142103316Sopenharmony_ci/* 242103316Sopenharmony_ci * Copyright (c) 2022 Huawei Device Co., Ltd. 342103316Sopenharmony_ci * Licensed under the Apache License, Version 2.0 (the "License"); 442103316Sopenharmony_ci * you may not use this file except in compliance with the License. 542103316Sopenharmony_ci * You may obtain a copy of the License at 642103316Sopenharmony_ci * 742103316Sopenharmony_ci * http://www.apache.org/licenses/LICENSE-2.0 842103316Sopenharmony_ci * 942103316Sopenharmony_ci * Unless required by applicable law or agreed to in writing, software 1042103316Sopenharmony_ci * distributed under the License is distributed on an "AS IS" BASIS, 1142103316Sopenharmony_ci * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 1242103316Sopenharmony_ci * See the License for the specific language governing permissions and 1342103316Sopenharmony_ci * limitations under the License. 1442103316Sopenharmony_ci */ 1542103316Sopenharmony_ci 1642103316Sopenharmony_ci#include "usbmgrbulkcancel_fuzzer.h" 1742103316Sopenharmony_ci 1842103316Sopenharmony_ci#include <array> 1942103316Sopenharmony_ci#include <optional> 2042103316Sopenharmony_ci 2142103316Sopenharmony_ci#include "ashmem.h" 2242103316Sopenharmony_ci#include "iremote_object.h" 2342103316Sopenharmony_ci#include "usb_callback_test.h" 2442103316Sopenharmony_ci#include "usb_common_fuzz.h" 2542103316Sopenharmony_ci#include "usb_errors.h" 2642103316Sopenharmony_ci 2742103316Sopenharmony_cinamespace { 2842103316Sopenharmony_ciconst uint32_t OFFSET = 4; 2942103316Sopenharmony_ciconstexpr size_t THRESHOLD = 10; 3042103316Sopenharmony_ciconst uint32_t ASHMEM_MAX_SIZE = 1024; 3142103316Sopenharmony_ciconst uint32_t MEM_DATA = 1024 * 1024; 3242103316Sopenharmony_ci} 3342103316Sopenharmony_cinamespace OHOS { 3442103316Sopenharmony_cinamespace USB { 3542103316Sopenharmony_ci sptr<Ashmem> GetSharedMem() 3642103316Sopenharmony_ci { 3742103316Sopenharmony_ci sptr<Ashmem> asmptr = Ashmem::CreateAshmem("ttashmem001", MEM_DATA); 3842103316Sopenharmony_ci if (asmptr == nullptr) { 3942103316Sopenharmony_ci USB_HILOGE(MODULE_USB_SERVICE, "InitAshmemOne CreateAshmem failed"); 4042103316Sopenharmony_ci return nullptr; 4142103316Sopenharmony_ci } 4242103316Sopenharmony_ci 4342103316Sopenharmony_ci asmptr->MapReadAndWriteAshmem(); 4442103316Sopenharmony_ci 4542103316Sopenharmony_ci std::array<uint8_t, ASHMEM_MAX_SIZE> tdata; 4642103316Sopenharmony_ci tdata.fill('Y'); 4742103316Sopenharmony_ci uint32_t offset = 0; 4842103316Sopenharmony_ci while (offset < MEM_DATA) { 4942103316Sopenharmony_ci uint32_t tlen = (MEM_DATA - offset) < ASHMEM_MAX_SIZE ? (MEM_DATA - offset) : ASHMEM_MAX_SIZE; 5042103316Sopenharmony_ci asmptr->WriteToAshmem(tdata.data(), tlen, offset); 5142103316Sopenharmony_ci offset += tlen; 5242103316Sopenharmony_ci } 5342103316Sopenharmony_ci return asmptr; 5442103316Sopenharmony_ci } 5542103316Sopenharmony_ci 5642103316Sopenharmony_ci bool UsbMgrBulkCancelFuzzTest(const uint8_t* data, size_t /* size */) 5742103316Sopenharmony_ci { 5842103316Sopenharmony_ci auto[res, pipe, interface] = UsbMgrPrepareFuzzEnv(); 5942103316Sopenharmony_ci if (!res) { 6042103316Sopenharmony_ci USB_HILOGE(MODULE_USB_SERVICE, "prepare error"); 6142103316Sopenharmony_ci return false; 6242103316Sopenharmony_ci } 6342103316Sopenharmony_ci 6442103316Sopenharmony_ci auto& usbSrvClient = UsbSrvClient::GetInstance(); 6542103316Sopenharmony_ci sptr<UsbCallbackTest> cb = new UsbCallbackTest(); 6642103316Sopenharmony_ci USBEndpoint point = const_cast<UsbInterface &>(interface).GetEndpoints().at(1); 6742103316Sopenharmony_ci auto ret = usbSrvClient.RegBulkCallback(const_cast<USBDevicePipe &>(pipe), point, cb); 6842103316Sopenharmony_ci if (ret != UEC_OK) { 6942103316Sopenharmony_ci USB_HILOGE(MODULE_USB_SERVICE, "RegBulkCallback failed ret=%{public}d", ret); 7042103316Sopenharmony_ci return false; 7142103316Sopenharmony_ci } 7242103316Sopenharmony_ci 7342103316Sopenharmony_ci auto sharedMem = GetSharedMem(); 7442103316Sopenharmony_ci if (sharedMem == nullptr) { 7542103316Sopenharmony_ci USB_HILOGE(MODULE_USB_SERVICE, "GetSharedMem failed ret=%{public}d", ret); 7642103316Sopenharmony_ci return false; 7742103316Sopenharmony_ci } 7842103316Sopenharmony_ci 7942103316Sopenharmony_ci ret = usbSrvClient.BulkWrite(const_cast<USBDevicePipe &>(pipe), point, sharedMem); 8042103316Sopenharmony_ci if (ret != UEC_OK) { 8142103316Sopenharmony_ci USB_HILOGE(MODULE_USB_SERVICE, "BulkWrite failed ret=%{public}d", ret); 8242103316Sopenharmony_ci return false; 8342103316Sopenharmony_ci } 8442103316Sopenharmony_ci 8542103316Sopenharmony_ci if (usbSrvClient.BulkCancel(reinterpret_cast<USBDevicePipe &>(data), 8642103316Sopenharmony_ci reinterpret_cast<const USBEndpoint&>(std::move(data + OFFSET))) == UEC_OK) { 8742103316Sopenharmony_ci return false; 8842103316Sopenharmony_ci } 8942103316Sopenharmony_ci return true; 9042103316Sopenharmony_ci } 9142103316Sopenharmony_ci} // USB 9242103316Sopenharmony_ci} // OHOS 9342103316Sopenharmony_ci 9442103316Sopenharmony_ci/* Fuzzer entry point */ 9542103316Sopenharmony_ciextern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) 9642103316Sopenharmony_ci{ 9742103316Sopenharmony_ci if (size < THRESHOLD) { 9842103316Sopenharmony_ci return 0; 9942103316Sopenharmony_ci } 10042103316Sopenharmony_ci /* Run your code on data */ 10142103316Sopenharmony_ci OHOS::USB::UsbMgrBulkCancelFuzzTest(data, size); 10242103316Sopenharmony_ci return 0; 10342103316Sopenharmony_ci} 104