1/*
2 * Copyright (c) 2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 *     http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16#include "samgrcoverage_fuzzer.h"
17
18#define private public
19#include "if_system_ability_manager.h"
20#include "itest_transaction_service.h"
21#include "sa_status_change_mock.h"
22#include "sam_mock_permission.h"
23#include "ability_death_recipient.h"
24#include "system_ability_manager.h"
25#include "iservice_registry.h"
26#include "hisysevent_adapter.h"
27
28#include <cinttypes>
29#include <cstddef>
30#include <cstdint>
31#include <unistd.h>
32#include <cstdlib>
33#include <fcntl.h>
34
35namespace OHOS {
36namespace Samgr {
37namespace {
38    constexpr size_t THRESHOLD = 10;
39    constexpr int32_t SAID = 1493;
40}
41
42int32_t BuildInt32FromData(const uint8_t* data, size_t size)
43{
44    if ((data == nullptr) || (size < sizeof(int32_t))) {
45        return 0;
46    }
47    int32_t int32Val = *reinterpret_cast<const int32_t *>(data);
48    return int32Val;
49}
50
51std::string BuildStringFromData(const uint8_t* data, size_t size)
52{
53    if ((data == nullptr) || (size == 0)) {
54        return "";
55    }
56    std::string strVal(reinterpret_cast<const char *>(data), size);
57    return strVal;
58}
59
60void FuzzOndemandLoad(const uint8_t* data, size_t size)
61{
62    sptr<SystemAbilityManager> saMgr = SystemAbilityManager::GetInstance();
63    if (saMgr == nullptr) {
64        return;
65    }
66    std::string procName = BuildStringFromData(data, size);
67    std::u16string procNameU16 = Str8ToStr16(procName);
68    int32_t saId = BuildInt32FromData(data, size);
69    SystemAbilityManager::AbilityItem abilityItem;
70    ISystemAbilityManager::SAExtraProp saExtraProp;
71    bool isExist = false;
72    saMgr->AddSamgrToAbilityMap();
73    saMgr->OndemandLoad();
74    saMgr->DoLoadForPerf();
75    saMgr->RemoveWhiteCommonEvent();
76    OnDemandEvent onDemandEvent;
77    SaControlInfo saControlInfo;
78    std::list<SaControlInfo> saControlList;
79    saControlList.emplace_back(saControlInfo);
80    saMgr->ProcessOnDemandEvent(onDemandEvent, saControlList);
81    saMgr->GetSystemAbilityFromRemote(saId);
82    saMgr->startingAbilityMap_[saId] = abilityItem;
83    saMgr->StartOnDemandAbility(procNameU16, saId);
84    saMgr->startingAbilityMap_.clear();
85    saMgr->StopOnDemandAbility(procNameU16, saId, onDemandEvent);
86    saMgr->AddOnDemandSystemAbilityInfo(saId, procNameU16);
87    saMgr->StartOnDemandAbility(saId, isExist);
88
89    sptr<IRemoteObject> testAbility = new TestTransactionService();
90    saMgr->AddSystemAbility(SAID, testAbility, saExtraProp);
91    nlohmann::json reason;
92    int32_t delayTime = 0;
93    saMgr->IdleSystemAbility(SAID, procNameU16, reason, delayTime);
94    saMgr->ActiveSystemAbility(SAID, procNameU16, reason);
95    saMgr->RemoveSystemAbility(SAID);
96    saMgr->AddSystemAbility(SAID, testAbility, saExtraProp);
97    saMgr->RemoveDiedSystemAbility(SAID);
98    saMgr->AddSystemAbility(SAID, testAbility, saExtraProp);
99    saMgr->RemoveSystemAbility(testAbility);
100}
101
102void FuzzRemoveSystemProcess(const uint8_t* data, size_t size)
103{
104    sptr<SystemAbilityManager> saMgr = SystemAbilityManager::GetInstance();
105    if (saMgr == nullptr) {
106        return;
107    }
108    std::string procName = BuildStringFromData(data, size);
109    std::u16string procNameU16 = Str8ToStr16(procName);
110    sptr<IRemoteObject> testAbility(new SaStatusChangeMock());
111    saMgr->AddSystemProcess(procNameU16, testAbility);
112    saMgr->RemoveSystemProcess(testAbility);
113
114    sptr<SaStatusChangeMock> callback(new SaStatusChangeMock());
115    saMgr->listenerMap_[SAID].push_back({callback, SAID});
116    auto& count = saMgr->subscribeCountMap_[SAID];
117    ++count;
118    saMgr->UnSubscribeSystemAbility(callback->AsObject());
119
120    u16string name = u"test";
121    string srcDeviceId = "srcDeviceId";
122    saMgr->startingProcessMap_.clear();
123    sptr<SystemAbilityLoadCallbackMock> callbackOne = new SystemAbilityLoadCallbackMock();
124    SystemAbilityManager::AbilityItem abilityItem;
125    abilityItem.callbackMap[srcDeviceId].push_back(make_pair(callbackOne, SAID));
126    saMgr->startingAbilityMap_[SAID] = abilityItem;
127    saMgr->CleanCallbackForLoadFailed(SAID, name, srcDeviceId, callbackOne);
128}
129
130void FuzzNotifySystemAbilityLoaded(const uint8_t* data, size_t size)
131{
132    sptr<SystemAbilityManager> saMgr = SystemAbilityManager::GetInstance();
133    if (saMgr == nullptr) {
134        return;
135    }
136    sptr<SystemAbilityLoadCallbackMock> callback = new SystemAbilityLoadCallbackMock();
137    sptr<IRemoteObject> remoteObject = new TestTransactionService();
138    saMgr->NotifySystemAbilityLoaded(SAID, remoteObject, callback);
139    string srcDeviceId = "srcDeviceId";
140    int32_t systemAbilityId = 401;
141    saMgr->LoadSystemAbilityFromRpc(srcDeviceId, systemAbilityId, callback);
142    saMgr->CheckSaIsImmediatelyRecycle(systemAbilityId);
143
144    saMgr->startingAbilityMap_.clear();
145    sptr<ISystemAbilityLoadCallback> mockLoadCallback1 = new SystemAbilityLoadCallbackMock();
146    std::map<std::string, SystemAbilityManager::CallbackList> mockCallbackMap1 = {
147        {"111111", {{mockLoadCallback1, 0}}}
148    };
149    SystemAbilityManager::AbilityItem mockAbilityItem1 = {
150        SystemAbilityManager::AbilityState::INIT, mockCallbackMap1
151    };
152    saMgr->startingAbilityMap_[SAID] = mockAbilityItem1;
153    saMgr->OnAbilityCallbackDied(mockLoadCallback1->AsObject());
154
155    saMgr->remoteCallbacks_.clear();
156    sptr<ISystemAbilityLoadCallback> mockLoadCallback2 = new SystemAbilityLoadCallbackMock();
157    saMgr->remoteCallbacks_ = {
158        {"11111", {mockLoadCallback2}}
159    };
160    saMgr->OnRemoteCallbackDied(mockLoadCallback2->AsObject());
161
162    sptr<SystemAbilityLoadCallbackMock> callback2 = new SystemAbilityLoadCallbackMock();
163    list<sptr<ISystemAbilityLoadCallback>> callbacks;
164    callbacks.push_back(callback2);
165    saMgr->remoteCallbackDeath_ = sptr<IRemoteObject::DeathRecipient>(new RemoteCallbackDeathRecipient());
166    saMgr->RemoveRemoteCallbackLocked(callbacks, callback2);
167}
168}
169}
170
171/* Fuzzer entry point */
172extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
173{
174    if (size < OHOS::Samgr::THRESHOLD) {
175        return 0;
176    }
177    OHOS::Samgr::FuzzOndemandLoad(data, size);
178    OHOS::Samgr::FuzzRemoveSystemProcess(data, size);
179    OHOS::Samgr::FuzzNotifySystemAbilityLoaded(data, size);
180    return 0;
181}
182
183