1 /*
2 * Copyright (c) 2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include <iostream>
17 #include <cstddef>
18 #include <cstdint>
19 #include <atomic>
20 #include <thread>
21 #include "audio_policy_server.h"
22 #include "audio_concurrency_service.h"
23 #include "power_state_listener.h"
24 #include "audio_device_info.h"
25 #include "message_parcel.h"
26 #include "accesstoken_kit.h"
27 #include "audio_routing_manager.h"
28 #include "audio_stream_manager.h"
29 #include "nativetoken_kit.h"
30 #include "token_setproc.h"
31 #include "access_token.h"
32 using namespace std;
33
34 namespace OHOS {
35 namespace AudioStandard {
36 const int32_t LIMITSIZE = 4;
37 const int32_t SYSTEM_ABILITY_ID = 3009;
38 const bool RUN_ON_CREATE = false;
39 bool g_hasPermission = false;
40 bool g_hasServerInit = false;
41 static const uint8_t *RAW_DATA = nullptr;
42 static size_t g_dataSize = 0;
43 static size_t g_pos;
44 const size_t THRESHOLD = 10;
45
GetServerPtr()46 AudioPolicyServer *GetServerPtr()
47 {
48 static AudioPolicyServer server(SYSTEM_ABILITY_ID, RUN_ON_CREATE);
49 if (!g_hasServerInit) {
50 server.OnStart();
51 server.OnAddSystemAbility(AUDIO_DISTRIBUTED_SERVICE_ID, "");
52 #ifdef FEATURE_MULTIMODALINPUT_INPUT
53 server.OnAddSystemAbility(MULTIMODAL_INPUT_SERVICE_ID, "");
54 #endif
55 server.OnAddSystemAbility(BLUETOOTH_HOST_SYS_ABILITY_ID, "");
56 server.OnAddSystemAbility(POWER_MANAGER_SERVICE_ID, "");
57 server.OnAddSystemAbility(SUBSYS_ACCOUNT_SYS_ABILITY_ID_BEGIN, "");
58 server.audioPolicyService_.SetDefaultDeviceLoadFlag(true);
59 g_hasServerInit = true;
60 }
61 return &server;
62 }
63
AudioFuzzTestGetPermission()64 void AudioFuzzTestGetPermission()
65 {
66 if (!g_hasPermission) {
67 uint64_t tokenId;
68 constexpr int perNum = 10;
69 const char *perms[perNum] = {
70 "ohos.permission.MICROPHONE",
71 "ohos.permission.MANAGE_INTELLIGENT_VOICE",
72 "ohos.permission.MANAGE_AUDIO_CONFIG",
73 "ohos.permission.MICROPHONE_CONTROL",
74 "ohos.permission.MODIFY_AUDIO_SETTINGS",
75 "ohos.permission.ACCESS_NOTIFICATION_POLICY",
76 "ohos.permission.USE_BLUETOOTH",
77 "ohos.permission.CAPTURE_VOICE_DOWNLINK_AUDIO",
78 "ohos.permission.RECORD_VOICE_CALL",
79 "ohos.permission.MANAGE_SYSTEM_AUDIO_EFFECTS",
80 };
81
82 NativeTokenInfoParams infoInstance = {
83 .dcapsNum = 0,
84 .permsNum = 10,
85 .aclsNum = 0,
86 .dcaps = nullptr,
87 .perms = perms,
88 .acls = nullptr,
89 .processName = "audiofuzztest",
90 .aplStr = "system_basic",
91 };
92 tokenId = GetAccessTokenId(&infoInstance);
93 SetSelfTokenID(tokenId);
94 OHOS::Security::AccessToken::AccessTokenKit::ReloadNativeTokenInfo();
95 g_hasPermission = true;
96 }
97 }
98
99 /*
100 * describe: get data from outside untrusted data(RAW_DATA) which size is according to sizeof(T)
101 * tips: only support basic type
102 */
103 template<class T>
GetData()104 T GetData()
105 {
106 T object {};
107 size_t objectSize = sizeof(object);
108 if (RAW_DATA == nullptr || objectSize > g_dataSize - g_pos) {
109 return object;
110 }
111 errno_t ret = memcpy_s(&object, objectSize, RAW_DATA + g_pos, objectSize);
112 if (ret != EOK) {
113 return {};
114 }
115 g_pos += objectSize;
116 return object;
117 }
118
119 template<class T>
GetArrLength(T & arr)120 uint32_t GetArrLength(T& arr)
121 {
122 if (arr == nullptr) {
123 AUDIO_INFO_LOG("%{public}s: The array length is equal to 0", __func__);
124 return 0;
125 }
126 return sizeof(arr) / sizeof(arr[0]);
127 }
128
AudioConcurrencyServiceFuzzTest()129 void AudioConcurrencyServiceFuzzTest()
130 {
131 std::shared_ptr<AudioConcurrencyService> service = std::make_shared<AudioConcurrencyService>();
132 uint32_t sessionID = GetData<uint32_t>();
133 std::shared_ptr<AudioConcurrencyService::AudioConcurrencyDeathRecipient> concurrency =
134 std::make_shared<AudioConcurrencyService::AudioConcurrencyDeathRecipient>(service, sessionID);
135
136 wptr<IRemoteObject> remote;
137 concurrency->OnRemoteDied(remote);
138
139 std::shared_ptr<AudioConcurrencyCallback> callback;
140 auto samgr = SystemAbilityManagerClient::GetInstance().GetSystemAbilityManager();
141 sptr<IRemoteObject> object = samgr->GetSystemAbility(AUDIO_DISTRIBUTED_SERVICE_ID);
142 sptr<AudioConcurrencyService::AudioConcurrencyDeathRecipient> deathRecipient;
143 std::shared_ptr<AudioConcurrencyService::AudioConcurrencyClient> audioConcurrencyClient =
144 std::make_shared<AudioConcurrencyService::AudioConcurrencyClient>(callback, object, deathRecipient, sessionID);
145
146 service->SetAudioConcurrencyCallback(sessionID, object);
147 audioConcurrencyClient->OnConcedeStream();
148 }
149
AudioPowerStateListenerFuzzTest()150 void AudioPowerStateListenerFuzzTest()
151 {
152 sptr<AudioPolicyServer> audioPolicyServer;
153 sptr<PowerStateListenerStub> powerStub =
154 static_cast<sptr<PowerStateListenerStub>>(new(std::nothrow) PowerStateListener(audioPolicyServer));
155 uint32_t code = GetData<uint32_t>();
156 MessageParcel data;
157 MessageParcel reply;
158 MessageOption option;
159 powerStub->OnRemoteRequest(code, data, reply, option);
160 powerStub->OnSyncSleepCallbackStub(data);
161 powerStub->OnSyncWakeupCallbackStub(data);
162
163 GetServerPtr()->powerStateListener_->OnSyncSleep(true);
164 GetServerPtr()->powerStateListener_->OnSyncWakeup(true);
165
166 sptr<SyncHibernateListenerStub> syncStub =
167 static_cast<sptr<SyncHibernateListenerStub>>(new(std::nothrow) SyncHibernateListener(audioPolicyServer));
168 syncStub->OnRemoteRequest(code, data, reply, option);
169
170 GetServerPtr()->syncHibernateListener_->OnSyncHibernate();
171 GetServerPtr()->syncHibernateListener_->OnSyncWakeup(true);
172 }
173
174 typedef void (*TestFuncs[2])();
175
176 TestFuncs g_testFuncs = {
177 AudioConcurrencyServiceFuzzTest,
178 AudioPowerStateListenerFuzzTest,
179 };
180
FuzzTest(const uint8_t * rawData,size_t size)181 bool FuzzTest(const uint8_t* rawData, size_t size)
182 {
183 if (rawData == nullptr) {
184 return false;
185 }
186
187 // initialize data
188 RAW_DATA = rawData;
189 g_dataSize = size;
190 g_pos = 0;
191
192 uint32_t code = GetData<uint32_t>();
193 uint32_t len = GetArrLength(g_testFuncs);
194 if (len > 0) {
195 g_testFuncs[code % len]();
196 } else {
197 AUDIO_INFO_LOG("%{public}s: The len length is equal to 0", __func__);
198 }
199
200 return true;
201 }
202 } // namespace AudioStandard
203 } // namesapce OHOS
204
LLVMFuzzerInitialize(int * argc,char *** argv)205 extern "C" int LLVMFuzzerInitialize(int *argc, char ***argv)
206 {
207 OHOS::AudioStandard::AudioFuzzTestGetPermission();
208 return 0;
209 }
210
211 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)212 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
213 {
214 if (size < OHOS::AudioStandard::THRESHOLD) {
215 return 0;
216 }
217
218 OHOS::AudioStandard::FuzzTest(data, size);
219 return 0;
220 }