1 /*
2 * Copyright (c) 2023 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "screensessionmanager_fuzzer.h"
17
18 #include <iremote_broker.h>
19 #include <iservice_registry.h>
20 #include <system_ability_definition.h>
21
22 #include "session_manager.h"
23 #include "zidl/screen_session_manager_proxy.h"
24 #include "zidl/mock_session_manager_service_interface.h"
25 #include "window_manager_hilog.h"
26 #include "data_source.h"
27
28 namespace OHOS::Rosen {
29 namespace {
30 constexpr HiviewDFX::HiLogLabel LABEL = {LOG_CORE, HILOG_DOMAIN_WINDOW, "ScreenSessionManagerFuzzTest"};
31 }
32
33 using DMMessage = DisplayManagerMessage;
34
GetProxy()35 std::pair<sptr<IScreenSessionManager>, sptr<IRemoteObject>> GetProxy()
36 {
37 sptr<ISystemAbilityManager> systemAbilityManager =
38 SystemAbilityManagerClient::GetInstance().GetSystemAbilityManager();
39 if (!systemAbilityManager) {
40 WLOGFE("Failed to get system ability mgr");
41 return {nullptr, nullptr};
42 }
43
44 sptr<IRemoteObject> remoteObject = systemAbilityManager->GetSystemAbility(DISPLAY_MANAGER_SERVICE_SA_ID);
45 if (!remoteObject) {
46 WLOGFE("Remote object is nullptr");
47 return {nullptr, nullptr};
48 }
49
50 auto screenSessionManagerProxy = iface_cast<IScreenSessionManager>(remoteObject);
51 if (!screenSessionManagerProxy) {
52 WLOGFE("Get screen session manager proxy failed, nullptr");
53 return {nullptr, nullptr};
54 }
55
56 WLOGFD("GetProxy success");
57
58 return {screenSessionManagerProxy, remoteObject};
59 }
60
IPCFuzzTest(const uint8_t * data,size_t size)61 void IPCFuzzTest(const uint8_t* data, size_t size)
62 {
63 auto [proxy, remoteObject] = GetProxy();
64 if (!proxy || !remoteObject) {
65 return;
66 }
67
68 DataSource source(data, size);
69 uint32_t code = source.GetObject<uint32_t>();
70 int flags = source.GetObject<int>();
71 int waitTime = source.GetObject<int>();
72
73 MessageParcel sendData;
74 MessageParcel reply;
75 MessageOption option(flags, waitTime);
76 auto rawSize = source.size_ - source.pos_;
77 auto buf = source.GetRaw(rawSize);
78 if (buf) {
79 sendData.WriteBuffer(buf, rawSize);
80 }
81 remoteObject->SendRequest(code, sendData, reply, option);
82 }
83
IPCSpecificInterfaceFuzzTest1(sptr<IRemoteObject> proxy,MessageParcel & sendData,MessageParcel & reply,MessageOption & option)84 void IPCSpecificInterfaceFuzzTest1(sptr<IRemoteObject> proxy, MessageParcel& sendData, MessageParcel& reply,
85 MessageOption& option)
86 {
87 proxy->SendRequest(static_cast<uint32_t>(DMMessage::TRANS_ID_GET_DEFAULT_DISPLAY_INFO),
88 sendData, reply, option);
89 proxy->SendRequest(static_cast<uint32_t>(DMMessage::TRANS_ID_REGISTER_DISPLAY_MANAGER_AGENT),
90 sendData, reply, option);
91 proxy->SendRequest(static_cast<uint32_t>(DMMessage::TRANS_ID_UNREGISTER_DISPLAY_MANAGER_AGENT),
92 sendData, reply, option);
93 proxy->SendRequest(static_cast<uint32_t>(DMMessage::TRANS_ID_WAKE_UP_BEGIN),
94 sendData, reply, option);
95 proxy->SendRequest(static_cast<uint32_t>(DMMessage::TRANS_ID_WAKE_UP_END),
96 sendData, reply, option);
97 proxy->SendRequest(static_cast<uint32_t>(DMMessage::TRANS_ID_SUSPEND_BEGIN),
98 sendData, reply, option);
99 proxy->SendRequest(static_cast<uint32_t>(DMMessage::TRANS_ID_SUSPEND_END),
100 sendData, reply, option);
101 proxy->SendRequest(static_cast<uint32_t>(DMMessage::TRANS_ID_SET_DISPLAY_STATE),
102 sendData, reply, option);
103 proxy->SendRequest(static_cast<uint32_t>(DMMessage::TRANS_ID_SET_SCREEN_POWER_FOR_ALL),
104 sendData, reply, option);
105 proxy->SendRequest(static_cast<uint32_t>(DMMessage::TRANS_ID_GET_DISPLAY_STATE),
106 sendData, reply, option);
107 proxy->SendRequest(static_cast<uint32_t>(DMMessage::TRANS_ID_NOTIFY_DISPLAY_EVENT),
108 sendData, reply, option);
109 proxy->SendRequest(static_cast<uint32_t>(DMMessage::TRANS_ID_GET_SCREEN_POWER),
110 sendData, reply, option);
111 proxy->SendRequest(static_cast<uint32_t>(DMMessage::TRANS_ID_GET_DISPLAY_BY_ID),
112 sendData, reply, option);
113 proxy->SendRequest(static_cast<uint32_t>(DMMessage::TRANS_ID_GET_DISPLAY_BY_SCREEN),
114 sendData, reply, option);
115 proxy->SendRequest(static_cast<uint32_t>(DMMessage::TRANS_ID_GET_ALL_DISPLAYIDS),
116 sendData, reply, option);
117 proxy->SendRequest(static_cast<uint32_t>(DMMessage::TRANS_ID_GET_SCREEN_INFO_BY_ID),
118 sendData, reply, option);
119 }
120
IPCSpecificInterfaceFuzzTest2(sptr<IRemoteObject> proxy,MessageParcel & sendData,MessageParcel & reply,MessageOption & option)121 void IPCSpecificInterfaceFuzzTest2(sptr<IRemoteObject> proxy, MessageParcel& sendData, MessageParcel& reply,
122 MessageOption& option)
123 {
124 proxy->SendRequest(static_cast<uint32_t>(DMMessage::TRANS_ID_GET_ALL_SCREEN_INFOS),
125 sendData, reply, option);
126 proxy->SendRequest(static_cast<uint32_t>(DMMessage::TRANS_ID_SCREEN_GET_SUPPORTED_COLOR_GAMUTS),
127 sendData, reply, option);
128 proxy->SendRequest(static_cast<uint32_t>(DMMessage::TRANS_ID_CREATE_VIRTUAL_SCREEN),
129 sendData, reply, option);
130 proxy->SendRequest(static_cast<uint32_t>(DMMessage::TRANS_ID_SET_VIRTUAL_SCREEN_SURFACE),
131 sendData, reply, option);
132 proxy->SendRequest(static_cast<uint32_t>(DMMessage::TRANS_ID_DESTROY_VIRTUAL_SCREEN),
133 sendData, reply, option);
134 proxy->SendRequest(static_cast<uint32_t>(DMMessage::TRANS_ID_SCREEN_MAKE_MIRROR),
135 sendData, reply, option);
136 proxy->SendRequest(static_cast<uint32_t>(DMMessage::TRANS_ID_SCREEN_STOP_MIRROR),
137 sendData, reply, option);
138 proxy->SendRequest(static_cast<uint32_t>(DMMessage::TRANS_ID_SCREEN_MAKE_EXPAND),
139 sendData, reply, option);
140 proxy->SendRequest(static_cast<uint32_t>(DMMessage::TRANS_ID_SCREEN_STOP_EXPAND),
141 sendData, reply, option);
142 proxy->SendRequest(static_cast<uint32_t>(DMMessage::TRANS_ID_GET_SCREEN_GROUP_INFO_BY_ID),
143 sendData, reply, option);
144 proxy->SendRequest(static_cast<uint32_t>(DMMessage::TRANS_ID_REMOVE_VIRTUAL_SCREEN_FROM_SCREEN_GROUP),
145 sendData, reply, option);
146 proxy->SendRequest(static_cast<uint32_t>(DMMessage::TRANS_ID_GET_DISPLAY_SNAPSHOT),
147 sendData, reply, option);
148 proxy->SendRequest(static_cast<uint32_t>(DMMessage::TRANS_ID_SET_SCREEN_ACTIVE_MODE),
149 sendData, reply, option);
150 proxy->SendRequest(static_cast<uint32_t>(DMMessage::TRANS_ID_SET_VIRTUAL_PIXEL_RATIO),
151 sendData, reply, option);
152 proxy->SendRequest(static_cast<uint32_t>(DMMessage::TRANS_ID_SCREEN_GET_COLOR_GAMUT),
153 sendData, reply, option);
154 proxy->SendRequest(static_cast<uint32_t>(DMMessage::TRANS_ID_SCREEN_SET_COLOR_GAMUT),
155 sendData, reply, option);
156 }
157
IPCSpecificInterfaceFuzzTest3(sptr<IRemoteObject> proxy,MessageParcel & sendData,MessageParcel & reply,MessageOption & option)158 void IPCSpecificInterfaceFuzzTest3(sptr<IRemoteObject> proxy, MessageParcel& sendData, MessageParcel& reply,
159 MessageOption& option)
160 {
161 proxy->SendRequest(static_cast<uint32_t>(DMMessage::TRANS_ID_SCREEN_GET_GAMUT_MAP),
162 sendData, reply, option);
163 proxy->SendRequest(static_cast<uint32_t>(DMMessage::TRANS_ID_SCREEN_SET_GAMUT_MAP),
164 sendData, reply, option);
165 proxy->SendRequest(static_cast<uint32_t>(DMMessage::TRANS_ID_SCREEN_SET_COLOR_TRANSFORM),
166 sendData, reply, option);
167 proxy->SendRequest(static_cast<uint32_t>(DMMessage::TRANS_ID_SET_ORIENTATION),
168 sendData, reply, option);
169 proxy->SendRequest(static_cast<uint32_t>(DMMessage::TRANS_ID_SET_SCREEN_ROTATION_LOCKED),
170 sendData, reply, option);
171 proxy->SendRequest(static_cast<uint32_t>(DMMessage::TRANS_ID_IS_SCREEN_ROTATION_LOCKED),
172 sendData, reply, option);
173 proxy->SendRequest(static_cast<uint32_t>(DMMessage::TRANS_ID_GET_CUTOUT_INFO),
174 sendData, reply, option);
175 proxy->SendRequest(static_cast<uint32_t>(DMMessage::TRANS_ID_HAS_PRIVATE_WINDOW),
176 sendData, reply, option);
177 proxy->SendRequest(static_cast<uint32_t>(DMMessage::TRANS_ID_SCENE_BOARD_DUMP_ALL_SCREEN),
178 sendData, reply, option);
179 proxy->SendRequest(static_cast<uint32_t>(DMMessage::TRANS_ID_SCENE_BOARD_DUMP_SPECIAL_SCREEN),
180 sendData, reply, option);
181 proxy->SendRequest(static_cast<uint32_t>(DMMessage::TRANS_ID_SCENE_BOARD_SET_FOLD_DISPLAY_MODE),
182 sendData, reply, option);
183 proxy->SendRequest(static_cast<uint32_t>(DMMessage::TRANS_ID_SCENE_BOARD_GET_FOLD_DISPLAY_MODE),
184 sendData, reply, option);
185 proxy->SendRequest(static_cast<uint32_t>(DMMessage::TRANS_ID_SCENE_BOARD_IS_FOLDABLE),
186 sendData, reply, option);
187 proxy->SendRequest(static_cast<uint32_t>(DMMessage::TRANS_ID_SCENE_BOARD_GET_FOLD_STATUS),
188 sendData, reply, option);
189 proxy->SendRequest(static_cast<uint32_t>(DMMessage::TRANS_ID_SCENE_BOARD_GET_CURRENT_FOLD_CREASE_REGION),
190 sendData, reply, option);
191 }
192
IPCInterfaceFuzzTest(const uint8_t * data,size_t size)193 void IPCInterfaceFuzzTest(const uint8_t* data, size_t size)
194 {
195 auto [proxy, remoteObject] = GetProxy();
196 if (!proxy || !remoteObject) {
197 return;
198 }
199
200 DataSource source(data, size);
201 int flags = source.GetObject<int>();
202 int waitTime = source.GetObject<int>();
203
204 MessageParcel sendData;
205 MessageParcel reply;
206 MessageOption option(flags, waitTime);
207 sendData.WriteInterfaceToken(proxy->GetDescriptor());
208 auto rawSize = source.size_ - source.pos_;
209 auto buf = source.GetRaw(rawSize);
210 if (buf) {
211 sendData.WriteBuffer(buf, rawSize);
212 }
213 IPCSpecificInterfaceFuzzTest1(remoteObject, sendData, reply, option);
214 IPCSpecificInterfaceFuzzTest2(remoteObject, sendData, reply, option);
215 IPCSpecificInterfaceFuzzTest3(remoteObject, sendData, reply, option);
216 }
217
ProxyInterfaceFuzzTestPart1(const uint8_t * data,size_t size)218 void ProxyInterfaceFuzzTestPart1(const uint8_t* data, size_t size)
219 {
220 auto [proxy, remoteObject] = GetProxy();
221 if (!proxy || !remoteObject) {
222 return;
223 }
224
225 DataSource source(data, size);
226
227 proxy->GetDefaultDisplayInfo();
228
229 PowerStateChangeReason reason = source.GetObject<PowerStateChangeReason>();
230 proxy->WakeUpBegin(reason);
231 proxy->WakeUpEnd();
232
233 reason = source.GetObject<PowerStateChangeReason>();
234 proxy->SuspendBegin(reason);
235 proxy->SuspendEnd();
236
237 DisplayState displayState = source.GetObject<DisplayState>();
238 proxy->SetDisplayState(displayState);
239
240 ScreenPowerState powerState = source.GetObject<ScreenPowerState>();
241 reason = source.GetObject<PowerStateChangeReason>();
242 proxy->SetScreenPowerForAll(powerState, reason);
243
244 DisplayId displayId = source.GetObject<DisplayId>();
245 proxy->GetDisplayState(displayId);
246
247 DisplayEvent displayEvent = source.GetObject<DisplayEvent>();
248 proxy->NotifyDisplayEvent(displayEvent);
249
250 ScreenId dmsScreenId = source.GetObject<ScreenId>();
251 proxy->GetScreenPower(dmsScreenId);
252 }
253
ProxyInterfaceFuzzTestPart2(const uint8_t * data,size_t size)254 void ProxyInterfaceFuzzTestPart2(const uint8_t* data, size_t size)
255 {
256 auto [proxy, remoteObject] = GetProxy();
257 if (!proxy || !remoteObject) {
258 return;
259 }
260
261 DataSource source(data, size);
262
263 DisplayId displayId = source.GetObject<DisplayId>();
264 proxy->GetDisplayInfoById(displayId);
265
266 ScreenId dmsScreenId = source.GetObject<ScreenId>();
267 proxy->GetDisplayInfoByScreen(dmsScreenId);
268 proxy->GetAllDisplayIds();
269 proxy->GetScreenInfoById(dmsScreenId);
270
271 std::vector<sptr<ScreenInfo>> screenInfos;
272 proxy->GetAllScreenInfos(screenInfos);
273
274 dmsScreenId = source.GetObject<ScreenId>();
275 std::vector<ScreenColorGamut> colorGamuts;
276 proxy->GetScreenSupportedColorGamuts(dmsScreenId, colorGamuts);
277
278 VirtualScreenOption screenOption;
279 screenOption.name_ = source.GetString();
280 screenOption.width_ = source.GetObject<uint32_t>();
281 screenOption.height_ = source.GetObject<uint32_t>();
282 screenOption.density_ = source.GetObject<float>();
283 screenOption.flags_ = source.GetObject<int32_t>();
284 screenOption.isForShot_ = source.GetObject<bool>();
285 sptr<IRemoteObject> displayManagerAgent = nullptr;
286 proxy->CreateVirtualScreen(screenOption, displayManagerAgent);
287 }
288
ProxyInterfaceFuzzTestPart3(const uint8_t * data,size_t size)289 void ProxyInterfaceFuzzTestPart3(const uint8_t* data, size_t size)
290 {
291 auto [proxy, remoteObject] = GetProxy();
292 if (!proxy || !remoteObject) {
293 return;
294 }
295
296 DataSource source(data, size);
297
298 ScreenId screenId = source.GetObject<ScreenId>();
299 sptr<IBufferProducer> bufferProducer = nullptr;
300 proxy->SetVirtualScreenSurface(screenId, bufferProducer);
301 proxy->DestroyVirtualScreen(screenId);
302
303 ScreenId mainScreenId = source.GetObject<ScreenId>();
304 std::vector<ScreenId> screenIds{
305 source.GetObject<ScreenId>(), source.GetObject<ScreenId>(), source.GetObject<ScreenId>()};
306 ScreenId screenGroupId;
307 proxy->MakeMirror(mainScreenId, screenIds, screenGroupId);
308 proxy->StopMirror(screenIds);
309
310 std::vector<Point> startPoint{
311 source.GetObject<Point>(), source.GetObject<Point>(), source.GetObject<Point>()};
312 proxy->MakeExpand(screenIds, startPoint, screenGroupId);
313 proxy->StopExpand(screenIds);
314 proxy->RemoveVirtualScreenFromGroup(screenIds);
315
316 screenId = source.GetObject<ScreenId>();
317 proxy->GetScreenGroupInfoById(screenId);
318
319 DisplayId displayId = source.GetObject<DisplayId>();
320 proxy->GetDisplaySnapshot(displayId, nullptr);
321
322 screenId = source.GetObject<ScreenId>();
323 uint32_t modeId = source.GetObject<uint32_t>();
324 proxy->SetScreenActiveMode(screenId, modeId);
325 }
326
ProxyInterfaceFuzzTestPart4(const uint8_t * data,size_t size)327 void ProxyInterfaceFuzzTestPart4(const uint8_t* data, size_t size)
328 {
329 auto [proxy, remoteObject] = GetProxy();
330 if (!proxy || !remoteObject) {
331 return;
332 }
333
334 DataSource source(data, size);
335
336 ScreenId screenId = source.GetObject<ScreenId>();
337 float virtualPixelRatio = source.GetObject<float>();
338 proxy->SetVirtualPixelRatio(screenId, virtualPixelRatio);
339
340 screenId = source.GetObject<ScreenId>();
341 ScreenColorGamut colorGamut;
342 int32_t colorGamutIdx = source.GetObject<int32_t>();
343 proxy->GetScreenColorGamut(screenId, colorGamut);
344 proxy->SetScreenColorGamut(screenId, colorGamutIdx);
345
346 screenId = source.GetObject<ScreenId>();
347 ScreenGamutMap gamutMap = source.GetObject<ScreenGamutMap>();
348 proxy->SetScreenGamutMap(screenId, gamutMap);
349 proxy->GetScreenGamutMap(screenId, gamutMap);
350 proxy->SetScreenColorTransform(screenId);
351
352 screenId = source.GetObject<ScreenId>();
353 Orientation orientation = source.GetObject<Orientation>();
354 proxy->SetOrientation(screenId, orientation);
355
356 bool isLocked = source.GetObject<bool>();
357 proxy->SetScreenRotationLocked(isLocked);
358 proxy->IsScreenRotationLocked(isLocked);
359
360 DisplayId displayId = source.GetObject<DisplayId>();
361 proxy->GetCutoutInfo(displayId);
362 }
363
ProxyInterfaceFuzzTestPart5(const uint8_t * data,size_t size)364 void ProxyInterfaceFuzzTestPart5(const uint8_t* data, size_t size)
365 {
366 auto [proxy, remoteObject] = GetProxy();
367 if (!proxy || !remoteObject) {
368 return;
369 }
370
371 DataSource source(data, size);
372
373 DisplayId displayId = source.GetObject<DisplayId>();
374 bool hasPrivateWindow;
375 proxy->HasPrivateWindow(displayId, hasPrivateWindow);
376
377 ScreenId screenId = source.GetObject<ScreenId>();
378 std::string dumpInfo;
379 proxy->DumpAllScreensInfo(dumpInfo);
380 proxy->DumpSpecialScreenInfo(screenId, dumpInfo);
381
382 FoldDisplayMode displayMode = source.GetObject<FoldDisplayMode>();
383 proxy->SetFoldDisplayMode(displayMode);
384 proxy->GetFoldDisplayMode();
385 proxy->IsFoldable();
386 proxy->GetFoldStatus();
387 proxy->GetCurrentFoldCreaseRegion();
388 }
389
ProxyInterfaceFuzzTest(const uint8_t * data,size_t size)390 void ProxyInterfaceFuzzTest(const uint8_t* data, size_t size)
391 {
392 ProxyInterfaceFuzzTestPart1(data, size);
393 ProxyInterfaceFuzzTestPart2(data, size);
394 ProxyInterfaceFuzzTestPart3(data, size);
395 ProxyInterfaceFuzzTestPart4(data, size);
396 ProxyInterfaceFuzzTestPart5(data, size);
397 }
398 }
399
400 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)401 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
402 {
403 /* Run your code on data */
404 OHOS::Rosen::IPCFuzzTest(data, size);
405 OHOS::Rosen::IPCInterfaceFuzzTest(data, size);
406 OHOS::Rosen::ProxyInterfaceFuzzTest(data, size);
407 return 0;
408 }
409