# Fuzzers for libbtdevice

## Plugin Design Considerations
The fuzzer plugin for `libbtdevice` is designed based on an understanding of the
source code and tries to achieve the following:

##### Maximize code coverage
The configuration parameters are not hard-coded, but instead selected based on
incoming data. This ensures more code paths are reached by the fuzzers.

The fuzzer assigns values to the following parameters to pass on to libbtdevice:
1. Bluetooth Interop Feature (parameter name: `interopFeature`)
2. Bluetooth eSCO Codec (parameter name: `escoCodec`)

| Parameter | Valid Values | Configured Value |
|-----------|--------------|------------------|
| `interopFeature` | 0.`INTEROP_DISABLE_LE_SECURE_CONNECTIONS` 1.`INTEROP_AUTO_RETRY_PAIRING` 2.`INTEROP_DISABLE_ABSOLUTE_VOLUME` 3.`INTEROP_DISABLE_AUTO_PAIRING` 4.`INTEROP_KEYBOARD_REQUIRES_FIXED_PIN` 5.`INTEROP_2MBPS_LINK_ONLY` 6.`INTEROP_HID_PREF_CONN_SUP_TIMEOUT_3S` 7.`INTEROP_GATTC_NO_SERVICE_CHANGED_IND` 8.`INTEROP_DISABLE_AVDTP_RECONFIGURE` 9.`INTEROP_DYNAMIC_ROLE_SWITCH` 10.`INTEROP_DISABLE_ROLE_SWITCH` 11.`INTEROP_HID_HOST_LIMIT_SNIFF_INTERVAL` 12.`INTEROP_DISABLE_NAME_REQUEST` 13.`INTEROP_AVRCP_1_4_ONLY` 14.`INTEROP_DISABLE_SNIFF` 15.`INTEROP_DISABLE_AVDTP_SUSPEND` 16.`INTEROP_SLC_SKIP_BIND_COMMAND` 17.`INTEROP_AVRCP_1_3_ONLY` | Value obtained from FuzzedDataProvider |
| `escoCodec` | 0.`SCO_CODEC_CVSD_D1` 1.`ESCO_CODEC_CVSD_S3` 2.`ESCO_CODEC_CVSD_S4` 3.`ESCO_CODEC_MSBC_T1` 4.`ESCO_CODEC_MSBC_T2` | Value obtained from FuzzedDataProvider |

This also ensures that the plugins are always deterministic for any given input.

##### Maximize utilization of input data
The plugin feeds the entire input data to the module.
This ensures that the plugin tolerates any kind of input (empty, huge,
malformed, etc.) and doesn't `exit()` on any input, thereby increasing the
chance of identifying vulnerabilities.

## Build

This describes the steps to build the btdevice_esco_fuzzer binary.

### Android

#### Steps to build
Build the fuzzer
```
  $ mm -j$(nproc) btdevice_esco_fuzzer
```

#### Steps to run

To run on device
```
  $ adb sync data
  $ adb shell /data/fuzz/arm64/btdevice_esco_fuzzer/btdevice_esco_fuzzer
```

## References:
 * http://llvm.org/docs/LibFuzzer.html
 * https://github.com/google/oss-fuzz
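The two design points under "Plugin Design Considerations" (parameters chosen from the input rather than hard-coded, and every remaining byte handed to the module without ever calling `exit()`) are shown below as an added, self-contained example. It is not the fuzzer's own source: the parameter counts come from the table above, `MiniFuzzedDataProvider` is an assumed stand-in for the two `FuzzedDataProvider` calls used (it only mimics their contract, not the LLVM header), and `SplitPayload` is a hypothetical way of consuming the leftover bytes, not a libbtdevice API.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Parameter spaces taken from the table in this README: 18 interop features
// (indices 0..17) and 5 eSCO codecs (indices 0..4).
constexpr uint8_t kNumInteropFeatures = 18;
constexpr uint8_t kNumEscoCodecs = 5;

// Assumed stand-in for LLVM's FuzzedDataProvider. Integers are taken from the
// END of the buffer so the front stays a contiguous payload for the target.
class MiniFuzzedDataProvider {
 public:
  MiniFuzzedDataProvider(const uint8_t* data, size_t size)
      : data_(data), size_(size) {}

  // One trailing byte mapped into [min, max]; an exhausted buffer yields min,
  // so an empty input still produces a valid parameter instead of a crash.
  uint8_t ConsumeIntegralInRange(uint8_t min, uint8_t max) {
    if (size_ == 0 || min >= max) return min;
    uint8_t raw = data_[--size_];
    return static_cast<uint8_t>(min + raw % (max - min + 1));
  }

  // Whatever is left (possibly nothing) becomes the payload.
  std::vector<uint8_t> ConsumeRemainingBytes() {
    std::vector<uint8_t> out(data_, data_ + size_);
    size_ = 0;
    return out;
  }

 private:
  const uint8_t* data_;
  size_t size_;
};

struct FuzzCase {
  uint8_t interopFeature;        // index into the interop feature table
  uint8_t escoCodec;             // index into the eSCO codec table
  std::vector<uint8_t> payload;  // every remaining byte, handed to the target
};

// Both configuration parameters are derived from the input instead of being
// hard-coded; the same bytes always yield the same FuzzCase (determinism).
FuzzCase SelectParams(const uint8_t* data, size_t size) {
  MiniFuzzedDataProvider fdp(data, size);
  FuzzCase c;
  c.interopFeature = fdp.ConsumeIntegralInRange(0, kNumInteropFeatures - 1);
  c.escoCodec = fdp.ConsumeIntegralInRange(0, kNumEscoCodecs - 1);
  c.payload = fdp.ConsumeRemainingBytes();
  return c;
}

// Hypothetical target-side split of the payload (not libbtdevice's API): the
// first 6 bytes act as a Bluetooth device address, the rest as a device name.
// Short inputs fall back to a zero address / empty name rather than reading
// past the buffer, so empty, huge and malformed inputs are all tolerated.
struct DeviceInput {
  std::string address;  // "AA:BB:CC:DD:EE:FF"
  std::string name;
};

DeviceInput SplitPayload(const std::vector<uint8_t>& payload) {
  uint8_t addr[6] = {0, 0, 0, 0, 0, 0};
  size_t addrBytes = payload.size() < 6 ? payload.size() : 6;
  for (size_t i = 0; i < addrBytes; ++i) addr[i] = payload[i];
  char buf[18];
  for (int i = 0; i < 6; ++i)
    snprintf(buf + 3 * i, 4, "%02X%s", unsigned(addr[i]), i < 5 ? ":" : "");
  DeviceInput d;
  d.address = buf;
  if (payload.size() > 6) d.name.assign(payload.begin() + 6, payload.end());
  return d;
}

// libFuzzer entry point shape; the real plugin would pass interopFeature,
// escoCodec and the payload on to libbtdevice here. It must always return 0
// and never exit(), whatever the input.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  FuzzCase c = SelectParams(data, size);
  DeviceInput d = SplitPayload(c.payload);
  (void)d;
  return 0;
}

// Constructed sample input: 6 address bytes, the name "Pixel", then the two
// trailing selector bytes 0x02 (codec: 2 % 5 = 2) and 0x13 (interop: 19 % 18 = 1).
FuzzCase SampleCase() {
  static const uint8_t sample[] = {0x11, 0x22, 0x33, 0x44, 0x55, 0x66,
                                   'P', 'i', 'x', 'e', 'l', 0x02, 0x13};
  return SelectParams(sample, sizeof(sample));
}

int main() {
  FuzzCase c = SampleCase();
  DeviceInput d = SplitPayload(c.payload);
  printf("interopFeature=%u escoCodec=%u addr=%s name=%s\n",
         unsigned(c.interopFeature), unsigned(c.escoCodec),
         d.address.c_str(), d.name.c_str());
  return 0;
}
```

Selector bytes are consumed from the tail so that mutations of the front of a corpus entry change only the payload, while the two parameters stay stable for a given tail; the empty-input path shows why `ConsumeIntegralInRange` must return a valid default rather than failing.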