1 /*
2 * Copyright (c) 2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "cmsystemtrustedstore_fuzzer.h"
17
18 #include "cm_fuzz_test_common.h"
19 #include "cert_manager_api.h"
20 #include "cm_ipc_client_serialization.h"
21 #include "cm_ipc_service.h"
22 #include "cm_param.h"
23 #include "cert_manager_status.h"
24
25 using namespace CmFuzzTest;
26 namespace OHOS {
27 constexpr uint32_t MIN_DATA_USE_TIME = 6;
SetSysCertStatus(uint8_t * tmpData,uint32_t * remainSize,uint32_t * offset,struct CmBlob * keyUri)28 static bool SetSysCertStatus(uint8_t *tmpData, uint32_t *remainSize, uint32_t *offset, struct CmBlob *keyUri)
29 {
30 if (TenPercentChanceOfBeingTrue(tmpData, remainSize, offset)) {
31 if (!GetCmBlobFromBuffer(tmpData, remainSize, offset, keyUri)) {
32 return false;
33 }
34 }
35 uint32_t store = CM_SYSTEM_TRUSTED_STORE;
36 if (TenPercentChanceOfBeingTrue(tmpData, remainSize, offset)) {
37 if (!GetUintFromBuffer(tmpData, remainSize, offset, &store)) {
38 return false;
39 }
40 }
41
42 uint32_t state = CERT_STATUS_ENABLED;
43 if (TenPercentChanceOfBeingTrue(tmpData, remainSize, offset)) {
44 if (!GetUintFromBuffer(tmpData, remainSize, offset, &state)) {
45 return false;
46 }
47 }
48
49 struct CmParam params01[] = {
50 { .tag = CM_TAG_PARAM0_BUFFER, .blob = *keyUri },
51 { .tag = CM_TAG_PARAM0_UINT32, .uint32Param = store },
52 { .tag = CM_TAG_PARAM1_UINT32, .uint32Param = state },
53 };
54
55 struct CmParamSet *paramSet01 = nullptr;
56 int32_t ret = CmParamsToParamSet(¶ms01[0], CM_ARRAY_SIZE(params01), ¶mSet01);
57 if (ret != CM_SUCCESS) {
58 return false;
59 }
60 struct CmBlob paramSetBlob = { paramSet01->paramSetSize, reinterpret_cast<uint8_t*>(paramSet01) };
61 (void)CmIpcServiceSetCertStatus(¶mSetBlob, nullptr, nullptr);
62 CmFreeParamSet(¶mSet01);
63 return true;
64 }
65
GetAllSysCert(uint8_t * tmpData,uint32_t * remainSize,uint32_t * offset)66 static bool GetAllSysCert(uint8_t *tmpData, uint32_t *remainSize, uint32_t *offset)
67 {
68 uint32_t store = CM_SYSTEM_TRUSTED_STORE;
69 if (TenPercentChanceOfBeingTrue(tmpData, remainSize, offset)) {
70 if (!GetUintFromBuffer(tmpData, remainSize, offset, &store)) {
71 return false;
72 }
73 }
74 uint8_t *certListBlobData = reinterpret_cast<uint8_t *>(CmMalloc(CERT_LIST_LEN));
75 if (certListBlobData == nullptr) {
76 return false;
77 }
78 struct CmBlob certListBlob = { CERT_LIST_LEN, certListBlobData };
79 struct CmParam params02[] = {
80 { .tag = CM_TAG_PARAM0_UINT32, .uint32Param = store },
81 };
82 struct CmParamSet *paramSet02 = nullptr;
83 int32_t ret = CmParamsToParamSet(¶ms02[0], CM_ARRAY_SIZE(params02), ¶mSet02);
84 if (ret != CM_SUCCESS) {
85 CmFree(certListBlobData);
86 return false;
87 }
88 struct CmBlob paramSetBlob = { paramSet02->paramSetSize, reinterpret_cast<uint8_t*>(paramSet02) };
89 (void)CmIpcServiceGetCertificateList(¶mSetBlob, &certListBlob, nullptr);
90 CmFree(certListBlobData);
91 CmFreeParamSet(¶mSet02);
92 return true;
93 }
94
GetSysCert(uint8_t * tmpData,uint32_t * remainSize,uint32_t * offset,struct CmBlob * keyUri)95 static bool GetSysCert(uint8_t *tmpData, uint32_t *remainSize, uint32_t *offset, struct CmBlob *keyUri)
96 {
97 if (TenPercentChanceOfBeingTrue(tmpData, remainSize, offset)) {
98 if (!GetCmBlobFromBuffer(tmpData, remainSize, offset, keyUri)) {
99 return false;
100 }
101 }
102 uint32_t store = CM_SYSTEM_TRUSTED_STORE;
103 if (TenPercentChanceOfBeingTrue(tmpData, remainSize, offset)) {
104 if (!GetUintFromBuffer(tmpData, remainSize, offset, &store)) {
105 return false;
106 }
107 }
108 uint8_t *certInfoData = reinterpret_cast<uint8_t *>(CmMalloc(CERT_INFO_LEN));
109 if (certInfoData == nullptr) {
110 return false;
111 }
112 CmBlob certInfoBlob = { CERT_INFO_LEN, certInfoData };
113 struct CmParam params03[] = {
114 { .tag = CM_TAG_PARAM0_BUFFER, .blob = *keyUri },
115 { .tag = CM_TAG_PARAM0_UINT32, .uint32Param = store },
116 };
117 struct CmParamSet *paramSet03 = nullptr;
118 int32_t ret = CmParamsToParamSet(¶ms03[0], CM_ARRAY_SIZE(params03), ¶mSet03);
119 if (ret != CM_SUCCESS) {
120 CmFree(certInfoData);
121 return false;
122 }
123 struct CmBlob paramSetBlob = { paramSet03->paramSetSize, reinterpret_cast<uint8_t*>(paramSet03) };
124 (void)CmIpcServiceGetCertificateInfo(¶mSetBlob, &certInfoBlob, nullptr);
125 CmFree(certInfoData);
126 CmFreeParamSet(¶mSet03);
127 return true;
128 }
129
DoSomethingInterestingWithMyAPI(const uint8_t * data,size_t size)130 bool DoSomethingInterestingWithMyAPI(const uint8_t* data, size_t size)
131 {
132 uint8_t *tmpData = nullptr;
133 if (!CopyMyData(data, size, sizeof(uint32_t) * MIN_DATA_USE_TIME, &tmpData)) {
134 return false;
135 }
136
137 uint32_t remainSize = static_cast<uint32_t>(size);
138 uint32_t offset = 0;
139 SetATPermission();
140
141 bool ret = false;
142 uint8_t keyUriData[] = "1d3472b9.0";
143 struct CmBlob keyUri = { sizeof(keyUriData), &keyUriData[0] };
144
145 do {
146 if (!SetSysCertStatus(tmpData, &remainSize, &offset, &keyUri)) {
147 break;
148 }
149
150 if (!GetAllSysCert(tmpData, &remainSize, &offset)) {
151 break;
152 }
153
154 if (!GetSysCert(tmpData, &remainSize, &offset, &keyUri)) {
155 break;
156 }
157 ret = true;
158 } while (0);
159 CmFree(tmpData);
160 return ret;
161 }
162 }
163
164
165 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)166 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
167 {
168 /* Run your code on data */
169 OHOS::DoSomethingInterestingWithMyAPI(data, size);
170 return 0;
171 }
172
173