1 /*
2 * Copyright (c) 2022 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "dslm_fuzzer.h"
17
18 #include "securec.h"
19 #include "parcel.h"
20
21 #include "device_security_defines.h"
22 #include "utils_log.h"
23 #include "device_security_level_callback_stub.h"
24 #include "dslm_service.h"
25
26 extern "C" int32_t OnPeerMsgReceived(const DeviceIdentify *devId, const uint8_t *msg, uint32_t len);
27
28 namespace OHOS {
29 namespace Security {
30 namespace DeviceSecurityLevel {
31 namespace {
32 const uint8_t mockBuffer[DEVICE_ID_MAX_LEN] = {0};
33
34 DslmService g_dslmService(DEVICE_SECURITY_LEVEL_MANAGER_SA_ID, true);
35
OnPeerMsgReceivedFuzzer(Parcel & parcel)36 void OnPeerMsgReceivedFuzzer(Parcel &parcel)
37 {
38 SECURITY_LOG_INFO("begin");
39 DeviceIdentify deviceIdentify = {};
40 deviceIdentify.length = parcel.ReadUint32();
41 const uint8_t *buffer = parcel.ReadBuffer(DEVICE_ID_MAX_LEN);
42 if (buffer != nullptr) {
43 (void)memcpy_s(deviceIdentify.identity, DEVICE_ID_MAX_LEN, buffer, DEVICE_ID_MAX_LEN);
44 }
45 OnPeerMsgReceived(&deviceIdentify,
46 reinterpret_cast<const uint8_t *>(parcel.GetData() + parcel.GetReadPosition()), parcel.GetReadableBytes());
47 SECURITY_LOG_INFO("end");
48 }
49
OnRemoteRequestFuzzer(Parcel & parcel)50 void OnRemoteRequestFuzzer(Parcel &parcel)
51 {
52 SECURITY_LOG_INFO("begin");
53 MessageParcel data;
54 MessageParcel reply;
55 MessageOption option;
56
57 data.WriteInterfaceToken(IDeviceSecurityLevel::GetDescriptor());
58
59 /* DeviceIdentify */
60 data.WriteUint32(parcel.ReadUint32());
61 const uint8_t *buffer = parcel.ReadBuffer(DEVICE_ID_MAX_LEN);
62 if (buffer == nullptr) {
63 data.WriteBuffer(mockBuffer, DEVICE_ID_MAX_LEN);
64 } else {
65 data.WriteBuffer(buffer, DEVICE_ID_MAX_LEN);
66 }
67
68 /* option */
69 data.WriteUint64(parcel.ReadUint64());
70 data.WriteUint32(parcel.ReadUint32());
71 data.WriteUint32(parcel.ReadUint32());
72
73 sptr<IRemoteObject> callback = new (std::nothrow) DeviceSecurityLevelCallbackStub(
74 [](uint32_t code, MessageParcel &data, MessageParcel &reply, MessageOption &option) {
75 SECURITY_LOG_INFO("DeviceSecurityLevelCallbackStub called");
76 return 0;
77 });
78 /* callback */
79 data.WriteRemoteObject(callback);
80 /* cookie */
81 data.WriteUint32(parcel.ReadUint32());
82
83 g_dslmService.OnRemoteRequest(parcel.ReadUint32(), data, reply, option);
84 SECURITY_LOG_INFO("end");
85 }
86
DslmFuzzTest(const uint8_t * data,size_t size)87 void DslmFuzzTest(const uint8_t *data, size_t size)
88 {
89 Parcel parcel;
90 parcel.WriteBuffer(data, size);
91 parcel.RewindRead(0);
92 if (parcel.ReadBool()) {
93 OnPeerMsgReceivedFuzzer(parcel);
94 } else {
95 OnRemoteRequestFuzzer(parcel);
96 }
97 }
98 }
99 } // namespace DeviceSecurityLevel
100 } // namespace Security
101 } // namespace OHOS
102
103 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)104 extern "C" int32_t LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
105 {
106 OHOS::Security::DeviceSecurityLevel::DslmFuzzTest(data, size);
107 return 0;
108 }
109