1 /*
2  * Copyright (c) 2022 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  *     http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #include "windowipc_fuzzer.h"
17 
18 #include <iremote_broker.h>
19 #include <iservice_registry.h>
20 #include <securec.h>
21 #include <system_ability_definition.h>
22 
23 #include "zidl/window_manager_proxy.h"
24 #include "window_manager_hilog.h"
25 
26 namespace OHOS ::Rosen {
namespace {
// HiLog label used by the WLOGF* macros in this translation unit.
// NOTE(review): the tag reads "DisplayManagerIPC_Fuzzer" although this harness
// targets WINDOW_MANAGER_SERVICE_ID; confirm whether log filters depend on the
// current tag before renaming it.
constexpr HiviewDFX::HiLogLabel LABEL { LOG_CORE, HILOG_DOMAIN_DISPLAY, "DisplayManagerIPC_Fuzzer" };
} // namespace
// Copies the leading sizeof(T) bytes of the fuzz buffer into `object`.
//
// object: destination; not written when the buffer is too short.
// data:   start of the unread fuzz input.
// size:   number of bytes available at `data`.
//
// Returns sizeof(T) on success and 0 otherwise, so a caller that adds the
// result to its read offset does not advance past bytes it never consumed.
template<class T>
size_t GetObject(T& object, const uint8_t* data, size_t size)
{
    constexpr size_t needed = sizeof(T);
    if (size < needed) {
        return 0;
    }
    // memcpy_s reports failure through its return code; map anything but EOK to "nothing read".
    if (memcpy_s(&object, needed, data, needed) != EOK) {
        return 0;
    }
    return needed;
}
39 
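// Looks up the window manager service through the system ability manager.
//
// Returns { typed IWindowManager proxy, raw IRemoteObject } for
// WINDOW_MANAGER_SERVICE_ID, or { nullptr, nullptr } when any lookup step
// fails. The raw object is returned as well so callers can issue SendRequest
// with arbitrary transaction codes instead of going through the typed proxy.
std::pair<sptr<IWindowManager>, sptr<IRemoteObject>> GetProxy()
{
    sptr<ISystemAbilityManager> systemAbilityManager =
        SystemAbilityManagerClient::GetInstance().GetSystemAbilityManager();
    if (!systemAbilityManager) {
        WLOGFE("Failed to get system ability mgr.");
        return { nullptr, nullptr };
    }
    sptr<IRemoteObject> remoteObject = systemAbilityManager->GetSystemAbility(WINDOW_MANAGER_SERVICE_ID);
    if (!remoteObject) {
        // The messages below name the service that is actually requested, so a
        // harness that silently does nothing is triaged against the right service.
        WLOGFE("Failed to get window manager service.");
        return { nullptr, nullptr };
    }
    sptr<IWindowManager> windowManagerServiceProxy = iface_cast<IWindowManager>(remoteObject);
    if ((!windowManagerServiceProxy) || (!windowManagerServiceProxy->AsObject())) {
        WLOGFE("Failed to get window manager service proxy.");
        return { nullptr, nullptr };
    }
    return { windowManagerServiceProxy, remoteObject };
}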
60 
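// Sends one request to the window manager service whose transaction code,
// MessageOption flags/wait time and payload all come from the fuzz input.
//
// Input layout: [uint32_t code][int flags][int waitTime][payload ...].
//
// Returns false when the input is too short for the header, the service
// cannot be reached, or the header cannot be decoded; true once the request
// has been issued. The SendRequest result is deliberately not inspected.
//
// NOTE(review): no interface token is written here, unlike IPCInterfaceFuzzTest;
// presumably this exercises how the stub handles requests without a valid
// descriptor - confirm against the stub's OnRemoteRequest.
bool IPCFuzzTest(const uint8_t* data, size_t size)
{
    // Value-initialised so that a failed copy can never feed indeterminate
    // values into the request, which would make a finding non-reproducible.
    uint32_t code = 0;
    int flags = 0;
    int waitTime = 0;
    constexpr size_t headerSize = sizeof(code) + sizeof(flags) + sizeof(waitTime);
    if (data == nullptr || size < headerSize) {
        return false;
    }
    auto proxy = GetProxy();
    if (proxy.first == nullptr || proxy.second == nullptr) {
        return false;
    }
    size_t startPos = 0;
    startPos += GetObject<uint32_t>(code, data + startPos, size - startPos);
    startPos += GetObject<int>(flags, data + startPos, size - startPos);
    startPos += GetObject<int>(waitTime, data + startPos, size - startPos);
    if (startPos != headerSize) {
        // GetObject returns 0 on failure; a short total means a field was not decoded.
        return false;
    }
    MessageParcel sendData;
    MessageParcel reply;
    MessageOption option(flags, waitTime);
    // Everything after the header is forwarded verbatim as the parcel payload.
    sendData.WriteBuffer(data + startPos, size - startPos);
    proxy.second->SendRequest(code, sendData, reply, option);
    return true;
}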
83 
// Issues the first group of window manager transactions, one SendRequest per
// code and in the listed order, all sharing the caller's parcels and option.
// Results of the individual requests are not inspected.
void IPCSpecificInterfaceFuzzTest1(sptr<IRemoteObject> proxy, MessageParcel& sendData, MessageParcel& reply,
    MessageOption& option)
{
    using Msg = IWindowManager::WindowManagerMessage;
    static constexpr Msg codes[] = {
        Msg::TRANS_ID_CREATE_WINDOW,
        Msg::TRANS_ID_ADD_WINDOW,
        Msg::TRANS_ID_REMOVE_WINDOW,
        Msg::TRANS_ID_DESTROY_WINDOW,
        Msg::TRANS_ID_REQUEST_FOCUS,
        Msg::TRANS_ID_REGISTER_FOCUS_CHANGED_LISTENER,
        Msg::TRANS_ID_UNREGISTER_FOCUS_CHANGED_LISTENER,
        Msg::TRANS_ID_REGISTER_WINDOW_MANAGER_AGENT,
        Msg::TRANS_ID_UNREGISTER_WINDOW_MANAGER_AGENT,
        Msg::TRANS_ID_GET_AVOID_AREA,
        Msg::TRANS_ID_GET_TOP_WINDOW_ID,
        Msg::TRANS_ID_NOTIFY_READY_MOVE_OR_DRAG,
        Msg::TRANS_ID_PROCESS_POINT_DOWN,
        Msg::TRANS_ID_PROCESS_POINT_UP,
        Msg::TRANS_ID_MINIMIZE_ALL_APP_WINDOWS,
    };
    for (const Msg msg : codes) {
        proxy->SendRequest(static_cast<uint32_t>(msg), sendData, reply, option);
    }
}
122 
// Issues the second group of window manager transactions, one SendRequest per
// code and in the listed order, all sharing the caller's parcels and option.
// Results of the individual requests are not inspected.
void IPCSpecificInterfaceFuzzTest2(sptr<IRemoteObject> proxy, MessageParcel& sendData, MessageParcel& reply,
    MessageOption& option)
{
    using Msg = IWindowManager::WindowManagerMessage;
    static constexpr Msg codes[] = {
        Msg::TRANS_ID_TOGGLE_SHOWN_STATE_FOR_ALL_APP_WINDOWS,
        Msg::TRANS_ID_SET_BACKGROUND_BLUR,
        Msg::TRANS_ID_SET_ALPHA,
        Msg::TRANS_ID_UPDATE_LAYOUT_MODE,
        Msg::TRANS_ID_UPDATE_PROPERTY,
        Msg::TRANS_ID_GET_ACCESSIBILITY_WINDOW_INFO_ID,
        Msg::TRANS_ID_ANIMATION_SET_CONTROLLER,
        Msg::TRANS_ID_GET_SYSTEM_CONFIG,
        Msg::TRANS_ID_NOTIFY_WINDOW_TRANSITION,
        Msg::TRANS_ID_GET_FULLSCREEN_AND_SPLIT_HOT_ZONE,
    };
    for (const Msg msg : codes) {
        proxy->SendRequest(static_cast<uint32_t>(msg), sendData, reply, option);
    }
}
151 
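// Sends the fuzz payload, prefixed with the proxy's own interface descriptor,
// to every transaction code listed in IPCSpecificInterfaceFuzzTest1/2.
//
// Input layout: [int flags][int waitTime][payload ...].
//
// Returns false when the input is too short for the header, the service
// cannot be reached, or the header cannot be decoded; true once all requests
// have been issued. The same sendData/reply/option objects are reused for
// every request and no reply is inspected.
bool IPCInterfaceFuzzTest(const uint8_t* data, size_t size)
{
    // Value-initialised so that a failed copy can never feed indeterminate
    // values into MessageOption, which would make a finding non-reproducible.
    int flags = 0;
    int waitTime = 0;
    constexpr size_t headerSize = sizeof(flags) + sizeof(waitTime);
    if (data == nullptr || size < headerSize) {
        return false;
    }
    auto proxy = GetProxy();
    if (proxy.first == nullptr || proxy.second == nullptr) {
        return false;
    }
    size_t startPos = 0;
    startPos += GetObject<int>(flags, data + startPos, size - startPos);
    startPos += GetObject<int>(waitTime, data + startPos, size - startPos);
    if (startPos != headerSize) {
        // GetObject returns 0 on failure; a short total means a field was not decoded.
        return false;
    }
    MessageParcel sendData;
    MessageParcel reply;
    MessageOption option(flags, waitTime);
    // Descriptor first, then the raw remainder of the input as the payload.
    sendData.WriteInterfaceToken(proxy.first->GetDescriptor());
    sendData.WriteBuffer(data + startPos, size - startPos);
    IPCSpecificInterfaceFuzzTest1(proxy.second, sendData, reply, option);
    IPCSpecificInterfaceFuzzTest2(proxy.second, sendData, reply, option);
    return true;
}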
174 } // namespace.OHOS::Rosen
175 
/*
 * Fuzzer entry point: feeds the same input first to the raw-code harness and
 * then to the per-interface harness. Both results are ignored and 0 is always
 * returned.
 */
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
{
    namespace Harness = OHOS::Rosen;
    (void)Harness::IPCFuzzTest(data, size);
    (void)Harness::IPCInterfaceFuzzTest(data, size);
    return 0;
}