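/*
 * Copyright (c) 2022 Huawei Device Co., Ltd.
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#include "amsmgrscheduler_fuzzer.h"

// Standard headers stay above the `#define private public` hack below so they are never
// parsed while the keyword is redefined. <cstdlib>, <iostream> and <string> are listed
// because this file uses malloc/free, std::cout and std::string directly.
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <iostream>
#include <string>

// Test-only access hack: exposes AmsMgrScheduler's private members to the harness.
// It must wrap only the header under test and be undone immediately afterwards.
#define private public
#include "ams_mgr_scheduler.h"
#undef private
#include "ability_record.h"
#include "param.h"
#include "parcel.h"
#include "securec.h"

using namespace OHOS::AAFwk;
using namespace OHOS::AppExecFwk;

namespace OHOS {
namespace {
// Byte indices into the fuzz buffer used by GetU32Data.
constexpr int INPUT_ZERO = 0;
constexpr int INPUT_ONE = 1;
constexpr int INPUT_TWO = 2;
constexpr int INPUT_THREE = 3;
// Upper bound on the accepted fuzz input length, in bytes.
constexpr size_t FOO_MAX_LEN = 1024;
// Minimum input length: GetU32Data reads this many bytes.
constexpr size_t U32_AT_SIZE = 4;
// Modulus used elsewhere in this file to derive a boolean flag from the first input byte.
constexpr uint8_t ENABLE = 2;
// Shift amounts for the most significant, second and third bytes respectively.
constexpr size_t OFFSET_ZERO = 24;
constexpr size_t OFFSET_ONE = 16;
constexpr size_t OFFSET_TWO = 8;
} // namespace

/**
 * Decode the first four bytes of the fuzz input as a big-endian 32-bit unsigned integer.
 *
 * @param ptr Buffer with at least U32_AT_SIZE readable bytes. No length is passed in, so the
 *            caller is responsible for that bound.
 * @return The decoded value.
 */
uint32_t GetU32Data(const char* ptr)
{
    // Widen each byte through uint8_t before shifting. Plain char may be signed, in which case
    // a byte >= 0x80 would be sign-extended and overwrite the higher-order bytes of the result,
    // and shifting a negative value left is not well defined before C++20.
    const uint32_t first = static_cast<uint8_t>(ptr[INPUT_ZERO]);
    const uint32_t second = static_cast<uint8_t>(ptr[INPUT_ONE]);
    const uint32_t third = static_cast<uint8_t>(ptr[INPUT_TWO]);
    const uint32_t fourth = static_cast<uint8_t>(ptr[INPUT_THREE]);
    return (first << OFFSET_ZERO) | (second << OFFSET_ONE) | (third << OFFSET_TWO) | fourth;
}

/**
 * Create a PAGE-type ability record for a fixed test bundle and return its token.
 *
 * @return The record's token, or nullptr when CreateAbilityRecord yields no record.
 */
sptr<Token> GetFuzzAbilityToken()
{
    sptr<Token> token = nullptr;

    AbilityRequest abilityRequest;
    abilityRequest.appInfo.bundleName = "com.example.fuzzTest";
    abilityRequest.abilityInfo.name = "MainAbility";
    abilityRequest.abilityInfo.type = AbilityType::PAGE;
    // NOTE(review): the record goes out of scope when this function returns; confirm that the
    // returned token stays usable without it.
    std::shared_ptr<AbilityRecord> abilityRecord = AbilityRecord::CreateAbilityRecord(abilityRequest);
    if (abilityRecord) {
        token = abilityRecord->GetToken();
    }

    return token;
}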
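/**
 * Build an AmsMgrScheduler and drive its load/terminate path with fuzz-derived values.
 *
 * @param token    Ability token passed to LoadAbility (via LoadParam) and TerminateAbility.
 * @param preToken Previous-ability token stored in LoadParam.
 * @param data     Fuzz buffer; at least U32_AT_SIZE bytes must be readable (see GetU32Data).
 * @return The scheduler instance, so the caller can keep exercising it.
 */
std::shared_ptr<AmsMgrScheduler> DoSomethingInterestingWithMyAPI1(sptr<IRemoteObject> token,
    sptr<IRemoteObject> preToken, const char* data)
{
    // Both collaborators are default-constructed, i.e. null.
    // NOTE(review): with a null inner service and handler the scheduler may reject most calls
    // before reaching the logic of interest; confirm the harness covers what it is meant to.
    std::shared_ptr<AppMgrServiceInner> mgrServiceInner;
    std::shared_ptr<AAFwk::TaskHandlerWrap> handler;
    std::shared_ptr<AmsMgrScheduler> amsMgrScheduler = std::make_shared<AmsMgrScheduler>(mgrServiceInner, handler);

    sptr<IStartSpecifiedAbilityResponse> response;
    amsMgrScheduler->RegisterStartSpecifiedAbilityResponse(response);

    // LoadAbility is exercised with null ability/app/want pointers and a fuzzed record id.
    std::shared_ptr<AbilityInfo> abilityInfoptr;
    std::shared_ptr<ApplicationInfo> appInfo;
    std::shared_ptr<AAFwk::Want> wantptr;
    AbilityRuntime::LoadParam loadParam;
    loadParam.abilityRecordId = static_cast<int32_t>(GetU32Data(data));
    loadParam.token = token;
    loadParam.preToken = preToken;
    auto loadParamPtr = std::make_shared<AbilityRuntime::LoadParam>(loadParam);
    amsMgrScheduler->LoadAbility(abilityInfoptr, appInfo, wantptr, loadParamPtr);

    bool clearMissionFlag = *data % ENABLE;
    amsMgrScheduler->TerminateAbility(token, clearMissionFlag);
    return amsMgrScheduler;
}

/**
 * Exercise the AmsMgrScheduler public surface with values derived from the fuzz input.
 *
 * @param data Fuzz buffer; at least U32_AT_SIZE bytes must be readable.
 * @param size Number of fuzz bytes in data.
 * @return false when the input cannot be turned into a Want, otherwise the scheduler's
 *         IsReady() result.
 */
bool DoSomethingInterestingWithMyAPI(const char* data, size_t size)
{
    sptr<IRemoteObject> token = GetFuzzAbilityToken();
    sptr<IRemoteObject> preToken = nullptr;
    auto amsMgrScheduler = DoSomethingInterestingWithMyAPI1(token, preToken, data);

    AppExecFwk::AbilityState state = AppExecFwk::AbilityState::ABILITY_STATE_READY;
    amsMgrScheduler->UpdateAbilityState(token, state);
    AppExecFwk::ExtensionState extensionState = AppExecFwk::ExtensionState::EXTENSION_STATE_READY;
    amsMgrScheduler->UpdateExtensionState(token, extensionState);
    bool clearMissionFlag = *data % ENABLE;
    amsMgrScheduler->TerminateAbility(token, clearMissionFlag);
    sptr<IAppStateCallback> callback;
    amsMgrScheduler->RegisterAppStateCallback(callback);

    // The same four leading bytes feed every integer argument below.
    int32_t userId = static_cast<int32_t>(GetU32Data(data));
    amsMgrScheduler->KillProcessesByUserId(userId);
    std::string bundleName(data, size);
    int accountId = static_cast<int>(GetU32Data(data));
    amsMgrScheduler->KillProcessWithAccount(bundleName, accountId);
    amsMgrScheduler->AbilityAttachTimeOut(token);
    amsMgrScheduler->PrepareTerminate(token);
    amsMgrScheduler->KillApplication(bundleName);
    int uid = static_cast<int>(GetU32Data(data));
    amsMgrScheduler->KillApplicationByUid(bundleName, uid);
    amsMgrScheduler->KillApplicationSelf();
    AppExecFwk::RunningProcessInfo info;
    amsMgrScheduler->GetRunningProcessInfoByToken(token, info);

    // Build a Want from the raw input. Both failure paths must stop here: previously a failed
    // WriteBuffer left the pointer null and it was dereferenced anyway, so the harness itself
    // could crash and report a finding that is not in the code under test.
    // NOTE(review): returning early skips GetApplicationInfoByProcessID for every input that
    // does not unmarshal; consider whether that call should run regardless.
    Parcel wantParcel;
    if (!wantParcel.WriteBuffer(data, size)) {
        return false;
    }
    // The harness owns the unmarshalled object; unique_ptr releases it on every exit path.
    std::unique_ptr<Want> want(Want::Unmarshalling(wantParcel));
    if (want == nullptr) {
        return false;
    }
    AbilityInfo abilityInfo;
    amsMgrScheduler->StartSpecifiedAbility(*want, abilityInfo);

    int pid = static_cast<int>(GetU32Data(data));
    AppExecFwk::ApplicationInfo application;
    // Initialised so that no indeterminate value exists if the callee does not set it.
    bool debug = false;
    amsMgrScheduler->GetApplicationInfoByProcessID(pid, application, debug);
    return amsMgrScheduler->IsReady();
}
} // namespace OHOS

/* Fuzzer entry point */
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
{
    /* Run your code on data */
    if (data == nullptr) {
        std::cout << "invalid data" << std::endl;
        return 0;
    }

    /* Validate the length of size: the lower bound guarantees the bytes GetU32Data reads. */
    if (size > OHOS::FOO_MAX_LEN || size < OHOS::U32_AT_SIZE) {
        return 0;
    }

    // Work on a private copy with one extra zero byte, so the buffer is NUL-terminated.
    const size_t bufferLen = size + 1;
    char* ch = static_cast<char*>(malloc(bufferLen));
    if (ch == nullptr) {
        std::cout << "malloc failed." << std::endl;
        return 0;
    }

    (void)memset_s(ch, bufferLen, 0x00, bufferLen);
    if (memcpy_s(ch, size, data, size) != EOK) {
        std::cout << "copy failed." << std::endl;
        free(ch);
        ch = nullptr;
        return 0;
    }

    OHOS::DoSomethingInterestingWithMyAPI(ch, size);
    free(ch);
    ch = nullptr;
    return 0;
}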