1 /*
2 * Copyright (c) 2022 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
#include "attachabilitythread_fuzzer.h"

#include <cstddef>
#include <cstdint>
#include <memory>

#include "ability_manager_client.h"
#include "ability_connect_manager.h"
#include "ability_record.h"
#include "ability_scheduler_stub.h"
#include "data_ability_manager.h"
26
27 using namespace OHOS::AAFwk;
28 using namespace OHOS::AppExecFwk;
29
30 namespace OHOS {
namespace {
// Largest fuzz input, in bytes, that LLVMFuzzerTestOneInput forwards to the target.
constexpr size_t FOO_MAX_LEN{1024};
// Smallest accepted input: GetU32Data() consumes this many leading bytes.
constexpr size_t U32_AT_SIZE{4};
// uid written into the AbilityRequest built by GetFuzzAbilityToken().
constexpr int32_t UID_TEST{100};
// Left-shift applied to byte 0 in GetU32Data(); despite the name the value is 24, not 0.
constexpr int OFFSET_ZERO{24};
} // namespace
/**
 * Inert IAbilityScheduler implementation handed to the attach calls under fuzz.
 *
 * Every override below is empty or returns a fixed value, so a fuzz run that
 * uses this stub exercises only the code that receives the scheduler, never
 * any scheduler-side behaviour.
 */
class AbilitySchedulerFuzzTest : public AbilitySchedulerStub {
public:
    AbilitySchedulerFuzzTest() = default;
    virtual ~AbilitySchedulerFuzzTest() = default;

    // --- Lifecycle and connection callbacks: all no-ops. ---
    void ScheduleAbilityTransaction(const Want &want, const LifeCycleStateInfo &targetState) override {}
    void SendResult(int requestCode, int resultCode, const Want &resultWant) override {}
    void ScheduleConnectAbility(const Want &want) override {}
    void ScheduleDisconnectAbility(const Want &want) override {}
    void ScheduleCommandAbility(const Want &want, bool restart, int startId) override {}
    void ScheduleSaveAbilityState() override {}
    void ScheduleRestoreAbilityState(const PacMap &inState) override {}

    // --- Data-ability file access: empty list / 0. ---
    std::vector<std::string> GetFileTypes(const Uri &uri, const std::string &mimeTypeFilter) override
    {
        return std::vector<std::string>();
    }
    int OpenFile(const Uri &uri, const std::string &mode) override { return 0; }
    int OpenRawFile(const Uri &uri, const std::string &mode) override { return 0; }

    // --- Data-ability CRUD: 0 or an empty/null result. ---
    int Insert(const Uri &uri, const NativeRdb::ValuesBucket &value) override { return 0; }
    int Update(const Uri &uri, const NativeRdb::ValuesBucket &value,
        const NativeRdb::DataAbilityPredicates &predicates) override
    {
        return 0;
    }
    int Delete(const Uri &uri, const NativeRdb::DataAbilityPredicates &predicates) override { return 0; }
    std::shared_ptr<AppExecFwk::PacMap> Call(
        const Uri &uri, const std::string &method, const std::string &arg, const AppExecFwk::PacMap &pacMap) override
    {
        return std::shared_ptr<AppExecFwk::PacMap>();
    }
    std::shared_ptr<NativeRdb::AbsSharedResultSet> Query(const Uri &uri,
        std::vector<std::string> &columns, const NativeRdb::DataAbilityPredicates &predicates) override
    {
        return std::shared_ptr<NativeRdb::AbsSharedResultSet>();
    }
    std::string GetType(const Uri &uri) override { return std::string(); }
    bool Reload(const Uri &uri, const PacMap &extras) override { return true; }
    int BatchInsert(const Uri &uri, const std::vector<NativeRdb::ValuesBucket> &values) override { return 0; }

    // --- Observer registration and change notification: always report success. ---
    bool ScheduleRegisterObserver(const Uri &uri, const sptr<IDataAbilityObserver> &dataObserver) override
    {
        return true;
    }
    bool ScheduleUnregisterObserver(const Uri &uri, const sptr<IDataAbilityObserver> &dataObserver) override
    {
        return true;
    }
    bool ScheduleNotifyChange(const Uri &uri) override { return true; }

    // --- URI normalisation: the argument is ignored and a fixed Uri is returned. ---
    Uri NormalizeUri(const Uri &uri) override { return Uri{"abilityschedulerstub"}; }
    Uri DenormalizeUri(const Uri &uri) override { return Uri{"abilityschedulerstub"}; }

    std::vector<std::shared_ptr<AppExecFwk::DataAbilityResult>> ExecuteBatch(
        const std::vector<std::shared_ptr<AppExecFwk::DataAbilityOperation>> &operations) override
    {
        return std::vector<std::shared_ptr<AppExecFwk::DataAbilityResult>>();
    }

    // --- Continuation and dump: no-ops. ---
    void ContinueAbility(const std::string& deviceId, uint32_t versionCode) override {}
    void NotifyContinuationResult(int32_t result) override {}
    void DumpAbilityInfo(const std::vector<std::string> &params, std::vector<std::string> &info) override {}

#ifdef ABILITY_COMMAND_FOR_TEST
    // Only part of the interface when the test-command build flag is defined.
    int BlockAbility() override { return 0; }
#endif

    void CallRequest() override {}
};
/**
 * Creates an AbilityRecord of the requested type with fixed test identity
 * (uid UID_TEST, bundle "com.example.fuzzTest", ability "MainAbility") and
 * returns its token.
 *
 * @param type Ability type stored in the request's abilityInfo.
 * @return The record's token, or nullptr when CreateAbilityRecord() yields no record.
 */
sptr<Token> GetFuzzAbilityToken(AbilityType type)
{
    AbilityRequest request;
    request.uid = UID_TEST;
    request.appInfo.bundleName = "com.example.fuzzTest";
    request.abilityInfo.name = "MainAbility";
    request.abilityInfo.type = type;

    const auto record = AbilityRecord::CreateAbilityRecord(request);
    if (!record) {
        return nullptr;
    }
    return record->GetToken();
}
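/**
 * Packs the first four bytes at ptr into a uint32_t, byte 0 most significant.
 *
 * @param ptr Fuzz input; the caller must guarantee at least four readable bytes.
 * @return (b0 << 24) | (b1 << 16) | (b2 << 8) | b3 with each byte taken as 0..255.
 */
uint32_t GetU32Data(const char* ptr)
{
    // Read the bytes as unsigned. Where plain char is signed, a byte >= 0x80 is
    // promoted to a negative int: OR-ing it in sets every higher bit of the
    // result (collapsing the value space the fuzzer can reach), and shifting a
    // negative int left is undefined before C++20, which UBSan reports against
    // the harness instead of the target.
    const auto* bytes = reinterpret_cast<const uint8_t*>(ptr);
    return (static_cast<uint32_t>(bytes[0]) << OFFSET_ZERO) |
        (static_cast<uint32_t>(bytes[1]) << 16) |
        (static_cast<uint32_t>(bytes[2]) << 8) |
        static_cast<uint32_t>(bytes[3]);
}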
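/**
 * Drives the three AttachAbilityThread entry points with a stub scheduler.
 *
 * The first four input bytes become the userId of a fresh AbilityConnectManager;
 * the rest of the input is not consumed here. Tokens for a PAGE, a SERVICE and a
 * DATA ability are created, then the scheduler is attached through
 * AbilityConnectManager, DataAbilityManager and AbilityManagerClient in turn.
 *
 * @param data Fuzz input buffer.
 * @param size Number of valid bytes in data; must be at least U32_AT_SIZE.
 * @return true only when AbilityManagerClient::AttachAbilityThread() returns 0;
 *         false on short/null input, a missing client, or a missing token.
 */
bool DoSomethingInterestingWithMyAPI(const char* data, size_t size)
{
    // GetU32Data() reads four bytes unconditionally, so enforce that here rather
    // than relying on every caller having checked the length.
    if (data == nullptr || size < U32_AT_SIZE) {
        return false;
    }

    auto abilitymgr = AbilityManagerClient::GetInstance();
    if (!abilitymgr) {
        return false;
    }

    int userId = static_cast<int>(GetU32Data(data));
    // Own both managers so they are released on every return path. The raw
    // `new` they replace leaked two objects per fuzz iteration; under libFuzzer
    // that shows up as leak reports and steady RSS growth attributable to the
    // harness, which obscures genuine findings in the code under test.
    auto connectManager = std::make_unique<AbilityConnectManager>(userId);
    auto dataManager = std::make_unique<DataAbilityManager>();
    sptr<IAbilityScheduler> scheduler = new AbilitySchedulerFuzzTest();

    // get token
    sptr<IRemoteObject> token = GetFuzzAbilityToken(AbilityType::PAGE);
    if (!token) {
        std::cout << "Get ability token failed." << std::endl;
        return false;
    }

    // get serviceToken
    sptr<IRemoteObject> serviceToken = GetFuzzAbilityToken(AbilityType::SERVICE);
    if (!serviceToken) {
        std::cout << "Get service ability token failed." << std::endl;
        return false;
    }

    // get dataToken
    sptr<IRemoteObject> dataToken = GetFuzzAbilityToken(AbilityType::DATA);
    if (!dataToken) {
        std::cout << "Get data ability token failed." << std::endl;
        return false;
    }

    // Return values of the two manager-level attaches are ignored, as before;
    // only the client-level attach decides the result.
    connectManager->AttachAbilityThreadLocked(scheduler, serviceToken);
    dataManager->AttachAbilityThread(scheduler, dataToken);

    return abilitymgr->AttachAbilityThread(scheduler, token) == 0;
}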
213 }
214
215 /* Fuzzer entry point */
/**
 * libFuzzer entry point.
 *
 * Rejects null input and any length outside [U32_AT_SIZE, FOO_MAX_LEN], copies
 * the input into a zero-filled heap buffer one byte longer than the input, and
 * passes that copy to OHOS::DoSomethingInterestingWithMyAPI(). Always returns 0.
 */
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
{
    if (data == nullptr) {
        std::cout << "invalid data" << std::endl;
        return 0;
    }

    const bool lengthAccepted = (size >= OHOS::U32_AT_SIZE) && (size <= OHOS::FOO_MAX_LEN);
    if (!lengthAccepted) {
        return 0;
    }

    // NOTE(review): the extra zero byte keeps the copy NUL-terminated, but it
    // also means a one-byte read past `size` stays inside the allocation and
    // would not be reported by AddressSanitizer.
    const size_t bufferLen = size + 1;
    char* buffer = static_cast<char*>(malloc(bufferLen));
    if (buffer == nullptr) {
        std::cout << "malloc failed." << std::endl;
        return 0;
    }

    (void)memset_s(buffer, bufferLen, 0x00, bufferLen);
    const bool copied = (memcpy_s(buffer, size, data, size) == EOK);
    if (copied) {
        OHOS::DoSomethingInterestingWithMyAPI(buffer, size);
    } else {
        std::cout << "copy failed." << std::endl;
    }

    // Single release point for both the success and the copy-failure path.
    free(buffer);
    return 0;
}