1 /*
2 * Copyright (c) 2023 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "gnssability_fuzzer.h"
17
18 #include "if_system_ability_manager.h"
19 #include "iservice_registry.h"
20 #include "message_option.h"
21 #include "message_parcel.h"
22 #include "system_ability_definition.h"
23 #include "locator_ability.h"
24 #include "locationhub_ipc_interface_code.h"
25 #include "accesstoken_kit.h"
26 #include "nativetoken_kit.h"
27 #include "token_setproc.h"
28
29 #ifdef FEATURE_GNSS_SUPPORT
30 #include "gnss_ability.h"
31 #endif
32 #include "permission_manager.h"
33 #include "work_record_statistic.h"
34
35 namespace OHOS {
36 using namespace OHOS::Location;
37 const int32_t MAX_MEM_SIZE = 4 * 1024 * 1024;
38 const int32_t SLEEP_TIMES = 1000;
39 const int32_t LOCATION_PERM_NUM = 4;
MockNativePermission()40 void MockNativePermission()
41 {
42 const char *perms[] = {
43 ACCESS_LOCATION.c_str(), ACCESS_APPROXIMATELY_LOCATION.c_str(),
44 ACCESS_BACKGROUND_LOCATION.c_str(), MANAGE_SECURE_SETTINGS.c_str(),
45 };
46 NativeTokenInfoParams infoInstance = {
47 .dcapsNum = 0,
48 .permsNum = LOCATION_PERM_NUM,
49 .aclsNum = 0,
50 .dcaps = nullptr,
51 .perms = perms,
52 .acls = nullptr,
53 .processName = "GnssAbility_FuzzTest",
54 .aplStr = "system_basic",
55 };
56 auto tokenId = GetAccessTokenId(&infoInstance);
57 SetSelfTokenID(tokenId);
58 Security::AccessToken::AccessTokenKit::ReloadNativeTokenInfo();
59 }
60
ParseData(const uint8_t * data,size_t size)61 char* ParseData(const uint8_t* data, size_t size)
62 {
63 if (data == nullptr) {
64 return nullptr;
65 }
66
67 if (size > MAX_MEM_SIZE) {
68 return nullptr;
69 }
70
71 char* ch = (char *)malloc(size + 1);
72 if (ch == nullptr) {
73 return nullptr;
74 }
75
76 (void)memset_s(ch, size + 1, 0x00, size + 1);
77 if (memcpy_s(ch, size, data, size) != EOK) {
78 free(ch);
79 ch = nullptr;
80 return nullptr;
81 }
82 return ch;
83 }
84
85 #ifdef FEATURE_GNSS_SUPPORT
GnssAbility001FuzzTest(const char * data,size_t size)86 bool GnssAbility001FuzzTest(const char* data, size_t size)
87 {
88 MessageParcel requestParcel;
89 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
90 requestParcel.WriteBuffer(data, size);
91 requestParcel.RewindRead(0);
92 MessageParcel reply;
93 MessageOption option;
94
95 auto ability = GnssAbility::GetInstance();
96 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::SET_MOCKED_LOCATIONS),
97 requestParcel, reply, option);
98 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
99 WorkRecordStatistic::DestroyInstance();
100 return true;
101 }
102
GnssAbility002FuzzTest(const char * data,size_t size)103 bool GnssAbility002FuzzTest(const char* data, size_t size)
104 {
105 MessageParcel requestParcel;
106 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
107 requestParcel.WriteBuffer(data, size);
108 requestParcel.RewindRead(0);
109 MessageParcel reply;
110 MessageOption option;
111
112 auto ability = GnssAbility::GetInstance();
113 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::SEND_LOCATION_REQUEST),
114 requestParcel, reply, option);
115
116 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
117 WorkRecordStatistic::DestroyInstance();
118 return true;
119 }
120
GnssAbility003FuzzTest(const char * data,size_t size)121 bool GnssAbility003FuzzTest(const char* data, size_t size)
122 {
123 MessageParcel requestParcel;
124 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
125 requestParcel.WriteBuffer(data, size);
126 requestParcel.RewindRead(0);
127 MessageParcel reply;
128 MessageOption option;
129
130 auto ability = GnssAbility::GetInstance();
131 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::SET_ENABLE),
132 requestParcel, reply, option);
133
134 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
135 WorkRecordStatistic::DestroyInstance();
136 return true;
137 }
138
GnssAbility004FuzzTest(const char * data,size_t size)139 bool GnssAbility004FuzzTest(const char* data, size_t size)
140 {
141 MessageParcel requestParcel;
142 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
143 requestParcel.WriteBuffer(data, size);
144 requestParcel.RewindRead(0);
145 MessageParcel reply;
146 MessageOption option;
147
148 auto ability = GnssAbility::GetInstance();
149 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::REFRESH_REQUESTS),
150 requestParcel, reply, option);
151
152 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
153 WorkRecordStatistic::DestroyInstance();
154 return true;
155 }
156
GnssAbility005FuzzTest(const char * data,size_t size)157 bool GnssAbility005FuzzTest(const char* data, size_t size)
158 {
159 MessageParcel requestParcel;
160 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
161 requestParcel.WriteBuffer(data, size);
162 requestParcel.RewindRead(0);
163 MessageParcel reply;
164 MessageOption option;
165
166 auto ability = GnssAbility::GetInstance();
167 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::REG_GNSS_STATUS),
168 requestParcel, reply, option);
169
170 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
171 WorkRecordStatistic::DestroyInstance();
172 return true;
173 }
174
GnssAbility006FuzzTest(const char * data,size_t size)175 bool GnssAbility006FuzzTest(const char* data, size_t size)
176 {
177 MessageParcel requestParcel;
178 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
179 requestParcel.WriteBuffer(data, size);
180 requestParcel.RewindRead(0);
181 MessageParcel reply;
182 MessageOption option;
183
184 auto ability = GnssAbility::GetInstance();
185 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::UNREG_GNSS_STATUS),
186 requestParcel, reply, option);
187
188 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
189 WorkRecordStatistic::DestroyInstance();
190 return true;
191 }
192
GnssAbility007FuzzTest(const char * data,size_t size)193 bool GnssAbility007FuzzTest(const char* data, size_t size)
194 {
195 MessageParcel requestParcel;
196 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
197 requestParcel.WriteBuffer(data, size);
198 requestParcel.RewindRead(0);
199 MessageParcel reply;
200 MessageOption option;
201
202 auto ability = GnssAbility::GetInstance();
203 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::REG_NMEA),
204 requestParcel, reply, option);
205 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
206 WorkRecordStatistic::DestroyInstance();
207 return true;
208 }
209
GnssAbility008FuzzTest(const char * data,size_t size)210 bool GnssAbility008FuzzTest(const char* data, size_t size)
211 {
212 MessageParcel requestParcel;
213 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
214 requestParcel.WriteBuffer(data, size);
215 requestParcel.RewindRead(0);
216 MessageParcel reply;
217 MessageOption option;
218
219 auto ability = GnssAbility::GetInstance();
220 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::UNREG_NMEA),
221 requestParcel, reply, option);
222
223 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
224 WorkRecordStatistic::DestroyInstance();
225 return true;
226 }
227
GnssAbility009FuzzTest(const char * data,size_t size)228 bool GnssAbility009FuzzTest(const char* data, size_t size)
229 {
230 MessageParcel requestParcel;
231 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
232 requestParcel.WriteBuffer(data, size);
233 requestParcel.RewindRead(0);
234 MessageParcel reply;
235 MessageOption option;
236
237 auto ability = GnssAbility::GetInstance();
238 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::REG_CACHED),
239 requestParcel, reply, option);
240
241 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
242 WorkRecordStatistic::DestroyInstance();
243 return true;
244 }
245
GnssAbility010FuzzTest(const char * data,size_t size)246 bool GnssAbility010FuzzTest(const char* data, size_t size)
247 {
248 MessageParcel requestParcel;
249 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
250 requestParcel.WriteBuffer(data, size);
251 requestParcel.RewindRead(0);
252 MessageParcel reply;
253 MessageOption option;
254
255 auto ability = GnssAbility::GetInstance();
256 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::UNREG_CACHED),
257 requestParcel, reply, option);
258
259 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
260 WorkRecordStatistic::DestroyInstance();
261 return true;
262 }
263
GnssAbility011FuzzTest(const char * data,size_t size)264 bool GnssAbility011FuzzTest(const char* data, size_t size)
265 {
266 MessageParcel requestParcel;
267 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
268 requestParcel.WriteBuffer(data, size);
269 requestParcel.RewindRead(0);
270 MessageParcel reply;
271 MessageOption option;
272
273 auto ability = GnssAbility::GetInstance();
274 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::GET_CACHED_SIZE),
275 requestParcel, reply, option);
276
277 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
278 WorkRecordStatistic::DestroyInstance();
279 return true;
280 }
281
GnssAbility012FuzzTest(const char * data,size_t size)282 bool GnssAbility012FuzzTest(const char* data, size_t size)
283 {
284 MessageParcel requestParcel;
285 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
286 requestParcel.WriteBuffer(data, size);
287 requestParcel.RewindRead(0);
288 MessageParcel reply;
289 MessageOption option;
290
291 auto ability = GnssAbility::GetInstance();
292 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::FLUSH_CACHED),
293 requestParcel, reply, option);
294
295 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
296 WorkRecordStatistic::DestroyInstance();
297 return true;
298 }
299
GnssAbility013FuzzTest(const char * data,size_t size)300 bool GnssAbility013FuzzTest(const char* data, size_t size)
301 {
302 MessageParcel requestParcel;
303 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
304 requestParcel.WriteBuffer(data, size);
305 requestParcel.RewindRead(0);
306 MessageParcel reply;
307 MessageOption option;
308
309 auto ability = GnssAbility::GetInstance();
310 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::SEND_COMMANDS),
311 requestParcel, reply, option);
312
313 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
314 WorkRecordStatistic::DestroyInstance();
315 return true;
316 }
317
GnssAbility014FuzzTest(const char * data,size_t size)318 bool GnssAbility014FuzzTest(const char* data, size_t size)
319 {
320 MessageParcel requestParcel;
321 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
322 requestParcel.WriteBuffer(data, size);
323 requestParcel.RewindRead(0);
324 MessageParcel reply;
325 MessageOption option;
326
327 auto ability = GnssAbility::GetInstance();
328 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::ENABLE_LOCATION_MOCK),
329 requestParcel, reply, option);
330
331 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
332 WorkRecordStatistic::DestroyInstance();
333 return true;
334 }
335
GnssAbility015FuzzTest(const char * data,size_t size)336 bool GnssAbility015FuzzTest(const char* data, size_t size)
337 {
338 MessageParcel requestParcel;
339 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
340 requestParcel.WriteBuffer(data, size);
341 requestParcel.RewindRead(0);
342 MessageParcel reply;
343 MessageOption option;
344
345 auto ability = GnssAbility::GetInstance();
346 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::DISABLE_LOCATION_MOCK),
347 requestParcel, reply, option);
348
349 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
350 WorkRecordStatistic::DestroyInstance();
351 return true;
352 }
353
GnssAbility016FuzzTest(const char * data,size_t size)354 bool GnssAbility016FuzzTest(const char* data, size_t size)
355 {
356 MessageParcel requestParcel;
357 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
358 requestParcel.WriteBuffer(data, size);
359 requestParcel.RewindRead(0);
360 MessageParcel reply;
361 MessageOption option;
362
363 auto ability = GnssAbility::GetInstance();
364 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::ADD_FENCE_INFO),
365 requestParcel, reply, option);
366
367 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
368 WorkRecordStatistic::DestroyInstance();
369 return true;
370 }
371
GnssAbility017FuzzTest(const char * data,size_t size)372 bool GnssAbility017FuzzTest(const char* data, size_t size)
373 {
374 MessageParcel requestParcel;
375 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
376 requestParcel.WriteBuffer(data, size);
377 requestParcel.RewindRead(0);
378 MessageParcel reply;
379 MessageOption option;
380
381 auto ability = GnssAbility::GetInstance();
382 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::REMOVE_FENCE_INFO),
383 requestParcel, reply, option);
384
385 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
386 WorkRecordStatistic::DestroyInstance();
387 return true;
388 }
389
GnssAbility018FuzzTest(const char * data,size_t size)390 bool GnssAbility018FuzzTest(const char* data, size_t size)
391 {
392 MessageParcel requestParcel;
393 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
394 requestParcel.WriteBuffer(data, size);
395 requestParcel.RewindRead(0);
396 MessageParcel reply;
397 MessageOption option;
398
399 auto ability = GnssAbility::GetInstance();
400 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::ADD_GNSS_GEOFENCE),
401 requestParcel, reply, option);
402
403 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
404 WorkRecordStatistic::DestroyInstance();
405 return true;
406 }
407
GnssAbility019FuzzTest(const char * data,size_t size)408 bool GnssAbility019FuzzTest(const char* data, size_t size)
409 {
410 MessageParcel requestParcel;
411 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
412 requestParcel.WriteBuffer(data, size);
413 requestParcel.RewindRead(0);
414 MessageParcel reply;
415 MessageOption option;
416
417 auto ability = GnssAbility::GetInstance();
418 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::REMOVE_GNSS_GEOFENCE),
419 requestParcel, reply, option);
420
421 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
422 WorkRecordStatistic::DestroyInstance();
423 return true;
424 }
425
GnssAbility020FuzzTest(const char * data,size_t size)426 bool GnssAbility020FuzzTest(const char* data, size_t size)
427 {
428 MessageParcel requestParcel;
429 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
430 requestParcel.WriteBuffer(data, size);
431 requestParcel.RewindRead(0);
432 MessageParcel reply;
433 MessageOption option;
434
435 auto ability = GnssAbility::GetInstance();
436 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::GET_GEOFENCE_SUPPORT_COORDINATE_SYSTEM_TYPE),
437 requestParcel, reply, option);
438
439 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
440 WorkRecordStatistic::DestroyInstance();
441 return true;
442 }
443
GnssAbility021FuzzTest(const char * data,size_t size)444 bool GnssAbility021FuzzTest(const char* data, size_t size)
445 {
446 MessageParcel requestParcel;
447 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
448 requestParcel.WriteBuffer(data, size);
449 requestParcel.RewindRead(0);
450 MessageParcel reply;
451 MessageOption option;
452
453 auto ability = GnssAbility::GetInstance();
454 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::SEND_NETWORK_LOCATION),
455 requestParcel, reply, option);
456
457 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
458 WorkRecordStatistic::DestroyInstance();
459 return true;
460 }
461 #endif
462 } // namespace OHOS
463
464 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)465 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
466 {
467 OHOS::MockNativePermission();
468 char* ch = OHOS::ParseData(data, size);
469 if (ch != nullptr) {
470 #ifdef FEATURE_GNSS_SUPPORT
471 OHOS::GnssAbility001FuzzTest(ch, size);
472 OHOS::GnssAbility002FuzzTest(ch, size);
473 OHOS::GnssAbility003FuzzTest(ch, size);
474 OHOS::GnssAbility004FuzzTest(ch, size);
475 OHOS::GnssAbility005FuzzTest(ch, size);
476 OHOS::GnssAbility006FuzzTest(ch, size);
477 OHOS::GnssAbility007FuzzTest(ch, size);
478 OHOS::GnssAbility008FuzzTest(ch, size);
479 OHOS::GnssAbility009FuzzTest(ch, size);
480 OHOS::GnssAbility010FuzzTest(ch, size);
481 OHOS::GnssAbility011FuzzTest(ch, size);
482 OHOS::GnssAbility012FuzzTest(ch, size);
483 OHOS::GnssAbility013FuzzTest(ch, size);
484 OHOS::GnssAbility014FuzzTest(ch, size);
485 OHOS::GnssAbility015FuzzTest(ch, size);
486 OHOS::GnssAbility016FuzzTest(ch, size);
487 OHOS::GnssAbility017FuzzTest(ch, size);
488 OHOS::GnssAbility018FuzzTest(ch, size);
489 OHOS::GnssAbility019FuzzTest(ch, size);
490 OHOS::GnssAbility020FuzzTest(ch, size);
491 OHOS::GnssAbility021FuzzTest(ch, size);
492 #endif
493 free(ch);
494 ch = nullptr;
495 }
496 return 0;
497 }
498
499