1 /*
2  * Copyright (c) 2022 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  *     http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #include "passiveability_fuzzer.h"
17 
18 #include "accesstoken_kit.h"
19 #include "if_system_ability_manager.h"
20 #include "iservice_registry.h"
21 #include "message_option.h"
22 #include "message_parcel.h"
23 #include "nativetoken_kit.h"
24 #include "system_ability_definition.h"
25 #include "token_setproc.h"
26 #include "locator_ability.h"
27 #include "locationhub_ipc_interface_code.h"
28 
29 #ifdef FEATURE_PASSIVE_SUPPORT
30 #include "passive_ability.h"
31 #endif
32 #include "permission_manager.h"
33 #include "work_record_statistic.h"
34 
35 namespace OHOS {
36 using namespace OHOS::Location;
37 const int32_t MAX_MEM_SIZE = 4 * 1024 * 1024;
38 const int32_t SLEEP_TIMES = 1000;
39 const int32_t LOCATION_PERM_NUM = 4;
40 
MockNativePermission()41 void MockNativePermission()
42 {
43     const char *perms[] = {
44         ACCESS_LOCATION.c_str(), ACCESS_APPROXIMATELY_LOCATION.c_str(),
45         ACCESS_BACKGROUND_LOCATION.c_str(), MANAGE_SECURE_SETTINGS.c_str(),
46     };
47     NativeTokenInfoParams infoInstance = {
48         .dcapsNum = 0,
49         .permsNum = LOCATION_PERM_NUM,
50         .aclsNum = 0,
51         .dcaps = nullptr,
52         .perms = perms,
53         .acls = nullptr,
54         .processName = "GnssAbility_FuzzTest",
55         .aplStr = "system_basic",
56     };
57     auto tokenId = GetAccessTokenId(&infoInstance);
58     SetSelfTokenID(tokenId);
59     Security::AccessToken::AccessTokenKit::ReloadNativeTokenInfo();
60 }
61 
ParseData(const uint8_t * data,size_t size)62 char* ParseData(const uint8_t* data, size_t size)
63 {
64     if (data == nullptr) {
65         return nullptr;
66     }
67 
68     if (size > MAX_MEM_SIZE) {
69         return nullptr;
70     }
71 
72     char* ch = (char *)malloc(size + 1);
73     if (ch == nullptr) {
74         return nullptr;
75     }
76 
77     (void)memset_s(ch, size + 1, 0x00, size + 1);
78     if (memcpy_s(ch, size, data, size) != EOK) {
79         free(ch);
80         ch = nullptr;
81         return nullptr;
82     }
83     return ch;
84 }
85 
86 #ifdef FEATURE_PASSIVE_SUPPORT
PassiveAbility001FuzzTest(const char * data,size_t size)87 bool PassiveAbility001FuzzTest(const char* data, size_t size)
88 {
89     MessageParcel requestParcel;
90     requestParcel.WriteInterfaceToken(u"location.IPassiveAbility");
91     requestParcel.WriteBuffer(data, size);
92     requestParcel.RewindRead(0);
93 
94     MessageParcel reply;
95     MessageOption option;
96 
97     auto ability = sptr<PassiveAbility>(new (std::nothrow) PassiveAbility());
98     ability->OnRemoteRequest(static_cast<uint32_t>(PassiveInterfaceCode::SEND_LOCATION_REQUEST),
99         requestParcel, reply, option);
100     std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
101     WorkRecordStatistic::DestroyInstance();
102     return true;
103 }
104 
PassiveAbility002FuzzTest(const char * data,size_t size)105 bool PassiveAbility002FuzzTest(const char* data, size_t size)
106 {
107     MessageParcel requestParcel;
108     requestParcel.WriteInterfaceToken(u"location.IPassiveAbility");
109     requestParcel.WriteBuffer(data, size);
110     requestParcel.RewindRead(0);
111 
112     MessageParcel reply;
113     MessageOption option;
114 
115     auto ability = sptr<PassiveAbility>(new (std::nothrow) PassiveAbility());
116     ability->OnRemoteRequest(static_cast<uint32_t>(PassiveInterfaceCode::SET_ENABLE),
117         requestParcel, reply, option);
118     std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
119     WorkRecordStatistic::DestroyInstance();
120     return true;
121 }
122 
PassiveAbility003FuzzTest(const char * data,size_t size)123 bool PassiveAbility003FuzzTest(const char* data, size_t size)
124 {
125     MessageParcel requestParcel;
126     requestParcel.WriteInterfaceToken(u"location.IPassiveAbility");
127     requestParcel.WriteBuffer(data, size);
128     requestParcel.RewindRead(0);
129 
130     MessageParcel reply;
131     MessageOption option;
132 
133     auto ability = sptr<PassiveAbility>(new (std::nothrow) PassiveAbility());
134     ability->OnRemoteRequest(static_cast<uint32_t>(PassiveInterfaceCode::ENABLE_LOCATION_MOCK),
135         requestParcel, reply, option);
136     std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
137     WorkRecordStatistic::DestroyInstance();
138     return true;
139 }
140 
PassiveAbility004FuzzTest(const char * data,size_t size)141 bool PassiveAbility004FuzzTest(const char* data, size_t size)
142 {
143     MessageParcel requestParcel;
144     requestParcel.WriteInterfaceToken(u"location.IPassiveAbility");
145     requestParcel.WriteBuffer(data, size);
146     requestParcel.RewindRead(0);
147 
148     MessageParcel reply;
149     MessageOption option;
150 
151     auto ability = sptr<PassiveAbility>(new (std::nothrow) PassiveAbility());
152     ability->OnRemoteRequest(static_cast<uint32_t>(PassiveInterfaceCode::DISABLE_LOCATION_MOCK),
153         requestParcel, reply, option);
154     std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
155     WorkRecordStatistic::DestroyInstance();
156     return true;
157 }
158 
PassiveAbility005FuzzTest(const char * data,size_t size)159 bool PassiveAbility005FuzzTest(const char* data, size_t size)
160 {
161     MessageParcel requestParcel;
162     requestParcel.WriteInterfaceToken(u"location.IPassiveAbility");
163     requestParcel.WriteBuffer(data, size);
164     requestParcel.RewindRead(0);
165 
166     MessageParcel reply;
167     MessageOption option;
168 
169     auto ability = sptr<PassiveAbility>(new (std::nothrow) PassiveAbility());
170     ability->OnRemoteRequest(static_cast<uint32_t>(PassiveInterfaceCode::SET_MOCKED_LOCATIONS),
171         requestParcel, reply, option);
172     std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
173     WorkRecordStatistic::DestroyInstance();
174     return true;
175 }
176 #endif
177 } // namespace OHOS
178 
179 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)180 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
181 {
182     OHOS::MockNativePermission();
183     char* ch = OHOS::ParseData(data, size);
184     if (ch != nullptr) {
185 #ifdef FEATURE_PASSIVE_SUPPORT
186         OHOS::PassiveAbility001FuzzTest(ch, size);
187         OHOS::PassiveAbility002FuzzTest(ch, size);
188         OHOS::PassiveAbility003FuzzTest(ch, size);
189         OHOS::PassiveAbility004FuzzTest(ch, size);
190         OHOS::PassiveAbility005FuzzTest(ch, size);
191 #endif
192         free(ch);
193         ch = nullptr;
194     }
195     return 0;
196 }
197 
198