1 /*
2 * Copyright (c) 2022 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "abilitymanagerservicefirst_fuzzer.h"
17
18 #include <cstddef>
19 #include <cstdint>
20
21 #define private public
22 #define protected public
23 #include "ability_manager_service.h"
24 #undef protected
25 #undef private
26
27 #include "ability_connect_callback_interface.h"
28 #include "ability_connect_callback_stub.h"
29 #include "ability_record.h"
30
31 using namespace OHOS::AAFwk;
32 using namespace OHOS::AppExecFwk;
33
34 namespace OHOS {
35 namespace {
36 constexpr size_t FOO_MAX_LEN = 1024;
37 constexpr size_t U32_AT_SIZE = 4;
38 constexpr uint8_t ENABLE = 2;
39 class MyAbilityConnection : public IAbilityConnection {
40 public:
41 MyAbilityConnection() = default;
42 virtual ~MyAbilityConnection() = default;
OnAbilityConnectDone(const AppExecFwk::ElementName & element,const sptr<IRemoteObject> & remoteObject,int resultCode)43 void OnAbilityConnectDone(
44 const AppExecFwk::ElementName& element, const sptr<IRemoteObject>& remoteObject, int resultCode) override
45 {}
OnAbilityDisconnectDone(const AppExecFwk::ElementName & element,int resultCode)46 void OnAbilityDisconnectDone(const AppExecFwk::ElementName& element, int resultCode) override
47 {}
AsObject()48 sptr<IRemoteObject> AsObject() override
49 {
50 return {};
51 }
52 };
53 }
54
GetU32Data(const char * ptr)55 uint32_t GetU32Data(const char* ptr)
56 {
57 // convert fuzz input data to an integer
58 return (ptr[0] << 24) | (ptr[1] << 16) | (ptr[2] << 8) | ptr[3];
59 }
60
GetFuzzAbilityToken()61 sptr<Token> GetFuzzAbilityToken()
62 {
63 sptr<Token> token = nullptr;
64 AbilityRequest abilityRequest;
65 abilityRequest.appInfo.bundleName = "com.example.fuzzTest";
66 abilityRequest.abilityInfo.name = "MainAbility";
67 abilityRequest.abilityInfo.type = AbilityType::DATA;
68 std::shared_ptr<AbilityRecord> abilityRecord = AbilityRecord::CreateAbilityRecord(abilityRequest);
69 if (abilityRecord) {
70 token = abilityRecord->GetToken();
71 }
72 return token;
73 }
74
DoSomethingInterestingWithMyAPI(const char * data,size_t size)75 bool DoSomethingInterestingWithMyAPI(const char* data, size_t size)
76 {
77 bool boolParam = *data % ENABLE;
78 int intParam = static_cast<int>(GetU32Data(data));
79 int32_t int32Param = static_cast<int32_t>(GetU32Data(data));
80 int64_t int64Param = static_cast<int64_t>(GetU32Data(data));
81 uint32_t uint32Param = GetU32Data(data);
82 std::string stringParam(data, size);
83 Parcel wantParcel;
84 Want* want = nullptr;
85 if (wantParcel.WriteBuffer(data, size)) {
86 want = Want::Unmarshalling(wantParcel);
87 if (!want) {
88 return false;
89 }
90 }
91 sptr<IRemoteObject> token = GetFuzzAbilityToken();
92 sptr<IAbilityConnection> connect = new MyAbilityConnection();
93
94 // fuzz for AbilityManagerService
95 auto abilityms = std::make_shared<AbilityManagerService>();
96 abilityms->InitStartupFlag();
97 abilityms->QueryServiceState();
98 AbilityRequest abilityRequest;
99 AppExecFwk::ExtensionAbilityType extensionType = ExtensionAbilityType::SERVICE;
100 abilityms->CheckOptExtensionAbility(*want, abilityRequest, int32Param, extensionType);
101 AppExecFwk::AbilityInfo abilityInfo;
102 abilityms->ReportAbilitStartInfoToRSS(abilityInfo);
103 abilityms->ReportEventToSuspendManager(abilityInfo);
104 abilityms->StartExtensionAbility(*want, token, int32Param, extensionType);
105 abilityms->StopExtensionAbility(*want, token, int32Param, extensionType);
106 abilityms->TerminateAbility(token, intParam, want);
107 abilityms->CloseAbility(token, intParam, want);
108 abilityms->TerminateAbilityWithFlag(token, intParam, want, boolParam);
109 abilityms->SendResultToAbility(intParam, intParam, *want);
110 abilityms->StartRemoteAbility(*want, intParam, int32Param, token);
111 abilityms->CheckIfOperateRemote(*want);
112 abilityms->AnonymizeDeviceId(stringParam);
113 abilityms->MinimizeAbility(token, boolParam);
114 abilityms->ConnectAbility(*want, connect, token, int32Param);
115 abilityms->ConnectAbilityCommon(*want, connect, token, extensionType, int32Param);
116 abilityms->BuildEventInfo(*want, int32Param);
117 abilityms->DisconnectAbility(connect);
118 abilityms->ConnectLocalAbility(*want, int32Param, connect, token, extensionType);
119 abilityms->ConnectRemoteAbility(*want, token, token);
120 abilityms->DisconnectLocalAbility(connect);
121 abilityms->DisconnectRemoteAbility(token);
122 AAFwk::WantParams wantParams;
123 abilityms->ContinueMission(stringParam, stringParam, int32Param, token, wantParams);
124 abilityms->ContinueAbility(stringParam, int32Param, uint32Param);
125 abilityms->StartContinuation(*want, token, int32Param);
126 abilityms->NotifyCompleteContinuation(stringParam, int32Param, boolParam);
127 abilityms->NotifyContinuationResult(int32Param, int32Param);
128 abilityms->StartSyncRemoteMissions(stringParam, boolParam, int64Param);
129 abilityms->StopSyncRemoteMissions(stringParam);
130 sptr<AbilityRuntime::IConnectionObserver> observer;
131 abilityms->RegisterObserver(observer);
132 abilityms->UnregisterObserver(observer);
133 std::vector<AbilityRuntime::DlpConnectionInfo> infos;
134 abilityms->GetDlpConnectionInfos(infos);
135
136 sptr<SessionInfo> extensionSessionInfo;
137 abilityms->StartUIExtensionAbility(extensionSessionInfo, int32Param);
138 extensionSessionInfo = new (std::nothrow) SessionInfo();
139 extensionSessionInfo->sessionToken = token;
140 extensionSessionInfo->callerToken = token;
141 extensionSessionInfo->persistentId = int32Param;
142 extensionSessionInfo->resultCode = int32Param;
143 extensionSessionInfo->requestCode = int32Param;
144 extensionSessionInfo->errorReason = stringParam;
145 extensionSessionInfo->errorCode = int32Param;
146 extensionSessionInfo->uiAbilityId = int64Param;
147 extensionSessionInfo->userId = int32Param;
148 extensionSessionInfo->state = CallToState::FOREGROUND;
149 extensionSessionInfo->want = *want;
150 abilityms->StartUIExtensionAbility(extensionSessionInfo, int32Param);
151
152 if (!want) {
153 delete want;
154 want = nullptr;
155 }
156
157 return true;
158 }
159 }
160
161 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)162 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
163 {
164 /* Run your code on data */
165 if (data == nullptr) {
166 return 0;
167 }
168
169 /* Validate the length of size */
170 if (size < OHOS::U32_AT_SIZE || size > OHOS::FOO_MAX_LEN) {
171 return 0;
172 }
173
174 char* ch = (char*)malloc(size + 1);
175 if (ch == nullptr) {
176 std::cout << "malloc failed." << std::endl;
177 return 0;
178 }
179
180 (void)memset_s(ch, size + 1, 0x00, size + 1);
181 if (memcpy_s(ch, size, data, size) != EOK) {
182 std::cout << "copy failed." << std::endl;
183 free(ch);
184 ch = nullptr;
185 return 0;
186 }
187
188 OHOS::DoSomethingInterestingWithMyAPI(ch, size);
189 free(ch);
190 ch = nullptr;
191 return 0;
192 }
193
194