1 /*
2 * Copyright (c) 2022 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "appmgrserviceinnerfirst_fuzzer.h"
17
18 #include <cstddef>
19 #include <cstdint>
20
21 #define private public
22 #include "app_mgr_service_inner.h"
23 #undef private
24
25 #include "ability_record.h"
26 #include "parcel.h"
27 #include "securec.h"
28
29 using namespace OHOS::AAFwk;
30 using namespace OHOS::AppExecFwk;
31
32 namespace OHOS {
33 namespace {
34 constexpr size_t FOO_MAX_LEN = 1024;
35 constexpr size_t U32_AT_SIZE = 4;
36 constexpr uint8_t ENABLE = 2;
37 constexpr size_t OFFSET_ZERO = 24;
38 constexpr size_t OFFSET_ONE = 16;
39 constexpr size_t OFFSET_TWO = 8;
40 }
GetU32Data(const char * ptr)41 uint32_t GetU32Data(const char* ptr)
42 {
43 // convert fuzz input data to an integer
44 return (ptr[0] << OFFSET_ZERO) | (ptr[1] << OFFSET_ONE) | (ptr[2] << OFFSET_TWO) | ptr[3];
45 }
GetFuzzAbilityToken()46 sptr<Token> GetFuzzAbilityToken()
47 {
48 sptr<Token> token = nullptr;
49 AbilityRequest abilityRequest;
50 abilityRequest.appInfo.bundleName = "com.example.fuzzTest";
51 abilityRequest.abilityInfo.name = "MainAbility";
52 abilityRequest.abilityInfo.type = AbilityType::PAGE;
53 std::shared_ptr<AbilityRecord> abilityRecord = AbilityRecord::CreateAbilityRecord(abilityRequest);
54 if (abilityRecord) {
55 token = abilityRecord->GetToken();
56 }
57 return token;
58 }
DoSomethingInterestingWithMyAPI(const char * data,size_t size)59 bool DoSomethingInterestingWithMyAPI(const char* data, size_t size)
60 {
61 AppMgrServiceInner* appMgrServiceInner = new AppMgrServiceInner();
62 sptr<IRemoteObject> token = GetFuzzAbilityToken();
63 sptr<IRemoteObject> preToken = nullptr;
64 std::shared_ptr<AbilityInfo> abilityInfo = std::make_shared<AbilityInfo>();
65 std::shared_ptr<ApplicationInfo> appInfo = std::make_shared<ApplicationInfo>();
66 std::shared_ptr<Want> want = std::make_shared<Want>();
67 appMgrServiceInner->LoadAbility(token, preToken, abilityInfo, appInfo, want);
68 appMgrServiceInner->CheckLoadAbilityConditions(token, abilityInfo, appInfo);
69 HapModuleInfo hapModuleInfo;
70 int32_t appIndex = static_cast<int32_t>(GetU32Data(data));
71 std::string processName(data, size);
72 appMgrServiceInner->MakeProcessName(abilityInfo, appInfo, hapModuleInfo, appIndex, processName);
73 appMgrServiceInner->MakeProcessName(appInfo, hapModuleInfo, processName);
74 AbilityInfo abilityInfoObj;
75 BundleInfo bundleInfo;
76 appMgrServiceInner->GetBundleAndHapInfo(abilityInfoObj, appInfo, bundleInfo, hapModuleInfo, appIndex);
77 pid_t pid = static_cast<pid_t>(GetU32Data(data));
78 sptr<IAppScheduler> appScheduler = nullptr;
79 appMgrServiceInner->AttachApplication(pid, appScheduler);
80 std::shared_ptr<AppRunningRecord> appRecord;
81 appMgrServiceInner->LaunchApplication(appRecord);
82 int32_t recordId = static_cast<int32_t>(GetU32Data(data));
83 appMgrServiceInner->AddAbilityStageDone(recordId);
84 appMgrServiceInner->ApplicationForegrounded(recordId);
85 appMgrServiceInner->ApplicationBackgrounded(recordId);
86 appMgrServiceInner->ApplicationTerminated(recordId);
87 std::string bundleName(data, size);
88 appMgrServiceInner->KillApplication(bundleName);
89 int uid = static_cast<int>(GetU32Data(data));
90 appMgrServiceInner->KillApplicationByUid(bundleName, uid);
91 appMgrServiceInner->KillApplicationSelf();
92 int userId = static_cast<int>(GetU32Data(data));
93 appMgrServiceInner->KillApplicationByUserId(bundleName, userId);
94 appMgrServiceInner->KillApplicationByUserIdLocked(bundleName, userId);
95 int32_t callerUid = static_cast<int32_t>(GetU32Data(data));
96 pid_t callerPid = static_cast<pid_t>(GetU32Data(data));
97 appMgrServiceInner->ClearUpApplicationData(bundleName, callerUid, callerPid);
98 std::vector<RunningProcessInfo> info;
99 appMgrServiceInner->GetAllRunningProcesses(info);
100 appMgrServiceInner->GetProcessRunningInfosByUserId(info, userId);
101 int32_t level = static_cast<int32_t>(GetU32Data(data));
102 appMgrServiceInner->NotifyMemoryLevel(level);
103 appMgrServiceInner->StartAbility(token, preToken, abilityInfo, appRecord, hapModuleInfo, want);
104 appMgrServiceInner->GetAppRunningRecordByAbilityToken(token);
105 appMgrServiceInner->AbilityTerminated(token);
106 appMgrServiceInner->GetAppRunningRecordByAppRecordId(recordId);
107 ApplicationState state = ApplicationState::APP_STATE_BEGIN;
108 bool needNotifyApp = *data % ENABLE;
109 appMgrServiceInner->OnAppStateChanged(appRecord, state, needNotifyApp);
110 std::shared_ptr<AbilityRunningRecord> ability;
111 AppExecFwk::AbilityState abilityState = AppExecFwk::AbilityState::ABILITY_STATE_BEGIN;
112 appMgrServiceInner->OnAbilityStateChanged(ability, abilityState);
113 std::string appName(data, size);
114 uint32_t startFlags = GetU32Data(data);
115 int32_t bundleIndex = static_cast<int32_t>(GetU32Data(data));
116 appMgrServiceInner->StartProcess(appName, processName, startFlags, appRecord, uid, bundleName, bundleIndex);
117 appMgrServiceInner->RemoveAppFromRecentList(appName, processName);
118 wptr<IRemoteObject> remote = nullptr;
119 bool isRenderProcess = *data % ENABLE;
120 appMgrServiceInner->OnRemoteDied(remote, isRenderProcess);
121 bool containsApp = *data % ENABLE;
122 appMgrServiceInner->ClearAppRunningData(appRecord, containsApp);
123 appMgrServiceInner->PushAppFront(recordId);
124 appMgrServiceInner->RemoveAppFromRecentListById(recordId);
125 appMgrServiceInner->AddAppToRecentList(appName, processName, pid, recordId);
126 appMgrServiceInner->GetAppTaskInfoById(recordId);
127 sptr<AppDeathRecipient> appDeathRecipient = nullptr;
128 appMgrServiceInner->AddAppDeathRecipient(pid, appDeathRecipient);
129 std::shared_ptr<AMSEventHandler> handler;
130 appMgrServiceInner->SetEventHandler(handler);
131 appMgrServiceInner->HandleAbilityAttachTimeOut(token);
132 appMgrServiceInner->PrepareTerminate(token);
133 int64_t eventId = static_cast<int64_t>(GetU32Data(data));
134 appMgrServiceInner->HandleTerminateApplicationTimeOut(eventId);
135 appMgrServiceInner->HandleAddAbilityStageTimeOut(eventId);
136 RunningProcessInfo runningProcessInfo;
137 appMgrServiceInner->GetRunningProcessInfoByToken(token, runningProcessInfo);
138 std::vector<AppExecFwk::BundleInfo> bundleInfos;
139 appMgrServiceInner->LoadResidentProcess(bundleInfos);
140 int restartCount = static_cast<int>(GetU32Data(data));
141 bool isEmptyKeepAliveApp = *data % ENABLE;
142 appMgrServiceInner->StartResidentProcess(bundleInfos, restartCount, isEmptyKeepAliveApp);
143 appMgrServiceInner->StartEmptyResidentProcess(bundleInfo, processName, restartCount, isEmptyKeepAliveApp);
144 appMgrServiceInner->RestartResidentProcess(appRecord);
145 const std::string eventData(data, size);
146 appMgrServiceInner->NotifyAppStatus(bundleName, eventData);
147 appMgrServiceInner->NotifyAppStatusByCallerUid(bundleName, static_cast<int32_t>(userId), callerUid, eventData);
148 return true;
149 }
150 }
151
152 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)153 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
154 {
155 /* Run your code on data */
156 if (data == nullptr) {
157 std::cout << "invalid data" << std::endl;
158 return 0;
159 }
160
161 /* Validate the length of size */
162 if (size > OHOS::FOO_MAX_LEN || size < OHOS::U32_AT_SIZE) {
163 return 0;
164 }
165
166 char* ch = (char *)malloc(size + 1);
167 if (ch == nullptr) {
168 std::cout << "malloc failed." << std::endl;
169 return 0;
170 }
171
172 (void)memset_s(ch, size + 1, 0x00, size + 1);
173 if (memcpy_s(ch, size, data, size) != EOK) {
174 std::cout << "copy failed." << std::endl;
175 free(ch);
176 ch = nullptr;
177 return 0;
178 }
179
180 OHOS::DoSomethingInterestingWithMyAPI(ch, size);
181 free(ch);
182 ch = nullptr;
183 return 0;
184 }
185