1 /*
2 * Copyright 2022 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <InputReader.h>
18 #include <MapperHelpers.h>
19 #include <fuzzer/FuzzedDataProvider.h>
20 #include <input/InputDevice.h>
21 #include <chrono>
22 #include <thread>
23
24 namespace android {
25
// Sensor types the fuzz target chooses from when it calls enableSensor(),
// disableSensor() and flushSensor(). Picking from this fixed table keeps the
// sensorType argument a named enumerator instead of an arbitrary integer cast.
// NOTE(review): whether this list covers every InputDeviceSensorType enumerator
// cannot be confirmed from this file — check it against the enum declaration.
constexpr InputDeviceSensorType kInputDeviceSensorType[] = {
        InputDeviceSensorType::ACCELEROMETER,
        InputDeviceSensorType::MAGNETIC_FIELD,
        InputDeviceSensorType::ORIENTATION,
        InputDeviceSensorType::GYROSCOPE,
        InputDeviceSensorType::LIGHT,
        InputDeviceSensorType::PRESSURE,
        InputDeviceSensorType::TEMPERATURE,
        InputDeviceSensorType::PROXIMITY,
        InputDeviceSensorType::GRAVITY,
        InputDeviceSensorType::LINEAR_ACCELERATION,
        InputDeviceSensorType::ROTATION_VECTOR,
        InputDeviceSensorType::RELATIVE_HUMIDITY,
        InputDeviceSensorType::AMBIENT_TEMPERATURE,
        InputDeviceSensorType::MAGNETIC_FIELD_UNCALIBRATED,
        InputDeviceSensorType::GAME_ROTATION_VECTOR,
        InputDeviceSensorType::GYROSCOPE_UNCALIBRATED,
        InputDeviceSensorType::SIGNIFICANT_MOTION,
};
45
/**
 * Pass-through InputReaderInterface implementation used by the fuzz target.
 *
 * The constructor builds a real InputReader from the fuzzed event hub, policy
 * and listener; every method forwards its arguments unchanged to that reader
 * and returns whatever the reader returns. No argument is validated or clamped
 * here, so the wrapped reader sees the fuzzer-chosen values as they are.
 */
class FuzzInputReader : public InputReaderInterface {
public:
    FuzzInputReader(std::shared_ptr<EventHubInterface> fuzzEventHub,
                    const sp<InputReaderPolicyInterface>& fuzzPolicy,
                    InputListenerInterface& fuzzListener)
          : mReader(std::make_unique<InputReader>(fuzzEventHub, fuzzPolicy, fuzzListener)) {}

    // --- Lifecycle and diagnostics ---

    void dump(std::string& dump) {
        mReader->dump(dump);
    }

    void monitor() {
        mReader->monitor();
    }

    status_t start() {
        return mReader->start();
    }

    status_t stop() {
        return mReader->stop();
    }

    std::vector<InputDeviceInfo> getInputDevices() const {
        return mReader->getInputDevices();
    }

    // --- Key, scan code and switch state ---

    int32_t getScanCodeState(int32_t deviceId, uint32_t sourceMask, int32_t scanCode) {
        return mReader->getScanCodeState(deviceId, sourceMask, scanCode);
    }

    int32_t getKeyCodeState(int32_t deviceId, uint32_t sourceMask, int32_t keyCode) {
        return mReader->getKeyCodeState(deviceId, sourceMask, keyCode);
    }

    int32_t getSwitchState(int32_t deviceId, uint32_t sourceMask, int32_t sw) {
        return mReader->getSwitchState(deviceId, sourceMask, sw);
    }

    void toggleCapsLockState(int32_t deviceId) {
        mReader->toggleCapsLockState(deviceId);
    }

    void resetLockedModifierState() {
        mReader->resetLockedModifierState();
    }

    // outFlags is handed to the reader as a raw pointer with no length.
    // NOTE(review): presumably the reader writes one flag per entry of keyCodes, so
    // the caller must supply at least keyCodes.size() bytes — confirm against
    // InputReaderInterface.
    bool hasKeys(int32_t deviceId, uint32_t sourceMask, const std::vector<int32_t>& keyCodes,
                 uint8_t* outFlags) {
        return mReader->hasKeys(deviceId, sourceMask, keyCodes, outFlags);
    }

    void requestRefreshConfiguration(ConfigurationChanges changes) {
        mReader->requestRefreshConfiguration(changes);
    }

    // --- Vibrator ---

    void vibrate(int32_t deviceId, const VibrationSequence& sequence, ssize_t repeat,
                 int32_t token) {
        mReader->vibrate(deviceId, sequence, repeat, token);
    }

    void cancelVibrate(int32_t deviceId, int32_t token) {
        mReader->cancelVibrate(deviceId, token);
    }

    bool isVibrating(int32_t deviceId) {
        return mReader->isVibrating(deviceId);
    }

    std::vector<int32_t> getVibratorIds(int32_t deviceId) {
        return mReader->getVibratorIds(deviceId);
    }

    // --- Battery, lights, sensors and touchpad queries ---

    std::optional<int32_t> getBatteryCapacity(int32_t deviceId) {
        return mReader->getBatteryCapacity(deviceId);
    }

    std::optional<int32_t> getBatteryStatus(int32_t deviceId) {
        return mReader->getBatteryStatus(deviceId);
    }

    std::optional<std::string> getBatteryDevicePath(int32_t deviceId) {
        return mReader->getBatteryDevicePath(deviceId);
    }

    std::vector<InputDeviceLightInfo> getLights(int32_t deviceId) {
        return mReader->getLights(deviceId);
    }

    std::vector<InputDeviceSensorInfo> getSensors(int32_t deviceId) {
        return mReader->getSensors(deviceId);
    }

    std::optional<HardwareProperties> getTouchpadHardwareProperties(int32_t deviceId) {
        return mReader->getTouchpadHardwareProperties(deviceId);
    }

    bool canDispatchToDisplay(int32_t deviceId, ui::LogicalDisplayId displayId) {
        return mReader->canDispatchToDisplay(deviceId, displayId);
    }

    // --- Sensor control ---

    bool enableSensor(int32_t deviceId, InputDeviceSensorType sensorType,
                      std::chrono::microseconds samplingPeriod,
                      std::chrono::microseconds maxBatchReportLatency) {
        return mReader->enableSensor(deviceId, sensorType, samplingPeriod, maxBatchReportLatency);
    }

    void disableSensor(int32_t deviceId, InputDeviceSensorType sensorType) {
        mReader->disableSensor(deviceId, sensorType);
    }

    void flushSensor(int32_t deviceId, InputDeviceSensorType sensorType) {
        mReader->flushSensor(deviceId, sensorType);
    }

    // --- Light control ---

    bool setLightColor(int32_t deviceId, int32_t lightId, int32_t color) {
        return mReader->setLightColor(deviceId, lightId, color);
    }

    bool setLightPlayerId(int32_t deviceId, int32_t lightId, int32_t playerId) {
        return mReader->setLightPlayerId(deviceId, lightId, playerId);
    }

    std::optional<int32_t> getLightColor(int32_t deviceId, int32_t lightId) {
        return mReader->getLightColor(deviceId, lightId);
    }

    std::optional<int32_t> getLightPlayerId(int32_t deviceId, int32_t lightId) {
        return mReader->getLightPlayerId(deviceId, lightId);
    }

    // --- Miscellaneous device queries and notifications ---

    int32_t getKeyCodeForKeyLocation(int32_t deviceId, int32_t locationKeyCode) const {
        return mReader->getKeyCodeForKeyLocation(deviceId, locationKeyCode);
    }

    std::optional<std::string> getBluetoothAddress(int32_t deviceId) const {
        return mReader->getBluetoothAddress(deviceId);
    }

    void sysfsNodeChanged(const std::string& sysfsNodePath) {
        mReader->sysfsNodeChanged(sysfsNodePath);
    }

    DeviceId getLastUsedInputDeviceId() override {
        return mReader->getLastUsedInputDeviceId();
    }

    void notifyMouseCursorFadedOnTyping() override {
        mReader->notifyMouseCursorFadedOnTyping();
    }

    bool setKernelWakeEnabled(int32_t deviceId, bool enabled) override {
        return mReader->setKernelWakeEnabled(deviceId, enabled);
    }

private:
    // The InputReader under test; owned by this wrapper and created in the constructor.
    std::unique_ptr<InputReaderInterface> mReader;
};
183
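/**
 * libFuzzer entry point: drives an InputReader through its public interface
 * using values drawn from the fuzz input.
 *
 * Sequence: build the data provider, listener, policy and event hub; construct
 * the reader; issue one vibrate() call with a fuzzed pattern; start() the
 * reader; then repeatedly pick one interface call at random until the input is
 * exhausted; finally stop() the reader.
 *
 * Wherever a call takes more than one fuzzed argument, each draw is bound to a
 * named local first. C++ leaves the evaluation order of function arguments
 * unspecified, so drawing inline would make the mapping from input bytes to
 * parameters depend on the compiler, and a saved crash input might not replay
 * on another toolchain. The locals are drawn in parameter order, left to right.
 *
 * @param data fuzz input bytes
 * @param size number of bytes in data
 * @return always 0
 */
extern "C" int LLVMFuzzerTestOneInput(uint8_t* data, size_t size) {
    std::shared_ptr<ThreadSafeFuzzedDataProvider> fdp =
            std::make_shared<ThreadSafeFuzzedDataProvider>(data, size);

    FuzzInputListener fuzzListener;
    sp<FuzzInputReaderPolicy> fuzzPolicy = sp<FuzzInputReaderPolicy>::make(fdp);
    std::shared_ptr<FuzzEventHub> fuzzEventHub = std::make_shared<FuzzEventHub>(fdp);
    std::unique_ptr<FuzzInputReader> reader =
            std::make_unique<FuzzInputReader>(fuzzEventHub, fuzzPolicy, fuzzListener);

    // Build a vibration pattern of 1..260 elements, one fuzzed channel each.
    size_t patternCount = fdp->ConsumeIntegralInRange<size_t>(1, 260);
    VibrationSequence pattern(patternCount);
    for (size_t i = 0; i < patternCount; ++i) {
        VibrationElement element(i);
        const int32_t vibratorId = fdp->ConsumeIntegral<int32_t>();
        const uint8_t amplitude = fdp->ConsumeIntegral<uint8_t>();
        element.addChannel(vibratorId, amplitude);
        pattern.addElement(element);
    }
    {
        // repeat is unconstrained on purpose: negative and out-of-range indices are
        // part of what this target feeds to vibrate().
        const int32_t deviceId = fdp->ConsumeIntegral<int32_t>();
        const ssize_t repeat = fdp->ConsumeIntegral<ssize_t>();
        const int32_t token = fdp->ConsumeIntegral<int32_t>();
        reader->vibrate(deviceId, pattern, repeat, token);
    }

    // NOTE(review): the same provider is shared with the policy and the event hub.
    // If start() spawns a reader thread that also draws from fdp (the provider is
    // the thread-safe variant, which suggests so), byte consumption interleaves
    // across threads and a crashing input may not replay deterministically.
    reader->start();

    // Loop through reader operations until randomness is exhausted.
    while (fdp->remaining_bytes() > 0) {
        fdp->PickValueInArray<std::function<void()>>({
                [&]() -> void {
                    std::string dump;
                    reader->dump(dump);
                },
                [&]() -> void { reader->monitor(); },
                [&]() -> void { reader->getInputDevices(); },
                [&]() -> void {
                    const int32_t deviceId = fdp->ConsumeIntegral<int32_t>();
                    const uint32_t sourceMask = fdp->ConsumeIntegral<uint32_t>();
                    const int32_t scanCode = fdp->ConsumeIntegral<int32_t>();
                    reader->getScanCodeState(deviceId, sourceMask, scanCode);
                },
                [&]() -> void {
                    const int32_t deviceId = fdp->ConsumeIntegral<int32_t>();
                    const uint32_t sourceMask = fdp->ConsumeIntegral<uint32_t>();
                    const int32_t keyCode = fdp->ConsumeIntegral<int32_t>();
                    reader->getKeyCodeState(deviceId, sourceMask, keyCode);
                },
                [&]() -> void {
                    const int32_t deviceId = fdp->ConsumeIntegral<int32_t>();
                    const uint32_t sourceMask = fdp->ConsumeIntegral<uint32_t>();
                    const int32_t sw = fdp->ConsumeIntegral<int32_t>();
                    reader->getSwitchState(deviceId, sourceMask, sw);
                },
                [&]() -> void { reader->toggleCapsLockState(fdp->ConsumeIntegral<int32_t>()); },
                [&]() -> void { reader->resetLockedModifierState(); },
                [&]() -> void {
                    // outFlags is sized from the same count as keyCodes, so the raw
                    // pointer handed to hasKeys() always has one byte per key code.
                    size_t count = fdp->ConsumeIntegralInRange<size_t>(1, 1024);
                    std::vector<uint8_t> outFlags(count);
                    std::vector<int32_t> keyCodes;
                    keyCodes.reserve(count);
                    for (size_t i = 0; i < count; ++i) {
                        keyCodes.push_back(fdp->ConsumeIntegral<int32_t>());
                    }
                    const int32_t deviceId = fdp->ConsumeIntegral<int32_t>();
                    const uint32_t sourceMask = fdp->ConsumeIntegral<uint32_t>();
                    reader->hasKeys(deviceId, sourceMask, keyCodes, outFlags.data());
                },
                [&]() -> void {
                    reader->requestRefreshConfiguration(
                            InputReaderConfiguration::Change(fdp->ConsumeIntegral<uint32_t>()));
                },
                [&]() -> void {
                    const int32_t deviceId = fdp->ConsumeIntegral<int32_t>();
                    const int32_t token = fdp->ConsumeIntegral<int32_t>();
                    reader->cancelVibrate(deviceId, token);
                },
                [&]() -> void {
                    const int32_t deviceId = fdp->ConsumeIntegral<int32_t>();
                    const int32_t displayId = fdp->ConsumeIntegral<int32_t>();
                    reader->canDispatchToDisplay(deviceId, ui::LogicalDisplayId{displayId});
                },
                [&]() -> void {
                    const int32_t deviceId = fdp->ConsumeIntegral<int32_t>();
                    const int32_t locationKeyCode = fdp->ConsumeIntegral<int32_t>();
                    reader->getKeyCodeForKeyLocation(deviceId, locationKeyCode);
                },
                [&]() -> void { reader->getBatteryCapacity(fdp->ConsumeIntegral<int32_t>()); },
                [&]() -> void { reader->getBatteryStatus(fdp->ConsumeIntegral<int32_t>()); },
                [&]() -> void { reader->getBatteryDevicePath(fdp->ConsumeIntegral<int32_t>()); },
                [&]() -> void { reader->getLights(fdp->ConsumeIntegral<int32_t>()); },
                [&]() -> void { reader->getSensors(fdp->ConsumeIntegral<int32_t>()); },
                [&]() -> void {
                    const int32_t deviceId = fdp->ConsumeIntegral<int32_t>();
                    const int32_t lightId = fdp->ConsumeIntegral<int32_t>();
                    reader->getLightPlayerId(deviceId, lightId);
                },
                [&]() -> void {
                    const int32_t deviceId = fdp->ConsumeIntegral<int32_t>();
                    const int32_t lightId = fdp->ConsumeIntegral<int32_t>();
                    reader->getLightColor(deviceId, lightId);
                },
                [&]() -> void {
                    const int32_t deviceId = fdp->ConsumeIntegral<int32_t>();
                    const int32_t lightId = fdp->ConsumeIntegral<int32_t>();
                    const int32_t playerId = fdp->ConsumeIntegral<int32_t>();
                    reader->setLightPlayerId(deviceId, lightId, playerId);
                },
                [&]() -> void {
                    const int32_t deviceId = fdp->ConsumeIntegral<int32_t>();
                    const int32_t lightId = fdp->ConsumeIntegral<int32_t>();
                    const int32_t color = fdp->ConsumeIntegral<int32_t>();
                    reader->setLightColor(deviceId, lightId, color);
                },
                [&]() -> void {
                    const int32_t deviceId = fdp->ConsumeIntegral<int32_t>();
                    const auto sensorType = fdp->PickValueInArray<InputDeviceSensorType>(
                            kInputDeviceSensorType);
                    reader->flushSensor(deviceId, sensorType);
                },
                [&]() -> void {
                    const int32_t deviceId = fdp->ConsumeIntegral<int32_t>();
                    const auto sensorType = fdp->PickValueInArray<InputDeviceSensorType>(
                            kInputDeviceSensorType);
                    reader->disableSensor(deviceId, sensorType);
                },
                [&]() -> void {
                    const int32_t deviceId = fdp->ConsumeIntegral<int32_t>();
                    const auto sensorType = fdp->PickValueInArray<InputDeviceSensorType>(
                            kInputDeviceSensorType);
                    // The periods are built from full-range size_t draws, so values that
                    // do not fit the duration's signed representation are exercised too.
                    const std::chrono::microseconds samplingPeriod(
                            fdp->ConsumeIntegral<size_t>());
                    const std::chrono::microseconds maxBatchReportLatency(
                            fdp->ConsumeIntegral<size_t>());
                    reader->enableSensor(deviceId, sensorType, samplingPeriod,
                                         maxBatchReportLatency);
                },
                [&]() -> void { reader->getBluetoothAddress(fdp->ConsumeIntegral<int32_t>()); },
        })();
    }

    reader->stop();
    return 0;
}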
306
307 } // namespace android
308