1 /*
2 * Copyright (c) 2023 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "systemabilityfwk_fuzzer.h"
17
18 #include <cstddef>
19 #include <cstdint>
20 #include <cstdlib>
21 #include <fcntl.h>
22 #include <unistd.h>
23
24 #define private public
25 #include "string_ex.h"
26 #include "local_ability_manager.h"
27 #include "sa_mock_permission.h"
28 #include "mock_sa_realize.h"
29 #include "securec.h"
30
31 namespace OHOS {
32 namespace Samgr {
33 namespace {
34 constexpr size_t THRESHOLD = 10;
35 constexpr uint8_t MAX_CALL_TRANSACTION = 16;
36 constexpr int32_t OFFSET = 4;
37 constexpr int32_t USLEEP_NUM = 200000;
38 constexpr int32_t SHIFT_FIRST = 24;
39 constexpr int32_t SHIFT_SECOND = 16;
40 constexpr int32_t SHIFT_THIRD = 8;
41 constexpr int32_t ZERO_NUM = 0;
42 constexpr int32_t FIRST_NUM = 1;
43 constexpr int32_t SECOND_NUM = 2;
44 constexpr int32_t THIRD_NUM = 3;
45 const std::u16string LOCAL_ABILITY_MANAGER_INTERFACE_TOKEN = u"ohos.localabilitymanager.accessToken";
46 const uint8_t *g_baseFuzzData = nullptr;
47 size_t g_baseFuzzSize = 0;
48 size_t g_baseFuzzPos;
49 }
50
GetData()51 template <class T> T GetData()
52 {
53 T object{};
54 size_t objectSize = sizeof(object);
55 if (g_baseFuzzData == nullptr || objectSize > g_baseFuzzSize - g_baseFuzzPos) {
56 return object;
57 }
58 errno_t ret = memcpy_s(&object, objectSize, g_baseFuzzData + g_baseFuzzPos, objectSize);
59 if (ret != EOK) {
60 return {};
61 }
62 g_baseFuzzPos += objectSize;
63 return object;
64 }
65
ConvertToUint32(const uint8_t * ptr)66 uint32_t ConvertToUint32(const uint8_t* ptr)
67 {
68 if (ptr == nullptr) {
69 return 0;
70 }
71 return (ptr[ZERO_NUM] << SHIFT_FIRST) | (ptr[FIRST_NUM] << SHIFT_SECOND) |
72 (ptr[SECOND_NUM] << SHIFT_THIRD) | (ptr[THIRD_NUM]);
73 }
74
FuzzLocalAbilityManager(const uint8_t * rawData,size_t size)75 void FuzzLocalAbilityManager(const uint8_t* rawData, size_t size)
76 {
77 SaMockPermission::MockPermission();
78 g_baseFuzzData = rawData;
79 g_baseFuzzSize = size;
80 g_baseFuzzPos = 0;
81 int32_t systemAbilityId = GetData<int32_t>();
82 int32_t listenSaId = GetData<int32_t>();
83 int32_t dependSaId = GetData<int32_t>();
84 std::vector<int32_t> dependSas = {dependSaId};
85 std::string profilePath = GetData<std::string>();
86 std::string procName = GetData<std::string>();
87 std::string eventStr = GetData<std::string>();
88 SaProfile saProfile = {Str8ToStr16(procName), systemAbilityId};
89 std::list<SaProfile> saInfos = {saProfile};
90
91 MockSaRealize *ability = new MockSaRealize(systemAbilityId, false);
92 LocalAbilityManager::GetInstance().AddAbility(ability);
93 LocalAbilityManager::GetInstance().DoStartSAProcess(profilePath, systemAbilityId);
94 LocalAbilityManager::GetInstance().GetTraceTag(profilePath);
95 LocalAbilityManager::GetInstance().InitializeSaProfiles(systemAbilityId);
96 LocalAbilityManager::GetInstance().CheckTrustSa(profilePath, procName, saInfos);
97 LocalAbilityManager::GetInstance().RemoveAbility(systemAbilityId);
98 LocalAbilityManager::GetInstance().GetRunningStatus(systemAbilityId);
99
100 LocalAbilityManager::GetInstance().AddSystemAbilityListener(systemAbilityId, listenSaId);
101 LocalAbilityManager::GetInstance().RemoveSystemAbilityListener(systemAbilityId, listenSaId);
102 LocalAbilityManager::GetInstance().CheckDependencyStatus(dependSas);
103 LocalAbilityManager::GetInstance().StartSystemAbilityTask(ability);
104 LocalAbilityManager::GetInstance().CheckSystemAbilityManagerReady();
105 LocalAbilityManager::GetInstance().InitSystemAbilityProfiles(profilePath, systemAbilityId);
106 LocalAbilityManager::GetInstance().ClearResource();
107 LocalAbilityManager::GetInstance().StartOndemandSystemAbility(systemAbilityId);
108 LocalAbilityManager::GetInstance().StopOndemandSystemAbility(systemAbilityId);
109
110 LocalAbilityManager::GetInstance().GetStartReason(systemAbilityId);
111 LocalAbilityManager::GetInstance().GetStopReason(systemAbilityId);
112 LocalAbilityManager::GetInstance().JsonToOnDemandReason(nullptr);
113 LocalAbilityManager::GetInstance().SetStartReason(systemAbilityId, nullptr);
114 LocalAbilityManager::GetInstance().SetStopReason(systemAbilityId, nullptr);
115 LocalAbilityManager::GetInstance().OnStartAbility(systemAbilityId);
116 LocalAbilityManager::GetInstance().OnStopAbility(systemAbilityId);
117 LocalAbilityManager::GetInstance().StartAbility(systemAbilityId, eventStr);
118 LocalAbilityManager::GetInstance().StopAbility(systemAbilityId, eventStr);
119 LocalAbilityManager::GetInstance().InitializeOnDemandSaProfile(systemAbilityId);
120 LocalAbilityManager::GetInstance().InitializeSaProfilesInnerLocked(saProfile);
121 LocalAbilityManager::GetInstance().StartDependSaTask(ability);
122 LocalAbilityManager::GetInstance().RegisterOnDemandSystemAbility(systemAbilityId);
123 LocalAbilityManager::GetInstance().NeedRegisterOnDemand(saProfile, systemAbilityId);
124 LocalAbilityManager::GetInstance().Run(systemAbilityId);
125 LocalAbilityManager::GetInstance().AddLocalAbilityManager();
126 }
127
FuzzIpcStatCmdProc(const uint8_t * rawData,size_t size)128 void FuzzIpcStatCmdProc(const uint8_t* rawData, size_t size)
129 {
130 SaMockPermission::MockPermission();
131 g_baseFuzzData = rawData;
132 g_baseFuzzSize = size;
133 g_baseFuzzPos = 0;
134 MessageParcel data;
135 data.WriteInterfaceToken(LOCAL_ABILITY_MANAGER_INTERFACE_TOKEN);
136 int32_t fd = GetData<int32_t>();
137 data.WriteFileDescriptor(fd);
138 int32_t cmd = GetData<int32_t>();
139 data.WriteInt32(cmd);
140 MessageParcel reply;
141 MessageOption option;
142 LocalAbilityManager::GetInstance().OnRemoteRequest(static_cast<uint32_t>(
143 SafwkInterfaceCode::IPC_STAT_CMD_TRANSACTION), data, reply, option);
144 }
145
FuzzSystemAbilityFwk(const uint8_t * rawData,size_t size)146 void FuzzSystemAbilityFwk(const uint8_t* rawData, size_t size)
147 {
148 SaMockPermission::MockPermission();
149 uint32_t code = ConvertToUint32(rawData);
150 rawData = rawData + OFFSET;
151 size = size - OFFSET;
152 MessageParcel data;
153 data.WriteInterfaceToken(LOCAL_ABILITY_MANAGER_INTERFACE_TOKEN);
154 data.WriteBuffer(rawData, size);
155 data.RewindRead(0);
156 MessageParcel reply;
157 MessageOption option;
158 LocalAbilityManager::GetInstance().OnRemoteRequest(code % MAX_CALL_TRANSACTION, data, reply, option);
159 usleep(USLEEP_NUM);
160 }
161 }
162 }
163
164 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)165 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
166 {
167 if (size < OHOS::Samgr::THRESHOLD) {
168 return 0;
169 }
170
171 OHOS::Samgr::FuzzSystemAbilityFwk(data, size);
172 OHOS::Samgr::FuzzIpcStatCmdProc(data, size);
173 OHOS::Samgr::FuzzLocalAbilityManager(data, size);
174 return 0;
175 }
176
177