1 /*
2 * Copyright (c) 2022 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15 #include "storagemanager_fuzzer.h"
16
17 #include <cstddef>
18 #include <cstdint>
19 #include <cstring>
20
21 #include "message_parcel.h"
22 #include "storage_manager_stub.h"
23 #include "storage_manager.h"
24 #include "securec.h"
25 #include "nativetoken_kit.h"
26 #include "token_setproc.h"
27 #include "accesstoken_kit.h"
28
29 using namespace OHOS::StorageManager;
30
31 namespace OHOS::StorageManager {
32 constexpr size_t FOO_MAX_LEN = 1024;
33 constexpr uint8_t MAX_CALL_TRANSACTION = 64;
34 constexpr size_t U32_AT_SIZE = 4;
35 constexpr int32_t SERVICE_ID = 5003;
36
37 std::shared_ptr<StorageManager> storageManagerPtr =
38 std::make_shared<StorageManager>(SERVICE_ID, true);
39
GetU32Data(const char * ptr)40 uint32_t GetU32Data(const char* ptr)
41 {
42 // 将第0个数字左移24位,将第1个数字左移16位,将第2个数字左移8位,第3个数字不左移
43 return (ptr[0] << 24) | (ptr[1] << 16) | (ptr[2] << 8) | (ptr[3]);
44 }
45
46 enum {
47 TOKEN_INDEX_ONE = 0,
48 TOKEN_INDEX_TWO,
49 TOKEN_INDEX_THREE,
50 };
51
SetNativeToken()52 void SetNativeToken()
53 {
54 uint64_t tokenId;
55 const char **perms = new const char *[3];
56 perms[TOKEN_INDEX_ONE] = "ohos.permission.STORAGE_MANAGER";
57 perms[TOKEN_INDEX_TWO] = "ohos.permission.MOUNT_UNMOUNT_MANAGER";
58 perms[TOKEN_INDEX_THREE] = "ohos.permission.MOUNT_FORMAT_MANAGER";
59 NativeTokenInfoParams infoInstance = {
60 .dcapsNum = 0,
61 .permsNum = 1,
62 .aclsNum = 0,
63 .dcaps = nullptr,
64 .perms = perms,
65 .acls = nullptr,
66 .aplStr = "system_core",
67 };
68
69 infoInstance.processName = "StorageManagerFuzzTest";
70 tokenId = GetAccessTokenId(&infoInstance);
71 const uint64_t systemAppMask = (static_cast<uint64_t>(1) << 32);
72 tokenId |= systemAppMask;
73 SetSelfTokenID(tokenId);
74 OHOS::Security::AccessToken::AccessTokenKit::ReloadNativeTokenInfo();
75 delete[] perms;
76 }
77
StorageManagerFuzzTest(std::unique_ptr<char[]> data,size_t size)78 bool StorageManagerFuzzTest(std::unique_ptr<char[]> data, size_t size)
79 {
80 SetNativeToken();
81 uint32_t code = GetU32Data(data.get());
82 if (code == 0) {
83 return true;
84 }
85 MessageParcel datas;
86 datas.WriteInterfaceToken(StorageManagerStub::GetDescriptor());
87 datas.WriteBuffer(data.get(), size);
88 datas.RewindRead(0);
89 MessageParcel reply;
90 MessageOption option;
91 storageManagerPtr->OnRemoteRequest(code % MAX_CALL_TRANSACTION, datas, reply, option);
92
93 return true;
94 }
95
HandlePrepareAddUserFuzzTest(std::unique_ptr<char[]> data,size_t size)96 bool HandlePrepareAddUserFuzzTest(std::unique_ptr<char[]> data, size_t size)
97 {
98 MessageParcel datas;
99 datas.WriteInterfaceToken(StorageManagerStub::GetDescriptor());
100 datas.WriteBuffer(data.get(), size);
101 datas.RewindRead(0);
102 MessageParcel reply;
103
104 storageManagerPtr->HandlePrepareAddUser(datas, reply);
105 return true;
106 }
107
HandleRemoveUserFuzzTest(std::unique_ptr<char[]> data,size_t size)108 bool HandleRemoveUserFuzzTest(std::unique_ptr<char[]> data, size_t size)
109 {
110 MessageParcel datas;
111 datas.WriteInterfaceToken(StorageManagerStub::GetDescriptor());
112 datas.WriteBuffer(data.get(), size);
113 datas.RewindRead(0);
114 MessageParcel reply;
115
116 storageManagerPtr->HandleRemoveUser(datas, reply);
117 return true;
118 }
119
HandlePrepareStartUserFuzzTest(std::unique_ptr<char[]> data,size_t size)120 bool HandlePrepareStartUserFuzzTest(std::unique_ptr<char[]> data, size_t size)
121 {
122 MessageParcel datas;
123 datas.WriteInterfaceToken(StorageManagerStub::GetDescriptor());
124 datas.WriteBuffer(data.get(), size);
125 datas.RewindRead(0);
126 MessageParcel reply;
127
128 storageManagerPtr->HandlePrepareStartUser(datas, reply);
129 return true;
130 }
HandleStopUserFuzzTest(std::unique_ptr<char[]> data,size_t size)131 bool HandleStopUserFuzzTest(std::unique_ptr<char[]> data, size_t size)
132 {
133 MessageParcel datas;
134 datas.WriteInterfaceToken(StorageManagerStub::GetDescriptor());
135 datas.WriteBuffer(data.get(), size);
136 datas.RewindRead(0);
137 MessageParcel reply;
138
139 storageManagerPtr->HandleStopUser(datas, reply);
140 return true;
141 }
HandleGetCurrentBundleStatsFuzzTest(std::unique_ptr<char[]> data,size_t size)142 bool HandleGetCurrentBundleStatsFuzzTest(std::unique_ptr<char[]> data, size_t size)
143 {
144 MessageParcel datas;
145 datas.WriteInterfaceToken(StorageManagerStub::GetDescriptor());
146 datas.WriteBuffer(data.get(), size);
147 datas.RewindRead(0);
148 MessageParcel reply;
149
150 storageManagerPtr->HandleGetCurrentBundleStats(datas, reply);
151 return true;
152 }
153
HandleMountFuzzTest(std::unique_ptr<char[]> data,size_t size)154 bool HandleMountFuzzTest(std::unique_ptr<char[]> data, size_t size)
155 {
156 MessageParcel datas;
157 datas.WriteInterfaceToken(StorageManagerStub::GetDescriptor());
158 datas.WriteBuffer(data.get(), size);
159 datas.RewindRead(0);
160 MessageParcel reply;
161
162 storageManagerPtr->HandleMount(datas, reply);
163 return true;
164 }
165
HandleUnmountFuzzTest(std::unique_ptr<char[]> data,size_t size)166 bool HandleUnmountFuzzTest(std::unique_ptr<char[]> data, size_t size)
167 {
168 MessageParcel datas;
169 datas.WriteInterfaceToken(StorageManagerStub::GetDescriptor());
170 datas.WriteBuffer(data.get(), size);
171 datas.RewindRead(0);
172 MessageParcel reply;
173
174 storageManagerPtr->HandleUnmount(datas, reply);
175 return true;
176 }
177
HandlePartitionFuzzTest(std::unique_ptr<char[]> data,size_t size)178 bool HandlePartitionFuzzTest(std::unique_ptr<char[]> data, size_t size)
179 {
180 MessageParcel datas;
181 datas.WriteInterfaceToken(StorageManagerStub::GetDescriptor());
182 datas.WriteBuffer(data.get(), size);
183 datas.RewindRead(0);
184 MessageParcel reply;
185
186 storageManagerPtr->HandlePartition(datas, reply);
187 return true;
188 }
189
HandleFormatFuzzTest(std::unique_ptr<char[]> data,size_t size)190 bool HandleFormatFuzzTest(std::unique_ptr<char[]> data, size_t size)
191 {
192 MessageParcel datas;
193 datas.WriteInterfaceToken(StorageManagerStub::GetDescriptor());
194 datas.WriteBuffer(data.get(), size);
195 datas.RewindRead(0);
196 MessageParcel reply;
197
198 storageManagerPtr->HandleFormat(datas, reply);
199 return true;
200 }
201
HandleGenerateUserKeysFuzzTest(std::unique_ptr<char[]> data,size_t size)202 bool HandleGenerateUserKeysFuzzTest(std::unique_ptr<char[]> data, size_t size)
203 {
204 MessageParcel datas;
205 datas.WriteInterfaceToken(StorageManagerStub::GetDescriptor());
206 datas.WriteBuffer(data.get(), size);
207 datas.RewindRead(0);
208 MessageParcel reply;
209
210 storageManagerPtr->HandleGenerateUserKeys(datas, reply);
211 return true;
212 }
213
HandleDeleteUserKeysFuzzTest(std::unique_ptr<char[]> data,size_t size)214 bool HandleDeleteUserKeysFuzzTest(std::unique_ptr<char[]> data, size_t size)
215 {
216 MessageParcel datas;
217 datas.WriteInterfaceToken(StorageManagerStub::GetDescriptor());
218 datas.WriteBuffer(data.get(), size);
219 datas.RewindRead(0);
220 MessageParcel reply;
221
222 storageManagerPtr->HandleDeleteUserKeys(datas, reply);
223 return true;
224 }
225
HandleUpdateUserAuthFuzzTest(std::unique_ptr<char[]> data,size_t size)226 bool HandleUpdateUserAuthFuzzTest(std::unique_ptr<char[]> data, size_t size)
227 {
228 MessageParcel datas;
229 datas.WriteInterfaceToken(StorageManagerStub::GetDescriptor());
230 datas.WriteBuffer(data.get(), size);
231 datas.RewindRead(0);
232 MessageParcel reply;
233
234 storageManagerPtr->HandleUpdateUserAuth(datas, reply);
235 return true;
236 }
237
HandleActiveUserKeyFuzzTest(std::unique_ptr<char[]> data,size_t size)238 bool HandleActiveUserKeyFuzzTest(std::unique_ptr<char[]> data, size_t size)
239 {
240 MessageParcel datas;
241 datas.WriteInterfaceToken(StorageManagerStub::GetDescriptor());
242 datas.WriteBuffer(data.get(), size);
243 datas.RewindRead(0);
244 MessageParcel reply;
245
246 storageManagerPtr->HandleActiveUserKey(datas, reply);
247 return true;
248 }
249
HandleInactiveUserKeyFuzzTest(std::unique_ptr<char[]> data,size_t size)250 bool HandleInactiveUserKeyFuzzTest(std::unique_ptr<char[]> data, size_t size)
251 {
252 MessageParcel datas;
253 datas.WriteInterfaceToken(StorageManagerStub::GetDescriptor());
254 datas.WriteBuffer(data.get(), size);
255 datas.RewindRead(0);
256 MessageParcel reply;
257
258 storageManagerPtr->HandleInactiveUserKey(datas, reply);
259 return true;
260 }
261
HandleLockUserScreenFuzzTest(std::unique_ptr<char[]> data,size_t size)262 bool HandleLockUserScreenFuzzTest(std::unique_ptr<char[]> data, size_t size)
263 {
264 MessageParcel datas;
265 datas.WriteInterfaceToken(StorageManagerStub::GetDescriptor());
266 datas.WriteBuffer(data.get(), size);
267 datas.RewindRead(0);
268 MessageParcel reply;
269
270 storageManagerPtr->HandleLockUserScreen(datas, reply);
271 return true;
272 }
273
HandleUnlockUserScreenFuzzTest(std::unique_ptr<char[]> data,size_t size)274 bool HandleUnlockUserScreenFuzzTest(std::unique_ptr<char[]> data, size_t size)
275 {
276 MessageParcel datas;
277 datas.WriteInterfaceToken(StorageManagerStub::GetDescriptor());
278 datas.WriteBuffer(data.get(), size);
279 datas.RewindRead(0);
280 MessageParcel reply;
281
282 storageManagerPtr->HandleUnlockUserScreen(datas, reply);
283 return true;
284 }
285
HandleUpdateKeyContextFuzzTest(std::unique_ptr<char[]> data,size_t size)286 bool HandleUpdateKeyContextFuzzTest(std::unique_ptr<char[]> data, size_t size)
287 {
288 MessageParcel datas;
289 datas.WriteInterfaceToken(StorageManagerStub::GetDescriptor());
290 datas.WriteBuffer(data.get(), size);
291 datas.RewindRead(0);
292 MessageParcel reply;
293
294 storageManagerPtr->HandleUpdateKeyContext(datas, reply);
295 return true;
296 }
297
HandleCreateShareFileFuzzTest(std::unique_ptr<char[]> data,size_t size)298 bool HandleCreateShareFileFuzzTest(std::unique_ptr<char[]> data, size_t size)
299 {
300 MessageParcel datas;
301 datas.WriteInterfaceToken(StorageManagerStub::GetDescriptor());
302 datas.WriteBuffer(data.get(), size);
303 datas.RewindRead(0);
304 MessageParcel reply;
305
306 storageManagerPtr->HandleCreateShareFile(datas, reply);
307 return true;
308 }
309
HandleDeleteShareFileFuzzTest(std::unique_ptr<char[]> data,size_t size)310 bool HandleDeleteShareFileFuzzTest(std::unique_ptr<char[]> data, size_t size)
311 {
312 MessageParcel datas;
313 datas.WriteInterfaceToken(StorageManagerStub::GetDescriptor());
314 datas.WriteBuffer(data.get(), size);
315 datas.RewindRead(0);
316 MessageParcel reply;
317
318 storageManagerPtr->HandleDeleteShareFile(datas, reply);
319 return true;
320 }
321
HandleSetBundleQuotaFuzzTest(std::unique_ptr<char[]> data,size_t size)322 bool HandleSetBundleQuotaFuzzTest(std::unique_ptr<char[]> data, size_t size)
323 {
324 MessageParcel datas;
325 datas.WriteInterfaceToken(StorageManagerStub::GetDescriptor());
326 datas.WriteBuffer(data.get(), size);
327 datas.RewindRead(0);
328 MessageParcel reply;
329
330 storageManagerPtr->HandleSetBundleQuota(datas, reply);
331 return true;
332 }
333 } // namespace OHOS::StorageManager
334
335 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)336 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
337 {
338 /* Run your code on data */
339 if (data == nullptr) {
340 return 0;
341 }
342
343 /* Validate the length of size */
344 if (size < OHOS::StorageManager::U32_AT_SIZE || size > OHOS::StorageManager::FOO_MAX_LEN) {
345 return 0;
346 }
347
348 auto str = std::make_unique<char[]>(size + 1);
349 (void)memset_s(str.get(), size + 1, 0x00, size + 1);
350 if (memcpy_s(str.get(), size, data, size) != EOK) {
351 return 0;
352 }
353
354 OHOS::StorageManager::StorageManagerFuzzTest(move(str), size);
355 OHOS::StorageManager::HandlePrepareAddUserFuzzTest(move(str), size);
356 OHOS::StorageManager::HandleRemoveUserFuzzTest(move(str), size);
357 OHOS::StorageManager::HandlePrepareStartUserFuzzTest(move(str), size);
358 OHOS::StorageManager::HandleStopUserFuzzTest(move(str), size);
359 OHOS::StorageManager::HandleGetCurrentBundleStatsFuzzTest(move(str), size);
360 OHOS::StorageManager::HandleMountFuzzTest(move(str), size);
361 OHOS::StorageManager::HandleUnmountFuzzTest(move(str), size);
362 OHOS::StorageManager::HandlePartitionFuzzTest(move(str), size);
363 OHOS::StorageManager::HandleFormatFuzzTest(move(str), size);
364 OHOS::StorageManager::HandleGenerateUserKeysFuzzTest(move(str), size);
365 OHOS::StorageManager::HandleDeleteUserKeysFuzzTest(move(str), size);
366 OHOS::StorageManager::HandleUpdateUserAuthFuzzTest(move(str), size);
367 OHOS::StorageManager::HandleActiveUserKeyFuzzTest(move(str), size);
368 OHOS::StorageManager::HandleInactiveUserKeyFuzzTest(move(str), size);
369 OHOS::StorageManager::HandleLockUserScreenFuzzTest(move(str), size);
370 OHOS::StorageManager::HandleUnlockUserScreenFuzzTest(move(str), size);
371 OHOS::StorageManager::HandleUpdateKeyContextFuzzTest(move(str), size);
372 OHOS::StorageManager::HandleCreateShareFileFuzzTest(move(str), size);
373 OHOS::StorageManager::HandleDeleteShareFileFuzzTest(move(str), size);
374 OHOS::StorageManager::HandleSetBundleQuotaFuzzTest(move(str), size);
375 return 0;
376 }
377