You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3.3 KiB
3.3 KiB
Fuzzer for libaaudioservice
Plugin Design Considerations
The fuzzer plugin for libaaudioservice is designed based on the understanding of the service and tries to achieve the following:
Maximize code coverage
The configuration parameters are not hardcoded, but instead selected based on incoming data. This ensures more code paths are reached by the fuzzer.
AAudio Service request contains the following parameters:
- AAudioFormat
- UserId
- ProcessId
- InService
- DeviceId
- SampleRate
- SamplesPerFrame
- Direction
- SharingMode
- Usage
- ContentType
- InputPreset
- BufferCapacity
Parameter | Valid Input Values | Configured Value |
---|---|---|
AAudioFormat |
AAUDIO_FORMAT_UNSPECIFIED , AAUDIO_FORMAT_PCM_I16 , AAUDIO_FORMAT_PCM_FLOAT |
Value chosen from valid values by obtaining index from FuzzedDataProvider |
UserId |
INT32_MIN to INT32_MAX |
Value obtained from getuid() |
ProcessId |
INT32_MIN to INT32_MAX |
Value obtained from getpid() |
InService |
bool |
Value obtained from FuzzedDataProvider |
DeviceId |
INT32_MIN to INT32_MAX |
Value obtained from FuzzedDataProvider |
SampleRate |
INT32_MIN to INT32_MAX |
Value obtained from FuzzedDataProvider |
SamplesPerFrame |
INT32_MIN to INT32_MAX |
Value obtained from FuzzedDataProvider |
Direction |
AAUDIO_DIRECTION_OUTPUT , AAUDIO_DIRECTION_INPUT |
Value chosen from valid values by obtaining index from FuzzedDataProvider |
SharingMode |
AAUDIO_SHARING_MODE_EXCLUSIVE , AAUDIO_SHARING_MODE_SHARED |
Value chosen from valid values by obtaining index from FuzzedDataProvider |
Usage |
AAUDIO_USAGE_MEDIA , AAUDIO_USAGE_VOICE_COMMUNICATION , AAUDIO_USAGE_VOICE_COMMUNICATION_SIGNALLING , AAUDIO_USAGE_ALARM , AAUDIO_USAGE_NOTIFICATION , AAUDIO_USAGE_NOTIFICATION_RINGTONE , AAUDIO_USAGE_NOTIFICATION_EVENT , AAUDIO_USAGE_ASSISTANCE_ACCESSIBILITY , AAUDIO_USAGE_ASSISTANCE_NAVIGATION_GUIDANCE , AAUDIO_USAGE_ASSISTANCE_SONIFICATION , AAUDIO_USAGE_GAME , AAUDIO_USAGE_ASSISTANT , AAUDIO_SYSTEM_USAGE_EMERGENCY , AAUDIO_SYSTEM_USAGE_SAFETY , AAUDIO_SYSTEM_USAGE_VEHICLE_STATUS , AAUDIO_SYSTEM_USAGE_ANNOUNCEMENT |
Value chosen from valid values by obtaining index from FuzzedDataProvider |
ContentType |
AAUDIO_CONTENT_TYPE_SPEECH , AAUDIO_CONTENT_TYPE_MUSIC , AAUDIO_CONTENT_TYPE_MOVIE , AAUDIO_CONTENT_TYPE_SONIFICATION |
Value chosen from valid values by obtaining index from FuzzedDataProvider |
InputPreset |
AAUDIO_INPUT_PRESET_GENERIC , AAUDIO_INPUT_PRESET_CAMCORDER , AAUDIO_INPUT_PRESET_VOICE_RECOGNITION , AAUDIO_INPUT_PRESET_VOICE_COMMUNICATION , AAUDIO_INPUT_PRESET_UNPROCESSED , AAUDIO_INPUT_PRESET_VOICE_PERFORMANCE |
Value chosen from valid values by obtaining index from FuzzedDataProvider |
BufferCapacity |
INT32_MIN to INT32_MAX |
Value obtained from FuzzedDataProvider |
This also ensures that the plugin is always deterministic for any given input.
Build
This describes steps to build oboeservice_fuzzer binary.
Android
Steps to build
Build the fuzzer
$ mm -j$(nproc) oboeservice_fuzzer
Steps to run
To run on device
$ adb sync data
$ adb shell /data/fuzz/arm64/oboeservice_fuzzer/oboeservice_fuzzer