Add fuzzer for EVS HAL

Bug: 147513710 Test: Follow go/android-fuzzing to build and test Change-Id: Ia2a64f73d3928bc529a1785e999ed7f032446f8a
2026-02-02 13:49:45 +00:00 · 2020-01-16 10:29:12 -08:00
parent 87880e82d0
commit 838c4c19d3
3 changed files with 191 additions and 0 deletions
--- a/automotive/evs/1.1/vts/fuzzing/Android.bp
+++ b/automotive/evs/1.1/vts/fuzzing/Android.bp
@@ -0,0 +1,50 @@
+//
+// Copyright 2020 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+cc_defaults {
+    name: "android.hardware.automotive.evs@fuzz-defaults",
+    defaults: ["VtsHalTargetTestDefaults"],
+    shared_libs: [
+        "libui",
+        "libcamera_metadata",
+    ],
+    static_libs: [
+        "android.hardware.automotive.evs@1.0",
+        "android.hardware.automotive.evs@1.1",
+        "android.hardware.automotive.evs@common-default-lib",
+        "android.hardware.graphics.common@1.0",
+        "android.hardware.graphics.common@1.1",
+        "android.hardware.graphics.common@1.2",
+        "android.hardware.camera.device@3.2",
+    ],
+    cflags: [
+        "-O0",
+        "-g",
+    ],
+}
+
+cc_fuzz {
+    name: "VtsHalEvsV1_1CameraOpenFuzz",
+    defaults: ["android.hardware.automotive.evs@fuzz-defaults"],
+    srcs: [
+        "VtsHalEvsV1_1CameraOpenFuzz.cpp",
+    ],
+    fuzz_config: {
+        // wait for Haiku device ready
+        fuzz_on_haiku_device: false,
+        fuzz_on_haiku_host: false,
+    },
+}
--- a/automotive/evs/1.1/vts/fuzzing/VtsHalEvsV1_1CameraOpenFuzz.cpp
+++ b/automotive/evs/1.1/vts/fuzzing/VtsHalEvsV1_1CameraOpenFuzz.cpp
@@ -0,0 +1,84 @@
+/*
+ * Copyright 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "common.h"
+
+using ::android::hardware::automotive::evs::V1_0::DisplayDesc;
+using ::android::hardware::camera::device::V3_2::Stream;
+using IEvsCamera_1_1 = ::android::hardware::automotive::evs::V1_1::IEvsCamera;
+
+extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv) {
+    UNUSED(argc);
+    UNUSED(argv);
+    pEnumerator = IEvsEnumerator::getService(kEnumeratorName);
+    sp<EvsDeathRecipient> dr = new EvsDeathRecipient();
+
+    pEnumerator->linkToDeath(dr, 0);
+
+    loadCameraList();
+    return 0;
+}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+    FuzzedDataProvider fdp(data, size);
+
+    std::vector<sp<IEvsCamera_1_1>> camList;
+    Stream nullCfg = {};
+
+    while (fdp.remaining_bytes() > 4) {
+        switch (fdp.ConsumeIntegralInRange<uint32_t>(0, 3)) {
+            case 0:  // open camera
+            {
+                uint32_t whichCam = fdp.ConsumeIntegralInRange<uint32_t>(0, cameraInfo.size() - 1);
+                sp<IEvsCamera_1_1> pCam =
+                        IEvsCamera_1_1::castFrom(pEnumerator->openCamera_1_1(
+                                                         cameraInfo[whichCam].v1.cameraId, nullCfg))
+                                .withDefault(nullptr);
+                camList.emplace_back(pCam);
+                break;
+            }
+            case 1:  // close camera
+            {
+                if (!camList.empty()) {
+                    uint32_t whichCam = fdp.ConsumeIntegralInRange<uint32_t>(0, camList.size() - 1);
+                    pEnumerator->closeCamera(camList[whichCam]);
+                }
+                break;
+            }
+            case 2:  // get camera info
+            {
+                if (!camList.empty()) {
+                    uint32_t whichCam = fdp.ConsumeIntegralInRange<uint32_t>(0, camList.size() - 1);
+                    camList[whichCam]->getCameraInfo_1_1([](CameraDesc desc) { UNUSED(desc); });
+                }
+                break;
+            }
+            case 3:  // setMaxFramesInFlight
+            {
+                if (!camList.empty()) {
+                    uint32_t whichCam = fdp.ConsumeIntegralInRange<uint32_t>(0, camList.size() - 1);
+                    int32_t numFrames = fdp.ConsumeIntegral<int32_t>();
+                    camList[whichCam]->setMaxFramesInFlight(numFrames);
+                }
+                break;
+            }
+            default:
+                break;
+        }
+    }
+
+    return 0;
+}
--- a/automotive/evs/1.1/vts/fuzzing/common.h
+++ b/automotive/evs/1.1/vts/fuzzing/common.h
@@ -0,0 +1,57 @@
+/*
+ * Copyright 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#define LOG_TAG "VtsHalEvsTest"
+#define UNUSED(x) (void)(x)
+
+const static char kEnumeratorName[] = "EvsEnumeratorHw";
+
+#include <android/hardware/automotive/evs/1.1/IEvsEnumerator.h>
+#include <fuzzer/FuzzedDataProvider.h>
+#include <hidl/HidlTransportSupport.h>
+#include <utils/StrongPointer.h>
+
+using namespace ::android::hardware::automotive::evs::V1_1;
+
+using ::android::sp;
+using ::android::hardware::hidl_death_recipient;
+using ::android::hardware::hidl_vec;
+
+static sp<IEvsEnumerator> pEnumerator;
+static std::vector<CameraDesc> cameraInfo;
+
+class EvsDeathRecipient : public hidl_death_recipient {
+  public:
+    void serviceDied(uint64_t /*cookie*/,
+                     const android::wp<::android::hidl::base::V1_0::IBase>& /*who*/) override {
+        abort();
+    }
+};
+
+void loadCameraList() {
+    // SetUp() must run first!
+    assert(pEnumerator != nullptr);
+
+    // Get the camera list
+    pEnumerator->getCameraList_1_1([](hidl_vec<CameraDesc> cameraList) {
+        ALOGI("Camera list callback received %zu cameras", cameraList.size());
+        cameraInfo.reserve(cameraList.size());
+        for (auto&& cam : cameraList) {
+            ALOGI("Found camera %s", cam.v1.cameraId.c_str());
+            cameraInfo.push_back(cam);
+        }
+    });
+}