/*
 * Copyright (c) 2022 Huawei Device Co., Ltd.
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
155ba71b47Sopenharmony_ci
165ba71b47Sopenharmony_ci#include "systemabilitymanager_fuzzer.h"
175ba71b47Sopenharmony_ci
185ba71b47Sopenharmony_ci#include "if_system_ability_manager.h"
195ba71b47Sopenharmony_ci#include "sam_mock_permission.h"
205ba71b47Sopenharmony_ci#include "system_ability_manager.h"
215ba71b47Sopenharmony_ci#include "iservice_registry.h"
225ba71b47Sopenharmony_ci#include "hisysevent_adapter.h"
235ba71b47Sopenharmony_ci
245ba71b47Sopenharmony_ci#include <cinttypes>
255ba71b47Sopenharmony_ci#include <cstddef>
265ba71b47Sopenharmony_ci#include <cstdint>
275ba71b47Sopenharmony_ci#include <unistd.h>
285ba71b47Sopenharmony_ci#include <cstdlib>
295ba71b47Sopenharmony_ci#include <fcntl.h>
305ba71b47Sopenharmony_ci
315ba71b47Sopenharmony_cinamespace OHOS {
325ba71b47Sopenharmony_cinamespace Samgr {
namespace {
    // --- Layout of one fuzz input -------------------------------------------------
    // Inputs shorter than this are dropped by LLVMFuzzerTestOneInput.
    constexpr size_t THRESHOLD = 10;
    // Number of leading bytes consumed as the transaction code; the rest is the parcel payload.
    constexpr int32_t OFFSET = 4;
    // The decoded code is reduced modulo this value before it is dispatched.
    constexpr uint8_t MAX_CALL_TRANSACTION = 40;

    // --- Big-endian decoding used by Convert2Uint32: byte index and its left shift ---
    constexpr uint8_t SEAT_ZERO = 0;
    constexpr uint8_t LIFT_OFFSET_ZERO = 24;
    constexpr uint8_t SEAT_ONE = 1;
    constexpr uint8_t LIFT_OFFSET_ONE = 16;
    constexpr uint8_t SEAT_TWO = 2;
    constexpr uint8_t LIFT_OFFSET_TWO = 8;
    constexpr uint8_t SEAT_THREE = 3;

    // --- Timing ---------------------------------------------------------------------
    // Passed to sleep() after the one-time Init(), so the unit is seconds.
    constexpr int32_t INIT_TIME = 3;
    // Number of retries (after the first attempt) while waiting for the device manager.
    constexpr int32_t RETRY_TIME_OUT_NUMBER = 10;
    // Passed to usleep() between retries, so the unit is microseconds.
    constexpr int32_t SLEEP_INTERVAL_TIME = 200000;
    // Not referenced in the visible part of this file.
    constexpr int64_t DURATION = 1;

    // System ability id looked up and re-registered by AddDeviceManager / IsDmReady.
    constexpr int32_t DISTRIBUTED_HARDWARE_DEVICEMANAGER_SA_ID = 4802;
    // Interface token written at the head of every fuzzed parcel.
    const std::u16string SAMGR_INTERFACE_TOKEN = u"ohos.samgr.accessToken";

    // --- Mutable harness state --------------------------------------------------------
    // Dump level handed to SAExtraProp when the device manager is registered.
    unsigned int g_dumpLevel = 0;
    // Set once the manager has been initialised by the first fuzz iteration.
    bool g_flag = false;
}
535ba71b47Sopenharmony_ci
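/*
 * Decodes the first four bytes at ptr as a big-endian 32-bit value.
 *
 * No length is passed in, so this function cannot verify that four bytes are readable;
 * the caller has to guarantee that before calling.
 *
 * Returns 0 when ptr is nullptr, otherwise the decoded value.
 */
uint32_t Convert2Uint32(const uint8_t* ptr)
{
    if (ptr == nullptr) {
        return 0;
    }
    // Widen each byte to uint32_t before shifting. A bare uint8_t operand is promoted to int,
    // so a first byte >= 0x80 shifted by 24 would land in the sign bit and the result would
    // then depend on a signed-to-unsigned conversion. Unsigned arithmetic avoids that.
    return (static_cast<uint32_t>(ptr[SEAT_ZERO]) << LIFT_OFFSET_ZERO) |
        (static_cast<uint32_t>(ptr[SEAT_ONE]) << LIFT_OFFSET_ONE) |
        (static_cast<uint32_t>(ptr[SEAT_TWO]) << LIFT_OFFSET_TWO) |
        static_cast<uint32_t>(ptr[SEAT_THREE]);
}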
625ba71b47Sopenharmony_ci
/*
 * Reports whether the in-process SystemAbilityManager holds a live object for the
 * device manager system ability.
 *
 * Returns true only when the lookup yields a non-null object that is not dead.
 * Every other outcome is logged as an error and returns false.
 */
bool IsDmReady()
{
    auto dmProxy = SystemAbilityManager::GetInstance()->CheckSystemAbility(
        DISTRIBUTED_HARDWARE_DEVICEMANAGER_SA_ID);
    IPCObjectProxy* proxy = nullptr;
    if (dmProxy != nullptr) {
        // NOTE(review): reinterpret_cast assumes the registered object really is an
        // IPCObjectProxy; nothing visible here checks that. Confirm against AddDeviceManager.
        proxy = reinterpret_cast<IPCObjectProxy*>(dmProxy.GetRefPtr());
    }
    const bool alive = (proxy != nullptr) && !proxy->IsObjectDead();
    if (!alive) {
        HILOGE("samgrFuzz:DM isn't ready");
    }
    return alive;
}
765ba71b47Sopenharmony_ci
/*
 * Makes sure the device manager system ability is registered with the in-process
 * SystemAbilityManager that the fuzzer drives.
 *
 * If IsDmReady() already succeeds nothing is done. Otherwise the object is fetched through
 * the SystemAbilityManagerClient, polling up to RETRY_TIME_OUT_NUMBER + 1 times with a
 * SLEEP_INTERVAL_TIME pause after each miss, and then added to the local manager instance.
 * Failures are only logged; callers find out by calling IsDmReady() afterwards.
 */
void AddDeviceManager()
{
    if (IsDmReady()) {
        return;
    }
    sptr<ISystemAbilityManager> sm = SystemAbilityManagerClient::GetInstance().GetSystemAbilityManager();
    if (sm == nullptr) {
        HILOGE("samgrFuzz:GetSystemAbilityManager fail");
        return;
    }

    const int64_t begin = OHOS::GetTickCount();
    sptr<IRemoteObject> dmAbility = nullptr;
    // One initial attempt plus RETRY_TIME_OUT_NUMBER retries; the pause also follows the last miss.
    for (int32_t attempt = 0; attempt <= RETRY_TIME_OUT_NUMBER; ++attempt) {
        dmAbility = sm->CheckSystemAbility(DISTRIBUTED_HARDWARE_DEVICEMANAGER_SA_ID);
        if (dmAbility != nullptr) {
            break;
        }
        usleep(SLEEP_INTERVAL_TIME);
    }
    HILOGI("samgrFuzz:Add DM spend %{public}" PRId64 " ms", OHOS::GetTickCount() - begin);
    if (dmAbility == nullptr) {
        HILOGE("samgrFuzz:dmAbility is null");
        return;
    }

    // Register the fetched object with the manager instance under test.
    sptr<SystemAbilityManager> fuzzSAManager = SystemAbilityManager::GetInstance();
    ISystemAbilityManager::SAExtraProp saExtra(false, g_dumpLevel, u"", u"");
    const int32_t ret = fuzzSAManager->AddSystemAbility(DISTRIBUTED_HARDWARE_DEVICEMANAGER_SA_ID, dmAbility, saExtra);
    if (ret != ERR_OK) {
        HILOGE("samgrFuzz:Add DM fail");
        return;
    }
    HILOGI("samgrFuzz:Add DM sucess");
}
1115ba71b47Sopenharmony_ci
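/*
 * Runs one fuzz iteration against SystemAbilityManager::OnRemoteRequest.
 *
 * The first OFFSET bytes of rawData select the transaction code, reduced modulo
 * MAX_CALL_TRANSACTION. The remaining bytes become the parcel payload that follows the
 * samgr interface token.
 *
 * rawData: fuzz input; inputs that are null or shorter than OFFSET bytes are ignored.
 * size:    number of readable bytes at rawData.
 *
 * SamMockPermission::MockPermission() is called before dispatch.
 * NOTE(review): presumably this makes the harness pass samgr's permission checks, so
 * findings cover request parsing and handling rather than access control. Confirm in
 * sam_mock_permission.h.
 */
void FuzzSystemAbilityManager(const uint8_t* rawData, size_t size)
{
    // Do not rely on the caller's THRESHOLD check alone. With size < OFFSET the unsigned
    // subtraction below would wrap, and WriteBuffer would be asked to copy far more bytes
    // than the input holds.
    if (rawData == nullptr || size < static_cast<size_t>(OFFSET)) {
        return;
    }
    SamMockPermission::MockPermission();
    const uint32_t transactionCode = Convert2Uint32(rawData) % MAX_CALL_TRANSACTION;
    rawData = rawData + OFFSET;
    size = size - OFFSET;

    // Build the request parcel: interface token first, then the raw fuzz payload.
    MessageParcel data;
    data.WriteInterfaceToken(SAMGR_INTERFACE_TOKEN);
    data.WriteBuffer(rawData, size);
    data.RewindRead(0);
    MessageParcel reply;
    MessageOption option;

    sptr<SystemAbilityManager> manager = SystemAbilityManager::GetInstance();
    if (!g_flag) {
        // First iteration only: initialise the manager, then give it INIT_TIME seconds.
        HILOGI("samgrFuzz:Init");
        manager->Init();
        g_flag = true;
        HILOGI("samgrFuzz:Init AddDeviceManager");
        AddDeviceManager();
        sleep(INIT_TIME);
    } else {
        HILOGI("samgrFuzz:SetFfrt");
        manager->SetFfrt();
        HILOGI("samgrFuzz:AddDeviceManager");
        AddDeviceManager();
    }
    // Without a live device manager the request is not dispatched at all.
    if (!IsDmReady()) {
        HILOGE("samgrFuzz:dm no ready,return");
        manager->CleanFfrt();
        return;
    }
    HILOGI("samgrFuzz:code=%{public}u", transactionCode);
    manager->OnRemoteRequest(transactionCode, data, reply, option);
    HILOGI("samgrFuzz:OnRemoteRequest end,CleanFfrt");
    manager->CleanFfrt();
}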
1485ba71b47Sopenharmony_ci}
1495ba71b47Sopenharmony_ci}
1505ba71b47Sopenharmony_ci
/*
 * Fuzzer entry point.
 *
 * Inputs shorter than OHOS::Samgr::THRESHOLD bytes are skipped; everything else is handed
 * to FuzzSystemAbilityManager. The function always returns 0.
 */
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
{
    if (size >= OHOS::Samgr::THRESHOLD) {
        OHOS::Samgr::FuzzSystemAbilityManager(data, size);
    }
    return 0;
}