1 /*
2  * Copyright (c) 2022 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  *     http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #include "passiveability_fuzzer.h"
17 
18 #include "accesstoken_kit.h"
19 #include "if_system_ability_manager.h"
20 #include "iservice_registry.h"
21 #include "message_option.h"
22 #include "message_parcel.h"
23 #include "nativetoken_kit.h"
24 #include "system_ability_definition.h"
25 #include "token_setproc.h"
26 #include "locator_ability.h"
27 #include "locationhub_ipc_interface_code.h"
28 
29 #ifdef FEATURE_PASSIVE_SUPPORT
30 #include "passive_ability.h"
31 #endif
32 #include "permission_manager.h"
33 #include "work_record_statistic.h"
34 
35 namespace OHOS {
36 using namespace OHOS::Location;
37 const int32_t MAX_MEM_SIZE = 4 * 1024 * 1024;
38 const int32_t SLEEP_TIMES = 1000;
39 const int32_t LOCATION_PERM_NUM = 4;
40 
MockNativePermission()41 void MockNativePermission()
42 {
43     const char *perms[] = {
44         ACCESS_LOCATION.c_str(), ACCESS_APPROXIMATELY_LOCATION.c_str(),
45         ACCESS_BACKGROUND_LOCATION.c_str(), MANAGE_SECURE_SETTINGS.c_str(),
46     };
47     NativeTokenInfoParams infoInstance = {
48         .dcapsNum = 0,
49         .permsNum = LOCATION_PERM_NUM,
50         .aclsNum = 0,
51         .dcaps = nullptr,
52         .perms = perms,
53         .acls = nullptr,
54         .processName = "GnssAbility_FuzzTest",
55         .aplStr = "system_basic",
56     };
57     auto tokenId = GetAccessTokenId(&infoInstance);
58     SetSelfTokenID(tokenId);
59     Security::AccessToken::AccessTokenKit::ReloadNativeTokenInfo();
60     LocatorAbility::GetInstance()->EnableAbility(true);
61 }
62 
ParseData(const uint8_t* data, size_t size)63 char* ParseData(const uint8_t* data, size_t size)
64 {
65     if (data == nullptr) {
66         return nullptr;
67     }
68 
69     if (size > MAX_MEM_SIZE) {
70         return nullptr;
71     }
72 
73     char* ch = (char *)malloc(size + 1);
74     if (ch == nullptr) {
75         return nullptr;
76     }
77 
78     (void)memset_s(ch, size + 1, 0x00, size + 1);
79     if (memcpy_s(ch, size, data, size) != EOK) {
80         free(ch);
81         ch = nullptr;
82         return nullptr;
83     }
84     return ch;
85 }
86 
87 #ifdef FEATURE_PASSIVE_SUPPORT
PassiveAbility001FuzzTest(const char* data, size_t size)88 bool PassiveAbility001FuzzTest(const char* data, size_t size)
89 {
90     MessageParcel requestParcel;
91     requestParcel.WriteInterfaceToken(u"location.IPassiveAbility");
92     requestParcel.WriteBuffer(data, size);
93     requestParcel.RewindRead(0);
94 
95     MessageParcel reply;
96     MessageOption option;
97 
98     auto ability = sptr<PassiveAbility>(new (std::nothrow) PassiveAbility());
99     ability->OnRemoteRequest(static_cast<uint32_t>(PassiveInterfaceCode::SEND_LOCATION_REQUEST),
100         requestParcel, reply, option);
101     std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
102     WorkRecordStatistic::DestroyInstance();
103     return true;
104 }
105 
PassiveAbility002FuzzTest(const char* data, size_t size)106 bool PassiveAbility002FuzzTest(const char* data, size_t size)
107 {
108     MessageParcel requestParcel;
109     requestParcel.WriteInterfaceToken(u"location.IPassiveAbility");
110     requestParcel.WriteBuffer(data, size);
111     requestParcel.RewindRead(0);
112 
113     MessageParcel reply;
114     MessageOption option;
115 
116     auto ability = sptr<PassiveAbility>(new (std::nothrow) PassiveAbility());
117     ability->OnRemoteRequest(static_cast<uint32_t>(PassiveInterfaceCode::SET_ENABLE),
118         requestParcel, reply, option);
119     std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
120     WorkRecordStatistic::DestroyInstance();
121     return true;
122 }
123 
PassiveAbility003FuzzTest(const char* data, size_t size)124 bool PassiveAbility003FuzzTest(const char* data, size_t size)
125 {
126     MessageParcel requestParcel;
127     requestParcel.WriteInterfaceToken(u"location.IPassiveAbility");
128     requestParcel.WriteBuffer(data, size);
129     requestParcel.RewindRead(0);
130 
131     MessageParcel reply;
132     MessageOption option;
133 
134     auto ability = sptr<PassiveAbility>(new (std::nothrow) PassiveAbility());
135     ability->OnRemoteRequest(static_cast<uint32_t>(PassiveInterfaceCode::ENABLE_LOCATION_MOCK),
136         requestParcel, reply, option);
137     std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
138     WorkRecordStatistic::DestroyInstance();
139     return true;
140 }
141 
PassiveAbility004FuzzTest(const char* data, size_t size)142 bool PassiveAbility004FuzzTest(const char* data, size_t size)
143 {
144     MessageParcel requestParcel;
145     requestParcel.WriteInterfaceToken(u"location.IPassiveAbility");
146     requestParcel.WriteBuffer(data, size);
147     requestParcel.RewindRead(0);
148 
149     MessageParcel reply;
150     MessageOption option;
151 
152     auto ability = sptr<PassiveAbility>(new (std::nothrow) PassiveAbility());
153     ability->OnRemoteRequest(static_cast<uint32_t>(PassiveInterfaceCode::DISABLE_LOCATION_MOCK),
154         requestParcel, reply, option);
155     std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
156     WorkRecordStatistic::DestroyInstance();
157     return true;
158 }
159 
PassiveAbility005FuzzTest(const char* data, size_t size)160 bool PassiveAbility005FuzzTest(const char* data, size_t size)
161 {
162     MessageParcel requestParcel;
163     requestParcel.WriteInterfaceToken(u"location.IPassiveAbility");
164     requestParcel.WriteBuffer(data, size);
165     requestParcel.RewindRead(0);
166 
167     MessageParcel reply;
168     MessageOption option;
169 
170     auto ability = sptr<PassiveAbility>(new (std::nothrow) PassiveAbility());
171     ability->OnRemoteRequest(static_cast<uint32_t>(PassiveInterfaceCode::SET_MOCKED_LOCATIONS),
172         requestParcel, reply, option);
173     std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
174     WorkRecordStatistic::DestroyInstance();
175     return true;
176 }
177 #endif
178 } // namespace OHOS
179 
180 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)181 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
182 {
183     OHOS::MockNativePermission();
184     char* ch = OHOS::ParseData(data, size);
185     if (ch != nullptr) {
186 #ifdef FEATURE_PASSIVE_SUPPORT
187         OHOS::PassiveAbility001FuzzTest(ch, size);
188         OHOS::PassiveAbility002FuzzTest(ch, size);
189         OHOS::PassiveAbility003FuzzTest(ch, size);
190         OHOS::PassiveAbility004FuzzTest(ch, size);
191         OHOS::PassiveAbility005FuzzTest(ch, size);
192 #endif
193         free(ch);
194         ch = nullptr;
195     }
196     return 0;
197 }
198 
199