Fuzzer for libaudiopolicy

Plugin Design Considerations

The fuzzer plugin for libaudiopolicy is designed based on the understanding of the service and tries to achieve the following:

Maximize code coverage

The configuration parameters are not hardcoded, but instead selected based on incoming data. This ensures more code paths are reached by the fuzzer.

AudioPolicy APIs contain the following parameters:

  1. AudioFormats
  2. AudioChannelMasks
  3. AudioOutputFlags
  4. AudioDevices
  5. MixTypes
  6. MixRouteFlags
  7. SampleRates
  8. AudioUsages
  9. AudioContentTypes
  10. AudioSources
  11. AudioFlagMasks
  12. AudioPolicyDeviceStates
ParameterValid Input ValuesConfigured Value
AudioFormat77 values of type audio_format_tValue chosen from valid values by obtaining index from FuzzedDataProvider
AudioChannelMask83 values of type audio_channel_mask_tValue chosen from valid values by obtaining index from FuzzedDataProvider
AudioOutputFlag16 values of type audio_output_flags_tValue chosen from valid values by obtaining index from FuzzedDataProvider
AudioDeviceAUDIO_DEVICE_OUT_AUX_DIGITAL, AUDIO_DEVICE_OUT_STUB, AUDIO_DEVICE_IN_VOICE_CALL, AUDIO_DEVICE_IN_AUX_DIGITAL, AUDIO_DEVICE_IN_STUBValue chosen from valid values by obtaining index from FuzzedDataProvider
MixTypeMIX_TYPE_PLAYERS, MIX_TYPE_RECORDERSValue chosen from valid values by obtaining index from FuzzedDataProvider
MixRouteFlagMIX_ROUTE_FLAG_RENDER, MIX_ROUTE_FLAG_LOOP_BACK, MIX_ROUTE_FLAG_LOOP_BACK_AND_RENDER, MIX_ROUTE_FLAG_ALLValue chosen from valid values by obtaining index from FuzzedDataProvider
SampleRate0 to UINT32_MAXValue obtained from FuzzedDataProvider
AudioUsageAUDIO_USAGE_NOTIFICATION_COMMUNICATION_REQUEST, AUDIO_USAGE_NOTIFICATION_COMMUNICATION_INSTANT, AUDIO_USAGE_NOTIFICATION_COMMUNICATION_DELAYED, AUDIO_USAGE_NOTIFICATION_EVENTValue chosen from valid values by obtaining index from FuzzedDataProvider
AudioContentTypeAUDIO_CONTENT_TYPE_UNKNOWN, AUDIO_CONTENT_TYPE_SPEECH, AUDIO_CONTENT_TYPE_MUSIC, AUDIO_CONTENT_TYPE_MOVIE, AUDIO_CONTENT_TYPE_SONIFICATIONValue chosen from valid values by obtaining index from FuzzedDataProvider
AudioSource14 values of type audio_source_tValue chosen from valid values by obtaining index from FuzzedDataProvider
AudioFlagMask15 values of type audio_flags_mask_tValue chosen from valid values by obtaining index from FuzzedDataProvider
AudioPolicyDeviceStatesAUDIO_POLICY_DEVICE_STATE_UNAVAILABLE, AUDIO_POLICY_DEVICE_STATE_AVAILABLE, AUDIO_POLICY_DEVICE_STATE_CNTValue chosen from valid values by obtaining index from FuzzedDataProvider

This also ensures that the plugin is always deterministic for any given input.

Build

This describes steps to build audiopolicy_fuzzer binary.

Android

Steps to build

Build the fuzzer

  $ mm -j$(nproc) audiopolicy_fuzzer

Steps to run

To run on device

  $ adb sync data
  $ adb shell /data/fuzz/arm64/audiopolicy_fuzzer/audiopolicy_fuzzer

References: