1/*
2 * Copyright (c) 2022 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 *     http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16#include "passiveability_fuzzer.h"
17
18#include "accesstoken_kit.h"
19#include "if_system_ability_manager.h"
20#include "iservice_registry.h"
21#include "message_option.h"
22#include "message_parcel.h"
23#include "nativetoken_kit.h"
24#include "system_ability_definition.h"
25#include "token_setproc.h"
26#include "locator_ability.h"
27#include "locationhub_ipc_interface_code.h"
28
29#ifdef FEATURE_PASSIVE_SUPPORT
30#include "passive_ability.h"
31#endif
32#include "permission_manager.h"
33#include "work_record_statistic.h"
34
35namespace OHOS {
36using namespace OHOS::Location;
37const int32_t MAX_MEM_SIZE = 4 * 1024 * 1024;
38const int32_t SLEEP_TIMES = 1000;
39const int32_t LOCATION_PERM_NUM = 4;
40
41void MockNativePermission()
42{
43    const char *perms[] = {
44        ACCESS_LOCATION.c_str(), ACCESS_APPROXIMATELY_LOCATION.c_str(),
45        ACCESS_BACKGROUND_LOCATION.c_str(), MANAGE_SECURE_SETTINGS.c_str(),
46    };
47    NativeTokenInfoParams infoInstance = {
48        .dcapsNum = 0,
49        .permsNum = LOCATION_PERM_NUM,
50        .aclsNum = 0,
51        .dcaps = nullptr,
52        .perms = perms,
53        .acls = nullptr,
54        .processName = "GnssAbility_FuzzTest",
55        .aplStr = "system_basic",
56    };
57    auto tokenId = GetAccessTokenId(&infoInstance);
58    SetSelfTokenID(tokenId);
59    Security::AccessToken::AccessTokenKit::ReloadNativeTokenInfo();
60    LocatorAbility::GetInstance()->EnableAbility(true);
61}
62
63char* ParseData(const uint8_t* data, size_t size)
64{
65    if (data == nullptr) {
66        return nullptr;
67    }
68
69    if (size > MAX_MEM_SIZE) {
70        return nullptr;
71    }
72
73    char* ch = (char *)malloc(size + 1);
74    if (ch == nullptr) {
75        return nullptr;
76    }
77
78    (void)memset_s(ch, size + 1, 0x00, size + 1);
79    if (memcpy_s(ch, size, data, size) != EOK) {
80        free(ch);
81        ch = nullptr;
82        return nullptr;
83    }
84    return ch;
85}
86
87#ifdef FEATURE_PASSIVE_SUPPORT
88bool PassiveAbility001FuzzTest(const char* data, size_t size)
89{
90    MessageParcel requestParcel;
91    requestParcel.WriteInterfaceToken(u"location.IPassiveAbility");
92    requestParcel.WriteBuffer(data, size);
93    requestParcel.RewindRead(0);
94
95    MessageParcel reply;
96    MessageOption option;
97
98    auto ability = sptr<PassiveAbility>(new (std::nothrow) PassiveAbility());
99    ability->OnRemoteRequest(static_cast<uint32_t>(PassiveInterfaceCode::SEND_LOCATION_REQUEST),
100        requestParcel, reply, option);
101    std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
102    WorkRecordStatistic::DestroyInstance();
103    return true;
104}
105
106bool PassiveAbility002FuzzTest(const char* data, size_t size)
107{
108    MessageParcel requestParcel;
109    requestParcel.WriteInterfaceToken(u"location.IPassiveAbility");
110    requestParcel.WriteBuffer(data, size);
111    requestParcel.RewindRead(0);
112
113    MessageParcel reply;
114    MessageOption option;
115
116    auto ability = sptr<PassiveAbility>(new (std::nothrow) PassiveAbility());
117    ability->OnRemoteRequest(static_cast<uint32_t>(PassiveInterfaceCode::SET_ENABLE),
118        requestParcel, reply, option);
119    std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
120    WorkRecordStatistic::DestroyInstance();
121    return true;
122}
123
124bool PassiveAbility003FuzzTest(const char* data, size_t size)
125{
126    MessageParcel requestParcel;
127    requestParcel.WriteInterfaceToken(u"location.IPassiveAbility");
128    requestParcel.WriteBuffer(data, size);
129    requestParcel.RewindRead(0);
130
131    MessageParcel reply;
132    MessageOption option;
133
134    auto ability = sptr<PassiveAbility>(new (std::nothrow) PassiveAbility());
135    ability->OnRemoteRequest(static_cast<uint32_t>(PassiveInterfaceCode::ENABLE_LOCATION_MOCK),
136        requestParcel, reply, option);
137    std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
138    WorkRecordStatistic::DestroyInstance();
139    return true;
140}
141
142bool PassiveAbility004FuzzTest(const char* data, size_t size)
143{
144    MessageParcel requestParcel;
145    requestParcel.WriteInterfaceToken(u"location.IPassiveAbility");
146    requestParcel.WriteBuffer(data, size);
147    requestParcel.RewindRead(0);
148
149    MessageParcel reply;
150    MessageOption option;
151
152    auto ability = sptr<PassiveAbility>(new (std::nothrow) PassiveAbility());
153    ability->OnRemoteRequest(static_cast<uint32_t>(PassiveInterfaceCode::DISABLE_LOCATION_MOCK),
154        requestParcel, reply, option);
155    std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
156    WorkRecordStatistic::DestroyInstance();
157    return true;
158}
159
160bool PassiveAbility005FuzzTest(const char* data, size_t size)
161{
162    MessageParcel requestParcel;
163    requestParcel.WriteInterfaceToken(u"location.IPassiveAbility");
164    requestParcel.WriteBuffer(data, size);
165    requestParcel.RewindRead(0);
166
167    MessageParcel reply;
168    MessageOption option;
169
170    auto ability = sptr<PassiveAbility>(new (std::nothrow) PassiveAbility());
171    ability->OnRemoteRequest(static_cast<uint32_t>(PassiveInterfaceCode::SET_MOCKED_LOCATIONS),
172        requestParcel, reply, option);
173    std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
174    WorkRecordStatistic::DestroyInstance();
175    return true;
176}
177#endif
178} // namespace OHOS
179
180/* Fuzzer entry point */
181extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
182{
183    OHOS::MockNativePermission();
184    char* ch = OHOS::ParseData(data, size);
185    if (ch != nullptr) {
186#ifdef FEATURE_PASSIVE_SUPPORT
187        OHOS::PassiveAbility001FuzzTest(ch, size);
188        OHOS::PassiveAbility002FuzzTest(ch, size);
189        OHOS::PassiveAbility003FuzzTest(ch, size);
190        OHOS::PassiveAbility004FuzzTest(ch, size);
191        OHOS::PassiveAbility005FuzzTest(ch, size);
192#endif
193        free(ch);
194        ch = nullptr;
195    }
196    return 0;
197}
198
199