1 /*
2 * Copyright (c) 2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "samgrcoverage_fuzzer.h"
17
18 #define private public
19 #include "if_system_ability_manager.h"
20 #include "itest_transaction_service.h"
21 #include "sa_status_change_mock.h"
22 #include "sam_mock_permission.h"
23 #include "ability_death_recipient.h"
24 #include "system_ability_manager.h"
25 #include "iservice_registry.h"
26 #include "hisysevent_adapter.h"
27
28 #include <cinttypes>
29 #include <cstddef>
30 #include <cstdint>
31 #include <unistd.h>
32 #include <cstdlib>
33 #include <fcntl.h>
34
35 namespace OHOS {
36 namespace Samgr {
37 namespace {
38 constexpr size_t THRESHOLD = 10;
39 constexpr int32_t SAID = 1493;
40 }
41
BuildInt32FromData(const uint8_t * data,size_t size)42 int32_t BuildInt32FromData(const uint8_t* data, size_t size)
43 {
44 if ((data == nullptr) || (size < sizeof(int32_t))) {
45 return 0;
46 }
47 int32_t int32Val = *reinterpret_cast<const int32_t *>(data);
48 return int32Val;
49 }
50
BuildStringFromData(const uint8_t * data,size_t size)51 std::string BuildStringFromData(const uint8_t* data, size_t size)
52 {
53 if ((data == nullptr) || (size == 0)) {
54 return "";
55 }
56 std::string strVal(reinterpret_cast<const char *>(data), size);
57 return strVal;
58 }
59
FuzzOndemandLoad(const uint8_t * data,size_t size)60 void FuzzOndemandLoad(const uint8_t* data, size_t size)
61 {
62 sptr<SystemAbilityManager> saMgr = SystemAbilityManager::GetInstance();
63 if (saMgr == nullptr) {
64 return;
65 }
66 std::string procName = BuildStringFromData(data, size);
67 std::u16string procNameU16 = Str8ToStr16(procName);
68 int32_t saId = BuildInt32FromData(data, size);
69 SystemAbilityManager::AbilityItem abilityItem;
70 ISystemAbilityManager::SAExtraProp saExtraProp;
71 bool isExist = false;
72 saMgr->AddSamgrToAbilityMap();
73 saMgr->OndemandLoad();
74 saMgr->DoLoadForPerf();
75 saMgr->RemoveWhiteCommonEvent();
76 OnDemandEvent onDemandEvent;
77 SaControlInfo saControlInfo;
78 std::list<SaControlInfo> saControlList;
79 saControlList.emplace_back(saControlInfo);
80 saMgr->ProcessOnDemandEvent(onDemandEvent, saControlList);
81 saMgr->GetSystemAbilityFromRemote(saId);
82 saMgr->startingAbilityMap_[saId] = abilityItem;
83 saMgr->StartOnDemandAbility(procNameU16, saId);
84 saMgr->startingAbilityMap_.clear();
85 saMgr->StopOnDemandAbility(procNameU16, saId, onDemandEvent);
86 saMgr->AddOnDemandSystemAbilityInfo(saId, procNameU16);
87 saMgr->StartOnDemandAbility(saId, isExist);
88
89 sptr<IRemoteObject> testAbility = new TestTransactionService();
90 saMgr->AddSystemAbility(SAID, testAbility, saExtraProp);
91 nlohmann::json reason;
92 int32_t delayTime = 0;
93 saMgr->IdleSystemAbility(SAID, procNameU16, reason, delayTime);
94 saMgr->ActiveSystemAbility(SAID, procNameU16, reason);
95 saMgr->RemoveSystemAbility(SAID);
96 saMgr->AddSystemAbility(SAID, testAbility, saExtraProp);
97 saMgr->RemoveDiedSystemAbility(SAID);
98 saMgr->AddSystemAbility(SAID, testAbility, saExtraProp);
99 saMgr->RemoveSystemAbility(testAbility);
100 }
101
FuzzRemoveSystemProcess(const uint8_t * data,size_t size)102 void FuzzRemoveSystemProcess(const uint8_t* data, size_t size)
103 {
104 sptr<SystemAbilityManager> saMgr = SystemAbilityManager::GetInstance();
105 if (saMgr == nullptr) {
106 return;
107 }
108 std::string procName = BuildStringFromData(data, size);
109 std::u16string procNameU16 = Str8ToStr16(procName);
110 sptr<IRemoteObject> testAbility(new SaStatusChangeMock());
111 saMgr->AddSystemProcess(procNameU16, testAbility);
112 saMgr->RemoveSystemProcess(testAbility);
113
114 sptr<SaStatusChangeMock> callback(new SaStatusChangeMock());
115 saMgr->listenerMap_[SAID].push_back({callback, SAID});
116 auto& count = saMgr->subscribeCountMap_[SAID];
117 ++count;
118 saMgr->UnSubscribeSystemAbility(callback->AsObject());
119
120 u16string name = u"test";
121 string srcDeviceId = "srcDeviceId";
122 saMgr->startingProcessMap_.clear();
123 sptr<SystemAbilityLoadCallbackMock> callbackOne = new SystemAbilityLoadCallbackMock();
124 SystemAbilityManager::AbilityItem abilityItem;
125 abilityItem.callbackMap[srcDeviceId].push_back(make_pair(callbackOne, SAID));
126 saMgr->startingAbilityMap_[SAID] = abilityItem;
127 saMgr->CleanCallbackForLoadFailed(SAID, name, srcDeviceId, callbackOne);
128 }
129
FuzzNotifySystemAbilityLoaded(const uint8_t * data,size_t size)130 void FuzzNotifySystemAbilityLoaded(const uint8_t* data, size_t size)
131 {
132 sptr<SystemAbilityManager> saMgr = SystemAbilityManager::GetInstance();
133 if (saMgr == nullptr) {
134 return;
135 }
136 sptr<SystemAbilityLoadCallbackMock> callback = new SystemAbilityLoadCallbackMock();
137 sptr<IRemoteObject> remoteObject = new TestTransactionService();
138 saMgr->NotifySystemAbilityLoaded(SAID, remoteObject, callback);
139 string srcDeviceId = "srcDeviceId";
140 int32_t systemAbilityId = 401;
141 saMgr->LoadSystemAbilityFromRpc(srcDeviceId, systemAbilityId, callback);
142 saMgr->CheckSaIsImmediatelyRecycle(systemAbilityId);
143
144 saMgr->startingAbilityMap_.clear();
145 sptr<ISystemAbilityLoadCallback> mockLoadCallback1 = new SystemAbilityLoadCallbackMock();
146 std::map<std::string, SystemAbilityManager::CallbackList> mockCallbackMap1 = {
147 {"111111", {{mockLoadCallback1, 0}}}
148 };
149 SystemAbilityManager::AbilityItem mockAbilityItem1 = {
150 SystemAbilityManager::AbilityState::INIT, mockCallbackMap1
151 };
152 saMgr->startingAbilityMap_[SAID] = mockAbilityItem1;
153 saMgr->OnAbilityCallbackDied(mockLoadCallback1->AsObject());
154
155 saMgr->remoteCallbacks_.clear();
156 sptr<ISystemAbilityLoadCallback> mockLoadCallback2 = new SystemAbilityLoadCallbackMock();
157 saMgr->remoteCallbacks_ = {
158 {"11111", {mockLoadCallback2}}
159 };
160 saMgr->OnRemoteCallbackDied(mockLoadCallback2->AsObject());
161
162 sptr<SystemAbilityLoadCallbackMock> callback2 = new SystemAbilityLoadCallbackMock();
163 list<sptr<ISystemAbilityLoadCallback>> callbacks;
164 callbacks.push_back(callback2);
165 saMgr->remoteCallbackDeath_ = sptr<IRemoteObject::DeathRecipient>(new RemoteCallbackDeathRecipient());
166 saMgr->RemoveRemoteCallbackLocked(callbacks, callback2);
167 }
168 }
169 }
170
171 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)172 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
173 {
174 if (size < OHOS::Samgr::THRESHOLD) {
175 return 0;
176 }
177 OHOS::Samgr::FuzzOndemandLoad(data, size);
178 OHOS::Samgr::FuzzRemoveSystemProcess(data, size);
179 OHOS::Samgr::FuzzNotifySystemAbilityLoaded(data, size);
180 return 0;
181 }
182
183