1 /*
2 * Copyright (c) 2023 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "gnssability_fuzzer.h"
17
18 #include "if_system_ability_manager.h"
19 #include "iservice_registry.h"
20 #include "message_option.h"
21 #include "message_parcel.h"
22 #include "system_ability_definition.h"
23 #include "locator_ability.h"
24 #include "locationhub_ipc_interface_code.h"
25 #include "accesstoken_kit.h"
26 #include "nativetoken_kit.h"
27 #include "token_setproc.h"
28
29 #ifdef FEATURE_GNSS_SUPPORT
30 #include "gnss_ability.h"
31 #endif
32 #include "permission_manager.h"
33 #include "work_record_statistic.h"
34
35 namespace OHOS {
36 using namespace OHOS::Location;
37 const int32_t MAX_MEM_SIZE = 4 * 1024 * 1024;
38 const int32_t SLEEP_TIMES = 1000;
39 const int32_t LOCATION_PERM_NUM = 4;
MockNativePermission()40 void MockNativePermission()
41 {
42 const char *perms[] = {
43 ACCESS_LOCATION.c_str(), ACCESS_APPROXIMATELY_LOCATION.c_str(),
44 ACCESS_BACKGROUND_LOCATION.c_str(), MANAGE_SECURE_SETTINGS.c_str(),
45 };
46 NativeTokenInfoParams infoInstance = {
47 .dcapsNum = 0,
48 .permsNum = LOCATION_PERM_NUM,
49 .aclsNum = 0,
50 .dcaps = nullptr,
51 .perms = perms,
52 .acls = nullptr,
53 .processName = "GnssAbility_FuzzTest",
54 .aplStr = "system_basic",
55 };
56 auto tokenId = GetAccessTokenId(&infoInstance);
57 SetSelfTokenID(tokenId);
58 Security::AccessToken::AccessTokenKit::ReloadNativeTokenInfo();
59 LocatorAbility::GetInstance()->EnableAbility(true);
60 }
61
ParseData(const uint8_t* data, size_t size)62 char* ParseData(const uint8_t* data, size_t size)
63 {
64 if (data == nullptr) {
65 return nullptr;
66 }
67
68 if (size > MAX_MEM_SIZE) {
69 return nullptr;
70 }
71
72 char* ch = (char *)malloc(size + 1);
73 if (ch == nullptr) {
74 return nullptr;
75 }
76
77 (void)memset_s(ch, size + 1, 0x00, size + 1);
78 if (memcpy_s(ch, size, data, size) != EOK) {
79 free(ch);
80 ch = nullptr;
81 return nullptr;
82 }
83 return ch;
84 }
85
86 #ifdef FEATURE_GNSS_SUPPORT
GnssAbility001FuzzTest(const char* data, size_t size)87 bool GnssAbility001FuzzTest(const char* data, size_t size)
88 {
89 MessageParcel requestParcel;
90 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
91 requestParcel.WriteBuffer(data, size);
92 requestParcel.RewindRead(0);
93 MessageParcel reply;
94 MessageOption option;
95
96 auto ability = GnssAbility::GetInstance();
97 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::SET_MOCKED_LOCATIONS),
98 requestParcel, reply, option);
99 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
100 WorkRecordStatistic::DestroyInstance();
101 return true;
102 }
103
GnssAbility002FuzzTest(const char* data, size_t size)104 bool GnssAbility002FuzzTest(const char* data, size_t size)
105 {
106 MessageParcel requestParcel;
107 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
108 requestParcel.WriteBuffer(data, size);
109 requestParcel.RewindRead(0);
110 MessageParcel reply;
111 MessageOption option;
112
113 auto ability = GnssAbility::GetInstance();
114 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::SEND_LOCATION_REQUEST),
115 requestParcel, reply, option);
116
117 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
118 WorkRecordStatistic::DestroyInstance();
119 return true;
120 }
121
GnssAbility003FuzzTest(const char* data, size_t size)122 bool GnssAbility003FuzzTest(const char* data, size_t size)
123 {
124 MessageParcel requestParcel;
125 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
126 requestParcel.WriteBuffer(data, size);
127 requestParcel.RewindRead(0);
128 MessageParcel reply;
129 MessageOption option;
130
131 auto ability = GnssAbility::GetInstance();
132 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::SET_ENABLE),
133 requestParcel, reply, option);
134
135 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
136 WorkRecordStatistic::DestroyInstance();
137 return true;
138 }
139
GnssAbility004FuzzTest(const char* data, size_t size)140 bool GnssAbility004FuzzTest(const char* data, size_t size)
141 {
142 MessageParcel requestParcel;
143 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
144 requestParcel.WriteBuffer(data, size);
145 requestParcel.RewindRead(0);
146 MessageParcel reply;
147 MessageOption option;
148
149 auto ability = GnssAbility::GetInstance();
150 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::REFRESH_REQUESTS),
151 requestParcel, reply, option);
152
153 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
154 WorkRecordStatistic::DestroyInstance();
155 return true;
156 }
157
GnssAbility005FuzzTest(const char* data, size_t size)158 bool GnssAbility005FuzzTest(const char* data, size_t size)
159 {
160 MessageParcel requestParcel;
161 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
162 requestParcel.WriteBuffer(data, size);
163 requestParcel.RewindRead(0);
164 MessageParcel reply;
165 MessageOption option;
166
167 auto ability = GnssAbility::GetInstance();
168 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::REG_GNSS_STATUS),
169 requestParcel, reply, option);
170
171 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
172 WorkRecordStatistic::DestroyInstance();
173 return true;
174 }
175
GnssAbility006FuzzTest(const char* data, size_t size)176 bool GnssAbility006FuzzTest(const char* data, size_t size)
177 {
178 MessageParcel requestParcel;
179 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
180 requestParcel.WriteBuffer(data, size);
181 requestParcel.RewindRead(0);
182 MessageParcel reply;
183 MessageOption option;
184
185 auto ability = GnssAbility::GetInstance();
186 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::UNREG_GNSS_STATUS),
187 requestParcel, reply, option);
188
189 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
190 WorkRecordStatistic::DestroyInstance();
191 return true;
192 }
193
GnssAbility007FuzzTest(const char* data, size_t size)194 bool GnssAbility007FuzzTest(const char* data, size_t size)
195 {
196 MessageParcel requestParcel;
197 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
198 requestParcel.WriteBuffer(data, size);
199 requestParcel.RewindRead(0);
200 MessageParcel reply;
201 MessageOption option;
202
203 auto ability = GnssAbility::GetInstance();
204 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::REG_NMEA),
205 requestParcel, reply, option);
206 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
207 WorkRecordStatistic::DestroyInstance();
208 return true;
209 }
210
GnssAbility008FuzzTest(const char* data, size_t size)211 bool GnssAbility008FuzzTest(const char* data, size_t size)
212 {
213 MessageParcel requestParcel;
214 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
215 requestParcel.WriteBuffer(data, size);
216 requestParcel.RewindRead(0);
217 MessageParcel reply;
218 MessageOption option;
219
220 auto ability = GnssAbility::GetInstance();
221 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::UNREG_NMEA),
222 requestParcel, reply, option);
223
224 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
225 WorkRecordStatistic::DestroyInstance();
226 return true;
227 }
228
GnssAbility009FuzzTest(const char* data, size_t size)229 bool GnssAbility009FuzzTest(const char* data, size_t size)
230 {
231 MessageParcel requestParcel;
232 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
233 requestParcel.WriteBuffer(data, size);
234 requestParcel.RewindRead(0);
235 MessageParcel reply;
236 MessageOption option;
237
238 auto ability = GnssAbility::GetInstance();
239 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::REG_CACHED),
240 requestParcel, reply, option);
241
242 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
243 WorkRecordStatistic::DestroyInstance();
244 return true;
245 }
246
GnssAbility010FuzzTest(const char* data, size_t size)247 bool GnssAbility010FuzzTest(const char* data, size_t size)
248 {
249 MessageParcel requestParcel;
250 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
251 requestParcel.WriteBuffer(data, size);
252 requestParcel.RewindRead(0);
253 MessageParcel reply;
254 MessageOption option;
255
256 auto ability = GnssAbility::GetInstance();
257 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::UNREG_CACHED),
258 requestParcel, reply, option);
259
260 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
261 WorkRecordStatistic::DestroyInstance();
262 return true;
263 }
264
GnssAbility011FuzzTest(const char* data, size_t size)265 bool GnssAbility011FuzzTest(const char* data, size_t size)
266 {
267 MessageParcel requestParcel;
268 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
269 requestParcel.WriteBuffer(data, size);
270 requestParcel.RewindRead(0);
271 MessageParcel reply;
272 MessageOption option;
273
274 auto ability = GnssAbility::GetInstance();
275 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::GET_CACHED_SIZE),
276 requestParcel, reply, option);
277
278 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
279 WorkRecordStatistic::DestroyInstance();
280 return true;
281 }
282
GnssAbility012FuzzTest(const char* data, size_t size)283 bool GnssAbility012FuzzTest(const char* data, size_t size)
284 {
285 MessageParcel requestParcel;
286 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
287 requestParcel.WriteBuffer(data, size);
288 requestParcel.RewindRead(0);
289 MessageParcel reply;
290 MessageOption option;
291
292 auto ability = GnssAbility::GetInstance();
293 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::FLUSH_CACHED),
294 requestParcel, reply, option);
295
296 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
297 WorkRecordStatistic::DestroyInstance();
298 return true;
299 }
300
GnssAbility013FuzzTest(const char* data, size_t size)301 bool GnssAbility013FuzzTest(const char* data, size_t size)
302 {
303 MessageParcel requestParcel;
304 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
305 requestParcel.WriteBuffer(data, size);
306 requestParcel.RewindRead(0);
307 MessageParcel reply;
308 MessageOption option;
309
310 auto ability = GnssAbility::GetInstance();
311 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::SEND_COMMANDS),
312 requestParcel, reply, option);
313
314 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
315 WorkRecordStatistic::DestroyInstance();
316 return true;
317 }
318
GnssAbility014FuzzTest(const char* data, size_t size)319 bool GnssAbility014FuzzTest(const char* data, size_t size)
320 {
321 MessageParcel requestParcel;
322 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
323 requestParcel.WriteBuffer(data, size);
324 requestParcel.RewindRead(0);
325 MessageParcel reply;
326 MessageOption option;
327
328 auto ability = GnssAbility::GetInstance();
329 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::ENABLE_LOCATION_MOCK),
330 requestParcel, reply, option);
331
332 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
333 WorkRecordStatistic::DestroyInstance();
334 return true;
335 }
336
GnssAbility015FuzzTest(const char* data, size_t size)337 bool GnssAbility015FuzzTest(const char* data, size_t size)
338 {
339 MessageParcel requestParcel;
340 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
341 requestParcel.WriteBuffer(data, size);
342 requestParcel.RewindRead(0);
343 MessageParcel reply;
344 MessageOption option;
345
346 auto ability = GnssAbility::GetInstance();
347 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::DISABLE_LOCATION_MOCK),
348 requestParcel, reply, option);
349
350 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
351 WorkRecordStatistic::DestroyInstance();
352 return true;
353 }
354
GnssAbility016FuzzTest(const char* data, size_t size)355 bool GnssAbility016FuzzTest(const char* data, size_t size)
356 {
357 MessageParcel requestParcel;
358 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
359 requestParcel.WriteBuffer(data, size);
360 requestParcel.RewindRead(0);
361 MessageParcel reply;
362 MessageOption option;
363
364 auto ability = GnssAbility::GetInstance();
365 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::ADD_FENCE_INFO),
366 requestParcel, reply, option);
367
368 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
369 WorkRecordStatistic::DestroyInstance();
370 return true;
371 }
372
GnssAbility017FuzzTest(const char* data, size_t size)373 bool GnssAbility017FuzzTest(const char* data, size_t size)
374 {
375 MessageParcel requestParcel;
376 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
377 requestParcel.WriteBuffer(data, size);
378 requestParcel.RewindRead(0);
379 MessageParcel reply;
380 MessageOption option;
381
382 auto ability = GnssAbility::GetInstance();
383 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::REMOVE_FENCE_INFO),
384 requestParcel, reply, option);
385
386 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
387 WorkRecordStatistic::DestroyInstance();
388 return true;
389 }
390
GnssAbility018FuzzTest(const char* data, size_t size)391 bool GnssAbility018FuzzTest(const char* data, size_t size)
392 {
393 MessageParcel requestParcel;
394 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
395 requestParcel.WriteBuffer(data, size);
396 requestParcel.RewindRead(0);
397 MessageParcel reply;
398 MessageOption option;
399
400 auto ability = GnssAbility::GetInstance();
401 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::ADD_GNSS_GEOFENCE),
402 requestParcel, reply, option);
403
404 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
405 WorkRecordStatistic::DestroyInstance();
406 return true;
407 }
408
GnssAbility019FuzzTest(const char* data, size_t size)409 bool GnssAbility019FuzzTest(const char* data, size_t size)
410 {
411 MessageParcel requestParcel;
412 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
413 requestParcel.WriteBuffer(data, size);
414 requestParcel.RewindRead(0);
415 MessageParcel reply;
416 MessageOption option;
417
418 auto ability = GnssAbility::GetInstance();
419 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::REMOVE_GNSS_GEOFENCE),
420 requestParcel, reply, option);
421
422 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
423 WorkRecordStatistic::DestroyInstance();
424 return true;
425 }
426
GnssAbility020FuzzTest(const char* data, size_t size)427 bool GnssAbility020FuzzTest(const char* data, size_t size)
428 {
429 MessageParcel requestParcel;
430 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
431 requestParcel.WriteBuffer(data, size);
432 requestParcel.RewindRead(0);
433 MessageParcel reply;
434 MessageOption option;
435
436 auto ability = GnssAbility::GetInstance();
437 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::GET_GEOFENCE_SUPPORT_COORDINATE_SYSTEM_TYPE),
438 requestParcel, reply, option);
439
440 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
441 WorkRecordStatistic::DestroyInstance();
442 return true;
443 }
444
GnssAbility021FuzzTest(const char* data, size_t size)445 bool GnssAbility021FuzzTest(const char* data, size_t size)
446 {
447 MessageParcel requestParcel;
448 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
449 requestParcel.WriteBuffer(data, size);
450 requestParcel.RewindRead(0);
451 MessageParcel reply;
452 MessageOption option;
453
454 auto ability = GnssAbility::GetInstance();
455 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::SEND_NETWORK_LOCATION),
456 requestParcel, reply, option);
457
458 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
459 WorkRecordStatistic::DestroyInstance();
460 return true;
461 }
462 #endif
463 } // namespace OHOS
464
465 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)466 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
467 {
468 OHOS::MockNativePermission();
469 char* ch = OHOS::ParseData(data, size);
470 if (ch != nullptr) {
471 #ifdef FEATURE_GNSS_SUPPORT
472 OHOS::GnssAbility001FuzzTest(ch, size);
473 OHOS::GnssAbility002FuzzTest(ch, size);
474 OHOS::GnssAbility003FuzzTest(ch, size);
475 OHOS::GnssAbility004FuzzTest(ch, size);
476 OHOS::GnssAbility005FuzzTest(ch, size);
477 OHOS::GnssAbility006FuzzTest(ch, size);
478 OHOS::GnssAbility007FuzzTest(ch, size);
479 OHOS::GnssAbility008FuzzTest(ch, size);
480 OHOS::GnssAbility009FuzzTest(ch, size);
481 OHOS::GnssAbility010FuzzTest(ch, size);
482 OHOS::GnssAbility011FuzzTest(ch, size);
483 OHOS::GnssAbility012FuzzTest(ch, size);
484 OHOS::GnssAbility013FuzzTest(ch, size);
485 OHOS::GnssAbility014FuzzTest(ch, size);
486 OHOS::GnssAbility015FuzzTest(ch, size);
487 OHOS::GnssAbility016FuzzTest(ch, size);
488 OHOS::GnssAbility017FuzzTest(ch, size);
489 OHOS::GnssAbility018FuzzTest(ch, size);
490 OHOS::GnssAbility019FuzzTest(ch, size);
491 OHOS::GnssAbility020FuzzTest(ch, size);
492 OHOS::GnssAbility021FuzzTest(ch, size);
493 #endif
494 free(ch);
495 ch = nullptr;
496 }
497 return 0;
498 }
499
500