputSource = getValue(&mFdp, kInputSources);
336
337 audio_attributes_t attributes = {};
338 bool fast = ((flags & AUDIO_OUTPUT_FLAG_FAST) != 0);
339
340 attributes.source = inputSource;
341
342 // TODO b/182392769: use attribution source util
343 AttributionSourceState attributionSource;
344 attributionSource.packageName = std::string(mFdp.ConsumeRandomLengthString().c_str());
345 attributionSource.token = sp<BBinder>::make();
346 sp<AudioRecord> record = new AudioRecord(attributionSource);
347 record->set(AUDIO_SOURCE_DEFAULT, sampleRate, format, channelMask, frameCount, nullptr,
348 notificationFrames, false, sessionId,
349 fast ? AudioRecord::TRANSFER_CALLBACK : AudioRecord::TRANSFER_DEFAULT, flags,
350 getuid(), getpid(), &attributes, AUDIO_PORT_HANDLE_NONE);
351 status_t status = record->initCheck();
352 if (status != NO_ERROR) {
353 return;
354 }
355 record->latency();
356 record->format();
357 record->channelCount();
358 record->frameCount();
359 record->frameSize();
360 record->inputSource();
361 record->getNotificationPeriodInFrames();
362 record->start();
363 record->stop();
364 record->stopped();
365
366 uint32_t marker = mFdp.ConsumeIntegral<uint32_t>();
367 record->setMarkerPosition(marker);
368 record->getMarkerPosition(&marker);
369
370 uint32_t updatePeriod = mFdp.ConsumeIntegral<uint32_t>();
371 record->setPositionUpdatePeriod(updatePeriod);
372 record->getPositionUpdatePeriod(&updatePeriod);
373
374 uint32_t position;
375 record->getPosition(&position);
376
377 ExtendedTimestamp timestamp;
378 record->getTimestamp(×tamp);
379 record->getSessionId();
380 record->getCallerName();
381 android::AudioRecord::Buffer audioBuffer;
382 int32_t waitCount = mFdp.ConsumeIntegral<int32_t>();
383 size_t nonContig = static_cast<size_t>(mFdp.ConsumeIntegral<uint32_t>());
384 audioBuffer.frameCount = static_cast<size_t>(mFdp.ConsumeIntegral<uint32_t>());
385 record->obtainBuffer(&audioBuffer, waitCount, &nonContig);
386 bool blocking = false;
387 record->read(audioBuffer.data(), audioBuffer.size(), blocking);
388 record->getInputFramesLost();
389 record->getFlags();
390
391 std::vector<media::MicrophoneInfoFw> activeMicrophones;
392 record->getActiveMicrophones(&activeMicrophones);
393 record->releaseBuffer(&audioBuffer);
394
395 audio_port_handle_t deviceId =
396 static_cast<audio_port_handle_t>(mFdp.ConsumeIntegral<int32_t>());
397 record->setInputDevice(deviceId);
398 record->getInputDevice();
399 record->getRoutedDeviceIds();
400 record->getPortId();
401 }
402
403 struct EffectClient : public android::media::BnEffectClient {
EffectClientEffectClient404 EffectClient() {}
controlStatusChangedEffectClient405 binder::Status controlStatusChanged(bool controlGranted __unused) override {
406 return binder::Status::ok();
407 }
enableStatusChangedEffectClient408 binder::Status enableStatusChanged(bool enabled __unused) override {
409 return binder::Status::ok();
410 }
commandExecutedEffectClient411 binder::Status commandExecuted(int32_t cmdCode __unused,
412 const std::vector<uint8_t> &cmdData __unused,
413 const std::vector<uint8_t> &replyData __unused) override {
414 return binder::Status::ok();
415 }
framesProcessedEffectClient416 binder::Status framesProcessed(int32_t frames __unused) override {
417 return binder::Status::ok();
418 }
419 };
420
invokeAudioEffect()421 status_t AudioFlingerFuzzer::invokeAudioEffect() {
422 effect_uuid_t type;
423 type.timeLow = mFdp.ConsumeIntegral<uint32_t>();
424 type.timeMid = mFdp.ConsumeIntegral<uint16_t>();
425 type.timeHiAndVersion = mFdp.ConsumeIntegral<uint16_t>();
426 type.clockSeq = mFdp.ConsumeIntegral<uint16_t>();
427 for (int i = 0; i < 6; ++i) {
428 type.node[i] = mFdp.ConsumeIntegral<uint8_t>();
429 }
430
431 effect_descriptor_t descriptor = {};
432 descriptor.type = type;
433 descriptor.uuid = *EFFECT_UUID_NULL;
434
435 sp<EffectClient> effectClient(new EffectClient());
436
437 const int32_t priority = mFdp.ConsumeIntegral<int32_t>();
438 audio_session_t sessionId = static_cast<audio_session_t>(mFdp.ConsumeIntegral<int32_t>());
439 const audio_io_handle_t io = mFdp.ConsumeIntegral<int32_t>();
440 std::string opPackageName = static_cast<std::string>(mFdp.ConsumeRandomLengthString().c_str());
441 AudioDeviceTypeAddr device;
442
443 sp<IAudioFlinger> af = AudioSystem::get_audio_flinger();
444 if (!af) {
445 return NO_ERROR;
446 }
447
448 media::CreateEffectRequest request{};
449 request.desc =
450 VALUE_OR_RETURN_STATUS(legacy2aidl_effect_descriptor_t_EffectDescriptor(descriptor));
451 request.client = effectClient;
452 request.priority = priority;
453 request.output = io;
454 request.sessionId = sessionId;
455 request.device = VALUE_OR_RETURN_STATUS(legacy2aidl_AudioDeviceTypeAddress(device));
456 // TODO b/182392769: use attribution source util
457 request.attributionSource.packageName = opPackageName;
458 request.attributionSource.pid = VALUE_OR_RETURN_STATUS(legacy2aidl_pid_t_int32_t(getpid()));
459 request.probe = false;
460 request.notifyFramesProcessed = false;
461
462 media::CreateEffectResponse response{};
463 status_t status = af->createEffect(request, &response);
464
465 if (status != OK) {
466 return NO_ERROR;
467 }
468
469 descriptor =
470 VALUE_OR_RETURN_STATUS(aidl2legacy_EffectDescriptor_effect_descriptor_t(response.desc));
471
472 uint32_t numEffects;
473 af->queryNumberEffects(&numEffects);
474
475 uint32_t queryIndex = mFdp.ConsumeIntegral<uint32_t>();
476 af->queryEffect(queryIndex, &descriptor);
477
478 effect_descriptor_t getDescriptor;
479 uint32_t preferredTypeFlag = mFdp.ConsumeIntegral<int32_t>();
480 af->getEffectDescriptor(&descriptor.uuid, &descriptor.type, preferredTypeFlag, &getDescriptor);
481
482 sessionId = static_cast<audio_session_t>(mFdp.ConsumeIntegral<int32_t>());
483 audio_io_handle_t srcOutput = mFdp.ConsumeIntegral<int32_t>();
484 audio_io_handle_t dstOutput = mFdp.ConsumeIntegral<int32_t>();
485 af->moveEffects(sessionId, srcOutput, dstOutput);
486
487 int effectId = mFdp.ConsumeIntegral<int32_t>();
488 sessionId = static_cast<audio_session_t>(mFdp.ConsumeIntegral<int32_t>());
489 af->setEffectSuspended(effectId, sessionId, mFdp.ConsumeBool());
490 return NO_ERROR;
491 }
492
invokeAudioSystem()493 void AudioFlingerFuzzer::invokeAudioSystem() {
494 AudioSystem::muteMicrophone(mFdp.ConsumeBool());
495 AudioSystem::setMasterMute(mFdp.ConsumeBool());
496 AudioSystem::setMasterVolume(mFdp.ConsumeFloatingPoint<float>());
497 AudioSystem::setMasterBalance(mFdp.ConsumeFloatingPoint<float>());
498 AudioSystem::setVoiceVolume(mFdp.ConsumeFloatingPoint<float>());
499
500 float volume;
501 AudioSystem::getMasterVolume(&volume);
502
503 bool state;
504 AudioSystem::getMasterMute(&state);
505 AudioSystem::isMicrophoneMuted(&state);
506
507 audio_stream_type_t stream ;
508 if (!audioserver_flags::portid_volume_management()) {
509 stream = getValue(&mFdp, kStreamtypes);
510 AudioSystem::setStreamMute(getValue(&mFdp, kStreamtypes), mFdp.ConsumeBool());
511
512 stream = getValue(&mFdp, kStreamtypes);
513 AudioSystem::setStreamVolume(stream, mFdp.ConsumeFloatingPoint<float>(),
514 mFdp.ConsumeBool(), mFdp.ConsumeIntegral<int32_t>());
515 } else {
516 std::vector <audio_port_handle_t> portsForVolumeChange{};
517 AudioSystem::setPortsVolume(portsForVolumeChange, mFdp.ConsumeFloatingPoint<float>(),
518 mFdp.ConsumeBool(), mFdp.ConsumeIntegral<int32_t>());
519 }
520 audio_mode_t mode = getValue(&mFdp, kModes);
521 AudioSystem::setMode(mode);
522
523 size_t frameCount;
524 stream = getValue(&mFdp, kStreamtypes);
525 AudioSystem::getOutputFrameCount(&frameCount, stream);
526
527 uint32_t latency;
528 stream = getValue(&mFdp, kStreamtypes);
529 AudioSystem::getOutputLatency(&latency, stream);
530
531 uint32_t samplingRate;
532 AudioSystem::getSamplingRate(mFdp.ConsumeIntegral<int32_t>(), &samplingRate);
533
534 AudioSystem::getFrameCount(mFdp.ConsumeIntegral<int32_t>(), &frameCount);
535 AudioSystem::getLatency(mFdp.ConsumeIntegral<int32_t>(), &latency);
536 AudioSystem::setVoiceVolume(mFdp.ConsumeFloatingPoint<float>());
537
538 uint32_t halFrames;
539 uint32_t dspFrames;
540 AudioSystem::getRenderPosition(mFdp.ConsumeIntegral<int32_t>(), &halFrames, &dspFrames);
541
542 AudioSystem::getInputFramesLost(mFdp.ConsumeIntegral<int32_t>());
543 AudioSystem::getInputFramesLost(mFdp.ConsumeIntegral<int32_t>());
544
545 audio_unique_id_use_t uniqueIdUse = getValue(&mFdp, kUniqueIds);
546 AudioSystem::newAudioUniqueId(uniqueIdUse);
547
548 audio_session_t sessionId = getValue(&mFdp, kSessionId);
549 pid_t pid = mFdp.ConsumeBool() ? getpid() : mFdp.ConsumeIntegral<int32_t>();
550 uid_t uid = mFdp.ConsumeBool() ? getuid() : mFdp.ConsumeIntegral<int32_t>();
551 AudioSystem::acquireAudioSessionId(sessionId, pid, uid);
552
553 pid = mFdp.ConsumeBool() ? getpid() : mFdp.ConsumeIntegral<int32_t>();
554 sessionId = getValue(&mFdp, kSessionId);
555 AudioSystem::releaseAudioSessionId(sessionId, pid);
556
557 sessionId = getValue(&mFdp, kSessionId);
558 AudioSystem::getAudioHwSyncForSession(sessionId);
559
560 AudioSystem::systemReady();
561 AudioSystem::getFrameCountHAL(mFdp.ConsumeIntegral<int32_t>(), &frameCount);
562
563 size_t buffSize;
564 uint32_t sampleRate = getSampleRate(&mFdp);
565 audio_format_t format = getValue(&mFdp, kFormats);
566 audio_channel_mask_t channelMask = getValue(&mFdp, kChannelMasks);
567 AudioSystem::getInputBufferSize(sampleRate, format, channelMask, &buffSize);
568
569 AudioSystem::getPrimaryOutputSamplingRate();
570 AudioSystem::getPrimaryOutputFrameCount();
571 AudioSystem::setLowRamDevice(mFdp.ConsumeBool(), mFdp.ConsumeIntegral<int64_t>());
572
573 std::vector<media::MicrophoneInfoFw> microphones;
574 AudioSystem::getMicrophones(µphones);
575
576 std::vector<pid_t> pids;
577 pids.insert(pids.begin(), getpid());
578 for (int i = 1; i < mFdp.ConsumeIntegralInRange<int32_t>(2, MAX_ARRAY_LENGTH); ++i) {
579 pids.insert(pids.begin() + i, static_cast<pid_t>(mFdp.ConsumeIntegral<int32_t>()));
580 }
581 AudioSystem::setAudioHalPids(pids);
582 sp<IAudioFlinger> af = AudioSystem::get_audio_flinger();
583 if (!af) {
584 return;
585 }
586 af->setRecordSilenced(mFdp.ConsumeIntegral<uint32_t>(), mFdp.ConsumeBool());
587
588 float balance = mFdp.ConsumeFloatingPoint<float>();
589 af->getMasterBalance(&balance);
590
591 std::vector<audio_port_handle_t> tracks;
592 for (int i = 0; i < mFdp.ConsumeIntegralInRange<int32_t>(0, MAX_ARRAY_LENGTH); ++i) {
593 tracks.push_back(static_cast<audio_port_handle_t>(mFdp.ConsumeIntegral<int32_t>()));
594 }
595 af->invalidateTracks(tracks);
596 }
597
invokeAudioInputDevice()598 status_t AudioFlingerFuzzer::invokeAudioInputDevice() {
599 sp<IAudioFlinger> af = AudioSystem::get_audio_flinger();
600 if (!af) {
601 return NO_ERROR;
602 }
603
604 audio_config_t config = {};
605 audio_module_handle_t module = mFdp.ConsumeIntegral<int32_t>();
606 audio_io_handle_t input = mFdp.ConsumeIntegral<int32_t>();
607 config.frame_count = mFdp.ConsumeIntegral<uint32_t>();
608 String8 address = static_cast<String8>(mFdp.ConsumeRandomLengthString().c_str());
609
610 config.channel_mask = getValue(&mFdp, kChannelMasks);
611 config.format = getValue(&mFdp, kFormats);
612
613 config.offload_info = AUDIO_INFO_INITIALIZER;
614 config.offload_info.bit_rate = mFdp.ConsumeIntegral<uint32_t>();
615 config.offload_info.bit_width = mFdp.ConsumeIntegral<uint32_t>();
616 config.offload_info.content_id = mFdp.ConsumeIntegral<uint32_t>();
617 config.offload_info.channel_mask = getValue(&mFdp, kChannelMasks);
618 config.offload_info.duration_us = mFdp.ConsumeIntegral<int64_t>();
619 config.offload_info.encapsulation_mode = getValue(&mFdp, kEncapsulation);
620 config.offload_info.format = getValue(&mFdp, kFormats);
621 config.offload_info.has_video = mFdp.ConsumeBool();
622 config.offload_info.is_streaming = mFdp.ConsumeBool();
623 config.offload_info.sample_rate = getSampleRate(&mFdp);
624 config.offload_info.sync_id = mFdp.ConsumeIntegral<uint32_t>();
625 config.offload_info.stream_type = getValue(&mFdp, kStreamtypes);
626 config.offload_info.usage = getValue(&mFdp, kUsages);
627
628 config.sample_rate = getSampleRate(&mFdp);
629
630 audio_devices_t device = getValue(&mFdp, kDevices);
631 audio_source_t source = getValue(&mFdp, kInputSources);
632 audio_input_flags_t flags = getValue(&mFdp, kInputFlags);
633
634 AudioDeviceTypeAddr deviceTypeAddr(device, address.c_str());
635
636 media::OpenInputRequest request{};
637 request.module = VALUE_OR_RETURN_STATUS(legacy2aidl_audio_module_handle_t_int32_t(module));
638 request.input = VALUE_OR_RETURN_STATUS(legacy2aidl_audio_io_handle_t_int32_t(input));
639 request.config = VALUE_OR_RETURN_STATUS(
640 legacy2aidl_audio_config_t_AudioConfig(config, true /*isInput*/));
641 request.device = VALUE_OR_RETURN_STATUS(legacy2aidl_AudioDeviceTypeAddress(deviceTypeAddr));
642 request.source = VALUE_OR_RETURN_STATUS(legacy2aidl_audio_source_t_AudioSource(source));
643 request.flags = VALUE_OR_RETURN_STATUS(legacy2aidl_audio_input_flags_t_int32_t_mask(flags));
644
645 media::OpenInputResponse response{};
646 status_t status = af->openInput(request, &response);
647 if (status != NO_ERROR) {
648 return NO_ERROR;
649 }
650
651 input = VALUE_OR_RETURN_STATUS(aidl2legacy_int32_t_audio_module_handle_t(response.input));
652 af->closeInput(input);
653 return NO_ERROR;
654 }
655
invokeAudioOutputDevice()656 status_t AudioFlingerFuzzer::invokeAudioOutputDevice() {
657 sp<IAudioFlinger> af = AudioSystem::get_audio_flinger();
658 if (!af) {
659 return NO_ERROR;
660 }
661
662 audio_config_t config = {};
663 audio_module_handle_t module = mFdp.ConsumeIntegral<int32_t>();
664 audio_io_handle_t output = mFdp.ConsumeIntegral<int32_t>();
665 config.frame_count = mFdp.ConsumeIntegral<uint32_t>();
666 String8 address = static_cast<String8>(mFdp.ConsumeRandomLengthString().c_str());
667
668 config.channel_mask = getValue(&mFdp, kChannelMasks);
669
670 config.offload_info = AUDIO_INFO_INITIALIZER;
671 config.offload_info.bit_rate = mFdp.ConsumeIntegral<uint32_t>();
672 config.offload_info.bit_width = mFdp.ConsumeIntegral<uint32_t>();
673 config.offload_info.channel_mask = getValue(&mFdp, kChannelMasks);
674 config.offload_info.content_id = mFdp.ConsumeIntegral<uint32_t>();
675 config.offload_info.duration_us = mFdp.ConsumeIntegral<int64_t>();
676 config.offload_info.encapsulation_mode = getValue(&mFdp, kEncapsulation);
677 config.offload_info.format = getValue(&mFdp, kFormats);
678 config.offload_info.has_video = mFdp.ConsumeBool();
679 config.offload_info.is_streaming = mFdp.ConsumeBool();
680 config.offload_info.sample_rate = getSampleRate(&mFdp);
681 config.offload_info.stream_type = getValue(&mFdp, kStreamtypes);
682 config.offload_info.sync_id = mFdp.ConsumeIntegral<uint32_t>();
683 config.offload_info.usage = getValue(&mFdp, kUsages);
684
685 config.format = getValue(&mFdp, kFormats);
686 config.sample_rate = getSampleRate(&mFdp);
687
688 sp<DeviceDescriptorBase> device = new DeviceDescriptorBase(getValue(&mFdp, kDevices));
689 audio_output_flags_t flags = getValue(&mFdp, kOutputFlags);
690
691 audio_config_base_t mixerConfig = AUDIO_CONFIG_BASE_INITIALIZER;
692
693 media::OpenOutputRequest request{};
694 media::OpenOutputResponse response{};
695
696 request.module = VALUE_OR_RETURN_STATUS(legacy2aidl_audio_module_handle_t_int32_t(module));
697 request.halConfig = VALUE_OR_RETURN_STATUS(
698 legacy2aidl_audio_config_t_AudioConfig(config, false /*isInput*/));
699 request.mixerConfig = VALUE_OR_RETURN_STATUS(
700 legacy2aidl_audio_config_base_t_AudioConfigBase(mixerConfig, false /*isInput*/));
701 request.device = VALUE_OR_RETURN_STATUS(legacy2aidl_DeviceDescriptorBase(device));
702 request.flags = VALUE_OR_RETURN_STATUS(legacy2aidl_audio_output_flags_t_int32_t_mask(flags));
703
704 status_t status = af->openOutput(request, &response);
705 if (status != NO_ERROR) {
706 return NO_ERROR;
707 }
708 output = VALUE_OR_RETURN_STATUS(aidl2legacy_int32_t_audio_io_handle_t(response.output));
709
710 audio_io_handle_t output1 = mFdp.ConsumeIntegral<int32_t>();
711 af->openDuplicateOutput(output, output1);
712 af->suspendOutput(output);
713 af->restoreOutput(output);
714 af->closeOutput(output);
715 return NO_ERROR;
716 }
717
invokeAudioPatch()718 void AudioFlingerFuzzer::invokeAudioPatch() {
719 sp<IAudioFlinger> af = AudioSystem::get_audio_flinger();
720 if (!af) {
721 return;
722 }
723 struct audio_patch patch = {};
724 audio_patch_handle_t handle = mFdp.ConsumeIntegral<int32_t>();
725
726 patch.id = mFdp.ConsumeIntegral<int32_t>();
727 patch.num_sources = mFdp.ConsumeIntegral<uint32_t>();
728 patch.num_sinks = mFdp.ConsumeIntegral<uint32_t>();
729
730 for (int i = 0; i < AUDIO_PATCH_PORTS_MAX; ++i) {
731 patch.sources[i].config_mask = mFdp.ConsumeIntegral<uint32_t>();
732 patch.sources[i].channel_mask = getValue(&mFdp, kChannelMasks);
733 patch.sources[i].format = getValue(&mFdp, kFormats);
734 patch.sources[i].gain.channel_mask = getValue(&mFdp, kChannelMasks);
735 patch.sources[i].gain.index = mFdp.ConsumeIntegral<int32_t>();
736 patch.sources[i].gain.mode = getValue(&mFdp, kGainModes);
737 patch.sources[i].gain.ramp_duration_ms = mFdp.ConsumeIntegral<uint32_t>();
738 patch.sources[i].id = static_cast<audio_format_t>(mFdp.ConsumeIntegral<int32_t>());
739 patch.sources[i].role = getValue(&mFdp, kPortRoles);
740 patch.sources[i].sample_rate = getSampleRate(&mFdp);
741 patch.sources[i].type = getValue(&mFdp, kPortTypes);
742
743 patch.sinks[i].config_mask = mFdp.ConsumeIntegral<uint32_t>();
744 patch.sinks[i].channel_mask = getValue(&mFdp, kChannelMasks);
745 patch.sinks[i].format = getValue(&mFdp, kFormats);
746 patch.sinks[i].gain.channel_mask = getValue(&mFdp, kChannelMasks);
747 patch.sinks[i].gain.index = mFdp.ConsumeIntegral<int32_t>();
748 patch.sinks[i].gain.mode = getValue(&mFdp, kGainModes);
749 patch.sinks[i].gain.ramp_duration_ms = mFdp.ConsumeIntegral<uint32_t>();
750 patch.sinks[i].id = static_cast<audio_format_t>(mFdp.ConsumeIntegral<int32_t>());
751 patch.sinks[i].role = getValue(&mFdp, kPortRoles);
752 patch.sinks[i].sample_rate = getSampleRate(&mFdp);
753 patch.sinks[i].type = getValue(&mFdp, kPortTypes);
754 }
755
756 status_t status = af->createAudioPatch(&patch, &handle);
757 if (status != NO_ERROR) {
758 return;
759 }
760
761 unsigned int num_patches = mFdp.ConsumeIntegral<uint32_t>();
762 struct audio_patch patches = {};
763 af->listAudioPatches(&num_patches, &patches);
764 af->releaseAudioPatch(handle);
765 }
766
process()767 void AudioFlingerFuzzer::process() {
768 invokeAudioEffect();
769 invokeAudioInputDevice();
770 invokeAudioOutputDevice();
771 invokeAudioPatch();
772 invokeAudioRecord();
773 invokeAudioSystem();
774 invokeAudioTrack();
775 }
776
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)777 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
778 if (size < 1) {
779 return 0;
780 }
781 AudioFlingerFuzzer audioFuzzer(data, size);
782 audioFuzzer.process();
783 return 0;
784 }
785