1 /*
2 * Copyright (c) 2022 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "face_auth_executor_hdi_fuzzer.h"
17
18 #include <cstddef>
19 #include <cstdint>
20 #include <memory>
21 #include <new>
22 #include <vector>
23
24 #include "parcel.h"
25 #include "refbase.h"
26
27 #include "iam_check.h"
28 #include "iam_fuzz_test.h"
29 #include "iam_logger.h"
30 #include "iam_ptr.h"
31 #include "framework_types.h"
32 #include "iexecute_callback.h"
33
34 #include "face_auth_executor_hdi.h"
35 #include "v1_0/face_auth_types.h"
36 #include "v1_0/iexecutor.h"
37
38 #define LOG_LABEL UserIam::Common::LABEL_FACE_AUTH_SA
39
40 #undef private
41
42 using namespace std;
43 using namespace OHOS::UserIam::Common;
44 using namespace OHOS::UserIam::UserAuth;
45 namespace FaceHdi = OHOS::HDI::FaceAuth::V1_0;
46 using BufferProducerSequenceable = OHOS::HDI::Camera::V1_0::BufferProducerSequenceable;
47
48 namespace OHOS {
49 namespace UserIam {
50 namespace FaceAuth {
51 namespace {
52 class DummyExecutorProxy : public FaceHdi::IExecutor {
53 public:
DummyExecutorProxy()54 DummyExecutorProxy() : fuzzParcel_(nullptr)
55 {
56 }
57
58 virtual ~DummyExecutorProxy() = default;
59
GetExecutorInfo(FaceHdi::ExecutorInfo & executorInfo)60 int32_t GetExecutorInfo(FaceHdi::ExecutorInfo &executorInfo)
61 {
62 IF_FALSE_LOGE_AND_RETURN_VAL(fuzzParcel_ != nullptr, 0);
63 FillFuzzHdiExecutorInfo(*fuzzParcel_, executorInfo);
64 return (*fuzzParcel_).ReadInt32();
65 }
66
GetTemplateInfo(uint64_t templateId,FaceHdi::TemplateInfo & templateInfo)67 int32_t GetTemplateInfo(uint64_t templateId, FaceHdi::TemplateInfo &templateInfo)
68 {
69 IF_FALSE_LOGE_AND_RETURN_VAL(fuzzParcel_ != nullptr, 0);
70 FillFuzzHdiTemplateInfo(*fuzzParcel_, templateInfo);
71 return (*fuzzParcel_).ReadInt32();
72 }
73
OnRegisterFinish(const std::vector<uint64_t> & templateIdList,const std::vector<uint8_t> & frameworkPublicKey,const std::vector<uint8_t> & extraInfo)74 int32_t OnRegisterFinish(const std::vector<uint64_t> &templateIdList,
75 const std::vector<uint8_t> &frameworkPublicKey, const std::vector<uint8_t> &extraInfo)
76 {
77 IF_FALSE_LOGE_AND_RETURN_VAL(fuzzParcel_ != nullptr, 0);
78 return (*fuzzParcel_).ReadInt32();
79 }
80
Enroll(uint64_t scheduleId,const std::vector<uint8_t> & extraInfo,const sptr<FaceHdi::IExecutorCallback> & callbackObj)81 int32_t Enroll(
82 uint64_t scheduleId, const std::vector<uint8_t> &extraInfo, const sptr<FaceHdi::IExecutorCallback> &callbackObj)
83 {
84 IF_FALSE_LOGE_AND_RETURN_VAL(fuzzParcel_ != nullptr, 0);
85 return (*fuzzParcel_).ReadInt32();
86 }
87
Authenticate(uint64_t scheduleId,const std::vector<uint64_t> & templateIdList,const std::vector<uint8_t> & extraInfo,const sptr<FaceHdi::IExecutorCallback> & callbackObj)88 int32_t Authenticate(uint64_t scheduleId, const std::vector<uint64_t> &templateIdList,
89 const std::vector<uint8_t> &extraInfo, const sptr<FaceHdi::IExecutorCallback> &callbackObj)
90 {
91 IF_FALSE_LOGE_AND_RETURN_VAL(fuzzParcel_ != nullptr, 0);
92 return (*fuzzParcel_).ReadInt32();
93 }
94
Identify(uint64_t scheduleId,const std::vector<uint8_t> & extraInfo,const sptr<FaceHdi::IExecutorCallback> & callbackObj)95 int32_t Identify(
96 uint64_t scheduleId, const std::vector<uint8_t> &extraInfo, const sptr<FaceHdi::IExecutorCallback> &callbackObj)
97 {
98 IF_FALSE_LOGE_AND_RETURN_VAL(fuzzParcel_ != nullptr, 0);
99 return (*fuzzParcel_).ReadInt32();
100 }
101
Delete(const std::vector<uint64_t> & templateIdList)102 int32_t Delete(const std::vector<uint64_t> &templateIdList)
103 {
104 IF_FALSE_LOGE_AND_RETURN_VAL(fuzzParcel_ != nullptr, 0);
105 return (*fuzzParcel_).ReadInt32();
106 }
107
Cancel(uint64_t scheduleId)108 int32_t Cancel(uint64_t scheduleId)
109 {
110 IF_FALSE_LOGE_AND_RETURN_VAL(fuzzParcel_ != nullptr, 0);
111 return (*fuzzParcel_).ReadInt32();
112 }
113
SendCommand(int32_t commandId,const std::vector<uint8_t> & extraInfo,const sptr<FaceHdi::IExecutorCallback> & callbackObj)114 int32_t SendCommand(
115 int32_t commandId, const std::vector<uint8_t> &extraInfo, const sptr<FaceHdi::IExecutorCallback> &callbackObj)
116 {
117 IF_FALSE_LOGE_AND_RETURN_VAL(fuzzParcel_ != nullptr, 0);
118 return (*fuzzParcel_).ReadInt32();
119 }
120
SetBufferProducer(const sptr<BufferProducerSequenceable> & bufferProducer)121 int32_t SetBufferProducer(const sptr<BufferProducerSequenceable> &bufferProducer)
122 {
123 IF_FALSE_LOGE_AND_RETURN_VAL(fuzzParcel_ != nullptr, 0);
124 return (*fuzzParcel_).ReadInt32();
125 }
126
SetParcel(Parcel & parcel)127 void SetParcel(Parcel &parcel)
128 {
129 fuzzParcel_ = &parcel;
130 }
131
ClearParcel()132 void ClearParcel()
133 {
134 fuzzParcel_ = nullptr;
135 }
136
137 private:
FillFuzzHdiExecutorInfo(Parcel & parcel,FaceHdi::ExecutorInfo & executorInfo)138 void FillFuzzHdiExecutorInfo(Parcel &parcel, FaceHdi::ExecutorInfo &executorInfo)
139 {
140 executorInfo.sensorId = parcel.ReadUint16();
141 executorInfo.executorType = parcel.ReadUint32();
142 executorInfo.executorRole = static_cast<FaceHdi::ExecutorRole>(parcel.ReadInt32());
143 executorInfo.authType = static_cast<FaceHdi::AuthType>(parcel.ReadInt32());
144 executorInfo.esl = static_cast<FaceHdi::ExecutorSecureLevel>(parcel.ReadInt32());
145 FillFuzzUint8Vector(parcel, executorInfo.publicKey);
146 FillFuzzUint8Vector(parcel, executorInfo.extraInfo);
147 IAM_LOGI("success");
148 }
149
FillFuzzHdiTemplateInfo(Parcel & parcel,FaceHdi::TemplateInfo & templateInfo)150 void FillFuzzHdiTemplateInfo(Parcel &parcel, FaceHdi::TemplateInfo &templateInfo)
151 {
152 templateInfo.executorType = parcel.ReadUint32();
153 templateInfo.lockoutDuration = parcel.ReadInt32();
154 templateInfo.remainAttempts = parcel.ReadInt32();
155 FillFuzzUint8Vector(parcel, templateInfo.extraInfo);
156 IAM_LOGI("success");
157 }
158
159 Parcel *fuzzParcel_;
160 };
161
162 class DummyExecuteCallback : public UserAuth::IExecuteCallback {
163 public:
164 virtual ~DummyExecuteCallback() = default;
165
OnResult(ResultCode result,const std::vector<uint8_t> & extraInfo)166 void OnResult(ResultCode result, const std::vector<uint8_t> &extraInfo)
167 {
168 }
169
OnResult(ResultCode result)170 void OnResult(ResultCode result)
171 {
172 }
173
OnAcquireInfo(int32_t acquire,const std::vector<uint8_t> & extraInfo)174 void OnAcquireInfo(int32_t acquire, const std::vector<uint8_t> &extraInfo)
175 {
176 }
177 };
178
179 auto g_proxy = new (nothrow) DummyExecutorProxy();
180 FaceAuthExecutorHdi g_hdi(g_proxy);
181
FillFuzzExecutorInfo(Parcel & parcel,ExecutorInfo & executorInfo)182 void FillFuzzExecutorInfo(Parcel &parcel, ExecutorInfo &executorInfo)
183 {
184 executorInfo.executorSensorHint = parcel.ReadInt32();
185 executorInfo.authType = static_cast<AuthType>(parcel.ReadInt32());
186 executorInfo.executorRole = static_cast<ExecutorRole>(parcel.ReadInt32());
187 executorInfo.executorMatcher = parcel.ReadInt32();
188 executorInfo.esl = static_cast<ExecutorSecureLevel>(parcel.ReadInt32());
189 FillFuzzUint8Vector(parcel, executorInfo.publicKey);
190 IAM_LOGI("success");
191 }
192
FillFuzzTemplateInfo(Parcel & parcel,UserAuth::TemplateInfo & templateInfo)193 void FillFuzzTemplateInfo(Parcel &parcel, UserAuth::TemplateInfo &templateInfo)
194 {
195 templateInfo.executorType = parcel.ReadUint32();
196 templateInfo.freezingTime = parcel.ReadInt32();
197 templateInfo.remainTimes = parcel.ReadInt32();
198 FillFuzzUint8Vector(parcel, templateInfo.extraInfo);
199 IAM_LOGI("success");
200 }
201
FillFuzzIExecuteCallback(Parcel & parcel,std::shared_ptr<UserAuth::IExecuteCallback> & callback)202 void FillFuzzIExecuteCallback(Parcel &parcel, std::shared_ptr<UserAuth::IExecuteCallback> &callback)
203 {
204 callback = nullptr;
205 if (parcel.ReadBool()) {
206 callback = MakeShared<DummyExecuteCallback>();
207 if (callback == nullptr) {
208 IAM_LOGE("callback is nullptr");
209 }
210 }
211 IAM_LOGI("success");
212 }
213
FuzzGetExecutorInfo(Parcel & parcel)214 void FuzzGetExecutorInfo(Parcel &parcel)
215 {
216 IAM_LOGI("begin");
217 ExecutorInfo info;
218 FillFuzzExecutorInfo(parcel, info);
219 g_hdi.GetExecutorInfo(info);
220 IAM_LOGI("end");
221 }
222
FuzzGetTemplateInfo(Parcel & parcel)223 void FuzzGetTemplateInfo(Parcel &parcel)
224 {
225 IAM_LOGI("begin");
226 uint64_t templateId = parcel.ReadUint64();
227 UserAuth::TemplateInfo info;
228 FillFuzzTemplateInfo(parcel, info);
229 g_hdi.GetTemplateInfo(templateId, info);
230 IAM_LOGI("end");
231 }
232
FuzzOnRegisterFinish(Parcel & parcel)233 void FuzzOnRegisterFinish(Parcel &parcel)
234 {
235 IAM_LOGI("begin");
236 std::vector<uint64_t> templateIdList;
237 FillFuzzUint64Vector(parcel, templateIdList);
238 std::vector<uint8_t> frameworkPublicKey;
239 FillFuzzUint8Vector(parcel, frameworkPublicKey);
240 std::vector<uint8_t> extraInfo;
241 FillFuzzUint8Vector(parcel, extraInfo);
242 g_hdi.OnRegisterFinish(templateIdList, frameworkPublicKey, extraInfo);
243 IAM_LOGI("end");
244 }
245
FuzzEnroll(Parcel & parcel)246 void FuzzEnroll(Parcel &parcel)
247 {
248 IAM_LOGI("begin");
249 uint64_t scheduleId = parcel.ReadUint64();
250 uint32_t tokenId = parcel.ReadUint32();
251 std::vector<uint8_t> extraInfo;
252 FillFuzzUint8Vector(parcel, extraInfo);
253 std::shared_ptr<UserAuth::IExecuteCallback> callbackObj;
254 FillFuzzIExecuteCallback(parcel, callbackObj);
255 g_hdi.Enroll(scheduleId, tokenId, extraInfo, callbackObj);
256 IAM_LOGI("end");
257 }
258
FuzzAuthenticate(Parcel & parcel)259 void FuzzAuthenticate(Parcel &parcel)
260 {
261 IAM_LOGI("begin");
262 uint64_t scheduleId = parcel.ReadUint64();
263 uint32_t tokenId = parcel.ReadUint32();
264 std::vector<uint64_t> templateIdList;
265 FillFuzzUint64Vector(parcel, templateIdList);
266 std::vector<uint8_t> extraInfo;
267 FillFuzzUint8Vector(parcel, extraInfo);
268 std::shared_ptr<UserAuth::IExecuteCallback> callbackObj;
269 FillFuzzIExecuteCallback(parcel, callbackObj);
270 g_hdi.Authenticate(scheduleId, tokenId, templateIdList, extraInfo, callbackObj);
271 IAM_LOGI("end");
272 }
273
FuzzIdentify(Parcel & parcel)274 void FuzzIdentify(Parcel &parcel)
275 {
276 IAM_LOGI("begin");
277 uint64_t scheduleId = parcel.ReadUint64();
278 uint32_t tokenId = parcel.ReadUint32();
279 std::vector<uint8_t> extraInfo;
280 FillFuzzUint8Vector(parcel, extraInfo);
281 std::shared_ptr<UserAuth::IExecuteCallback> callbackObj;
282 FillFuzzIExecuteCallback(parcel, callbackObj);
283 g_hdi.Identify(scheduleId, tokenId, extraInfo, callbackObj);
284 IAM_LOGI("end");
285 }
286
FuzzDelete(Parcel & parcel)287 void FuzzDelete(Parcel &parcel)
288 {
289 IAM_LOGI("begin");
290 std::vector<uint64_t> templateIdList;
291 FillFuzzUint64Vector(parcel, templateIdList);
292 g_hdi.Delete(templateIdList);
293 IAM_LOGI("end");
294 }
295
FuzzCancel(Parcel & parcel)296 void FuzzCancel(Parcel &parcel)
297 {
298 IAM_LOGI("begin");
299 uint64_t scheduleId = parcel.ReadUint64();
300 g_hdi.Cancel(scheduleId);
301 IAM_LOGI("end");
302 }
303
FuzzSendCommand(Parcel & parcel)304 void FuzzSendCommand(Parcel &parcel)
305 {
306 IAM_LOGI("begin");
307 PropertyMode commandId = static_cast<PropertyMode>(parcel.ReadInt32());
308 std::vector<uint8_t> extraInfo;
309 FillFuzzUint8Vector(parcel, extraInfo);
310 std::shared_ptr<UserAuth::IExecuteCallback> callbackObj;
311 FillFuzzIExecuteCallback(parcel, callbackObj);
312 g_hdi.SendCommand(commandId, extraInfo, callbackObj);
313 IAM_LOGI("end");
314 }
315
SetProxyParcel(Parcel & parcel)316 void SetProxyParcel(Parcel &parcel)
317 {
318 if (g_proxy == nullptr) {
319 IAM_LOGE("g_proxy is nullptr");
320 return;
321 }
322 g_proxy->SetParcel(parcel);
323 }
324
ClearProxyParcel()325 void ClearProxyParcel()
326 {
327 if (g_proxy == nullptr) {
328 IAM_LOGE("g_proxy is nullptr");
329 return;
330 }
331 g_proxy->ClearParcel();
332 }
333
334 using FuzzFunc = decltype(FuzzGetExecutorInfo);
335 FuzzFunc *g_fuzzFuncs[] = {FuzzGetExecutorInfo, FuzzGetTemplateInfo, FuzzOnRegisterFinish, FuzzEnroll, FuzzAuthenticate,
336 FuzzIdentify, FuzzDelete, FuzzCancel, FuzzSendCommand};
337
FaceAuthServiceFuzzTest(const uint8_t * data,size_t size)338 void FaceAuthServiceFuzzTest(const uint8_t *data, size_t size)
339 {
340 Parcel parcel;
341 parcel.WriteBuffer(data, size);
342 parcel.RewindRead(0);
343 uint32_t index = parcel.ReadUint32() % (sizeof(g_fuzzFuncs) / sizeof(FuzzFunc *));
344 auto fuzzFunc = g_fuzzFuncs[index];
345 SetProxyParcel(parcel);
346 fuzzFunc(parcel);
347 ClearProxyParcel();
348 return;
349 }
350 } // namespace
351 } // namespace FaceAuth
352 } // namespace UserIam
353 } // namespace OHOS
354
355 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)356 extern "C" int32_t LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
357 {
358 OHOS::UserIam::FaceAuth::FaceAuthServiceFuzzTest(data, size);
359 return 0;
360 }
361