1 /*
2 * Copyright (c) 2022 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "external_file_access_fuzzer.h"
17
18 #include <cstdio>
19 #include <thread>
20 #include <unistd.h>
21
22 #include "accesstoken_kit.h"
23 #include "token_setproc.h"
24 #include "nativetoken_kit.h"
25 #include "file_access_framework_errno.h"
26 #include "file_access_helper.h"
27 #include "iservice_registry.h"
28 #include "hilog_wrapper.h"
29
30 namespace OHOS {
31 using namespace std;
32 using namespace OHOS;
33 using namespace FileAccessFwk;
34
35 const int ABILITY_ID = 5003;
36 shared_ptr<FileAccessHelper> g_fah = nullptr;
37 const int UID_TRANSFORM_TMP = 20000000;
38 const int UID_DEFAULT = 0;
39
SetNativeToken()40 void SetNativeToken()
41 {
42 uint64_t tokenId;
43 const char **perms = new const char *;
44 *perms = "ohos.permission.FILE_ACCESS_MANAGER";
45 NativeTokenInfoParams infoInstance = {
46 .dcapsNum = 0,
47 .permsNum = 1,
48 .aclsNum = 0,
49 .dcaps = nullptr,
50 .perms = perms,
51 .acls = nullptr,
52 .aplStr = "system_core",
53 };
54
55 infoInstance.processName = "SetUpTestCase";
56 tokenId = GetAccessTokenId(&infoInstance);
57 const uint64_t systemAppMask = (static_cast<uint64_t>(1) << 32);
58 tokenId |= systemAppMask;
59 SetSelfTokenID(tokenId);
60 OHOS::Security::AccessToken::AccessTokenKit::ReloadNativeTokenInfo();
61 delete perms;
62 }
63
GetFileAccessHelper()64 shared_ptr<FileAccessHelper> GetFileAccessHelper()
65 {
66 if (g_fah != nullptr) {
67 return g_fah;
68 }
69 SetNativeToken();
70 auto saManager = SystemAbilityManagerClient::GetInstance().GetSystemAbilityManager();
71 auto remoteObj = saManager->GetSystemAbility(ABILITY_ID);
72 AAFwk::Want want;
73 vector<AAFwk::Want> wantVec;
74 setuid(UID_TRANSFORM_TMP);
75 int ret = FileAccessHelper::GetRegisteredFileAccessExtAbilityInfo(wantVec);
76 if (ret != OHOS::FileAccessFwk::ERR_OK) {
77 HILOG_ERROR("GetRegisteredFileAccessExtAbilityInfo failed.");
78 return nullptr;
79 }
80 bool sus = false;
81 for (size_t i = 0; i < wantVec.size(); i++) {
82 auto element = wantVec[i].GetElement();
83 if (element.GetBundleName() == "com.ohos.UserFile.ExternalFileManager" &&
84 element.GetAbilityName() == "FileExtensionAbility") {
85 want = wantVec[i];
86 sus = true;
87 break;
88 }
89 }
90 if (!sus) {
91 HILOG_ERROR("not found bundleName.");
92 return nullptr;
93 }
94 vector<AAFwk::Want> wants {want};
95 g_fah = FileAccessHelper::Creator(remoteObj, wants);
96 setuid(UID_DEFAULT);
97 if (g_fah == nullptr) {
98 HILOG_ERROR("creator fileAccessHelper return nullptr.");
99 return nullptr;
100 }
101 return g_fah;
102 }
103
CreatorFuzzTest(const uint8_t * data,size_t size)104 bool CreatorFuzzTest(const uint8_t* data, size_t size)
105 {
106 SetNativeToken();
107 if ((data == nullptr) || (size <= 0)) {
108 HILOG_ERROR("parameter data is nullptr or parameter size <= 0.");
109 return false;
110 }
111 std::string bundleName(reinterpret_cast<const char*>(data), size);
112 auto saManager = SystemAbilityManagerClient::GetInstance().GetSystemAbilityManager();
113 auto remoteObj = saManager->GetSystemAbility(ABILITY_ID);
114 AAFwk::Want want;
115 want.SetElementName(bundleName, "FileExtensionAbility");
116 vector<AAFwk::Want> wants {want};
117 setuid(UID_TRANSFORM_TMP);
118 shared_ptr<FileAccessHelper> helper = nullptr;
119 helper = FileAccessHelper::Creator(remoteObj, wants);
120 setuid(UID_DEFAULT);
121 if (helper == nullptr) {
122 HILOG_ERROR("creator return nullptr.");
123 return false;
124 }
125 helper->Release();
126 return true;
127 }
128
AccessFuzzTest(const uint8_t * data,size_t size)129 bool AccessFuzzTest(const uint8_t* data, size_t size)
130 {
131 if ((data == nullptr) || (size <= 0)) {
132 HILOG_ERROR("parameter data is nullptr or parameter size <= 0.");
133 return false;
134 }
135 Uri uri(std::string(reinterpret_cast<const char*>(data), size));
136 shared_ptr<FileAccessHelper> helper = GetFileAccessHelper();
137 if (helper == nullptr) {
138 HILOG_ERROR("GetFileAccessHelper return nullptr.");
139 return false;
140 }
141 bool isExist = false;
142 int result = helper->Access(uri, isExist);
143 if (isExist != true || result != OHOS::FileAccessFwk::ERR_OK) {
144 return false;
145 }
146 return true;
147 }
148
OpenFileFuzzTest(const uint8_t * data,size_t size)149 bool OpenFileFuzzTest(const uint8_t* data, size_t size)
150 {
151 if ((data == nullptr) || (size <= 0)) {
152 HILOG_ERROR("parameter data is nullptr or parameter size <= 0.");
153 return false;
154 }
155 Uri uri(std::string(reinterpret_cast<const char*>(data), size));
156 shared_ptr<FileAccessHelper> helper = GetFileAccessHelper();
157 if (helper == nullptr) {
158 HILOG_ERROR("GetFileAccessHelper return nullptr.");
159 return false;
160 }
161 int fd = -1;
162 int result = 0;
163 result = helper->OpenFile(uri, WRITE_READ, fd);
164 if (result != OHOS::FileAccessFwk::ERR_OK) {
165 HILOG_ERROR("OpenFile failed. ret : %{public}d", result);
166 return false;
167 }
168 close(fd);
169 return true;
170 }
171
CreateFileFuzzTest(const uint8_t * data,size_t size)172 bool CreateFileFuzzTest(const uint8_t* data, size_t size)
173 {
174 if ((data == nullptr) || (size <= 0)) {
175 HILOG_ERROR("parameter data is nullptr or parameter size <= 0.");
176 return false;
177 }
178 shared_ptr<FileAccessHelper> helper = GetFileAccessHelper();
179 if (helper == nullptr) {
180 HILOG_ERROR("GetFileAccessHelper return nullptr.");
181 return false;
182 }
183
184 vector<RootInfo> info;
185 int result = helper->GetRoots(info);
186 if (result != OHOS::FileAccessFwk::ERR_OK) {
187 HILOG_ERROR("GetRoots failed. ret : %{public}d", result);
188 return false;
189 }
190 for (size_t i = 0; i < info.size(); i++) {
191 Uri parentUri(info[i].uri);
192 Uri newFileUri("");
193 result = helper->CreateFile(parentUri, "CreateFileFuzzTest", newFileUri);
194 if (result != OHOS::FileAccessFwk::ERR_OK) {
195 HILOG_ERROR("CreateFile failed. ret : %{public}d", result);
196 return false;
197 }
198 result = helper->Delete(newFileUri);
199 if (result != OHOS::FileAccessFwk::ERR_OK) {
200 HILOG_ERROR("Delete failed. ret : %{public}d", result);
201 return false;
202 }
203 }
204 return true;
205 }
206
MkdirFuzzTest(const uint8_t * data,size_t size)207 bool MkdirFuzzTest(const uint8_t* data, size_t size)
208 {
209 if ((data == nullptr) || (size <= 0)) {
210 HILOG_ERROR("parameter data is nullptr or parameter size <= 0.");
211 return false;
212 }
213 shared_ptr<FileAccessHelper> helper = GetFileAccessHelper();
214 if (helper == nullptr) {
215 HILOG_ERROR("GetFileAccessHelper return nullptr.");
216 return false;
217 }
218
219 vector<RootInfo> info;
220 int result = helper->GetRoots(info);
221 if (result != OHOS::FileAccessFwk::ERR_OK) {
222 HILOG_ERROR("GetRoots failed. ret : %{public}d", result);
223 return false;
224 }
225 for (size_t i = 0; i < info.size(); i++) {
226 Uri parentUri(info[i].uri);
227 Uri newDirUri("");
228 result = helper->Mkdir(parentUri, "MkdirFuzzTest", newDirUri);
229 if (result != OHOS::FileAccessFwk::ERR_OK) {
230 HILOG_ERROR("Mkdir failed. ret : %{public}d", result);
231 return false;
232 }
233 result = helper->Delete(newDirUri);
234 if (result != OHOS::FileAccessFwk::ERR_OK) {
235 HILOG_ERROR("Delete failed. ret : %{public}d", result);
236 return false;
237 }
238 }
239 return true;
240 }
241
DeleteFuzzTest(const uint8_t * data,size_t size)242 bool DeleteFuzzTest(const uint8_t* data, size_t size)
243 {
244 if ((data == nullptr) || (size <= 0)) {
245 HILOG_ERROR("parameter data is nullptr or parameter size <= 0.");
246 return false;
247 }
248 Uri uri(std::string(reinterpret_cast<const char*>(data), size));
249 shared_ptr<FileAccessHelper> helper = GetFileAccessHelper();
250 if (helper == nullptr) {
251 HILOG_ERROR("GetFileAccessHelper return nullptr.");
252 return false;
253 }
254 int result = helper->Delete(uri);
255 if (result != OHOS::FileAccessFwk::ERR_OK) {
256 HILOG_ERROR("Delete failed. ret : %{public}d", result);
257 return false;
258 }
259 return true;
260 }
261
MoveFuzzTest(const uint8_t * data,size_t size)262 bool MoveFuzzTest(const uint8_t* data, size_t size)
263 {
264 if ((data == nullptr) || (size <= 0)) {
265 HILOG_ERROR("parameter data is nullptr or parameter size <= 0.");
266 return false;
267 }
268 shared_ptr<FileAccessHelper> helper = GetFileAccessHelper();
269 if (helper == nullptr) {
270 HILOG_ERROR("GetFileAccessHelper return nullptr.");
271 return false;
272 }
273 vector<RootInfo> info;
274 int result = helper->GetRoots(info);
275 if (result != OHOS::FileAccessFwk::ERR_OK) {
276 return false;
277 }
278 for (size_t i = 0; i < info.size(); i++) {
279 Uri parentUri(info[i].uri);
280 Uri newDirUriTest1("");
281 Uri newDirUriTest2("");
282 result = helper->Mkdir(parentUri, "test1", newDirUriTest1);
283 if (result != OHOS::FileAccessFwk::ERR_OK) {
284 HILOG_ERROR("Mkdir failed. ret : %{public}d", result);
285 return false;
286 }
287 result = helper->Mkdir(parentUri, "test2", newDirUriTest2);
288 if (result != OHOS::FileAccessFwk::ERR_OK) {
289 HILOG_ERROR("Mkdir failed. ret : %{public}d", result);
290 return false;
291 }
292 Uri testUri("");
293 result = helper->CreateFile(newDirUriTest1, "test.txt", testUri);
294 if (result != OHOS::FileAccessFwk::ERR_OK) {
295 HILOG_ERROR("CreateFile failed. ret : %{public}d", result);
296 return false;
297 }
298 Uri testUri2("");
299 result = helper->Move(testUri, newDirUriTest2, testUri2);
300 if (result != OHOS::FileAccessFwk::ERR_OK) {
301 HILOG_ERROR("Move failed. ret : %{public}d", result);
302 return false;
303 }
304 result = helper->Delete(newDirUriTest1);
305 if (result != OHOS::FileAccessFwk::ERR_OK) {
306 HILOG_ERROR("Delete failed. ret : %{public}d", result);
307 return false;
308 }
309 result = helper->Delete(newDirUriTest2);
310 if (result != OHOS::FileAccessFwk::ERR_OK) {
311 HILOG_ERROR("Delete failed. ret : %{public}d", result);
312 return false;
313 }
314 }
315 return true;
316 }
317
RenameFuzzTest(const uint8_t * data,size_t size)318 bool RenameFuzzTest(const uint8_t* data, size_t size)
319 {
320 if ((data == nullptr) || (size <= 0)) {
321 HILOG_ERROR("parameter data is nullptr or parameter size <= 0.");
322 return false;
323 }
324 shared_ptr<FileAccessHelper> helper = GetFileAccessHelper();
325 if (helper == nullptr) {
326 HILOG_ERROR("GetFileAccessHelper return nullptr.");
327 return false;
328 }
329 vector<RootInfo> info;
330 int result = helper->GetRoots(info);
331 if (result != OHOS::FileAccessFwk::ERR_OK) {
332 HILOG_ERROR("GetRoots failed. ret : %{public}d", result);
333 return false;
334 }
335 for (size_t i = 0; i < info.size(); i++) {
336 Uri parentUri(info[i].uri);
337 Uri newDirUriTest("");
338 result = helper->Mkdir(parentUri, "test", newDirUriTest);
339 if (result != OHOS::FileAccessFwk::ERR_OK) {
340 HILOG_ERROR("Mkdir failed. ret : %{public}d", result);
341 return false;
342 }
343 Uri renameUri("");
344 result = helper->Rename(newDirUriTest, "testRename", renameUri);
345 if (result != OHOS::FileAccessFwk::ERR_OK) {
346 HILOG_ERROR("Rename failed. ret : %{public}d", result);
347 return false;
348 }
349 result = helper->Delete(renameUri);
350 if (result != OHOS::FileAccessFwk::ERR_OK) {
351 HILOG_ERROR("Delete failed. ret : %{public}d", result);
352 return false;
353 }
354 }
355 return true;
356 }
357
ListFileFuzzTest(const uint8_t * data,size_t size)358 bool ListFileFuzzTest(const uint8_t* data, size_t size)
359 {
360 if ((data == nullptr) || (size == 0)) {
361 HILOG_ERROR("parameter data is nullptr or parameter size <= 0.");
362 return false;
363 }
364 shared_ptr<FileAccessHelper> helper = GetFileAccessHelper();
365 if (helper == nullptr) {
366 HILOG_ERROR("GetFileAccessHelper return nullptr.");
367 return false;
368 }
369
370 FileInfo fileInfo;
371 fileInfo.uri = std::string(reinterpret_cast<const char*>(data), size);
372 int64_t offset = 0;
373 int64_t maxCount = 1000;
374 std::vector<FileInfo> fileInfoVec;
375 FileFilter filter;
376 int result = helper->ListFile(fileInfo, offset, maxCount, filter, fileInfoVec);
377 if (result != OHOS::FileAccessFwk::ERR_OK) {
378 HILOG_ERROR("ListFile failed. ret : %{public}d", result);
379 return false;
380 }
381 return true;
382 }
383
ScanFileFuzzTest(const uint8_t * data,size_t size)384 bool ScanFileFuzzTest(const uint8_t* data, size_t size)
385 {
386 if ((data == nullptr) || (size == 0)) {
387 HILOG_ERROR("parameter data is nullptr or parameter size <= 0.");
388 return false;
389 }
390 shared_ptr<FileAccessHelper> helper = GetFileAccessHelper();
391 if (helper == nullptr) {
392 HILOG_ERROR("GetFileAccessHelper return nullptr.");
393 return false;
394 }
395
396 FileInfo fileInfo;
397 fileInfo.uri = std::string(reinterpret_cast<const char*>(data), size);
398 int64_t offset = 0;
399 int64_t maxCount = 1000;
400 std::vector<FileInfo> fileInfoVec;
401 FileFilter filter;
402 int result = helper->ScanFile(fileInfo, offset, maxCount, filter, fileInfoVec);
403 if (result != OHOS::FileAccessFwk::ERR_OK) {
404 HILOG_ERROR("ScanFile failed. ret : %{public}d", result);
405 return false;
406 }
407 return true;
408 }
409
GetFileInfoFromUriFuzzTest(const uint8_t * data,size_t size)410 bool GetFileInfoFromUriFuzzTest(const uint8_t* data, size_t size)
411 {
412 if ((data == nullptr) || (size == 0)) {
413 HILOG_ERROR("parameter data is nullptr or parameter size <= 0.");
414 return false;
415 }
416 Uri uri(std::string(reinterpret_cast<const char*>(data), size));
417 shared_ptr<FileAccessHelper> helper = GetFileAccessHelper();
418 if (helper == nullptr) {
419 HILOG_ERROR("GetFileAccessHelper return nullptr.");
420 return false;
421 }
422 FileInfo fileinfo;
423 int result = helper->GetFileInfoFromUri(uri, fileinfo);
424 if (result != OHOS::FileAccessFwk::ERR_OK) {
425 HILOG_ERROR("GetFileInfoFromUri failed. ret : %{public}d", result);
426 return false;
427 }
428 return true;
429 }
430
431 }
432
433 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)434 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
435 {
436 /* Run your code on data */
437 OHOS::CreatorFuzzTest(data, size);
438 OHOS::AccessFuzzTest(data, size);
439 OHOS::OpenFileFuzzTest(data, size);
440 OHOS::MkdirFuzzTest(data, size);
441 OHOS::CreateFileFuzzTest(data, size);
442 OHOS::DeleteFuzzTest(data, size);
443 OHOS::MoveFuzzTest(data, size);
444 OHOS::RenameFuzzTest(data, size);
445 OHOS::ListFileFuzzTest(data, size);
446 OHOS::ScanFileFuzzTest(data, size);
447 OHOS::GetFileInfoFromUriFuzzTest(data, size);
448 return 0;
449 }