1 /*
2 * Copyright (c) 2022 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "locator_fuzzer.h"
17
18 #include "accesstoken_kit.h"
19 #include "if_system_ability_manager.h"
20 #include "iservice_registry.h"
21 #include "message_option.h"
22 #include "message_parcel.h"
23 #include "nativetoken_kit.h"
24 #include "system_ability_definition.h"
25 #include "token_setproc.h"
26
27 #ifdef FEATURE_GNSS_SUPPORT
28 #include "cached_locations_callback_napi.h"
29 #endif
30 #include "common_utils.h"
31 #include "constant_definition.h"
32 #include "country_code_callback_napi.h"
33 #ifdef FEATURE_GEOCODE_SUPPORT
34 #include "geo_address.h"
35 #include "geo_coding_mock_info.h"
36 #endif
37 #ifdef FEATURE_GNSS_SUPPORT
38 #include "gnss_status_callback_napi.h"
39 #endif
40 #include "i_locator_callback.h"
41 #include "location.h"
42 #include "location_switch_callback_napi.h"
43 #include "locator_callback_napi.h"
44 #include "location_log.h"
45 #ifdef FEATURE_GNSS_SUPPORT
46 #include "nmea_message_callback_napi.h"
47 #endif
48 #include "request_config.h"
49 #ifdef FEATURE_GNSS_SUPPORT
50 #include "satellite_status.h"
51 #endif
52 #include "permission_manager.h"
53
54 namespace OHOS {
55 using namespace OHOS::Location;
56 auto locatorCallbackHostForTest_ =
57 sptr<LocatorCallbackNapi>(new (std::nothrow) LocatorCallbackNapi());
58 bool g_isGrant = false;
59 const int32_t MAX_CODE_LEN = 512;
60 const int32_t MAX_CODE_NUM = 40;
61 const int32_t MIN_SIZE_NUM = 10;
62 const int32_t SWITCH_STATE_ON = 1;
63 const int32_t WAIT_TIME_SEC = 1000;
64 const int32_t COUNT = 10;
65
LocatorProxySendRequestTest(const uint8_t * data,size_t size)66 bool LocatorProxySendRequestTest(const uint8_t* data, size_t size)
67 {
68 if ((data == nullptr) || (size > MAX_CODE_LEN)) {
69 LBSLOGE(LOCATOR, "param error");
70 return false;
71 }
72 sptr<ISystemAbilityManager> systemAbilityManager =
73 SystemAbilityManagerClient::GetInstance().GetSystemAbilityManager();
74 if (systemAbilityManager == nullptr) {
75 LBSLOGE(LOCATOR, "systemAbilityManager is nullptr");
76 return false;
77 }
78 sptr<IRemoteObject> object = systemAbilityManager->GetSystemAbility(LOCATION_LOCATOR_SA_ID);
79 auto client = std::make_unique<LocatorProxyTestFuzzer>(object);
80 if (client == nullptr) {
81 LBSLOGE(LOCATOR, "client is nullptr");
82 return false;
83 }
84 MessageParcel request;
85 if (!request.WriteInterfaceToken(client->GetDescriptor())) {
86 LBSLOGE(LOCATOR, "cannot write interface token");
87 return false;
88 }
89 MessageParcel reply;
90 MessageOption option;
91 sptr<IRemoteObject> remote = client->GetRemote();
92 if (remote == nullptr) {
93 LBSLOGE(LOCATOR, "cannot get remote object");
94 return false;
95 }
96 int index = 0;
97 int32_t result = remote->SendRequest(data[index++] % MAX_CODE_NUM, request, reply, option);
98 return result == SUCCESS;
99 }
100
AddPermission()101 void AddPermission()
102 {
103 if (!g_isGrant) {
104 const char *perms[] = {
105 ACCESS_LOCATION.c_str(), ACCESS_APPROXIMATELY_LOCATION.c_str(),
106 ACCESS_BACKGROUND_LOCATION.c_str(), MANAGE_SECURE_SETTINGS.c_str(),
107 };
108 NativeTokenInfoParams infoInstance = {
109 .dcapsNum = 0,
110 .permsNum = 4,
111 .aclsNum = 0,
112 .dcaps = nullptr,
113 .perms = perms,
114 .acls = nullptr,
115 .processName = "LocatorFuzzer",
116 .aplStr = "system_basic",
117 };
118 uint64_t tokenId = GetAccessTokenId(&infoInstance);
119 SetSelfTokenID(tokenId);
120 Security::AccessToken::AccessTokenKit::ReloadNativeTokenInfo();
121 g_isGrant = true;
122 }
123 }
124
125 #ifdef FEATURE_GNSS_SUPPORT
CachedLocationsCallbackHostFuzzerTest(const uint8_t * data,size_t size)126 bool CachedLocationsCallbackHostFuzzerTest(const uint8_t* data, size_t size)
127 {
128 int index = 0;
129 auto cachedCallbackHost =
130 sptr<CachedLocationsCallbackNapi>(new (std::nothrow) CachedLocationsCallbackNapi());
131 MessageParcel request;
132 MessageParcel reply;
133 MessageOption option;
134 cachedCallbackHost->OnRemoteRequest(data[index++], request, reply, option);
135 cachedCallbackHost->IsRemoteDied();
136
137 std::vector<std::unique_ptr<OHOS::Location::Location>> locationsForSend;
138 cachedCallbackHost->Send(locationsForSend);
139 std::vector<std::unique_ptr<OHOS::Location::Location>> locationsForReport;
140 cachedCallbackHost->OnCacheLocationsReport(locationsForReport);
141 cachedCallbackHost->DeleteHandler();
142 return true;
143 }
144 #endif
145
CountryCodeCallbackHostFuzzerTest(const uint8_t * data,size_t size)146 bool CountryCodeCallbackHostFuzzerTest(const uint8_t* data, size_t size)
147 {
148 int index = 0;
149 auto callbackHost =
150 sptr<CountryCodeCallbackNapi>(new (std::nothrow) CountryCodeCallbackNapi());
151 MessageParcel request;
152 MessageParcel reply;
153 MessageOption option;
154 callbackHost->OnRemoteRequest(data[index++], request, reply, option);
155
156 auto countryCodePtr = CountryCode::Unmarshalling(request);
157 callbackHost->Send(countryCodePtr);
158 callbackHost->SetEnv(nullptr);
159 callbackHost->SetCallback(nullptr);
160 callbackHost->OnCountryCodeChange(countryCodePtr);
161 callbackHost->DeleteHandler();
162 return true;
163 }
164
165 #ifdef FEATURE_GNSS_SUPPORT
GnssStatusCallbackHostFuzzerTest(const uint8_t * data,size_t size)166 bool GnssStatusCallbackHostFuzzerTest(const uint8_t* data, size_t size)
167 {
168 int index = 0;
169 auto gnssCallbackHost =
170 sptr<GnssStatusCallbackNapi>(new (std::nothrow) GnssStatusCallbackNapi());
171 MessageParcel request;
172 MessageParcel reply;
173 MessageOption option;
174 gnssCallbackHost->OnRemoteRequest(data[index++], request, reply, option);
175 gnssCallbackHost->IsRemoteDied();
176 std::unique_ptr<SatelliteStatus> statusInfo = nullptr;
177 gnssCallbackHost->Send(statusInfo);
178
179 gnssCallbackHost->OnStatusChange(statusInfo);
180 gnssCallbackHost->DeleteHandler();
181 return true;
182 }
183 #endif
184
LocationSwitchCallbackHostFuzzerTest(const uint8_t * data,size_t size)185 bool LocationSwitchCallbackHostFuzzerTest(const uint8_t* data, size_t size)
186 {
187 int index = 0;
188 auto switchCallbackHost =
189 sptr<LocationSwitchCallbackNapi>(new (std::nothrow) LocationSwitchCallbackNapi());
190 MessageParcel request;
191 MessageParcel reply;
192 MessageOption option;
193 switchCallbackHost->OnRemoteRequest(data[index++], request, reply, option);
194 switchCallbackHost->IsRemoteDied();
195 switchCallbackHost->PackResult(true);
196 switchCallbackHost->Send(SWITCH_STATE_ON);
197
198 switchCallbackHost->OnSwitchChange(SWITCH_STATE_ON);
199 switchCallbackHost->DeleteHandler();
200 return true;
201 }
202
LocationCallbackHostFuzzerTest(const uint8_t * data,size_t size)203 bool LocationCallbackHostFuzzerTest(const uint8_t* data, size_t size)
204 {
205 int index = 0;
206 auto callbackHost =
207 sptr<LocatorCallbackNapi>(new (std::nothrow) LocatorCallbackNapi());
208 MessageParcel request;
209 MessageParcel reply;
210 MessageOption option;
211 callbackHost->OnRemoteRequest(data[index++], request, reply, option);
212 callbackHost->OnErrorReport(SUCCESS);
213 std::unique_ptr<OHOS::Location::Location> location =
214 std::make_unique<OHOS::Location::Location>();
215 callbackHost->OnLocationReport(location);
216 callbackHost->OnLocatingStatusChange(SWITCH_STATE_ON);
217
218 callbackHost->DeleteAllCallbacks();
219 callbackHost->IsSystemGeoLocationApi();
220 callbackHost->IsSingleLocationRequest();
221 callbackHost->CountDown();
222 callbackHost->Wait(data[index++] % WAIT_TIME_SEC);
223 callbackHost->SetCount(data[index++] % COUNT);
224 callbackHost->GetCount();
225 return true;
226 }
227
228 #ifdef FEATURE_GNSS_SUPPORT
NmeaMessageCallbackHostFuzzerTest(const uint8_t * data,size_t size)229 bool NmeaMessageCallbackHostFuzzerTest(const uint8_t* data, size_t size)
230 {
231 int index = 0;
232 auto nmeaCallbackHost =
233 sptr<NmeaMessageCallbackNapi>(new (std::nothrow) NmeaMessageCallbackNapi());
234 MessageParcel request;
235 MessageParcel reply;
236 MessageOption option;
237 nmeaCallbackHost->OnRemoteRequest(data[index++], request, reply, option);
238 nmeaCallbackHost->IsRemoteDied();
239 std::string msg(reinterpret_cast<const char*>(data), size);
240 nmeaCallbackHost->PackResult(msg);
241 nmeaCallbackHost->Send(msg);
242 int64_t timestamp = 0;
243 nmeaCallbackHost->OnMessageChange(timestamp, msg);
244 nmeaCallbackHost->DeleteHandler();
245 return true;
246 }
247 #endif
248 } // namespace OHOS
249
250 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)251 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
252 {
253 if (size < OHOS::MIN_SIZE_NUM) {
254 return 0;
255 }
256 /* Run your code on data */
257 OHOS::AddPermission();
258 OHOS::LocatorProxySendRequestTest(data, size);
259 #ifdef FEATURE_GNSS_SUPPORT
260 OHOS::CachedLocationsCallbackHostFuzzerTest(data, size);
261 #endif
262 OHOS::CountryCodeCallbackHostFuzzerTest(data, size);
263 #ifdef FEATURE_GNSS_SUPPORT
264 OHOS::GnssStatusCallbackHostFuzzerTest(data, size);
265 #endif
266 OHOS::LocationSwitchCallbackHostFuzzerTest(data, size);
267 OHOS::LocationCallbackHostFuzzerTest(data, size);
268 #ifdef FEATURE_GNSS_SUPPORT
269 OHOS::NmeaMessageCallbackHostFuzzerTest(data, size);
270 #endif
271 return 0;
272 }
273
274