1/* 2 * Copyright (c) 2023 Huawei Device Co., Ltd. 3 * Licensed under the Apache License, Version 2.0 (the "License"); 4 * you may not use this file except in compliance with the License. 5 * You may obtain a copy of the License at 6 * 7 * http://www.apache.org/licenses/LICENSE-2.0 8 * 9 * Unless required by applicable law or agreed to in writing, software 10 * distributed under the License is distributed on an "AS IS" BASIS, 11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 * See the License for the specific language governing permissions and 13 * limitations under the License. 14 */ 15 16#include "gnssability_fuzzer.h" 17 18#include "if_system_ability_manager.h" 19#include "iservice_registry.h" 20#include "message_option.h" 21#include "message_parcel.h" 22#include "system_ability_definition.h" 23#include "locator_ability.h" 24#include "locationhub_ipc_interface_code.h" 25#include "accesstoken_kit.h" 26#include "nativetoken_kit.h" 27#include "token_setproc.h" 28 29#ifdef FEATURE_GNSS_SUPPORT 30#include "gnss_ability.h" 31#endif 32#include "permission_manager.h" 33#include "work_record_statistic.h" 34 35namespace OHOS { 36using namespace OHOS::Location; 37const int32_t MAX_MEM_SIZE = 4 * 1024 * 1024; 38const int32_t SLEEP_TIMES = 1000; 39const int32_t LOCATION_PERM_NUM = 4; 40void MockNativePermission() 41{ 42 const char *perms[] = { 43 ACCESS_LOCATION.c_str(), ACCESS_APPROXIMATELY_LOCATION.c_str(), 44 ACCESS_BACKGROUND_LOCATION.c_str(), MANAGE_SECURE_SETTINGS.c_str(), 45 }; 46 NativeTokenInfoParams infoInstance = { 47 .dcapsNum = 0, 48 .permsNum = LOCATION_PERM_NUM, 49 .aclsNum = 0, 50 .dcaps = nullptr, 51 .perms = perms, 52 .acls = nullptr, 53 .processName = "GnssAbility_FuzzTest", 54 .aplStr = "system_basic", 55 }; 56 auto tokenId = GetAccessTokenId(&infoInstance); 57 SetSelfTokenID(tokenId); 58 Security::AccessToken::AccessTokenKit::ReloadNativeTokenInfo(); 59 LocatorAbility::GetInstance()->EnableAbility(true); 60} 61 62char* ParseData(const uint8_t* data, size_t size) 63{ 64 if (data == nullptr) { 65 return nullptr; 66 } 67 68 if (size > MAX_MEM_SIZE) { 69 return nullptr; 70 } 71 72 char* ch = (char *)malloc(size + 1); 73 if (ch == nullptr) { 74 return nullptr; 75 } 76 77 (void)memset_s(ch, size + 1, 0x00, size + 1); 78 if (memcpy_s(ch, size, data, size) != EOK) { 79 free(ch); 80 ch = nullptr; 81 return nullptr; 82 } 83 return ch; 84} 85 86#ifdef FEATURE_GNSS_SUPPORT 87bool GnssAbility001FuzzTest(const char* data, size_t size) 88{ 89 MessageParcel requestParcel; 90 requestParcel.WriteInterfaceToken(u"location.IGnssAbility"); 91 requestParcel.WriteBuffer(data, size); 92 requestParcel.RewindRead(0); 93 MessageParcel reply; 94 MessageOption option; 95 96 auto ability = GnssAbility::GetInstance(); 97 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::SET_MOCKED_LOCATIONS), 98 requestParcel, reply, option); 99 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES)); 100 WorkRecordStatistic::DestroyInstance(); 101 return true; 102} 103 104bool GnssAbility002FuzzTest(const char* data, size_t size) 105{ 106 MessageParcel requestParcel; 107 requestParcel.WriteInterfaceToken(u"location.IGnssAbility"); 108 requestParcel.WriteBuffer(data, size); 109 requestParcel.RewindRead(0); 110 MessageParcel reply; 111 MessageOption option; 112 113 auto ability = GnssAbility::GetInstance(); 114 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::SEND_LOCATION_REQUEST), 115 requestParcel, reply, option); 116 117 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES)); 118 WorkRecordStatistic::DestroyInstance(); 119 return true; 120} 121 122bool GnssAbility003FuzzTest(const char* data, size_t size) 123{ 124 MessageParcel requestParcel; 125 requestParcel.WriteInterfaceToken(u"location.IGnssAbility"); 126 requestParcel.WriteBuffer(data, size); 127 requestParcel.RewindRead(0); 128 MessageParcel reply; 129 MessageOption option; 130 131 auto ability = GnssAbility::GetInstance(); 132 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::SET_ENABLE), 133 requestParcel, reply, option); 134 135 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES)); 136 WorkRecordStatistic::DestroyInstance(); 137 return true; 138} 139 140bool GnssAbility004FuzzTest(const char* data, size_t size) 141{ 142 MessageParcel requestParcel; 143 requestParcel.WriteInterfaceToken(u"location.IGnssAbility"); 144 requestParcel.WriteBuffer(data, size); 145 requestParcel.RewindRead(0); 146 MessageParcel reply; 147 MessageOption option; 148 149 auto ability = GnssAbility::GetInstance(); 150 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::REFRESH_REQUESTS), 151 requestParcel, reply, option); 152 153 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES)); 154 WorkRecordStatistic::DestroyInstance(); 155 return true; 156} 157 158bool GnssAbility005FuzzTest(const char* data, size_t size) 159{ 160 MessageParcel requestParcel; 161 requestParcel.WriteInterfaceToken(u"location.IGnssAbility"); 162 requestParcel.WriteBuffer(data, size); 163 requestParcel.RewindRead(0); 164 MessageParcel reply; 165 MessageOption option; 166 167 auto ability = GnssAbility::GetInstance(); 168 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::REG_GNSS_STATUS), 169 requestParcel, reply, option); 170 171 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES)); 172 WorkRecordStatistic::DestroyInstance(); 173 return true; 174} 175 176bool GnssAbility006FuzzTest(const char* data, size_t size) 177{ 178 MessageParcel requestParcel; 179 requestParcel.WriteInterfaceToken(u"location.IGnssAbility"); 180 requestParcel.WriteBuffer(data, size); 181 requestParcel.RewindRead(0); 182 MessageParcel reply; 183 MessageOption option; 184 185 auto ability = GnssAbility::GetInstance(); 186 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::UNREG_GNSS_STATUS), 187 requestParcel, reply, option); 188 189 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES)); 190 WorkRecordStatistic::DestroyInstance(); 191 return true; 192} 193 194bool GnssAbility007FuzzTest(const char* data, size_t size) 195{ 196 MessageParcel requestParcel; 197 requestParcel.WriteInterfaceToken(u"location.IGnssAbility"); 198 requestParcel.WriteBuffer(data, size); 199 requestParcel.RewindRead(0); 200 MessageParcel reply; 201 MessageOption option; 202 203 auto ability = GnssAbility::GetInstance(); 204 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::REG_NMEA), 205 requestParcel, reply, option); 206 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES)); 207 WorkRecordStatistic::DestroyInstance(); 208 return true; 209} 210 211bool GnssAbility008FuzzTest(const char* data, size_t size) 212{ 213 MessageParcel requestParcel; 214 requestParcel.WriteInterfaceToken(u"location.IGnssAbility"); 215 requestParcel.WriteBuffer(data, size); 216 requestParcel.RewindRead(0); 217 MessageParcel reply; 218 MessageOption option; 219 220 auto ability = GnssAbility::GetInstance(); 221 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::UNREG_NMEA), 222 requestParcel, reply, option); 223 224 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES)); 225 WorkRecordStatistic::DestroyInstance(); 226 return true; 227} 228 229bool GnssAbility009FuzzTest(const char* data, size_t size) 230{ 231 MessageParcel requestParcel; 232 requestParcel.WriteInterfaceToken(u"location.IGnssAbility"); 233 requestParcel.WriteBuffer(data, size); 234 requestParcel.RewindRead(0); 235 MessageParcel reply; 236 MessageOption option; 237 238 auto ability = GnssAbility::GetInstance(); 239 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::REG_CACHED), 240 requestParcel, reply, option); 241 242 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES)); 243 WorkRecordStatistic::DestroyInstance(); 244 return true; 245} 246 247bool GnssAbility010FuzzTest(const char* data, size_t size) 248{ 249 MessageParcel requestParcel; 250 requestParcel.WriteInterfaceToken(u"location.IGnssAbility"); 251 requestParcel.WriteBuffer(data, size); 252 requestParcel.RewindRead(0); 253 MessageParcel reply; 254 MessageOption option; 255 256 auto ability = GnssAbility::GetInstance(); 257 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::UNREG_CACHED), 258 requestParcel, reply, option); 259 260 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES)); 261 WorkRecordStatistic::DestroyInstance(); 262 return true; 263} 264 265bool GnssAbility011FuzzTest(const char* data, size_t size) 266{ 267 MessageParcel requestParcel; 268 requestParcel.WriteInterfaceToken(u"location.IGnssAbility"); 269 requestParcel.WriteBuffer(data, size); 270 requestParcel.RewindRead(0); 271 MessageParcel reply; 272 MessageOption option; 273 274 auto ability = GnssAbility::GetInstance(); 275 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::GET_CACHED_SIZE), 276 requestParcel, reply, option); 277 278 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES)); 279 WorkRecordStatistic::DestroyInstance(); 280 return true; 281} 282 283bool GnssAbility012FuzzTest(const char* data, size_t size) 284{ 285 MessageParcel requestParcel; 286 requestParcel.WriteInterfaceToken(u"location.IGnssAbility"); 287 requestParcel.WriteBuffer(data, size); 288 requestParcel.RewindRead(0); 289 MessageParcel reply; 290 MessageOption option; 291 292 auto ability = GnssAbility::GetInstance(); 293 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::FLUSH_CACHED), 294 requestParcel, reply, option); 295 296 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES)); 297 WorkRecordStatistic::DestroyInstance(); 298 return true; 299} 300 301bool GnssAbility013FuzzTest(const char* data, size_t size) 302{ 303 MessageParcel requestParcel; 304 requestParcel.WriteInterfaceToken(u"location.IGnssAbility"); 305 requestParcel.WriteBuffer(data, size); 306 requestParcel.RewindRead(0); 307 MessageParcel reply; 308 MessageOption option; 309 310 auto ability = GnssAbility::GetInstance(); 311 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::SEND_COMMANDS), 312 requestParcel, reply, option); 313 314 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES)); 315 WorkRecordStatistic::DestroyInstance(); 316 return true; 317} 318 319bool GnssAbility014FuzzTest(const char* data, size_t size) 320{ 321 MessageParcel requestParcel; 322 requestParcel.WriteInterfaceToken(u"location.IGnssAbility"); 323 requestParcel.WriteBuffer(data, size); 324 requestParcel.RewindRead(0); 325 MessageParcel reply; 326 MessageOption option; 327 328 auto ability = GnssAbility::GetInstance(); 329 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::ENABLE_LOCATION_MOCK), 330 requestParcel, reply, option); 331 332 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES)); 333 WorkRecordStatistic::DestroyInstance(); 334 return true; 335} 336 337bool GnssAbility015FuzzTest(const char* data, size_t size) 338{ 339 MessageParcel requestParcel; 340 requestParcel.WriteInterfaceToken(u"location.IGnssAbility"); 341 requestParcel.WriteBuffer(data, size); 342 requestParcel.RewindRead(0); 343 MessageParcel reply; 344 MessageOption option; 345 346 auto ability = GnssAbility::GetInstance(); 347 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::DISABLE_LOCATION_MOCK), 348 requestParcel, reply, option); 349 350 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES)); 351 WorkRecordStatistic::DestroyInstance(); 352 return true; 353} 354 355bool GnssAbility016FuzzTest(const char* data, size_t size) 356{ 357 MessageParcel requestParcel; 358 requestParcel.WriteInterfaceToken(u"location.IGnssAbility"); 359 requestParcel.WriteBuffer(data, size); 360 requestParcel.RewindRead(0); 361 MessageParcel reply; 362 MessageOption option; 363 364 auto ability = GnssAbility::GetInstance(); 365 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::ADD_FENCE_INFO), 366 requestParcel, reply, option); 367 368 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES)); 369 WorkRecordStatistic::DestroyInstance(); 370 return true; 371} 372 373bool GnssAbility017FuzzTest(const char* data, size_t size) 374{ 375 MessageParcel requestParcel; 376 requestParcel.WriteInterfaceToken(u"location.IGnssAbility"); 377 requestParcel.WriteBuffer(data, size); 378 requestParcel.RewindRead(0); 379 MessageParcel reply; 380 MessageOption option; 381 382 auto ability = GnssAbility::GetInstance(); 383 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::REMOVE_FENCE_INFO), 384 requestParcel, reply, option); 385 386 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES)); 387 WorkRecordStatistic::DestroyInstance(); 388 return true; 389} 390 391bool GnssAbility018FuzzTest(const char* data, size_t size) 392{ 393 MessageParcel requestParcel; 394 requestParcel.WriteInterfaceToken(u"location.IGnssAbility"); 395 requestParcel.WriteBuffer(data, size); 396 requestParcel.RewindRead(0); 397 MessageParcel reply; 398 MessageOption option; 399 400 auto ability = GnssAbility::GetInstance(); 401 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::ADD_GNSS_GEOFENCE), 402 requestParcel, reply, option); 403 404 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES)); 405 WorkRecordStatistic::DestroyInstance(); 406 return true; 407} 408 409bool GnssAbility019FuzzTest(const char* data, size_t size) 410{ 411 MessageParcel requestParcel; 412 requestParcel.WriteInterfaceToken(u"location.IGnssAbility"); 413 requestParcel.WriteBuffer(data, size); 414 requestParcel.RewindRead(0); 415 MessageParcel reply; 416 MessageOption option; 417 418 auto ability = GnssAbility::GetInstance(); 419 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::REMOVE_GNSS_GEOFENCE), 420 requestParcel, reply, option); 421 422 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES)); 423 WorkRecordStatistic::DestroyInstance(); 424 return true; 425} 426 427bool GnssAbility020FuzzTest(const char* data, size_t size) 428{ 429 MessageParcel requestParcel; 430 requestParcel.WriteInterfaceToken(u"location.IGnssAbility"); 431 requestParcel.WriteBuffer(data, size); 432 requestParcel.RewindRead(0); 433 MessageParcel reply; 434 MessageOption option; 435 436 auto ability = GnssAbility::GetInstance(); 437 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::GET_GEOFENCE_SUPPORT_COORDINATE_SYSTEM_TYPE), 438 requestParcel, reply, option); 439 440 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES)); 441 WorkRecordStatistic::DestroyInstance(); 442 return true; 443} 444 445bool GnssAbility021FuzzTest(const char* data, size_t size) 446{ 447 MessageParcel requestParcel; 448 requestParcel.WriteInterfaceToken(u"location.IGnssAbility"); 449 requestParcel.WriteBuffer(data, size); 450 requestParcel.RewindRead(0); 451 MessageParcel reply; 452 MessageOption option; 453 454 auto ability = GnssAbility::GetInstance(); 455 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::SEND_NETWORK_LOCATION), 456 requestParcel, reply, option); 457 458 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES)); 459 WorkRecordStatistic::DestroyInstance(); 460 return true; 461} 462#endif 463} // namespace OHOS 464 465/* Fuzzer entry point */ 466extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) 467{ 468 OHOS::MockNativePermission(); 469 char* ch = OHOS::ParseData(data, size); 470 if (ch != nullptr) { 471#ifdef FEATURE_GNSS_SUPPORT 472 OHOS::GnssAbility001FuzzTest(ch, size); 473 OHOS::GnssAbility002FuzzTest(ch, size); 474 OHOS::GnssAbility003FuzzTest(ch, size); 475 OHOS::GnssAbility004FuzzTest(ch, size); 476 OHOS::GnssAbility005FuzzTest(ch, size); 477 OHOS::GnssAbility006FuzzTest(ch, size); 478 OHOS::GnssAbility007FuzzTest(ch, size); 479 OHOS::GnssAbility008FuzzTest(ch, size); 480 OHOS::GnssAbility009FuzzTest(ch, size); 481 OHOS::GnssAbility010FuzzTest(ch, size); 482 OHOS::GnssAbility011FuzzTest(ch, size); 483 OHOS::GnssAbility012FuzzTest(ch, size); 484 OHOS::GnssAbility013FuzzTest(ch, size); 485 OHOS::GnssAbility014FuzzTest(ch, size); 486 OHOS::GnssAbility015FuzzTest(ch, size); 487 OHOS::GnssAbility016FuzzTest(ch, size); 488 OHOS::GnssAbility017FuzzTest(ch, size); 489 OHOS::GnssAbility018FuzzTest(ch, size); 490 OHOS::GnssAbility019FuzzTest(ch, size); 491 OHOS::GnssAbility020FuzzTest(ch, size); 492 OHOS::GnssAbility021FuzzTest(ch, size); 493#endif 494 free(ch); 495 ch = nullptr; 496 } 497 return 0; 498} 499 500