1 /*
2 * Copyright 2022 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <InputReader.h>
18 #include <MapperHelpers.h>
19 #include <fuzzer/FuzzedDataProvider.h>
20 #include <input/InputDevice.h>
21 #include <chrono>
22 #include <thread>
23
24 namespace android {
25
// Sensor types the harness picks from (via PickValueInArray) when it exercises flushSensor(),
// disableSensor() and enableSensor() in LLVMFuzzerTestOneInput.
// NOTE(review): a sensor type missing from this list is never passed to those calls, so the
// list should track InputDeviceSensorType — confirm against the enum's definition.
constexpr InputDeviceSensorType kInputDeviceSensorType[] = {
        InputDeviceSensorType::ACCELEROMETER,
        InputDeviceSensorType::MAGNETIC_FIELD,
        InputDeviceSensorType::ORIENTATION,
        InputDeviceSensorType::GYROSCOPE,
        InputDeviceSensorType::LIGHT,
        InputDeviceSensorType::PRESSURE,
        InputDeviceSensorType::TEMPERATURE,
        InputDeviceSensorType::PROXIMITY,
        InputDeviceSensorType::GRAVITY,
        InputDeviceSensorType::LINEAR_ACCELERATION,
        InputDeviceSensorType::ROTATION_VECTOR,
        InputDeviceSensorType::RELATIVE_HUMIDITY,
        InputDeviceSensorType::AMBIENT_TEMPERATURE,
        InputDeviceSensorType::MAGNETIC_FIELD_UNCALIBRATED,
        InputDeviceSensorType::GAME_ROTATION_VECTOR,
        InputDeviceSensorType::GYROSCOPE_UNCALIBRATED,
        InputDeviceSensorType::SIGNIFICANT_MOTION,
};
45
/**
 * InputReaderInterface adapter for the fuzz harness. It builds an InputReader from the supplied
 * event hub, policy and listener, owns it, and forwards every call to it without modification.
 *
 * NOTE(review): only getLastUsedInputDeviceId() is marked `override`. Marking the remaining
 * forwarders the same way would let the compiler reject any whose signature no longer matches
 * InputReaderInterface, instead of leaving a forwarder the interface never dispatches to.
 */
class FuzzInputReader : public InputReaderInterface {
public:
    // fuzzListener is taken by reference. Whether InputReader retains that reference is not
    // visible here, so callers should keep the listener alive for as long as this object.
    FuzzInputReader(std::shared_ptr<EventHubInterface> fuzzEventHub,
                    const sp<InputReaderPolicyInterface>& fuzzPolicy,
                    InputListenerInterface& fuzzListener)
          : mReader(std::make_unique<InputReader>(fuzzEventHub, fuzzPolicy, fuzzListener)) {}

    // --- Diagnostics and lifecycle ---

    void dump(std::string& dump) {
        mReader->dump(dump);
    }

    void monitor() {
        mReader->monitor();
    }

    status_t start() {
        return mReader->start();
    }

    status_t stop() {
        return mReader->stop();
    }

    // --- Device, key and switch queries ---

    std::vector<InputDeviceInfo> getInputDevices() const {
        return mReader->getInputDevices();
    }

    int32_t getScanCodeState(int32_t deviceId, uint32_t sourceMask, int32_t scanCode) {
        return mReader->getScanCodeState(deviceId, sourceMask, scanCode);
    }

    int32_t getKeyCodeState(int32_t deviceId, uint32_t sourceMask, int32_t keyCode) {
        return mReader->getKeyCodeState(deviceId, sourceMask, keyCode);
    }

    int32_t getSwitchState(int32_t deviceId, uint32_t sourceMask, int32_t sw) {
        return mReader->getSwitchState(deviceId, sourceMask, sw);
    }

    void toggleCapsLockState(int32_t deviceId) {
        mReader->toggleCapsLockState(deviceId);
    }

    // outFlags is forwarded as a bare pointer with no length. The harness in this file passes a
    // buffer with one byte per key code; presumably that is the required minimum — confirm
    // against InputReader::hasKeys.
    bool hasKeys(int32_t deviceId, uint32_t sourceMask, const std::vector<int32_t>& keyCodes,
                 uint8_t* outFlags) {
        return mReader->hasKeys(deviceId, sourceMask, keyCodes, outFlags);
    }

    void requestRefreshConfiguration(ConfigurationChanges changes) {
        mReader->requestRefreshConfiguration(changes);
    }

    // --- Vibrator ---

    void vibrate(int32_t deviceId, const VibrationSequence& sequence, ssize_t repeat,
                 int32_t token) {
        mReader->vibrate(deviceId, sequence, repeat, token);
    }

    void cancelVibrate(int32_t deviceId, int32_t token) {
        mReader->cancelVibrate(deviceId, token);
    }

    bool isVibrating(int32_t deviceId) {
        return mReader->isVibrating(deviceId);
    }

    std::vector<int32_t> getVibratorIds(int32_t deviceId) {
        return mReader->getVibratorIds(deviceId);
    }

    // --- Battery ---

    std::optional<int32_t> getBatteryCapacity(int32_t deviceId) {
        return mReader->getBatteryCapacity(deviceId);
    }

    std::optional<int32_t> getBatteryStatus(int32_t deviceId) {
        return mReader->getBatteryStatus(deviceId);
    }

    std::optional<std::string> getBatteryDevicePath(int32_t deviceId) {
        return mReader->getBatteryDevicePath(deviceId);
    }

    // --- Lights, sensors and display routing ---

    std::vector<InputDeviceLightInfo> getLights(int32_t deviceId) {
        return mReader->getLights(deviceId);
    }

    std::vector<InputDeviceSensorInfo> getSensors(int32_t deviceId) {
        return mReader->getSensors(deviceId);
    }

    bool canDispatchToDisplay(int32_t deviceId, ui::LogicalDisplayId displayId) {
        return mReader->canDispatchToDisplay(deviceId, displayId);
    }

    bool enableSensor(int32_t deviceId, InputDeviceSensorType sensorType,
                      std::chrono::microseconds samplingPeriod,
                      std::chrono::microseconds maxBatchReportLatency) {
        return mReader->enableSensor(deviceId, sensorType, samplingPeriod, maxBatchReportLatency);
    }

    void disableSensor(int32_t deviceId, InputDeviceSensorType sensorType) {
        mReader->disableSensor(deviceId, sensorType);
    }

    void flushSensor(int32_t deviceId, InputDeviceSensorType sensorType) {
        mReader->flushSensor(deviceId, sensorType);
    }

    bool setLightColor(int32_t deviceId, int32_t lightId, int32_t color) {
        return mReader->setLightColor(deviceId, lightId, color);
    }

    bool setLightPlayerId(int32_t deviceId, int32_t lightId, int32_t playerId) {
        return mReader->setLightPlayerId(deviceId, lightId, playerId);
    }

    std::optional<int32_t> getLightColor(int32_t deviceId, int32_t lightId) {
        return mReader->getLightColor(deviceId, lightId);
    }

    std::optional<int32_t> getLightPlayerId(int32_t deviceId, int32_t lightId) {
        return mReader->getLightPlayerId(deviceId, lightId);
    }

    // --- Key mapping, Bluetooth and sysfs ---

    void addKeyRemapping(int32_t deviceId, int32_t fromKeyCode, int32_t toKeyCode) const {
        mReader->addKeyRemapping(deviceId, fromKeyCode, toKeyCode);
    }

    int32_t getKeyCodeForKeyLocation(int32_t deviceId, int32_t locationKeyCode) const {
        return mReader->getKeyCodeForKeyLocation(deviceId, locationKeyCode);
    }

    std::optional<std::string> getBluetoothAddress(int32_t deviceId) const {
        return mReader->getBluetoothAddress(deviceId);
    }

    void sysfsNodeChanged(const std::string& sysfsNodePath) {
        mReader->sysfsNodeChanged(sysfsNodePath);
    }

    DeviceId getLastUsedInputDeviceId() override {
        return mReader->getLastUsedInputDeviceId();
    }

private:
    // The InputReader under test; created in the constructor and never replaced.
    std::unique_ptr<InputReaderInterface> mReader;
};
175
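/**
 * libFuzzer entry point. Wraps an InputReader (through FuzzInputReader) around a FuzzEventHub and
 * a FuzzInputReaderPolicy, both constructed from the shared data provider, plus a
 * FuzzInputListener. It issues one vibrate() call, starts the reader, and then keeps invoking a
 * fuzzer-selected reader operation with fuzzer-chosen arguments until the input is used up.
 *
 * Every value taken from the data provider is read in its own statement, in parameter order.
 * C++ leaves the evaluation order of function arguments unspecified, so consuming bytes inside an
 * argument list makes the byte-to-argument mapping depend on the toolchain, and a saved
 * reproducer may not replay the same calls on another build.
 *
 * NOTE(review): fdp is shared with the policy and the event hub and is a
 * ThreadSafeFuzzedDataProvider. If start() runs the reader on its own thread (confirm in
 * InputReader), bytes are consumed concurrently with the loop below, so a given input need not
 * produce the same call sequence on every run and a crash may be timing-dependent.
 *
 * NOTE(review): isVibrating, getVibratorIds, addKeyRemapping, sysfsNodeChanged and
 * getLastUsedInputDeviceId are wrapped by FuzzInputReader but never invoked here. Adding them to
 * the operation list changes its length, which likely changes which operation existing corpus
 * inputs select.
 *
 * @param data fuzzer-provided input bytes
 * @param size number of bytes at data
 * @return always 0
 */
extern "C" int LLVMFuzzerTestOneInput(uint8_t* data, size_t size) {
    std::shared_ptr<ThreadSafeFuzzedDataProvider> fdp =
            std::make_shared<ThreadSafeFuzzedDataProvider>(data, size);

    // reader is declared last, so it is destroyed before the listener, policy and event hub it
    // was constructed from.
    FuzzInputListener fuzzListener;
    sp<FuzzInputReaderPolicy> fuzzPolicy = sp<FuzzInputReaderPolicy>::make(fdp);
    std::shared_ptr<FuzzEventHub> fuzzEventHub = std::make_shared<FuzzEventHub>(fdp);
    std::unique_ptr<FuzzInputReader> reader =
            std::make_unique<FuzzInputReader>(fuzzEventHub, fuzzPolicy, fuzzListener);

    // Build a vibration pattern of 1..260 single-channel elements.
    size_t patternCount = fdp->ConsumeIntegralInRange<size_t>(1, 260);
    VibrationSequence pattern(patternCount);
    for (size_t i = 0; i < patternCount; ++i) {
        // NOTE(review): the constructor argument is the loop index, not a fuzzed value; confirm
        // against VibrationElement's constructor that this is what is intended.
        VibrationElement element(i);
        const int32_t vibratorId = fdp->ConsumeIntegral<int32_t>();
        const uint8_t amplitude = fdp->ConsumeIntegral<uint8_t>();
        element.addChannel(vibratorId, amplitude);
        pattern.addElement(element);
    }
    const int32_t vibrateDeviceId = fdp->ConsumeIntegral<int32_t>();
    const ssize_t repeat = fdp->ConsumeIntegral<ssize_t>();
    const int32_t token = fdp->ConsumeIntegral<int32_t>();
    reader->vibrate(vibrateDeviceId, pattern, repeat, token);
    reader->start();

    // Loop through mapper operations until randomness is exhausted.
    // The position of each lambda in this list is what the fuzzer input selects, so entries must
    // not be reordered.
    while (fdp->remaining_bytes() > 0) {
        fdp->PickValueInArray<std::function<void()>>({
                [&]() -> void {
                    std::string dump;
                    reader->dump(dump);
                },
                [&]() -> void { reader->monitor(); },
                [&]() -> void { reader->getInputDevices(); },
                [&]() -> void {
                    const int32_t deviceId = fdp->ConsumeIntegral<int32_t>();
                    const uint32_t sourceMask = fdp->ConsumeIntegral<uint32_t>();
                    const int32_t scanCode = fdp->ConsumeIntegral<int32_t>();
                    reader->getScanCodeState(deviceId, sourceMask, scanCode);
                },
                [&]() -> void {
                    const int32_t deviceId = fdp->ConsumeIntegral<int32_t>();
                    const uint32_t sourceMask = fdp->ConsumeIntegral<uint32_t>();
                    const int32_t keyCode = fdp->ConsumeIntegral<int32_t>();
                    reader->getKeyCodeState(deviceId, sourceMask, keyCode);
                },
                [&]() -> void {
                    const int32_t deviceId = fdp->ConsumeIntegral<int32_t>();
                    const uint32_t sourceMask = fdp->ConsumeIntegral<uint32_t>();
                    const int32_t sw = fdp->ConsumeIntegral<int32_t>();
                    reader->getSwitchState(deviceId, sourceMask, sw);
                },
                [&]() -> void { reader->toggleCapsLockState(fdp->ConsumeIntegral<int32_t>()); },
                [&]() -> void {
                    // outFlags gets one byte per key code, so the raw pointer handed to
                    // hasKeys() is backed by as many entries as keyCodes has.
                    size_t count = fdp->ConsumeIntegralInRange<size_t>(1, 1024);
                    std::vector<uint8_t> outFlags(count);
                    std::vector<int32_t> keyCodes;
                    keyCodes.reserve(count);
                    for (size_t i = 0; i < count; ++i) {
                        keyCodes.push_back(fdp->ConsumeIntegral<int32_t>());
                    }
                    const int32_t deviceId = fdp->ConsumeIntegral<int32_t>();
                    const uint32_t sourceMask = fdp->ConsumeIntegral<uint32_t>();
                    reader->hasKeys(deviceId, sourceMask, keyCodes, outFlags.data());
                },
                [&]() -> void {
                    // The raw 32-bit value is converted as-is, so bit patterns that match no
                    // single Change enumerator are passed through as well.
                    reader->requestRefreshConfiguration(
                            InputReaderConfiguration::Change(fdp->ConsumeIntegral<uint32_t>()));
                },
                [&]() -> void {
                    const int32_t deviceId = fdp->ConsumeIntegral<int32_t>();
                    const int32_t cancelToken = fdp->ConsumeIntegral<int32_t>();
                    reader->cancelVibrate(deviceId, cancelToken);
                },
                [&]() -> void {
                    const int32_t deviceId = fdp->ConsumeIntegral<int32_t>();
                    const ui::LogicalDisplayId displayId{fdp->ConsumeIntegral<int32_t>()};
                    reader->canDispatchToDisplay(deviceId, displayId);
                },
                [&]() -> void {
                    const int32_t deviceId = fdp->ConsumeIntegral<int32_t>();
                    const int32_t locationKeyCode = fdp->ConsumeIntegral<int32_t>();
                    reader->getKeyCodeForKeyLocation(deviceId, locationKeyCode);
                },
                [&]() -> void { reader->getBatteryCapacity(fdp->ConsumeIntegral<int32_t>()); },
                [&]() -> void { reader->getBatteryStatus(fdp->ConsumeIntegral<int32_t>()); },
                [&]() -> void { reader->getBatteryDevicePath(fdp->ConsumeIntegral<int32_t>()); },
                [&]() -> void { reader->getLights(fdp->ConsumeIntegral<int32_t>()); },
                [&]() -> void { reader->getSensors(fdp->ConsumeIntegral<int32_t>()); },
                [&]() -> void {
                    const int32_t deviceId = fdp->ConsumeIntegral<int32_t>();
                    const int32_t lightId = fdp->ConsumeIntegral<int32_t>();
                    reader->getLightPlayerId(deviceId, lightId);
                },
                [&]() -> void {
                    const int32_t deviceId = fdp->ConsumeIntegral<int32_t>();
                    const int32_t lightId = fdp->ConsumeIntegral<int32_t>();
                    reader->getLightColor(deviceId, lightId);
                },
                [&]() -> void {
                    const int32_t deviceId = fdp->ConsumeIntegral<int32_t>();
                    const int32_t lightId = fdp->ConsumeIntegral<int32_t>();
                    const int32_t playerId = fdp->ConsumeIntegral<int32_t>();
                    reader->setLightPlayerId(deviceId, lightId, playerId);
                },
                [&]() -> void {
                    const int32_t deviceId = fdp->ConsumeIntegral<int32_t>();
                    const int32_t lightId = fdp->ConsumeIntegral<int32_t>();
                    const int32_t color = fdp->ConsumeIntegral<int32_t>();
                    reader->setLightColor(deviceId, lightId, color);
                },
                [&]() -> void {
                    const int32_t deviceId = fdp->ConsumeIntegral<int32_t>();
                    const InputDeviceSensorType sensorType =
                            fdp->PickValueInArray<InputDeviceSensorType>(kInputDeviceSensorType);
                    reader->flushSensor(deviceId, sensorType);
                },
                [&]() -> void {
                    const int32_t deviceId = fdp->ConsumeIntegral<int32_t>();
                    const InputDeviceSensorType sensorType =
                            fdp->PickValueInArray<InputDeviceSensorType>(kInputDeviceSensorType);
                    reader->disableSensor(deviceId, sensorType);
                },
                [&]() -> void {
                    const int32_t deviceId = fdp->ConsumeIntegral<int32_t>();
                    const InputDeviceSensorType sensorType =
                            fdp->PickValueInArray<InputDeviceSensorType>(kInputDeviceSensorType);
                    const std::chrono::microseconds samplingPeriod(
                            fdp->ConsumeIntegral<size_t>());
                    const std::chrono::microseconds maxBatchReportLatency(
                            fdp->ConsumeIntegral<size_t>());
                    reader->enableSensor(deviceId, sensorType, samplingPeriod,
                                         maxBatchReportLatency);
                },
                [&]() -> void { reader->getBluetoothAddress(fdp->ConsumeIntegral<int32_t>()); },
        })();
    }

    // Stop the reader before the locals it was built from go out of scope.
    reader->stop();
    return 0;
}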
297
298 } // namespace android
299