# Fuzzers for libbtdevice

## Plugin Design Considerations
The fuzzer plugin for `libbtdevice` is designed based on an understanding of the
module's source code and tries to achieve the following:

##### Maximize code coverage
The configuration parameters are not hard-coded, but instead selected based on
incoming data. This ensures more code paths are reached by the fuzzers.

The fuzzer assigns values to the following parameters and passes them on to libbtdevice:
1. Bluetooth Interop Feature (parameter name: `interopFeature`)
2. Bluetooth eSCO Codec (parameter name: `escoCodec`)

| Parameter | Valid Values | Configured Value |
|-----------|--------------|------------------|
| `interopFeature` | 0: `INTEROP_DISABLE_LE_SECURE_CONNECTIONS`, 1: `INTEROP_AUTO_RETRY_PAIRING`, 2: `INTEROP_DISABLE_ABSOLUTE_VOLUME`, 3: `INTEROP_DISABLE_AUTO_PAIRING`, 4: `INTEROP_KEYBOARD_REQUIRES_FIXED_PIN`, 5: `INTEROP_2MBPS_LINK_ONLY`, 6: `INTEROP_HID_PREF_CONN_SUP_TIMEOUT_3S`, 7: `INTEROP_GATTC_NO_SERVICE_CHANGED_IND`, 8: `INTEROP_DISABLE_AVDTP_RECONFIGURE`, 9: `INTEROP_DYNAMIC_ROLE_SWITCH`, 10: `INTEROP_DISABLE_ROLE_SWITCH`, 11: `INTEROP_HID_HOST_LIMIT_SNIFF_INTERVAL`, 12: `INTEROP_DISABLE_NAME_REQUEST`, 13: `INTEROP_AVRCP_1_4_ONLY`, 14: `INTEROP_DISABLE_SNIFF`, 15: `INTEROP_DISABLE_AVDTP_SUSPEND`, 16: `INTEROP_SLC_SKIP_BIND_COMMAND`, 17: `INTEROP_AVRCP_1_3_ONLY` | Value obtained from FuzzedDataProvider |
| `escoCodec` | 0: `SCO_CODEC_CVSD_D1`, 1: `ESCO_CODEC_CVSD_S3`, 2: `ESCO_CODEC_CVSD_S4`, 3: `ESCO_CODEC_MSBC_T1`, 4: `ESCO_CODEC_MSBC_T2` | Value obtained from FuzzedDataProvider |

This also ensures that the plugins are always deterministic for any given input.

##### Maximize utilization of input data
The plugin feeds the entire input data to the module.
This ensures that the plugin tolerates any kind of input (empty, huge,
malformed, etc.) and never calls `exit()` on any input, thereby increasing the
chance of identifying vulnerabilities.

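The following is an added, stand-alone C++ sketch of the harness shape the two design points above describe; it is not the `btdevice_esco_fuzzer` source from AOSP. It assumes a small `ByteProvider` class standing in for libFuzzer's `FuzzedDataProvider` (same tail-consumption and exhausted-buffer behaviour for the two calls used, so the file builds without the libFuzzer header), assumes the leftover payload is handed to the module as a device name bounded to the 248-byte Bluetooth `BD_NAME` limit, and leaves out the actual calls into libbtdevice.

```cpp
// Added example (not the AOSP btdevice_esco_fuzzer source): models how a
// libFuzzer harness derives bounded enum choices plus a payload from one
// input, deterministically and without ever exit()ing.
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Sizes of the enumerations in the README's table: interopFeature is 0..17,
// escoCodec is 0..4.
constexpr int kInteropFeatureCount = 18;
constexpr int kEscoCodecCount = 5;

// Assumption: minimal stand-in for FuzzedDataProvider covering only the two
// calls this harness needs.
class ByteProvider {
 public:
  ByteProvider(const uint8_t* data, size_t size) : data_(data), remaining_(size) {}

  // Same contract as FuzzedDataProvider::ConsumeIntegralInRange for a range
  // that fits in one byte: integrals are taken from the END of the buffer so
  // the head stays a contiguous payload, and an exhausted buffer yields `min`
  // instead of aborting. That is what makes empty or tiny input safe.
  int ConsumeIntInRange(int min, int max) {
    if (remaining_ == 0) return min;
    const unsigned span = static_cast<unsigned>(max - min) + 1u;
    const uint8_t byte = data_[--remaining_];
    return min + static_cast<int>(byte % span);
  }

  // Hands back everything the integral picks did not eat, from the head.
  std::vector<uint8_t> ConsumeRemainingBytes() {
    std::vector<uint8_t> out(data_, data_ + remaining_);
    remaining_ = 0;
    return out;
  }

 private:
  const uint8_t* data_;
  size_t remaining_;
};

// Everything the harness derives from one fuzzer input.
struct FuzzParams {
  int interop_feature;           // 0..kInteropFeatureCount-1
  int esco_codec;                // 0..kEscoCodecCount-1
  std::vector<uint8_t> payload;  // all remaining bytes, fed to the module
};

// Deterministic: the same bytes always map to the same parameters, which is
// what lets libFuzzer minimise and reproduce a crashing input.
FuzzParams DeriveParams(const uint8_t* data, size_t size) {
  ByteProvider fdp(data, size);
  FuzzParams p;
  p.interop_feature = fdp.ConsumeIntInRange(0, kInteropFeatureCount - 1);
  p.esco_codec = fdp.ConsumeIntInRange(0, kEscoCodecCount - 1);
  p.payload = fdp.ConsumeRemainingBytes();
  return p;
}

// Assumption: the payload is presented to the module as a remote device
// name. A harness must bound and terminate it itself, otherwise a huge or
// unterminated fuzz payload overruns the harness's own fixed name buffer and
// the crash is blamed on the fuzzer, not the target.
constexpr size_t kMaxNameLen = 248;  // BD_NAME length from the Bluetooth spec

std::string PayloadAsDeviceName(const std::vector<uint8_t>& payload) {
  const size_t n = payload.size() < kMaxNameLen ? payload.size() : kMaxNameLen;
  std::string name(payload.begin(), payload.begin() + n);
  const size_t nul = name.find('\0');  // a C consumer stops at the first NUL
  if (nul != std::string::npos) name.resize(nul);
  return name;
}

// libFuzzer entry point. Returning 0 on every input (never exit()) keeps the
// fuzzer running; a bug must surface as a sanitizer report, not a clean exit.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  const FuzzParams p = DeriveParams(data, size);
  const std::string name = PayloadAsDeviceName(p.payload);
  // Real plugin: pass p.interop_feature, p.esco_codec and name to libbtdevice
  // here (calls omitted in this added example).
  (void)name;
  return 0;
}
```

Note that the two enum picks are consumed from the tail of the input, so a corpus file is laid out as `<payload bytes...><escoCodec byte><interopFeature byte>`; a one-byte file still yields a valid `interopFeature` and the default `escoCodec`, and an empty file yields both defaults with an empty payload.
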
## Build

This describes the steps to build the `btdevice_esco_fuzzer` binary.

### Android

#### Steps to build
Build the fuzzer
```
  $ mm -j$(nproc) btdevice_esco_fuzzer
```
#### Steps to run

To run on device
```
  $ adb sync data
  $ adb shell /data/fuzz/arm64/btdevice_esco_fuzzer/btdevice_esco_fuzzer
```

## References:
 * http://llvm.org/docs/LibFuzzer.html
 * https://github.com/google/oss-fuzz
