Fuzz Widevine AIDL drmFactory binder interface.

[Merged from http://go/wvgerrit/152150 ] Test: build and run test Bug: 226948319 Change-Id: I717d119cbf455fe76e4bb1f818d00141f4e7fa7c
2022-05-19 17:51:19 +00:00
parent 1c96d290bd
commit a285b363d9
6 changed files with 272 additions and 3 deletions
--- a/libwvdrmengine/aidl_src/fuzzer/README.md
+++ b/libwvdrmengine/aidl_src/fuzzer/README.md
@@ -0,0 +1,31 @@
+# About Widevine aidl binder fuzzer
+
+## Build the binaries
+
+See [go/build-fast][1] to setup the RBE environment.
+
+From Android root:
+
+1. source build/make/rbesetup.sh
+2. `SANITIZE_TARGET`=hwaddress m `android.hardware.drm-service.widevine.aidl_fuzzer` -j128
+
+## Push to target for testing
+
+adb push $(OUT)/data/fuzz/arm64/lib/ /data/fuzz/arm64/lib/
+
+## Run test
+
+adb shell<br>
+cd /data/fuzz/arm64<br>
+`LD_LIBRARY_PATH=/data/fuzz/arm65/lib /data/fuzz/arm64/android.hardware.drm-service.widevine.aidl_fuzzer/vendor/hw/android.hardware.drm-service.widevine.aidl_fuzzer`
+
+## Monitoring
+
+By using `cc_fuzz` in Android.bp, the fuzz binary and its dependency sanitized shared libraries will be installed on the device.<br>
+Libraries are installed in `/data/fuzz/<arch>/lib`, and the binary is installed in /data/fuzz/&ltarch&gt/&lt`binary_name`&gt/vendor/hw.<br>
+
+Within 24-48 hours of merge, you can monitor the coverage data [here][2].<br>
+Bugs will be filed automatically, and the owner of the fuzzer(the cc in the config section) will be notified.<br>
+
+[1]: https://g3doc.corp.google.com/company/teams/android/developing/update/build-fast.md?cl=head
+[2]: https://android-coverage.googleplex.com/
--- a/libwvdrmengine/aidl_src/fuzzer/fuzzer.cpp
+++ b/libwvdrmengine/aidl_src/fuzzer/fuzzer.cpp
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) 2022 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <android/binder_manager.h>
+#include <android/binder_process.h>
+#include <fuzzbinder/libbinder_ndk_driver.h>
+#include <fuzzer/FuzzedDataProvider.h>
+
+#include "WVCreatePluginFactories.h"
+
+using ::wvdrm::hardware::drm::widevine::createDrmFactory;
+using ::wvdrm::hardware::drm::widevine::WVDrmFactory;
+
+using android::fuzzService;
+using ndk::SharedRefBase;
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  std::shared_ptr<WVDrmFactory> drmFactory = createDrmFactory();
+  fuzzService(drmFactory->asBinder().get(), FuzzedDataProvider(data, size));
+
+  return 0;
+}