Fuzzer for libaaudio

Plugin Design Considerations

The fuzzer plugin for libaaudio is designed based on an understanding of the source code and tries to achieve the following:

Maximize code coverage

The configuration parameters are not hardcoded, but instead selected based on incoming data. This ensures more code paths are reached by the fuzzer.

The fuzzer assigns values to the following parameters, which it passes on to libaaudio:

  1. Device Id (parameter name: deviceId)
  2. Sampling Rate (parameter name: sampleRate)
  3. Number of channels (parameter name: channelCount)
  4. Audio Travel Direction (parameter name: direction)
  5. Audio Format (parameter name: format)
  6. Audio Sharing Mode (parameter name: sharingMode)
  7. Audio Usage (parameter name: usage)
  8. Audio Content type (parameter name: contentType)
  9. Audio Input Preset (parameter name: inputPreset)
  10. Audio Privacy Sensitivity (parameter name: privacySensitive)
  11. Buffer Capacity In Frames (parameter name: frames)
  12. Performance Mode (parameter name: mode)
  13. Allowed Capture Policy (parameter name: allowedCapturePolicy)
  14. Session Id (parameter name: sessionId)
  15. Frames per Data Callback (parameter name: framesPerDataCallback)
  16. MMap Policy (parameter name: policy)

| Parameter | Valid Values | Configured Value |
|---|---|---|
| deviceId | Any value of type int32_t | Value obtained from FuzzedDataProvider |
| sampleRate | Any value of type int32_t | Value obtained from FuzzedDataProvider |
| channelCount | Any value of type int32_t | Value obtained from FuzzedDataProvider |
| direction | 0. AAUDIO_DIRECTION_OUTPUT 1. AAUDIO_DIRECTION_INPUT | Value obtained from FuzzedDataProvider |
| format | 0. AAUDIO_FORMAT_INVALID 1. AAUDIO_FORMAT_UNSPECIFIED 2. AAUDIO_FORMAT_PCM_I16 3. AAUDIO_FORMAT_PCM_FLOAT | Value obtained from FuzzedDataProvider |
| sharingMode | 0. AAUDIO_SHARING_MODE_EXCLUSIVE 1. AAUDIO_SHARING_MODE_SHARED | Value obtained from FuzzedDataProvider |
| usage | 0. AAUDIO_USAGE_MEDIA 1. AAUDIO_USAGE_VOICE_COMMUNICATION 2. AAUDIO_USAGE_VOICE_COMMUNICATION_SIGNALLING 3. AAUDIO_USAGE_ALARM 4. AAUDIO_USAGE_NOTIFICATION 5. AAUDIO_USAGE_NOTIFICATION_RINGTONE 6. AAUDIO_USAGE_NOTIFICATION_EVENT 7. AAUDIO_USAGE_ASSISTANCE_ACCESSIBILITY 8. AAUDIO_USAGE_ASSISTANCE_NAVIGATION_GUIDANCE 9. AAUDIO_USAGE_ASSISTANCE_SONIFICATION 10. AAUDIO_USAGE_GAME 11. AAUDIO_USAGE_ASSISTANT 12. AAUDIO_SYSTEM_USAGE_EMERGENCY 13. AAUDIO_SYSTEM_USAGE_SAFETY 14. AAUDIO_SYSTEM_USAGE_VEHICLE_STATUS 15. AAUDIO_SYSTEM_USAGE_ANNOUNCEMENT | Value obtained from FuzzedDataProvider |
| contentType | 0. AAUDIO_CONTENT_TYPE_SPEECH 1. AAUDIO_CONTENT_TYPE_MUSIC 2. AAUDIO_CONTENT_TYPE_MOVIE 3. AAUDIO_CONTENT_TYPE_SONIFICATION | Value obtained from FuzzedDataProvider |
| inputPreset | 0. AAUDIO_INPUT_PRESET_GENERIC 1. AAUDIO_INPUT_PRESET_CAMCORDER 2. AAUDIO_INPUT_PRESET_VOICE_RECOGNITION 3. AAUDIO_INPUT_PRESET_VOICE_COMMUNICATION 4. AAUDIO_INPUT_PRESET_UNPROCESSED 5. AAUDIO_INPUT_PRESET_VOICE_PERFORMANCE | Value obtained from FuzzedDataProvider |
| privacySensitive | 0. true 1. false | Value obtained from FuzzedDataProvider |
| frames | Any value of type int32_t | Value obtained from FuzzedDataProvider |
| mode | 0. AAUDIO_PERFORMANCE_MODE_NONE 1. AAUDIO_PERFORMANCE_MODE_POWER_SAVING 2. AAUDIO_PERFORMANCE_MODE_LOW_LATENCY | Value obtained from FuzzedDataProvider |
| allowedCapturePolicy | 0. AAUDIO_ALLOW_CAPTURE_BY_ALL 1. AAUDIO_ALLOW_CAPTURE_BY_SYSTEM 2. AAUDIO_ALLOW_CAPTURE_BY_NONE | Value obtained from FuzzedDataProvider |
| sessionId | 0. AAUDIO_SESSION_ID_NONE 1. AAUDIO_SESSION_ID_ALLOCATE | Value obtained from FuzzedDataProvider |
| framesPerDataCallback | Any value of type int32_t | Value obtained from FuzzedDataProvider |
| policy | 0. AAUDIO_POLICY_NEVER 1. AAUDIO_POLICY_AUTO 2. AAUDIO_POLICY_ALWAYS | Value obtained from FuzzedDataProvider |

This also ensures that the plugin is always deterministic for any given input.

Maximize utilization of input data

The plugin feeds the entire input data to the module. This ensures that the plugin tolerates any kind of input (empty, huge, malformed, etc.) and doesn't exit() on any input, thereby increasing the chance of identifying vulnerabilities.
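
The following is an added example, not the fuzzer's own code: it shows how input bytes can drive the parameter selection described under "Maximize code coverage" while staying deterministic and tolerating empty or truncated input. ByteSource is a hypothetical stand-in for FuzzedDataProvider; the field order, the five-parameter subset and the sample bytes are assumptions made for illustration.

```cpp
// Added example; ByteSource is a hypothetical stand-in, not libFuzzer's FuzzedDataProvider.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>

class ByteSource {
public:
    ByteSource(const uint8_t* data, size_t size) : data_(data), size_(size) {}
    // Any int32_t (little-endian); exhausted input reads as zero bytes.
    int32_t takeInt32() {
        uint32_t v = 0;
        for (int i = 0; i < 4; ++i) v |= static_cast<uint32_t>(takeByte()) << (8 * i);
        int32_t out;
        std::memcpy(&out, &v, sizeof(out));
        return out;
    }
    // One entry of a fixed list of valid values, indexed by the next byte.
    template <typename T, size_t N>
    T pick(const T (&values)[N]) { return values[takeByte() % N]; }
private:
    uint8_t takeByte() { if (size_ == 0) return 0; --size_; return *data_++; }
    const uint8_t* data_;
    size_t size_;
};

const char* const kDirections[] = {"AAUDIO_DIRECTION_OUTPUT", "AAUDIO_DIRECTION_INPUT"};
const char* const kFormats[] = {"AAUDIO_FORMAT_INVALID", "AAUDIO_FORMAT_UNSPECIFIED",
                                "AAUDIO_FORMAT_PCM_I16", "AAUDIO_FORMAT_PCM_FLOAT"};

struct StreamConfig { int32_t deviceId, sampleRate, channelCount; std::string direction, format; };

// Same bytes in, same configuration out; no input makes this function bail out.
StreamConfig configFromInput(const uint8_t* data, size_t size) {
    ByteSource src(data, size);
    StreamConfig c;
    c.deviceId = src.takeInt32();
    c.sampleRate = src.takeInt32();
    c.channelCount = src.takeInt32();
    c.direction = src.pick(kDirections);
    c.format = src.pick(kFormats);
    return c;
}

// Constructed sample input: deviceId=1, sampleRate=48000, channelCount=2, then two selector bytes.
const uint8_t kSample[] = {0x01, 0, 0, 0, 0x80, 0xBB, 0, 0, 0x02, 0, 0, 0, 0x01, 0x06};

int main() {
    StreamConfig c = configFromInput(kSample, sizeof(kSample));
    std::printf("%d %d %d %s %s\n", c.deviceId, c.sampleRate, c.channelCount,
                c.direction.c_str(), c.format.c_str());
}
```

In this sketch the integer parameters are deliberately left unclamped, matching the table's "Any value of type int32_t", so that out-of-range values reach the library's own validation.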

Build

This section describes the steps to build the libaaudio_fuzzer binary.

Android

Steps to build

Build the fuzzer

  $ mm -j$(nproc) libaaudio_fuzzer

Steps to run

To run on device

  $ adb sync data
  $ adb shell /data/fuzz/arm64/libaaudio_fuzzer/libaaudio_fuzzer
