| -rw-r--r-- | libs/sensor/Android.bp | 3 | ||||
| -rw-r--r-- | services/sensorservice/aidl/Android.bp | 3 | ||||
| -rw-r--r-- | services/sensorservice/aidl/EventQueue.cpp | 2 | ||||
| -rw-r--r-- | services/sensorservice/aidl/fuzzer/Android.bp | 52 | ||||
| -rw-r--r-- | services/sensorservice/aidl/fuzzer/fuzzer.cpp | 53 |
5 files changed, 110 insertions, 3 deletions
diff --git a/libs/sensor/Android.bp b/libs/sensor/Android.bp index 2b93c6e85e..b6b9cc4099 100644 --- a/libs/sensor/Android.bp +++ b/libs/sensor/Android.bp @@ -21,9 +21,10 @@ package { default_applicable_licenses: ["frameworks_native_license"], } -cc_library_shared { +cc_library { name: "libsensor", + host_supported: true, cflags: [ "-Wall", "-Werror", diff --git a/services/sensorservice/aidl/Android.bp b/services/sensorservice/aidl/Android.bp index bbf49dac9e..34d1de72f9 100644 --- a/services/sensorservice/aidl/Android.bp +++ b/services/sensorservice/aidl/Android.bp @@ -7,7 +7,7 @@ package { default_applicable_licenses: ["frameworks_native_license"], } -cc_library_shared { +cc_library { name: "libsensorserviceaidl", srcs: [ "EventQueue.cpp", @@ -15,6 +15,7 @@ cc_library_shared { "SensorManager.cpp", "utils.cpp", ], + host_supported: true, cflags: [ "-Wall", "-Werror", diff --git a/services/sensorservice/aidl/EventQueue.cpp b/services/sensorservice/aidl/EventQueue.cpp index d4e8906b69..88ab7a7e41 100644 --- a/services/sensorservice/aidl/EventQueue.cpp +++ b/services/sensorservice/aidl/EventQueue.cpp @@ -34,7 +34,7 @@ public: std::shared_ptr<IEventQueueCallback> callback) : mQueue(queue), mCallback(callback) {} - int handleEvent(__unused int fd, __unused int events, __unused void* data) { + int handleEvent(int /* fd */, int /* events */, void* /* data */) { ASensorEvent event; ssize_t actual; diff --git a/services/sensorservice/aidl/fuzzer/Android.bp b/services/sensorservice/aidl/fuzzer/Android.bp new file mode 100644 index 0000000000..0d6e476e70 --- /dev/null +++ b/services/sensorservice/aidl/fuzzer/Android.bp 
@@ -0,0 +1,52 @@
+package {
+ // See: http://go/android-license-faq
+ // A large-scale-change added 'default_applicable_licenses' to import
+ // all of the 'license_kinds' from "frameworks_native_license"
+ // to get the below license kinds:
+ // SPDX-license-identifier-Apache-2.0
+ default_applicable_licenses: ["frameworks_native_license"],
+}
+
+cc_fuzz {
+ name: "libsensorserviceaidl_fuzzer",
+ defaults: [
+ "service_fuzzer_defaults",
+ ],
+ host_supported: true,
+ static_libs: [
+ "libsensorserviceaidl",
+ "libpermission",
+ "android.frameworks.sensorservice-V1-ndk",
+ "android.hardware.sensors-V1-convert",
+ "android.hardware.sensors-V1-ndk",
+ "android.hardware.common-V2-ndk",
+ "libsensor",
+ "libfakeservicemanager",
+ "libcutils",
+ "liblog",
+ ],
+ srcs: [
+ "fuzzer.cpp",
+ ],
+ fuzz_config: {
+ cc: [
+ "android-sensors@google.com",
+ "devinmoore@google.com",
+ ],
+ },
+ sanitize: {
+ misc_undefined: [
+ "signed-integer-overflow",
+ "unsigned-integer-overflow",
+ ],
+ diag: {
+ misc_undefined: [
+ "signed-integer-overflow",
+ "unsigned-integer-overflow",
+ ],
+ },
+ address: true,
+ integer_overflow: true,
+ },
+
+}
diff --git a/services/sensorservice/aidl/fuzzer/fuzzer.cpp b/services/sensorservice/aidl/fuzzer/fuzzer.cpp
new file mode 100644
index 0000000000..1b63d76953
--- /dev/null
+++ b/services/sensorservice/aidl/fuzzer/fuzzer.cpp
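Review bot: In the `sanitize` block of services/sensorservice/aidl/fuzzer/Android.bp the same two checks are requested three times: `misc_undefined` and `diag.misc_undefined` both list `signed-integer-overflow` and `unsigned-integer-overflow`, and `integer_overflow: true` is set as well, which as far as I know already enables both. Unsigned wraparound is defined behaviour in C++, so reports from `unsigned-integer-overflow` need triage before being read as memory-safety findings. A comment above the block, e.g. `// unsigned-integer-overflow is deliberate: wraparound in size/index arithmetic is treated as a finding`, would record whether that noise is wanted. The stray blank line before the closing `}` can go at the same time.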
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2022 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <fuzzbinder/libbinder_ndk_driver.h>
+#include <fuzzer/FuzzedDataProvider.h>
+
+#include <ServiceManager.h>
+#include <android-base/logging.h>
+#include <android/binder_interface_utils.h>
+#include <fuzzbinder/random_binder.h>
+#include <sensorserviceaidl/SensorManagerAidl.h>
+
+using android::fuzzService;
+using android::frameworks::sensorservice::implementation::SensorManagerAidl;
+using ndk::SharedRefBase;
+
+[[clang::no_destroy]] static std::once_flag gSmOnce;
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ static android::sp<android::ServiceManager> fakeServiceManager = new android::ServiceManager();
+ std::call_once(gSmOnce, [&] { setDefaultServiceManager(fakeServiceManager); });
+ fakeServiceManager->clear();
+
+ FuzzedDataProvider fdp(data, size);
+ android::sp<android::IBinder> binder = android::getRandomBinder(&fdp);
+ if (binder == nullptr) {
+ // Nothing to do if we get a null binder. It will cause SensorManager to
+ // hang while trying to get sensorservice.
+ return 0;
+ }
+
+ CHECK(android::NO_ERROR == fakeServiceManager->addService(android::String16("sensorservice"),
+ binder));
+
+ std::shared_ptr<SensorManagerAidl> sensorService =
+ ndk::SharedRefBase::make<SensorManagerAidl>(nullptr);
+
+ fuzzService(sensorService->asBinder().get(), std::move(fdp));
+
+ return 0;
+}
|
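Review bot: `ndk::SharedRefBase::make<SensorManagerAidl>(nullptr)` builds the service under test with a null constructor argument, and nothing in the file says why that is safe. The hunk does not show what the parameter is; if any method reachable through `fuzzService` dereferences it, the fuzzer will report harness-induced null dereferences that bury real findings. I would add a comment on that line, e.g. `// nullptr: <what this argument is, and why no fuzzed transaction dereferences it>`, or pass a stub if one is needed. Separately, `std::once_flag` and `std::call_once` are used but `<mutex>` is not among the added includes, so the file builds only through a transitive include; add `#include <mutex>`.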