1 /*
2  * Copyright (c) 2022 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  *     http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #include "locatorcallbackhost_fuzzer.h"
17 
18 #include "accesstoken_kit.h"
19 #include "if_system_ability_manager.h"
20 #include "iservice_registry.h"
21 #include "message_option.h"
22 #include "message_parcel.h"
23 #include "nativetoken_kit.h"
24 #include "system_ability_definition.h"
25 #include "token_setproc.h"
26 #include "locator_ability.h"
27 
28 #include "locator_callback_napi.h"
29 #include "permission_manager.h"
30 
31 namespace OHOS {
32 using namespace OHOS::Location;
33 const int32_t MAX_MEM_SIZE = 4 * 1024 * 1024;
34 const int32_t LOCATION_PERM_NUM = 4;
MockNativePermission()35 void MockNativePermission()
36 {
37     const char *perms[] = {
38         ACCESS_LOCATION.c_str(), ACCESS_APPROXIMATELY_LOCATION.c_str(),
39         ACCESS_BACKGROUND_LOCATION.c_str(), MANAGE_SECURE_SETTINGS.c_str(),
40     };
41     NativeTokenInfoParams infoInstance = {
42         .dcapsNum = 0,
43         .permsNum = LOCATION_PERM_NUM,
44         .aclsNum = 0,
45         .dcaps = nullptr,
46         .perms = perms,
47         .acls = nullptr,
48         .processName = "GnssAbility_FuzzTest",
49         .aplStr = "system_basic",
50     };
51     auto tokenId = GetAccessTokenId(&infoInstance);
52     SetSelfTokenID(tokenId);
53     Security::AccessToken::AccessTokenKit::ReloadNativeTokenInfo();
54 }
55 
ParseData(const uint8_t * data,size_t size)56 char* ParseData(const uint8_t* data, size_t size)
57 {
58     if (data == nullptr) {
59         return nullptr;
60     }
61 
62     if (size > MAX_MEM_SIZE) {
63         return nullptr;
64     }
65 
66     char* ch = (char *)malloc(size + 1);
67     if (ch == nullptr) {
68         return nullptr;
69     }
70 
71     (void)memset_s(ch, size + 1, 0x00, size + 1);
72     if (memcpy_s(ch, size, data, size) != EOK) {
73         free(ch);
74         ch = nullptr;
75         return nullptr;
76     }
77     return ch;
78 }
79 
LocatorCallbackHost001FuzzTest(const char * data,size_t size)80 bool LocatorCallbackHost001FuzzTest(const char* data, size_t size)
81 {
82     MessageParcel requestParcel;
83     requestParcel.WriteInterfaceToken(u"location.ILocatorCallback");
84     requestParcel.WriteBuffer(data, size);
85     requestParcel.RewindRead(0);
86 
87     MessageParcel reply;
88     MessageOption option;
89 
90     auto callback = sptr<LocatorCallbackNapi>(new (std::nothrow) LocatorCallbackNapi());
91     callback->OnRemoteRequest(ILocatorCallback::RECEIVE_LOCATION_INFO_EVENT, requestParcel, reply, option);
92 
93     return true;
94 }
95 
LocatorCallbackHost002FuzzTest(const char * data,size_t size)96 bool LocatorCallbackHost002FuzzTest(const char* data, size_t size)
97 {
98     MessageParcel requestParcel;
99     requestParcel.WriteInterfaceToken(u"location.ILocatorCallback");
100     requestParcel.WriteBuffer(data, size);
101     requestParcel.RewindRead(0);
102 
103     MessageParcel reply;
104     MessageOption option;
105 
106     auto callback = sptr<LocatorCallbackNapi>(new (std::nothrow) LocatorCallbackNapi());
107     callback->OnRemoteRequest(ILocatorCallback::RECEIVE_LOCATION_STATUS_EVENT, requestParcel, reply, option);
108 
109     return true;
110 }
111 
LocatorCallbackHost003FuzzTest(const char * data,size_t size)112 bool LocatorCallbackHost003FuzzTest(const char* data, size_t size)
113 {
114     MessageParcel requestParcel;
115     requestParcel.WriteInterfaceToken(u"location.ILocatorCallback");
116     requestParcel.WriteBuffer(data, size);
117     requestParcel.RewindRead(0);
118 
119     MessageParcel reply;
120     MessageOption option;
121 
122     auto callback = sptr<LocatorCallbackNapi>(new (std::nothrow) LocatorCallbackNapi());
123     callback->OnRemoteRequest(ILocatorCallback::RECEIVE_ERROR_INFO_EVENT, requestParcel, reply, option);
124 
125     return true;
126 }
127 } // namespace OHOS
128 
129 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)130 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
131 {
132     OHOS::MockNativePermission();
133     char* ch = OHOS::ParseData(data, size);
134     if (ch != nullptr) {
135         OHOS::LocatorCallbackHost001FuzzTest(ch, size);
136         OHOS::LocatorCallbackHost002FuzzTest(ch, size);
137         OHOS::LocatorCallbackHost003FuzzTest(ch, size);
138         free(ch);
139         ch = nullptr;
140     }
141     return 0;
142 }
143 
144