1/* 2 * Copyright (c) 2023 Huawei Device Co., Ltd. 3 * Licensed under the Apache License, Version 2.0 (the "License"); 4 * you may not use this file except in compliance with the License. 5 * You may obtain a copy of the License at 6 * 7 * http://www.apache.org/licenses/LICENSE-2.0 8 * 9 * Unless required by applicable law or agreed to in writing, software 10 * distributed under the License is distributed on an "AS IS" BASIS, 11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 * See the License for the specific language governing permissions and 13 * limitations under the License. 14 */ 15 16#include "systemabilityfwk_fuzzer.h" 17 18#include <cstddef> 19#include <cstdint> 20#include <cstdlib> 21#include <fcntl.h> 22#include <unistd.h> 23 24#define private public 25#include "string_ex.h" 26#include "local_ability_manager.h" 27#include "sa_mock_permission.h" 28#include "mock_sa_realize.h" 29#include "securec.h" 30 31namespace OHOS { 32namespace Samgr { 33namespace { 34constexpr size_t THRESHOLD = 10; 35constexpr uint8_t MAX_CALL_TRANSACTION = 16; 36constexpr int32_t OFFSET = 4; 37constexpr int32_t USLEEP_NUM = 200000; 38constexpr int32_t SHIFT_FIRST = 24; 39constexpr int32_t SHIFT_SECOND = 16; 40constexpr int32_t SHIFT_THIRD = 8; 41constexpr int32_t ZERO_NUM = 0; 42constexpr int32_t FIRST_NUM = 1; 43constexpr int32_t SECOND_NUM = 2; 44constexpr int32_t THIRD_NUM = 3; 45const std::u16string LOCAL_ABILITY_MANAGER_INTERFACE_TOKEN = u"ohos.localabilitymanager.accessToken"; 46const uint8_t *g_baseFuzzData = nullptr; 47size_t g_baseFuzzSize = 0; 48size_t g_baseFuzzPos; 49} 50 51template <class T> T GetData() 52{ 53 T object{}; 54 size_t objectSize = sizeof(object); 55 if (g_baseFuzzData == nullptr || objectSize > g_baseFuzzSize - g_baseFuzzPos) { 56 return object; 57 } 58 errno_t ret = memcpy_s(&object, objectSize, g_baseFuzzData + g_baseFuzzPos, objectSize); 59 if (ret != EOK) { 60 return {}; 61 } 62 g_baseFuzzPos += objectSize; 63 return object; 64} 65 66std::string BuildStringFromData(const uint8_t* data, size_t size) 67{ 68 if ((data == nullptr) || (size == 0)) { 69 return ""; 70 } 71 std::string strVal(reinterpret_cast<const char *>(data), size); 72 return strVal; 73} 74 75uint32_t ConvertToUint32(const uint8_t* ptr) 76{ 77 if (ptr == nullptr) { 78 return 0; 79 } 80 return (ptr[ZERO_NUM] << SHIFT_FIRST) | (ptr[FIRST_NUM] << SHIFT_SECOND) | 81 (ptr[SECOND_NUM] << SHIFT_THIRD) | (ptr[THIRD_NUM]); 82} 83 84void FuzzLocalAbilityManager(const uint8_t* rawData, size_t size) 85{ 86 SaMockPermission::MockPermission(); 87 g_baseFuzzData = rawData; 88 g_baseFuzzSize = size; 89 g_baseFuzzPos = 0; 90 int32_t systemAbilityId = GetData<int32_t>(); 91 int32_t listenSaId = GetData<int32_t>(); 92 int32_t dependSaId = GetData<int32_t>(); 93 std::vector<int32_t> dependSas = {dependSaId}; 94 std::string strVal = BuildStringFromData(rawData, size); 95 std::string profilePath = strVal; 96 std::string procName = strVal; 97 std::string eventStr = strVal; 98 SaProfile saProfile = {Str8ToStr16(procName), systemAbilityId}; 99 std::list<SaProfile> saInfos = {saProfile}; 100 101 MockSaRealize *ability = new MockSaRealize(systemAbilityId, false); 102 LocalAbilityManager::GetInstance().AddAbility(ability); 103 LocalAbilityManager::GetInstance().DoStartSAProcess(profilePath, systemAbilityId); 104 LocalAbilityManager::GetInstance().GetTraceTag(profilePath); 105 LocalAbilityManager::GetInstance().InitializeSaProfiles(systemAbilityId); 106 LocalAbilityManager::GetInstance().CheckTrustSa(profilePath, procName, saInfos); 107 LocalAbilityManager::GetInstance().RemoveAbility(systemAbilityId); 108 LocalAbilityManager::GetInstance().GetRunningStatus(systemAbilityId); 109 110 LocalAbilityManager::GetInstance().AddSystemAbilityListener(systemAbilityId, listenSaId); 111 LocalAbilityManager::GetInstance().RemoveSystemAbilityListener(systemAbilityId, listenSaId); 112 LocalAbilityManager::GetInstance().CheckDependencyStatus(dependSas); 113 LocalAbilityManager::GetInstance().StartSystemAbilityTask(ability); 114 LocalAbilityManager::GetInstance().CheckSystemAbilityManagerReady(); 115 LocalAbilityManager::GetInstance().InitSystemAbilityProfiles(profilePath, systemAbilityId); 116 LocalAbilityManager::GetInstance().ClearResource(); 117 LocalAbilityManager::GetInstance().StartOndemandSystemAbility(systemAbilityId); 118 LocalAbilityManager::GetInstance().StopOndemandSystemAbility(systemAbilityId); 119 120 LocalAbilityManager::GetInstance().GetStartReason(systemAbilityId); 121 LocalAbilityManager::GetInstance().GetStopReason(systemAbilityId); 122 LocalAbilityManager::GetInstance().JsonToOnDemandReason(nullptr); 123 LocalAbilityManager::GetInstance().SetStartReason(systemAbilityId, nullptr); 124 LocalAbilityManager::GetInstance().SetStopReason(systemAbilityId, nullptr); 125 LocalAbilityManager::GetInstance().OnStartAbility(systemAbilityId); 126 LocalAbilityManager::GetInstance().OnStopAbility(systemAbilityId); 127 LocalAbilityManager::GetInstance().StartAbility(systemAbilityId, eventStr); 128 LocalAbilityManager::GetInstance().StopAbility(systemAbilityId, eventStr); 129 LocalAbilityManager::GetInstance().InitializeOnDemandSaProfile(systemAbilityId); 130 LocalAbilityManager::GetInstance().InitializeSaProfilesInnerLocked(saProfile); 131 LocalAbilityManager::GetInstance().StartDependSaTask(ability); 132 LocalAbilityManager::GetInstance().RegisterOnDemandSystemAbility(systemAbilityId); 133 LocalAbilityManager::GetInstance().NeedRegisterOnDemand(saProfile, systemAbilityId); 134 LocalAbilityManager::GetInstance().Run(systemAbilityId); 135 LocalAbilityManager::GetInstance().AddLocalAbilityManager(); 136} 137 138void FuzzIpcStatCmdProc(const uint8_t* rawData, size_t size) 139{ 140 SaMockPermission::MockPermission(); 141 g_baseFuzzData = rawData; 142 g_baseFuzzSize = size; 143 g_baseFuzzPos = 0; 144 MessageParcel data; 145 data.WriteInterfaceToken(LOCAL_ABILITY_MANAGER_INTERFACE_TOKEN); 146 int32_t fd = GetData<int32_t>(); 147 data.WriteFileDescriptor(fd); 148 int32_t cmd = GetData<int32_t>(); 149 data.WriteInt32(cmd); 150 MessageParcel reply; 151 MessageOption option; 152 LocalAbilityManager::GetInstance().OnRemoteRequest(static_cast<uint32_t>( 153 SafwkInterfaceCode::IPC_STAT_CMD_TRANSACTION), data, reply, option); 154} 155 156void FuzzSystemAbilityFwk(const uint8_t* rawData, size_t size) 157{ 158 SaMockPermission::MockPermission(); 159 uint32_t code = ConvertToUint32(rawData); 160 rawData = rawData + OFFSET; 161 size = size - OFFSET; 162 MessageParcel data; 163 data.WriteInterfaceToken(LOCAL_ABILITY_MANAGER_INTERFACE_TOKEN); 164 data.WriteBuffer(rawData, size); 165 data.RewindRead(0); 166 MessageParcel reply; 167 MessageOption option; 168 LocalAbilityManager::GetInstance().OnRemoteRequest(code % MAX_CALL_TRANSACTION, data, reply, option); 169 usleep(USLEEP_NUM); 170} 171} 172} 173 174/* Fuzzer entry point */ 175extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) 176{ 177 if (size < OHOS::Samgr::THRESHOLD) { 178 return 0; 179 } 180 181 OHOS::Samgr::FuzzSystemAbilityFwk(data, size); 182 OHOS::Samgr::FuzzIpcStatCmdProc(data, size); 183 OHOS::Samgr::FuzzLocalAbilityManager(data, size); 184 return 0; 185} 186 187