1 /*
2  * Copyright (c) 2024 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  *     http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #include "abilityappmgrapprunningmanager_fuzzer.h"
17 #include "ability_record.h"
18 
19 #include <cstddef>
20 #include <cstdint>
21 
22 #define private public
23 #include "app_running_manager.h"
24 #include "child_process_record.h"
25 #include "app_running_record.h"
26 #undef private
27 #include "securec.h"
28 #include "ability_record.h"
29 
30 
31 using namespace OHOS::AAFwk;
32 using namespace OHOS::AppExecFwk;
33 
34 namespace OHOS {
35 namespace {
36 constexpr int INPUT_ZERO = 0;
37 constexpr int INPUT_ONE = 1;
38 constexpr int INPUT_TWO = 2;
39 constexpr int INPUT_THREE = 3;
40 constexpr size_t FOO_MAX_LEN = 1024;
41 constexpr size_t U32_AT_SIZE = 4;
42 constexpr size_t OFFSET_ZERO = 24;
43 constexpr size_t OFFSET_ONE = 16;
44 constexpr size_t OFFSET_TWO = 8;
45 constexpr uint8_t ENABLE = 2;
46 }
GetU32Data(const char * ptr)47 uint32_t GetU32Data(const char* ptr)
48 {
49     // convert fuzz input data to an integer
50     return (ptr[INPUT_ZERO] << OFFSET_ZERO) | (ptr[INPUT_ONE] << OFFSET_ONE) | (ptr[INPUT_TWO] << OFFSET_TWO) |
51         ptr[INPUT_THREE];
52 }
53 
GetFuzzAbilityToken()54 sptr<Token> GetFuzzAbilityToken()
55 {
56     sptr<Token> token = nullptr;
57     AbilityRequest abilityRequest;
58     abilityRequest.appInfo.bundleName = "com.example.fuzzTest";
59     abilityRequest.abilityInfo.name = "MainAbility";
60     abilityRequest.abilityInfo.type = AbilityType::DATA;
61     std::shared_ptr<AbilityRecord> abilityRecord = AbilityRecord::CreateAbilityRecord(abilityRequest);
62     if (abilityRecord) {
63         token = abilityRecord->GetToken();
64     }
65     return token;
66 }
67 
DoSomethingInterestingWithMyAPIadda(const char * data,size_t size)68 void DoSomethingInterestingWithMyAPIadda(const char* data, size_t size)
69 {
70     std::shared_ptr<AppRunningManager> manager = std::make_shared<AppRunningManager>();
71     pid_t pidApps = static_cast<pid_t>(GetU32Data(data));
72     std::string jsonStr(data, size);
73     int uid = static_cast<int>(GetU32Data(data));
74     manager->SetAbilityForegroundingFlagToAppRecord(pidApps);
75     int64_t eventId = static_cast<int64_t>(GetU32Data(data));
76     manager->HandleTerminateTimeOut(eventId);
77     sptr<IRemoteObject> token = GetFuzzAbilityToken();
78     std::shared_ptr<AppMgrServiceInner> appMgrServiceInner;
79     manager->HandleAbilityAttachTimeOut(token, appMgrServiceInner);
80     manager->GetAppRunningRecord(eventId);
81     bool clearMissionFlag = *data % ENABLE;
82     manager->TerminateAbility(token, clearMissionFlag, appMgrServiceInner);
83     ApplicationInfo appInfos;
84     manager->ProcessUpdateApplicationInfoInstalled(appInfos);
85     std::list<pid_t> pids;
86     manager->ProcessExitByBundleNameAndUid(jsonStr, uid, pids);
87     int32_t userId = static_cast<int32_t>(GetU32Data(data));
88     manager->GetPidsByUserId(userId, pids);
89     manager->PrepareTerminate(token, clearMissionFlag);
90     sptr<IRemoteObject> abilityToken = GetFuzzAbilityToken();
91     manager->GetTerminatingAppRunningRecord(abilityToken);
92     AppExecFwk::RunningProcessInfo processInfo;
93     manager->GetRunningProcessInfoByToken(token, processInfo);
94     OHOS::AppExecFwk::RunningProcessInfo infoByPid;
95     manager->GetRunningProcessInfoByPid(pidApps, infoByPid);
96     std::regex re;
97     manager->ClipStringContent(re, jsonStr, jsonStr);
98     manager->GetAppRunningRecordByRenderPid(pidApps);
99     wptr<IRemoteObject> remote;
100     manager->OnRemoteRenderDied(remote);
101     manager->GetAppRunningStateByBundleName(jsonStr);
102     sptr<IQuickFixCallback> callback;
103     manager->NotifyLoadRepairPatch(jsonStr, callback);
104     manager->NotifyHotReloadPage(jsonStr, callback);
105     manager->NotifyUnLoadRepairPatch(jsonStr, callback);
106     std::shared_ptr<ApplicationInfo> infoAPP;
107     int32_t recordId = static_cast<int32_t>(GetU32Data(data));
108     OHOS::AppExecFwk::AppRunningRecord foregroundingRecord(infoAPP, recordId, jsonStr);
109 }
110 
DoSomethingInterestingWithMyAPIaddb(const char * data,size_t size)111 void DoSomethingInterestingWithMyAPIaddb(const char* data, size_t size)
112 {
113     std::shared_ptr<AppRunningManager> manager = std::make_shared<AppRunningManager>();
114     std::string jsonStr(data, size);
115     int32_t recordId = static_cast<int32_t>(GetU32Data(data));
116     std::shared_ptr<ApplicationInfo> infoAPP;
117     OHOS::AppExecFwk::AppRunningRecord foregroundingRecord(infoAPP, recordId, jsonStr);
118     manager->IsApplicationFirstForeground(foregroundingRecord);
119     manager->IsApplicationBackground(foregroundingRecord);
120     manager->IsApplicationFirstFocused(foregroundingRecord);
121     manager->IsApplicationUnfocused(jsonStr);
122     bool isAttachDebug = *data % ENABLE;
123     manager->SetAttachAppDebug(jsonStr, isAttachDebug);
124     bool isDetachDebug = *data % ENABLE;
125     manager->GetAppDebugInfosByBundleName(jsonStr, isDetachDebug);
126     std::vector<sptr<IRemoteObject>> abilityTokens;
127     manager->GetAbilityTokensByBundleName(jsonStr, abilityTokens);
128     pid_t pidApps = static_cast<pid_t>(GetU32Data(data));
129     manager->GetAppRunningRecordByChildProcessPid(pidApps);
130     wptr<IRemoteObject> remote;
131     manager->OnChildProcessRemoteDied(remote);
132     manager->GetAllAppRunningRecordCountByBundleName(jsonStr);
133     auto uid = static_cast<int32_t>(GetU32Data(data));
134     manager->SignRestartAppFlag(uid);
135     manager->GetAppRunningUniqueIdByPid(pidApps, jsonStr);
136     std::vector<pid_t> hostPids;
137     manager->GetAllUIExtensionRootHostPid(pidApps, hostPids);
138     std::vector<pid_t> providerPids;
139     pid_t hostPid = static_cast<pid_t>(GetU32Data(data));
140     manager->GetAllUIExtensionProviderPid(hostPid, providerPids);
141     int32_t uiExtensionAbilityId = static_cast<int32_t>(GetU32Data(data));
142     pid_t providerPid = static_cast<pid_t>(GetU32Data(data));
143     manager->AddUIExtensionLauncherItem(uiExtensionAbilityId, hostPid, providerPid);
144     manager->RemoveUIExtensionLauncherItem(pidApps);
145     manager->RemoveUIExtensionLauncherItemById(uiExtensionAbilityId);
146     manager->DumpIpcAllStart(jsonStr);
147     manager->DumpIpcAllStop(jsonStr);
148     manager->DumpIpcAllStat(jsonStr);
149 }
150 
DoSomethingInterestingWithMyAPIaddc(const char * data,size_t size)151 void DoSomethingInterestingWithMyAPIaddc(const char* data, size_t size)
152 {
153     std::shared_ptr<AppRunningManager> manager = std::make_shared<AppRunningManager>();
154     std::string jsonStr(data, size);
155     int32_t pidDump = static_cast<int32_t>(GetU32Data(data));
156     manager->DumpIpcStart(pidDump, jsonStr);
157     manager->DumpIpcStop(pidDump, jsonStr);
158     manager->DumpIpcStat(pidDump, jsonStr);
159     std::vector<int32_t> pidFrt;
160     manager->DumpFfrt(pidFrt, jsonStr);
161     int32_t uids = static_cast<int32_t>(GetU32Data(data));
162     std::shared_ptr<ApplicationInfo> appInfosd = std::make_shared<ApplicationInfo>();
163     std::set<std::shared_ptr<AppRunningRecord>> cachedSet;
164     manager->IsAppProcessesAllCached(jsonStr, uids, cachedSet);
165     int64_t eventId = static_cast<int64_t>(GetU32Data(data));
166     manager->GetAbilityRunningRecord(eventId);
167     std::shared_ptr<AppRunningRecord> appRecord;
168     AppExecFwk::RunningProcessInfo infoRecord;
169     manager->AssignRunningProcessInfoByAppRecord(appRecord, infoRecord);
170 }
171 
DoSomethingInterestingWithMyAPI(const char * data,size_t size)172 bool DoSomethingInterestingWithMyAPI(const char* data, size_t size)
173 {
174     std::shared_ptr<AppRunningManager> manager = std::make_shared<AppRunningManager>();
175     std::shared_ptr<ApplicationInfo> appInfo = std::make_shared<ApplicationInfo>();
176     std::string jsonStr(data, size);
177     BundleInfo bundleInfo;
178     manager->CreateAppRunningRecord(appInfo, jsonStr, bundleInfo);
179     int uid = static_cast<int>(GetU32Data(data));
180     manager->CheckAppRunningRecordIsExist(jsonStr, jsonStr, uid, bundleInfo, jsonStr);
181     manager->CheckAppRunningRecordIsExistByBundleName(jsonStr);
182     int32_t appCloneIndex = static_cast<int32_t>(GetU32Data(data));
183     bool isRunning = *data % ENABLE;
184     manager->CheckAppCloneRunningRecordIsExistByBundleName(jsonStr, appCloneIndex, isRunning);
185     pid_t pidApps = static_cast<pid_t>(GetU32Data(data));
186     manager->GetAppRunningRecordByPid(pidApps);
187     sptr<IRemoteObject> abilityToken = GetFuzzAbilityToken();
188     manager->GetAppRunningRecordByAbilityToken(abilityToken);
189     wptr<IRemoteObject> remote;
190     std::shared_ptr<AppMgrServiceInner> appMgrServiceInner;
191     manager->OnRemoteDied(remote, appMgrServiceInner);
192     manager->GetAppRunningRecordMap();
193     int32_t recordId = static_cast<int32_t>(GetU32Data(data));
194     manager->RemoveAppRunningRecordById(recordId);
195     manager->ClearAppRunningRecordMap();
196     std::list<pid_t> pids;
197     manager->ProcessExitByBundleName(jsonStr, pids);
198     std::vector<AppStateData> list;
199     manager->GetForegroundApplications(list);
200     Configuration config;
201     manager->UpdateConfiguration(config);
202     manager->UpdateConfigurationByBundleName(config, jsonStr);
203     int32_t level = static_cast<int32_t>(GetU32Data(data));
204     manager->NotifyMemoryLevel(level);
205     std::map<pid_t, MemoryLevel> procLevelMap;
206     manager->NotifyProcMemoryLevel(procLevelMap);
207     int32_t pidDump = static_cast<int32_t>(GetU32Data(data));
208     OHOS::AppExecFwk::MallocInfo mallocInfo;
209     manager->DumpHeapMemory(pidDump, mallocInfo);
210     OHOS::AppExecFwk::JsHeapDumpInfo info;
211     manager->DumpJsHeapMemory(info);
212     DoSomethingInterestingWithMyAPIadda(data, size);
213     DoSomethingInterestingWithMyAPIaddb(data, size);
214     DoSomethingInterestingWithMyAPIaddc(data, size);
215     return true;
216 }
217 }
218 
219 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)220 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
221 {
222     /* Run your code on data */
223     if (data == nullptr) {
224         std::cout << "invalid data" << std::endl;
225         return 0;
226     }
227 
228     /* Validate the length of size */
229     if (size > OHOS::FOO_MAX_LEN || size < OHOS::U32_AT_SIZE) {
230         return 0;
231     }
232 
233     char* ch = static_cast<char*>(malloc(size + 1));
234     if (ch == nullptr) {
235         std::cout << "malloc failed." << std::endl;
236         return 0;
237     }
238 
239     (void)memset_s(ch, size + 1, 0x00, size + 1);
240     if (memcpy_s(ch, size + 1, data, size) != EOK) {
241         std::cout << "copy failed." << std::endl;
242         free(ch);
243         ch = nullptr;
244         return 0;
245     }
246 
247     OHOS::DoSomethingInterestingWithMyAPI(ch, size);
248     free(ch);
249     ch = nullptr;
250     return 0;
251 }
252 
253