1 /*
2 * Copyright (c) 2023 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "systemabilityfwk_fuzzer.h"
17
18 #include <cstddef>
19 #include <cstdint>
20 #include <cstdlib>
21 #include <fcntl.h>
22 #include <unistd.h>
23
24 #define private public
25 #include "string_ex.h"
26 #include "local_ability_manager.h"
27 #include "sa_mock_permission.h"
28 #include "mock_sa_realize.h"
29 #include "securec.h"
30
31 namespace OHOS {
32 namespace Samgr {
33 namespace {
34 constexpr size_t THRESHOLD = 10;
35 constexpr uint8_t MAX_CALL_TRANSACTION = 16;
36 constexpr int32_t OFFSET = 4;
37 constexpr int32_t USLEEP_NUM = 200000;
38 constexpr int32_t SHIFT_FIRST = 24;
39 constexpr int32_t SHIFT_SECOND = 16;
40 constexpr int32_t SHIFT_THIRD = 8;
41 constexpr int32_t ZERO_NUM = 0;
42 constexpr int32_t FIRST_NUM = 1;
43 constexpr int32_t SECOND_NUM = 2;
44 constexpr int32_t THIRD_NUM = 3;
45 const std::u16string LOCAL_ABILITY_MANAGER_INTERFACE_TOKEN = u"ohos.localabilitymanager.accessToken";
46 const uint8_t *g_baseFuzzData = nullptr;
47 size_t g_baseFuzzSize = 0;
48 size_t g_baseFuzzPos;
49 }
50
GetData()51 template <class T> T GetData()
52 {
53 T object{};
54 size_t objectSize = sizeof(object);
55 if (g_baseFuzzData == nullptr || objectSize > g_baseFuzzSize - g_baseFuzzPos) {
56 return object;
57 }
58 errno_t ret = memcpy_s(&object, objectSize, g_baseFuzzData + g_baseFuzzPos, objectSize);
59 if (ret != EOK) {
60 return {};
61 }
62 g_baseFuzzPos += objectSize;
63 return object;
64 }
65
BuildStringFromData(const uint8_t* data, size_t size)66 std::string BuildStringFromData(const uint8_t* data, size_t size)
67 {
68 if ((data == nullptr) || (size == 0)) {
69 return "";
70 }
71 std::string strVal(reinterpret_cast<const char *>(data), size);
72 return strVal;
73 }
74
ConvertToUint32(const uint8_t* ptr)75 uint32_t ConvertToUint32(const uint8_t* ptr)
76 {
77 if (ptr == nullptr) {
78 return 0;
79 }
80 return (ptr[ZERO_NUM] << SHIFT_FIRST) | (ptr[FIRST_NUM] << SHIFT_SECOND) |
81 (ptr[SECOND_NUM] << SHIFT_THIRD) | (ptr[THIRD_NUM]);
82 }
83
FuzzLocalAbilityManager(const uint8_t* rawData, size_t size)84 void FuzzLocalAbilityManager(const uint8_t* rawData, size_t size)
85 {
86 SaMockPermission::MockPermission();
87 g_baseFuzzData = rawData;
88 g_baseFuzzSize = size;
89 g_baseFuzzPos = 0;
90 int32_t systemAbilityId = GetData<int32_t>();
91 int32_t listenSaId = GetData<int32_t>();
92 int32_t dependSaId = GetData<int32_t>();
93 std::vector<int32_t> dependSas = {dependSaId};
94 std::string strVal = BuildStringFromData(rawData, size);
95 std::string profilePath = strVal;
96 std::string procName = strVal;
97 std::string eventStr = strVal;
98 SaProfile saProfile = {Str8ToStr16(procName), systemAbilityId};
99 std::list<SaProfile> saInfos = {saProfile};
100
101 MockSaRealize *ability = new MockSaRealize(systemAbilityId, false);
102 LocalAbilityManager::GetInstance().AddAbility(ability);
103 LocalAbilityManager::GetInstance().DoStartSAProcess(profilePath, systemAbilityId);
104 LocalAbilityManager::GetInstance().GetTraceTag(profilePath);
105 LocalAbilityManager::GetInstance().InitializeSaProfiles(systemAbilityId);
106 LocalAbilityManager::GetInstance().CheckTrustSa(profilePath, procName, saInfos);
107 LocalAbilityManager::GetInstance().RemoveAbility(systemAbilityId);
108 LocalAbilityManager::GetInstance().GetRunningStatus(systemAbilityId);
109
110 LocalAbilityManager::GetInstance().AddSystemAbilityListener(systemAbilityId, listenSaId);
111 LocalAbilityManager::GetInstance().RemoveSystemAbilityListener(systemAbilityId, listenSaId);
112 LocalAbilityManager::GetInstance().CheckDependencyStatus(dependSas);
113 LocalAbilityManager::GetInstance().StartSystemAbilityTask(ability);
114 LocalAbilityManager::GetInstance().CheckSystemAbilityManagerReady();
115 LocalAbilityManager::GetInstance().InitSystemAbilityProfiles(profilePath, systemAbilityId);
116 LocalAbilityManager::GetInstance().ClearResource();
117 LocalAbilityManager::GetInstance().StartOndemandSystemAbility(systemAbilityId);
118 LocalAbilityManager::GetInstance().StopOndemandSystemAbility(systemAbilityId);
119
120 LocalAbilityManager::GetInstance().GetStartReason(systemAbilityId);
121 LocalAbilityManager::GetInstance().GetStopReason(systemAbilityId);
122 LocalAbilityManager::GetInstance().JsonToOnDemandReason(nullptr);
123 LocalAbilityManager::GetInstance().SetStartReason(systemAbilityId, nullptr);
124 LocalAbilityManager::GetInstance().SetStopReason(systemAbilityId, nullptr);
125 LocalAbilityManager::GetInstance().OnStartAbility(systemAbilityId);
126 LocalAbilityManager::GetInstance().OnStopAbility(systemAbilityId);
127 LocalAbilityManager::GetInstance().StartAbility(systemAbilityId, eventStr);
128 LocalAbilityManager::GetInstance().StopAbility(systemAbilityId, eventStr);
129 LocalAbilityManager::GetInstance().InitializeOnDemandSaProfile(systemAbilityId);
130 LocalAbilityManager::GetInstance().InitializeSaProfilesInnerLocked(saProfile);
131 LocalAbilityManager::GetInstance().StartDependSaTask(ability);
132 LocalAbilityManager::GetInstance().RegisterOnDemandSystemAbility(systemAbilityId);
133 LocalAbilityManager::GetInstance().NeedRegisterOnDemand(saProfile, systemAbilityId);
134 LocalAbilityManager::GetInstance().Run(systemAbilityId);
135 LocalAbilityManager::GetInstance().AddLocalAbilityManager();
136 }
137
FuzzIpcStatCmdProc(const uint8_t* rawData, size_t size)138 void FuzzIpcStatCmdProc(const uint8_t* rawData, size_t size)
139 {
140 SaMockPermission::MockPermission();
141 g_baseFuzzData = rawData;
142 g_baseFuzzSize = size;
143 g_baseFuzzPos = 0;
144 MessageParcel data;
145 data.WriteInterfaceToken(LOCAL_ABILITY_MANAGER_INTERFACE_TOKEN);
146 int32_t fd = GetData<int32_t>();
147 data.WriteFileDescriptor(fd);
148 int32_t cmd = GetData<int32_t>();
149 data.WriteInt32(cmd);
150 MessageParcel reply;
151 MessageOption option;
152 LocalAbilityManager::GetInstance().OnRemoteRequest(static_cast<uint32_t>(
153 SafwkInterfaceCode::IPC_STAT_CMD_TRANSACTION), data, reply, option);
154 }
155
FuzzSystemAbilityFwk(const uint8_t* rawData, size_t size)156 void FuzzSystemAbilityFwk(const uint8_t* rawData, size_t size)
157 {
158 SaMockPermission::MockPermission();
159 uint32_t code = ConvertToUint32(rawData);
160 rawData = rawData + OFFSET;
161 size = size - OFFSET;
162 MessageParcel data;
163 data.WriteInterfaceToken(LOCAL_ABILITY_MANAGER_INTERFACE_TOKEN);
164 data.WriteBuffer(rawData, size);
165 data.RewindRead(0);
166 MessageParcel reply;
167 MessageOption option;
168 LocalAbilityManager::GetInstance().OnRemoteRequest(code % MAX_CALL_TRANSACTION, data, reply, option);
169 usleep(USLEEP_NUM);
170 }
171 }
172 }
173
174 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)175 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
176 {
177 if (size < OHOS::Samgr::THRESHOLD) {
178 return 0;
179 }
180
181 OHOS::Samgr::FuzzSystemAbilityFwk(data, size);
182 OHOS::Samgr::FuzzIpcStatCmdProc(data, size);
183 OHOS::Samgr::FuzzLocalAbilityManager(data, size);
184 return 0;
185 }
186
187