1 /*
2  * Copyright (c) 2024 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  *     http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #include "getpermissionsstatus_fuzzer.h"
17 
18 #include <cstdint>
19 #include <string>
20 #include <vector>
21 #include <thread>
22 #undef private
23 #include "access_token.h"
24 #include "accesstoken_kit.h"
25 #include "nativetoken_kit.h"
26 #include "securec.h"
27 #include "token_setproc.h"
28 
29 using namespace std;
30 using namespace OHOS::Security::AccessToken;
31 
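namespace OHOS {
// Read cursor over the fuzz input currently being processed. The three values are
// reset together at the start of GetPermissionsStatusFuzzTest; GetData relies on
// g_baseFuzzPos never exceeding g_baseFuzzSize.
const uint8_t *g_baseFuzzData = nullptr;
size_t g_baseFuzzSize = 0;
size_t g_baseFuzzPos = 0;

    /*
     * Gives the fuzzer process its own access token before the API under test is called.
     *
     * The token is requested with APL "system_core" and the single permission
     * ohos.permission.GET_SENSITIVE_PERMISSIONS, installed via SetSelfTokenID, and
     * followed by AccessTokenKit::ReloadNativeTokenInfo().
     * NOTE(review): presumably GetPermissionsStatus rejects callers without this
     * permission - confirm. The harness therefore runs with a highly privileged
     * identity and belongs on test images only.
     */
    void GetNativeToken()
    {
        // Automatic storage instead of new[]/delete[]: the array lives exactly as long
        // as before (until the end of this function) and cannot leak on an early exit.
        const char *perms[] = { "ohos.permission.GET_SENSITIVE_PERMISSIONS" };

        NativeTokenInfoParams infoInstance = {
            .dcapsNum = 0,
            .permsNum = 1, // must match the number of entries in perms
            .aclsNum = 0,
            .dcaps = nullptr,
            .perms = perms,
            .acls = nullptr,
            .processName = "getpermissionsstatus_fuzzer_test",
            .aplStr = "system_core",
        };

        uint64_t tokenId = GetAccessTokenId(&infoInstance);
        SetSelfTokenID(tokenId);
        AccessTokenKit::ReloadNativeTokenInfo();
    }

    /*
     * Reads the next sizeof(T) bytes of the untrusted fuzz input (g_baseFuzzData) as a T
     * and advances the cursor.
     *
     * Returns a value-initialized T, without advancing the cursor, when no input is
     * set, when fewer than sizeof(T) bytes remain, or when memcpy_s reports an error.
     * Only meant for basic (trivially copyable) types, because the bytes are copied raw.
     */
    template<class T> T GetData()
    {
        T object {};
        size_t objectSize = sizeof(object);
        // g_baseFuzzPos <= g_baseFuzzSize always holds (the cursor only moves after this
        // check has passed), so the subtraction cannot wrap around.
        if (g_baseFuzzData == nullptr || objectSize > g_baseFuzzSize - g_baseFuzzPos) {
            return object;
        }
        errno_t ret = memcpy_s(&object, objectSize, g_baseFuzzData + g_baseFuzzPos, objectSize);
        if (ret != EOK) {
            return {};
        }
        g_baseFuzzPos += objectSize;
        return object;
    }

    /*
     * Builds a string from up to (strlen - 1) bytes of the fuzz input.
     *
     * strlen is the size of the conceptual C buffer, terminator included, so at most
     * strlen - 1 characters are taken. The result ends at the first NUL byte, exactly as
     * constructing std::string from a C string would. A strlen of 1 or less yields "".
     *
     * The length comes from attacker-controlled input size, so no stack buffer is sized
     * from it: a variable-length array here would overflow the stack on large inputs and
     * would be written out of bounds for strlen <= 0.
     */
    std::string GetStringFromData(int strlen)
    {
        if (strlen <= 1) {
            return {};
        }

        const size_t wanted = static_cast<size_t>(strlen) - 1;
        const size_t available = (g_baseFuzzData == nullptr) ? 0 : g_baseFuzzSize - g_baseFuzzPos;
        // Once the input is exhausted GetData<char>() only yields '\0', which would be cut
        // off below anyway, so never allocate or loop for more than what is left.
        const size_t count = (wanted < available) ? wanted : available;

        std::string str;
        str.reserve(count);
        for (size_t i = 0; i < count; i++) {
            str.push_back(GetData<char>());
        }

        // Keep C-string semantics: everything from the first NUL byte on is dropped.
        const size_t nulPos = str.find('\0');
        if (nulPos != std::string::npos) {
            str.resize(nulPos);
        }
        return str;
    }

    /*
     * Runs one fuzz iteration against AccessTokenKit::GetPermissionsStatus.
     *
     * Input layout: the first sizeof(uint32_t) bytes become the AccessTokenID, the rest
     * becomes the permission name (cut at the first NUL byte).
     *
     * Returns false for a null or empty input, true otherwise. Whatever status the API
     * returns is discarded here, so result stays RET_SUCCESS.
     */
    bool GetPermissionsStatusFuzzTest(const uint8_t* data, size_t size)
    {
        if ((data == nullptr) || (size == 0)) {
            return false;
        }

        int32_t result = RET_SUCCESS;
        g_baseFuzzData = data;
        g_baseFuzzSize = size;
        g_baseFuzzPos = 0;
        // Need the token id plus at least one byte of name. The threshold is based on the
        // bytes actually consumed, not on sizeof(std::string), which is the size of the
        // string object and says nothing about the input.
        if (size > sizeof(uint32_t)) {
            AccessTokenID tokenId = static_cast<AccessTokenID>(GetData<uint32_t>());

            // Bytes left for the name. Clamp before narrowing to int so that an oversized
            // input cannot turn into a negative length.
            size_t nameBytes = size - sizeof(uint32_t);
            const size_t maxNameBytes = static_cast<size_t>(INT32_MAX) - 1;
            if (nameBytes > maxNameBytes) {
                nameBytes = maxNameBytes;
            }
            // +1 because GetStringFromData counts the terminator in its length argument.
            std::string testPerName = GetStringFromData(static_cast<int>(nameBytes + 1));

            std::vector<PermissionListState> permsList;
            PermissionListState perm = {
                .permissionName = testPerName,
                .state = SETTING_OPER,
            };
            permsList.emplace_back(perm);
            AccessTokenKit::GetPermissionsStatus(tokenId, permsList);
        }
        return result == RET_SUCCESS;
    }
}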
115 
116 /* Fuzzer entry point */
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
{
    // The privileged native token is set up again for every input.
    // NOTE(review): if the token set by SetSelfTokenID persists across calls, this could
    // move to one-time initialisation - confirm before changing.
    OHOS::GetNativeToken();

    // data/size are untrusted fuzzer input; the harness result is intentionally unused.
    static_cast<void>(OHOS::GetPermissionsStatusFuzzTest(data, size));

    // This entry point always reports 0 to the fuzzing engine.
    return 0;
}
124