1 /*
2 * Copyright (c) 2022-2023 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "co_auth_service_fuzzer.h"
17
18 #include "parcel.h"
19
20 #include "co_auth_service.h"
21 #include "executor_messenger_service.h"
22 #include "executor_callback_interface.h"
23 #include "mock_ipc_common.h"
24 #include "iam_fuzz_test.h"
25 #include "iam_logger.h"
26 #include "iam_ptr.h"
27
28 #define LOG_TAG "USER_AUTH_SA"
29
30 #undef private
31
32 using namespace std;
33 using namespace OHOS::UserIam::Common;
34 using namespace OHOS::UserIam::UserAuth;
35 using ExecutorRegisterInfo = CoAuthInterface::ExecutorRegisterInfo;
36
37 namespace OHOS {
38 namespace UserIam {
39 namespace CoAuth {
40 namespace {
41 const int CMD_LEN = 19;
42 std::u16string cmd[] = {u"-h", u"-lc", u"-ls", u"-c", u"-c [base system]", u"-s", u"-s [SA0 SA1]", u"-s [SA] -a [-h]",
43 u"-e", u"--net", u"--storage", u"-p", u"-p [pid]", u"--cpuusage [pid]", u"cified pid", u"--cpufreq", u"--mem [pid]",
44 u"--zip", u"--mem-smaps pid [-v]"};
45
46 class CoAuthServiceFuzzer : public ExecutorCallbackInterface {
47 public:
CoAuthServiceFuzzer(int32_t onBeginExecuteResult,int32_t onEndExecuteResult,int32_t onSetPropertyResult,int32_t onGetPropertyResult,int32_t onSendDataResult)48 CoAuthServiceFuzzer(int32_t onBeginExecuteResult, int32_t onEndExecuteResult, int32_t onSetPropertyResult,
49 int32_t onGetPropertyResult, int32_t onSendDataResult)
50 : onBeginExecuteResult_(onBeginExecuteResult),
51 onEndExecuteResult_(onEndExecuteResult),
52 onSetPropertyResult_(onSetPropertyResult),
53 onGetPropertyResult_(onGetPropertyResult),
54 onSendDataResult_(onSendDataResult)
55 {
56 }
57
58 virtual ~CoAuthServiceFuzzer() = default;
59
OnMessengerReady(sptr<ExecutorMessengerInterface> & messenger,const std::vector<uint8_t> & publicKey,const std::vector<uint64_t> & templateIdList)60 void OnMessengerReady(sptr<ExecutorMessengerInterface> &messenger,
61 const std::vector<uint8_t> &publicKey, const std::vector<uint64_t> &templateIdList) override
62 {
63 IAM_LOGI("start");
64 return;
65 }
66
OnBeginExecute(uint64_t scheduleId,const std::vector<uint8_t> & publicKey,const Attributes & command)67 int32_t OnBeginExecute(uint64_t scheduleId, const std::vector<uint8_t> &publicKey,
68 const Attributes &command) override
69 {
70 IAM_LOGI("start");
71 return onBeginExecuteResult_;
72 }
73
OnEndExecute(uint64_t scheduleId,const Attributes & command)74 int32_t OnEndExecute(uint64_t scheduleId, const Attributes &command) override
75 {
76 IAM_LOGI("start");
77 return onEndExecuteResult_;
78 }
79
OnSetProperty(const Attributes & properties)80 int32_t OnSetProperty(const Attributes &properties) override
81 {
82 IAM_LOGI("start");
83 return onSetPropertyResult_;
84 }
85
OnGetProperty(const Attributes & condition,Attributes & values)86 int32_t OnGetProperty(const Attributes &condition, Attributes &values) override
87 {
88 IAM_LOGI("start");
89 return onGetPropertyResult_;
90 }
91
OnSendData(uint64_t scheduleId,const Attributes & data)92 int32_t OnSendData(uint64_t scheduleId, const Attributes &data) override
93 {
94 IAM_LOGI("start");
95 return onSendDataResult_;
96 }
97
AsObject()98 sptr<IRemoteObject> AsObject() override
99 {
100 sptr<IRemoteObject> tmp(nullptr);
101 return tmp;
102 }
103
104 private:
105 int32_t onBeginExecuteResult_;
106 int32_t onEndExecuteResult_;
107 int32_t onSetPropertyResult_;
108 int32_t onGetPropertyResult_;
109 int32_t onSendDataResult_;
110 };
111
FillFuzzExecutorRegisterInfo(Parcel & parcel,ExecutorRegisterInfo & executorInfo)112 void FillFuzzExecutorRegisterInfo(Parcel &parcel, ExecutorRegisterInfo &executorInfo)
113 {
114 executorInfo.authType = static_cast<UserIam::UserAuth::AuthType>(parcel.ReadInt32());
115 executorInfo.executorRole = static_cast<UserIam::UserAuth::ExecutorRole>(parcel.ReadInt32());
116 executorInfo.executorSensorHint = parcel.ReadUint32();
117 executorInfo.executorMatcher = parcel.ReadUint32();
118 executorInfo.esl = static_cast<UserIam::UserAuth::ExecutorSecureLevel>(parcel.ReadInt32());
119 FillFuzzUint8Vector(parcel, executorInfo.publicKey);
120 IAM_LOGI("FillFuzzExecutorRegisterInfo success");
121 }
122
123 CoAuthService g_coAuthService;
124 sptr<ExecutorMessengerService> executorMessengerService = ExecutorMessengerService::GetInstance();
125
FuzzRegister(Parcel & parcel)126 void FuzzRegister(Parcel &parcel)
127 {
128 IAM_LOGI("FuzzRegister begin");
129 ExecutorRegisterInfo executorInfo;
130 FillFuzzExecutorRegisterInfo(parcel, executorInfo);
131 sptr<ExecutorCallbackInterface> callback(nullptr);
132 if (parcel.ReadBool()) {
133 callback = sptr<ExecutorCallbackInterface>(new (std::nothrow)
134 CoAuthServiceFuzzer(parcel.ReadInt32(), parcel.ReadInt32(), parcel.ReadInt32(), parcel.ReadInt32(),
135 parcel.ReadInt32()));
136 }
137 g_coAuthService.ExecutorRegister(executorInfo, callback);
138 IAM_LOGI("FuzzRegister end");
139 }
140
FuzzOther(Parcel & parcel)141 void FuzzOther(Parcel &parcel)
142 {
143 IAM_LOGI("begin");
144 g_coAuthService.Init();
145
146 auto callback = Common::MakeShared<CoAuthServiceFuzzer>(parcel.ReadInt32(), parcel.ReadInt32(),
147 parcel.ReadInt32(), parcel.ReadInt32(), parcel.ReadInt32());
148 uint64_t executorIndex = parcel.ReadUint64();
149 AuthType authType = static_cast<AuthType>(parcel.ReadInt32());
150 g_coAuthService.AddExecutorDeathRecipient(executorIndex, authType, callback);
151 g_coAuthService.OnStart();
152 g_coAuthService.OnStop();
153 IAM_LOGI("end");
154 }
155
FuzzSendData(Parcel & parcel)156 void FuzzSendData(Parcel &parcel)
157 {
158 IAM_LOGI("FuzzSendData begin");
159 uint64_t scheduleId = parcel.ReadUint64();
160 ExecutorRole dstRole = static_cast<ExecutorRole>(parcel.ReadInt32());
161 std::vector<uint8_t> msg;
162 Common::FillFuzzUint8Vector(parcel, msg);
163
164 if (executorMessengerService != nullptr) {
165 executorMessengerService->SendData(scheduleId, dstRole, msg);
166 }
167 IAM_LOGI("FuzzSendData end");
168 }
169
FuzzFinish(Parcel & parcel)170 void FuzzFinish(Parcel &parcel)
171 {
172 IAM_LOGI("FuzzFinish begin");
173 uint64_t scheduleId = parcel.ReadUint64();
174 ResultCode resultCode = static_cast<ResultCode>(parcel.ReadInt32());
175 auto finalResult = Common::MakeShared<Attributes>();
176
177 if (executorMessengerService != nullptr) {
178 executorMessengerService->Finish(scheduleId, resultCode, finalResult);
179 }
180 IAM_LOGI("FuzzFinish end");
181 }
182
FuzzDump(Parcel & parcel)183 void FuzzDump(Parcel &parcel)
184 {
185 IAM_LOGI("FuzzDump begin");
186 std::vector<uint8_t> msg;
187 Common::FillFuzzUint8Vector(parcel, msg);
188 int32_t fd = parcel.ReadInt32();
189 std::vector<std::u16string> args;
190 for (uint32_t i = 0; i < msg.size(); i++) {
191 args.push_back(cmd[msg[i] % CMD_LEN]);
192 }
193 g_coAuthService.Dump(fd, args);
194 IAM_LOGI("FuzzDump end");
195 }
196
FuzzNotifyFwkReady(Parcel & parcel)197 void FuzzNotifyFwkReady(Parcel &parcel)
198 {
199 IAM_LOGI("FuzzNotifyFwkReady begin");
200 g_coAuthService.NotifyFwkReady();
201 IAM_LOGI("FuzzNotifyFwkReady end");
202 }
203
FuzzUnRegisterAccessTokenListener(Parcel & parcel)204 void FuzzUnRegisterAccessTokenListener(Parcel &parcel)
205 {
206 IAM_LOGI("FuzzNotifyFwkReady begin");
207 g_coAuthService.RegisterAccessTokenListener();
208 g_coAuthService.UnRegisterAccessTokenListener();
209 IAM_LOGI("FuzzNotifyFwkReady end");
210 }
211
212 using FuzzFunc = decltype(FuzzRegister);
213 FuzzFunc *g_fuzzFuncs[] = {
214 FuzzRegister,
215 FuzzSendData,
216 FuzzFinish,
217 FuzzDump,
218 FuzzOther,
219 FuzzNotifyFwkReady,
220 FuzzUnRegisterAccessTokenListener,
221 };
222
CoAuthFuzzTest(const uint8_t * data,size_t size)223 void CoAuthFuzzTest(const uint8_t *data, size_t size)
224 {
225 Parcel parcel;
226 parcel.WriteBuffer(data, size);
227 parcel.RewindRead(0);
228 uint32_t index = parcel.ReadUint32() % (sizeof(g_fuzzFuncs) / sizeof(FuzzFunc *));
229 auto fuzzFunc = g_fuzzFuncs[index];
230 fuzzFunc(parcel);
231 return;
232 }
233 } // namespace
234 } // namespace CoAuth
235 } // namespace UserIam
236 } // namespace OHOS
237
238 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)239 extern "C" int32_t LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
240 {
241 OHOS::UserIam::CoAuth::CoAuthFuzzTest(data, size);
242 return 0;
243 }
244