1 /*
2  * Copyright (c) 2022 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  *     http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #include "networkability_fuzzer.h"
17 
18 #include "accesstoken_kit.h"
19 #include "if_system_ability_manager.h"
20 #include "iservice_registry.h"
21 #include "message_option.h"
22 #include "message_parcel.h"
23 #include "nativetoken_kit.h"
24 #include "system_ability_definition.h"
25 #include "token_setproc.h"
26 #include "locator_ability.h"
27 #include "locationhub_ipc_interface_code.h"
28 
29 #ifdef FEATURE_NETWORK_SUPPORT
30 #include "network_ability.h"
31 #endif
32 #include "permission_manager.h"
33 #include "work_record_statistic.h"
34 
35 
36 namespace OHOS {
37 using namespace OHOS::Location;
38 const int32_t MAX_MEM_SIZE = 4 * 1024 * 1024;
39 const int32_t SLEEP_TIMES = 1000;
40 const int32_t LOCATION_PERM_NUM = 4;
41 
MockNativePermission()42 void MockNativePermission()
43 {
44     const char *perms[] = {
45         ACCESS_LOCATION.c_str(), ACCESS_APPROXIMATELY_LOCATION.c_str(),
46         ACCESS_BACKGROUND_LOCATION.c_str(), MANAGE_SECURE_SETTINGS.c_str(),
47     };
48     NativeTokenInfoParams infoInstance = {
49         .dcapsNum = 0,
50         .permsNum = LOCATION_PERM_NUM,
51         .aclsNum = 0,
52         .dcaps = nullptr,
53         .perms = perms,
54         .acls = nullptr,
55         .processName = "NetworkAbility_FuzzTest",
56         .aplStr = "system_basic",
57     };
58     auto tokenId = GetAccessTokenId(&infoInstance);
59     SetSelfTokenID(tokenId);
60     Security::AccessToken::AccessTokenKit::ReloadNativeTokenInfo();
61     LocatorAbility::GetInstance()->EnableAbility(true);
62 }
63 
ParseData(const uint8_t* data, size_t size)64 char* ParseData(const uint8_t* data, size_t size)
65 {
66     if (data == nullptr) {
67         return nullptr;
68     }
69 
70     if (size > MAX_MEM_SIZE) {
71         return nullptr;
72     }
73 
74     char* ch = (char *)malloc(size + 1);
75     if (ch == nullptr) {
76         return nullptr;
77     }
78 
79     (void)memset_s(ch, size + 1, 0x00, size + 1);
80     if (memcpy_s(ch, size, data, size) != EOK) {
81         free(ch);
82         ch = nullptr;
83         return nullptr;
84     }
85     return ch;
86 }
87 
88 #ifdef FEATURE_NETWORK_SUPPORT
NetworkAbility001FuzzTest(const char* data, size_t size)89 bool NetworkAbility001FuzzTest(const char* data, size_t size)
90 {
91     MessageParcel requestParcel;
92     requestParcel.WriteInterfaceToken(u"location.INetworkAbility");
93     requestParcel.WriteBuffer(data, size);
94     requestParcel.RewindRead(0);
95 
96     MessageParcel reply;
97     MessageOption option;
98     auto ability = sptr<NetworkAbility>(new (std::nothrow) NetworkAbility());
99     ability->OnRemoteRequest(static_cast<uint32_t>(NetworkInterfaceCode::SEND_LOCATION_REQUEST),
100         requestParcel, reply, option);
101     WorkRecordStatistic::DestroyInstance();
102     return true;
103 }
104 
NetworkAbility002FuzzTest(const char* data, size_t size)105 bool NetworkAbility002FuzzTest(const char* data, size_t size)
106 {
107     MessageParcel requestParcel;
108     requestParcel.WriteInterfaceToken(u"location.INetworkAbility");
109     requestParcel.WriteBuffer(data, size);
110     requestParcel.RewindRead(0);
111 
112     MessageParcel reply;
113     MessageOption option;
114     auto ability = sptr<NetworkAbility>(new (std::nothrow) NetworkAbility());
115     ability->OnRemoteRequest(static_cast<uint32_t>(NetworkInterfaceCode::SET_MOCKED_LOCATIONS),
116         requestParcel, reply, option);
117     WorkRecordStatistic::DestroyInstance();
118     return true;
119 }
120 
NetworkAbility003FuzzTest(const char* data, size_t size)121 bool NetworkAbility003FuzzTest(const char* data, size_t size)
122 {
123     MessageParcel requestParcel;
124     requestParcel.WriteInterfaceToken(u"location.INetworkAbility");
125     requestParcel.WriteBuffer(data, size);
126     requestParcel.RewindRead(0);
127 
128     MessageParcel reply;
129     MessageOption option;
130     auto ability = sptr<NetworkAbility>(new (std::nothrow) NetworkAbility());
131     ability->OnRemoteRequest(static_cast<uint32_t>(NetworkInterfaceCode::SELF_REQUEST),
132         requestParcel, reply, option);
133     std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
134     WorkRecordStatistic::DestroyInstance();
135     return true;
136 }
137 
NetworkAbility004FuzzTest(const char* data, size_t size)138 bool NetworkAbility004FuzzTest(const char* data, size_t size)
139 {
140     MessageParcel requestParcel;
141     requestParcel.WriteInterfaceToken(u"location.INetworkAbility");
142     requestParcel.WriteBuffer(data, size);
143     requestParcel.RewindRead(0);
144 
145     MessageParcel reply;
146     MessageOption option;
147     auto ability = sptr<NetworkAbility>(new (std::nothrow) NetworkAbility());
148     ability->OnRemoteRequest(static_cast<uint32_t>(NetworkInterfaceCode::SET_ENABLE),
149         requestParcel, reply, option);
150     std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
151     WorkRecordStatistic::DestroyInstance();
152     return true;
153 }
154 
NetworkAbility005FuzzTest(const char* data, size_t size)155 bool NetworkAbility005FuzzTest(const char* data, size_t size)
156 {
157     MessageParcel requestParcel;
158     requestParcel.WriteInterfaceToken(u"location.INetworkAbility");
159     requestParcel.WriteBuffer(data, size);
160     requestParcel.RewindRead(0);
161 
162     MessageParcel reply;
163     MessageOption option;
164     auto ability = sptr<NetworkAbility>(new (std::nothrow) NetworkAbility());
165     ability->OnRemoteRequest(static_cast<uint32_t>(NetworkInterfaceCode::ENABLE_LOCATION_MOCK),
166         requestParcel, reply, option);
167     std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
168     WorkRecordStatistic::DestroyInstance();
169     return true;
170 }
171 
NetworkAbility006FuzzTest(const char* data, size_t size)172 bool NetworkAbility006FuzzTest(const char* data, size_t size)
173 {
174     MessageParcel requestParcel;
175     requestParcel.WriteInterfaceToken(u"location.INetworkAbility");
176     requestParcel.WriteBuffer(data, size);
177     requestParcel.RewindRead(0);
178 
179     MessageParcel reply;
180     MessageOption option;
181     auto ability = sptr<NetworkAbility>(new (std::nothrow) NetworkAbility());
182     ability->OnRemoteRequest(static_cast<uint32_t>(NetworkInterfaceCode::DISABLE_LOCATION_MOCK),
183         requestParcel, reply, option);
184     std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
185     WorkRecordStatistic::DestroyInstance();
186     return true;
187 }
188 #endif
189 } // namespace OHOS
190 
191 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)192 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
193 {
194     OHOS::MockNativePermission();
195     char* ch = OHOS::ParseData(data, size);
196     if (ch != nullptr) {
197 #ifdef FEATURE_NETWORK_SUPPORT
198         OHOS::NetworkAbility001FuzzTest(ch, size);
199         OHOS::NetworkAbility002FuzzTest(ch, size);
200         OHOS::NetworkAbility003FuzzTest(ch, size);
201         OHOS::NetworkAbility004FuzzTest(ch, size);
202         OHOS::NetworkAbility005FuzzTest(ch, size);
203         OHOS::NetworkAbility006FuzzTest(ch, size);
204 #endif
205         free(ch);
206         ch = nullptr;
207     }
208     return 0;
209 }
210 
211