1/* 2 * Copyright (c) 2022 Huawei Device Co., Ltd. 3 * Licensed under the Apache License, Version 2.0 (the "License"); 4 * you may not use this file except in compliance with the License. 5 * You may obtain a copy of the License at 6 * 7 * http://www.apache.org/licenses/LICENSE-2.0 8 * 9 * Unless required by applicable law or agreed to in writing, software 10 * distributed under the License is distributed on an "AS IS" BASIS, 11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 * See the License for the specific language governing permissions and 13 * limitations under the License. 14 */ 15 16#include "abilityeventhandler_fuzzer.h" 17 18#include <cstddef> 19#include <cstdint> 20 21#define private public 22#include "ability_event_handler.h" 23#include "interceptor/ability_interceptor_executer.h" 24#include "ability_running_info.h" 25#include "ability_scheduler_proxy.h" 26#include "ams_configuration_parameter.h" 27#undef private 28 29#include "ability_record.h" 30#include "data_ability_observer_interface.h" 31#include "data_ability_predicates.h" 32 33using namespace OHOS::AAFwk; 34using namespace OHOS::AppExecFwk; 35 36namespace OHOS { 37namespace { 38constexpr int INPUT_ZERO = 0; 39constexpr int INPUT_ONE = 1; 40constexpr int INPUT_THREE = 3; 41constexpr size_t FOO_MAX_LEN = 1024; 42constexpr size_t U32_AT_SIZE = 4; 43constexpr uint8_t ENABLE = 2; 44constexpr int OFFSET_ZERO = 24; 45constexpr int OFFSET_ONE = 16; 46constexpr int OFFSET_TWO = 8; 47class DataAbilityObserver : public IDataAbilityObserver { 48public: 49 DataAbilityObserver() = default; 50 virtual ~DataAbilityObserver() = default; 51 void OnChange() override 52 {} 53 sptr<IRemoteObject> AsObject() override 54 { 55 return {}; 56 } 57}; 58} 59 60uint32_t GetU32Data(const char* ptr) 61{ 62 // convert fuzz input data to an integer 63 return (ptr[INPUT_ZERO] << OFFSET_ZERO) | (ptr[INPUT_ONE] << OFFSET_ONE) | (ptr[ENABLE] << OFFSET_TWO) | 64 ptr[INPUT_THREE]; 65} 66 67sptr<Token> GetFuzzAbilityToken() 68{ 69 sptr<Token> token = nullptr; 70 AbilityRequest abilityRequest; 71 abilityRequest.appInfo.bundleName = "com.example.fuzzTest"; 72 abilityRequest.abilityInfo.name = "MainAbility"; 73 abilityRequest.abilityInfo.type = AbilityType::DATA; 74 std::shared_ptr<AbilityRecord> abilityRecord = AbilityRecord::CreateAbilityRecord(abilityRequest); 75 if (abilityRecord) { 76 token = abilityRecord->GetToken(); 77 } 78 return token; 79} 80 81bool DoSomethingInterestingWithMyAPI(const char* data, size_t size) 82{ 83 bool boolParam = *data % ENABLE; 84 int intParam = static_cast<int>(GetU32Data(data)); 85 int32_t int32Param = static_cast<int32_t>(GetU32Data(data)); 86 int64_t int64Param = static_cast<int64_t>(GetU32Data(data)); 87 uint32_t uint32Param = GetU32Data(data); 88 std::string stringParam(data, size); 89 90 // fuzz for AbilityEventHandler 91 std::shared_ptr<TaskHandlerWrap> runner; 92 std::weak_ptr<AbilityManagerService> server; 93 auto abilityEventHandler = std::make_shared<AbilityEventHandler>(runner, server); 94 abilityEventHandler->ProcessLoadTimeOut(int64Param); 95 abilityEventHandler->ProcessActiveTimeOut(int64Param); 96 abilityEventHandler->ProcessInactiveTimeOut(int64Param); 97 abilityEventHandler->ProcessForegroundTimeOut(int64Param); 98 99 // fuzz for AbilityInterceptorExecuter 100 auto abilityInterceptorExecuter = std::make_shared<AbilityInterceptorExecuter>(); 101 std::shared_ptr<AbilityInterceptor> interceptor; 102 abilityInterceptorExecuter->AddInterceptor(interceptor); 103 Parcel wantParcel; 104 Want* want = nullptr; 105 if (wantParcel.WriteBuffer(data, size)) { 106 want = Want::Unmarshalling(wantParcel); 107 if (!want) { 108 return false; 109 } 110 } 111 112 AbilityInterceptorParam interceptorParam = AbilityInterceptorParam( 113 *want, intParam, int32Param, boolParam, nullptr, nullptr); 114 abilityInterceptorExecuter->DoProcess(interceptorParam); 115 116 // fuzz for AbilityRunningInfo 117 auto abilityRunningInfo = std::make_shared<AbilityRunningInfo>(); 118 Parcel parcel; 119 abilityRunningInfo->ReadFromParcel(parcel); 120 abilityRunningInfo->Unmarshalling(parcel); 121 abilityRunningInfo->Marshalling(parcel); 122 123 // fuzz for AbilitySchedulerProxy 124 sptr<IRemoteObject> impl = GetFuzzAbilityToken(); 125 auto abilitySchedulerProxy = std::make_shared<AbilitySchedulerProxy>(impl); 126 MessageParcel messageParcel; 127 abilitySchedulerProxy->WriteInterfaceToken(messageParcel); 128 LifeCycleStateInfo stateInfo; 129 abilitySchedulerProxy->ScheduleAbilityTransaction(*want, stateInfo); 130 abilitySchedulerProxy->SendResult(intParam, intParam, *want); 131 abilitySchedulerProxy->ScheduleConnectAbility(*want); 132 abilitySchedulerProxy->ScheduleDisconnectAbility(*want); 133 abilitySchedulerProxy->ScheduleCommandAbility(*want, boolParam, intParam); 134 abilitySchedulerProxy->ScheduleSaveAbilityState(); 135 PacMap inState; 136 abilitySchedulerProxy->ScheduleRestoreAbilityState(inState); 137 Uri uri(stringParam); 138 abilitySchedulerProxy->GetFileTypes(uri, stringParam); 139 abilitySchedulerProxy->OpenFile(uri, stringParam); 140 abilitySchedulerProxy->OpenRawFile(uri, stringParam); 141 PacMap pacMap; 142 abilitySchedulerProxy->Call(uri, stringParam, stringParam, pacMap); 143 NativeRdb::DataAbilityPredicates predicates; 144 abilitySchedulerProxy->Delete(uri, predicates); 145 std::vector<std::string> columns; 146 abilitySchedulerProxy->Query(uri, columns, predicates); 147 abilitySchedulerProxy->GetType(uri); 148 PacMap extras; 149 abilitySchedulerProxy->Reload(uri, extras); 150 sptr<IDataAbilityObserver> dataObserver(new DataAbilityObserver()); 151 abilitySchedulerProxy->ScheduleRegisterObserver(uri, dataObserver); 152 abilitySchedulerProxy->ScheduleUnregisterObserver(uri, dataObserver); 153 abilitySchedulerProxy->ScheduleNotifyChange(uri); 154 abilitySchedulerProxy->NormalizeUri(uri); 155 abilitySchedulerProxy->DenormalizeUri(uri); 156 std::vector<std::shared_ptr<AppExecFwk::DataAbilityOperation>> operations; 157 abilitySchedulerProxy->ExecuteBatch(operations); 158 abilitySchedulerProxy->ContinueAbility(stringParam, uint32Param); 159 abilitySchedulerProxy->NotifyContinuationResult(int32Param); 160 std::vector<std::string> stringVector; 161 abilitySchedulerProxy->DumpAbilityInfo(stringVector, stringVector); 162 abilitySchedulerProxy->CallRequest(); 163 // fuzz for AmsConfigurationParameter 164 AmsConfigurationParameter::GetInstance().NonConfigFile(); 165 AmsConfigurationParameter::GetInstance().GetMissionSaveTime(); 166 AmsConfigurationParameter::GetInstance().GetOrientation(); 167 AmsConfigurationParameter::GetInstance().GetANRTimeOutTime(); 168 AmsConfigurationParameter::GetInstance().GetAMSTimeOutTime(); 169 AmsConfigurationParameter::GetInstance().GetMaxRestartNum(true); 170 AmsConfigurationParameter::GetInstance().GetDeviceType(); 171 AmsConfigurationParameter::GetInstance().GetBootAnimationTimeoutTime(); 172 nlohmann::json Object; 173 AmsConfigurationParameter::GetInstance().LoadAppConfigurationForStartUpService(Object); 174 AmsConfigurationParameter::GetInstance().LoadAppConfigurationForMemoryThreshold(Object); 175 AmsConfigurationParameter::GetInstance().LoadSystemConfiguration(Object); 176 177 return true; 178} 179} 180 181/* Fuzzer entry point */ 182extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) 183{ 184 /* Run your code on data */ 185 if (data == nullptr) { 186 std::cout << "invalid data" << std::endl; 187 return 0; 188 } 189 190 /* Validate the length of size */ 191 if (size > OHOS::FOO_MAX_LEN || size < OHOS::U32_AT_SIZE) { 192 return 0; 193 } 194 195 char* ch = (char*)malloc(size + 1); 196 if (ch == nullptr) { 197 std::cout << "malloc failed." << std::endl; 198 return 0; 199 } 200 201 (void)memset_s(ch, size + 1, 0x00, size + 1); 202 if (memcpy_s(ch, size, data, size) != EOK) { 203 std::cout << "copy failed." << std::endl; 204 free(ch); 205 ch = nullptr; 206 return 0; 207 } 208 209 OHOS::DoSomethingInterestingWithMyAPI(ch, size); 210 free(ch); 211 ch = nullptr; 212 return 0; 213} 214 215