1 /*
2 * Copyright (c) 2022-2023 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "co_auth_service_fuzzer.h"
17
18 #include <cstdio>
19 #include "parcel.h"
20
21 #include "co_auth_service.h"
22 #include "executor_messenger_service.h"
23 #include "executor_callback_interface.h"
24 #include "mock_ipc_common.h"
25 #include "iam_fuzz_test.h"
26 #include "iam_logger.h"
27 #include "iam_ptr.h"
28
29 #define LOG_TAG "USER_AUTH_SA"
30
31 #undef private
32
33 using namespace std;
34 using namespace OHOS::UserIam::Common;
35 using namespace OHOS::UserIam::UserAuth;
36 using ExecutorRegisterInfo = CoAuthInterface::ExecutorRegisterInfo;
37
38 namespace OHOS {
39 namespace UserIam {
40 namespace CoAuth {
41 namespace {
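// Argument vocabulary used to build the argument list passed to CoAuthService::Dump.
// FuzzDump maps each fuzz byte onto one entry with `byte % CMD_LEN`, so that modulo is the
// only thing keeping a fuzz-derived index inside this array.
// NOTE(review): u"cified pid" looks like a truncated fragment of a longer help string; it is
// kept unchanged so existing corpus inputs still select the same strings.
const std::u16string cmd[] = {u"-h", u"-lc", u"-ls", u"-c", u"-c [base system]", u"-s", u"-s [SA0 SA1]",
    u"-s [SA] -a [-h]", u"-e", u"--net", u"--storage", u"-p", u"-p [pid]", u"--cpuusage [pid]", u"cified pid",
    u"--cpufreq", u"--mem [pid]", u"--zip", u"--mem-smaps pid [-v]"};

// Derived from the array instead of hand-counted: adding or removing an entry can no longer
// leave the bound stale and turn the modulo in FuzzDump into an out-of-bounds read.
const int CMD_LEN = static_cast<int>(sizeof(cmd) / sizeof(cmd[0]));
static_assert(sizeof(cmd) / sizeof(cmd[0]) > 0, "cmd must not be empty: CMD_LEN is used as a modulus");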
46
/**
 * Stub ExecutorCallbackInterface used by the harness.
 *
 * Every callback only logs and hands back a result code fixed at construction time, so the
 * fuzz input decides which result codes the service under test sees from its executor callback.
 */
class CoAuthServiceFuzzer : public ExecutorCallbackInterface {
public:
    /**
     * @param onBeginExecuteResult value returned by OnBeginExecute
     * @param onEndExecuteResult   value returned by OnEndExecute
     * @param onSetPropertyResult  value returned by OnSetProperty
     * @param onGetPropertyResult  value returned by OnGetProperty
     * @param onSendDataResult     value returned by OnSendData
     */
    CoAuthServiceFuzzer(int32_t onBeginExecuteResult, int32_t onEndExecuteResult, int32_t onSetPropertyResult,
        int32_t onGetPropertyResult, int32_t onSendDataResult)
        : onBeginExecuteResult_{onBeginExecuteResult},
          onEndExecuteResult_{onEndExecuteResult},
          onSetPropertyResult_{onSetPropertyResult},
          onGetPropertyResult_{onGetPropertyResult},
          onSendDataResult_{onSendDataResult}
    {
    }

    virtual ~CoAuthServiceFuzzer() = default;

    /** Logs only; the messenger, public key and template list are ignored. */
    void OnMessengerReady(sptr<ExecutorMessengerInterface> &messenger, const std::vector<uint8_t> &publicKey,
        const std::vector<uint64_t> &templateIdList) override
    {
        IAM_LOGI("start");
    }

    /** @return the result code configured for OnBeginExecute; arguments are ignored. */
    int32_t OnBeginExecute(uint64_t scheduleId, const std::vector<uint8_t> &publicKey,
        const Attributes &command) override
    {
        IAM_LOGI("start");
        return onBeginExecuteResult_;
    }

    /** @return the result code configured for OnEndExecute; arguments are ignored. */
    int32_t OnEndExecute(uint64_t scheduleId, const Attributes &command) override
    {
        IAM_LOGI("start");
        return onEndExecuteResult_;
    }

    /** @return the result code configured for OnSetProperty; the properties are ignored. */
    int32_t OnSetProperty(const Attributes &properties) override
    {
        IAM_LOGI("start");
        return onSetPropertyResult_;
    }

    /** @return the result code configured for OnGetProperty; `values` is left untouched. */
    int32_t OnGetProperty(const Attributes &condition, Attributes &values) override
    {
        IAM_LOGI("start");
        return onGetPropertyResult_;
    }

    /** @return the result code configured for OnSendData; arguments are ignored. */
    int32_t OnSendData(uint64_t scheduleId, const Attributes &data) override
    {
        IAM_LOGI("start");
        return onSendDataResult_;
    }

    /** @return always a null remote object: the stub is not backed by an IPC object. */
    sptr<IRemoteObject> AsObject() override
    {
        return sptr<IRemoteObject>(nullptr);
    }

private:
    // Canned result codes, one per callback. Declaration order matches the initializer list.
    int32_t onBeginExecuteResult_;
    int32_t onEndExecuteResult_;
    int32_t onSetPropertyResult_;
    int32_t onGetPropertyResult_;
    int32_t onSendDataResult_;
};
112
/**
 * Populate an ExecutorRegisterInfo from the fuzz parcel.
 *
 * Consumes, in this order: int32 authType, int32 executorRole, uint32 executorSensorHint,
 * uint32 executorMatcher, int32 esl, then the publicKey bytes via FillFuzzUint8Vector.
 * The enum fields are produced by casting raw integers without a range check, so the
 * service under test also receives values outside the declared enumerators.
 * NOTE(review): if these enums have no fixed underlying type, converting an out-of-range
 * value is undefined in C++17 - confirm their declarations.
 *
 * @param parcel       fuzz input, read sequentially
 * @param executorInfo structure to fill; every field assigned here is overwritten
 */
void FillFuzzExecutorRegisterInfo(Parcel &parcel, ExecutorRegisterInfo &executorInfo)
{
    const int32_t rawAuthType = parcel.ReadInt32();
    executorInfo.authType = static_cast<UserIam::UserAuth::AuthType>(rawAuthType);

    const int32_t rawExecutorRole = parcel.ReadInt32();
    executorInfo.executorRole = static_cast<UserIam::UserAuth::ExecutorRole>(rawExecutorRole);

    executorInfo.executorSensorHint = parcel.ReadUint32();
    executorInfo.executorMatcher = parcel.ReadUint32();

    const int32_t rawSecureLevel = parcel.ReadInt32();
    executorInfo.esl = static_cast<UserIam::UserAuth::ExecutorSecureLevel>(rawSecureLevel);

    FillFuzzUint8Vector(parcel, executorInfo.publicKey);
    IAM_LOGI("FillFuzzExecutorRegisterInfo success");
}
123
// Service instances shared by every fuzz target in this file; both are obtained once, during
// static initialization, and reused across all fuzz iterations.
// NOTE(review): the Fuzz* functions check executorMessengerService against nullptr before use
// but dereference g_coAuthService unconditionally - confirm GetInstance() cannot return null here.
std::shared_ptr<CoAuthService> g_coAuthService{CoAuthService::GetInstance()};
sptr<ExecutorMessengerService> executorMessengerService{ExecutorMessengerService::GetInstance()};
126
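/**
 * Fuzz CoAuthService::ExecutorRegister.
 *
 * Consumes, in order: the ExecutorRegisterInfo fields (see FillFuzzExecutorRegisterInfo), one
 * bool that decides whether a callback is supplied and, if so, five int32 result codes for the
 * stub callback.
 *
 * @param parcel fuzz input, read sequentially
 */
void FuzzRegister(Parcel &parcel)
{
    IAM_LOGI("FuzzRegister begin");
    ExecutorRegisterInfo executorInfo;
    FillFuzzExecutorRegisterInfo(parcel, executorInfo);
    sptr<ExecutorCallbackInterface> callback(nullptr);
    if (parcel.ReadBool()) {
        // Read the result codes one statement at a time. When the reads are written directly as
        // constructor arguments their evaluation order is unspecified, so the same corpus input
        // could map bytes to different callbacks depending on the compiler; a crash would then
        // not reproduce across toolchains.
        const int32_t beginExecuteResult = parcel.ReadInt32();
        const int32_t endExecuteResult = parcel.ReadInt32();
        const int32_t setPropertyResult = parcel.ReadInt32();
        const int32_t getPropertyResult = parcel.ReadInt32();
        const int32_t sendDataResult = parcel.ReadInt32();
        // new (std::nothrow) yields nullptr on allocation failure; callback then stays null,
        // which is the same value ExecutorRegister receives when no callback was requested.
        callback = sptr<ExecutorCallbackInterface>(new (std::nothrow) CoAuthServiceFuzzer(beginExecuteResult,
            endExecuteResult, setPropertyResult, getPropertyResult, sendDataResult));
    }
    g_coAuthService->ExecutorRegister(executorInfo, callback);
    IAM_LOGI("FuzzRegister end");
}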
141
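/**
 * Fuzz the lifecycle hooks and AddExecutorDeathRecipient of CoAuthService.
 *
 * Calls OnDriverStart, then AddExecutorDeathRecipient with fuzz-derived arguments, then OnStart
 * and OnStop. Consumes, in order: five int32 callback result codes, uint64 executorIndex,
 * int32 authType, int32 executorRole. The enum values are cast from raw integers without a
 * range check.
 *
 * @param parcel fuzz input, read sequentially
 */
void FuzzOther(Parcel &parcel)
{
    IAM_LOGI("begin");
    g_coAuthService->OnDriverStart();

    // Read the result codes one statement at a time. Written directly as call arguments, the
    // order of the five reads is unspecified, so one input could configure the stub differently
    // under different compilers and a finding would not reproduce.
    const int32_t beginExecuteResult = parcel.ReadInt32();
    const int32_t endExecuteResult = parcel.ReadInt32();
    const int32_t setPropertyResult = parcel.ReadInt32();
    const int32_t getPropertyResult = parcel.ReadInt32();
    const int32_t sendDataResult = parcel.ReadInt32();
    auto callback = Common::MakeShared<CoAuthServiceFuzzer>(beginExecuteResult, endExecuteResult,
        setPropertyResult, getPropertyResult, sendDataResult);

    uint64_t executorIndex = parcel.ReadUint64();
    AuthType authType = static_cast<AuthType>(parcel.ReadInt32());
    ExecutorRole executorRole = static_cast<ExecutorRole>(parcel.ReadInt32());
    // NOTE(review): callback is passed on without a null check - confirm how
    // AddExecutorDeathRecipient treats a null callback if MakeShared can fail.
    g_coAuthService->AddExecutorDeathRecipient(executorIndex, authType, executorRole, callback);
    g_coAuthService->OnStart();
    g_coAuthService->OnStop();
    IAM_LOGI("end");
}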
157
/**
 * Fuzz ExecutorMessengerService::SendData.
 *
 * Consumes, in order: uint64 scheduleId, int32 destination role (cast without a range check),
 * then the message bytes via FillFuzzUint8Vector. The call is skipped when the messenger
 * service instance is null.
 *
 * @param parcel fuzz input, read sequentially
 */
void FuzzSendData(Parcel &parcel)
{
    IAM_LOGI("FuzzSendData begin");
    const uint64_t fuzzScheduleId = parcel.ReadUint64();
    const auto fuzzDstRole = static_cast<ExecutorRole>(parcel.ReadInt32());
    std::vector<uint8_t> payload;
    Common::FillFuzzUint8Vector(parcel, payload);

    if (executorMessengerService == nullptr) {
        IAM_LOGI("FuzzSendData end");
        return;
    }
    executorMessengerService->SendData(fuzzScheduleId, fuzzDstRole, payload);
    IAM_LOGI("FuzzSendData end");
}
171
/**
 * Fuzz ExecutorMessengerService::Finish.
 *
 * Consumes, in order: uint64 scheduleId and int32 result code (cast without a range check).
 * The final-result Attributes object is default-constructed, not fuzz-filled. The call is
 * skipped when the messenger service instance is null.
 *
 * @param parcel fuzz input, read sequentially
 */
void FuzzFinish(Parcel &parcel)
{
    IAM_LOGI("FuzzFinish begin");
    const uint64_t fuzzScheduleId = parcel.ReadUint64();
    const auto fuzzResultCode = static_cast<ResultCode>(parcel.ReadInt32());
    auto emptyResult = Common::MakeShared<Attributes>();

    if (executorMessengerService == nullptr) {
        IAM_LOGI("FuzzFinish end");
        return;
    }
    executorMessengerService->Finish(fuzzScheduleId, fuzzResultCode, emptyResult);
    IAM_LOGI("FuzzFinish end");
}
184
/**
 * Fuzz CoAuthService::Dump with a fuzz-chosen argument list.
 *
 * Consumes, in order: a byte vector via FillFuzzUint8Vector and one int32. Each byte selects an
 * entry of `cmd` (byte % CMD_LEN); the int32 is only used to name a scratch file whose
 * descriptor is handed to Dump. Nothing is dumped when the scratch file cannot be opened.
 *
 * NOTE(review): the scratch file name comes from fuzz input and is opened with "w" relative to
 * the working directory, so an existing file with the same name would be truncated and then
 * removed; a crash inside Dump leaves the file behind. Confirm the harness runs in a disposable
 * directory.
 *
 * @param parcel fuzz input, read sequentially
 */
void FuzzDump(Parcel &parcel)
{
    IAM_LOGI("FuzzDump begin");
    std::vector<uint8_t> selectors;
    Common::FillFuzzUint8Vector(parcel, selectors);
    const int32_t nameSeed = parcel.ReadInt32();
    const std::string scratchPath = std::to_string(nameSeed) + ".txt";

    FILE *scratch = fopen(scratchPath.c_str(), "w");
    if (scratch == nullptr) {
        IAM_LOGI("FuzzDump end");
        return;
    }

    const int32_t dumpFd = fileno(scratch);
    std::vector<std::u16string> args;
    for (const uint8_t selector : selectors) {
        // The modulo keeps the fuzz-derived index inside the cmd table.
        args.push_back(cmd[selector % CMD_LEN]);
    }
    g_coAuthService->Dump(dumpFd, args);
    fclose(scratch);
    remove(scratchPath.c_str());
    IAM_LOGI("FuzzDump end");
}
205
/**
 * Invoke CoAuthService::NotifyFwkReady once.
 *
 * @param parcel unused; present so the function fits the shared FuzzFunc signature
 */
void FuzzNotifyFwkReady(Parcel &parcel)
{
    (void)parcel; // no fuzz data is consumed by this target
    IAM_LOGI("FuzzNotifyFwkReady begin");
    g_coAuthService->NotifyFwkReady();
    IAM_LOGI("FuzzNotifyFwkReady end");
}
212
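/**
 * Register and then unregister the access-token listener on CoAuthService.
 *
 * The begin/end log lines now name this function; they previously carried the
 * FuzzNotifyFwkReady text, which made the two targets indistinguishable when triaging a
 * crash from the harness log.
 *
 * @param parcel unused; present so the function fits the shared FuzzFunc signature
 */
void FuzzUnRegisterAccessTokenListener(Parcel &parcel)
{
    IAM_LOGI("FuzzUnRegisterAccessTokenListener begin");
    g_coAuthService->RegisterAccessTokenListener();
    g_coAuthService->UnRegisterAccessTokenListener();
    IAM_LOGI("FuzzUnRegisterAccessTokenListener end");
}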
220
// Signature shared by every fuzz target: it receives the parcel positioned just after the
// selector word that CoAuthFuzzTest has already consumed.
using FuzzFunc = void(Parcel &);

// Dispatch table indexed by `selector % table size` in CoAuthFuzzTest. The order is part of the
// corpus format: reordering or inserting entries changes which target an existing input reaches.
FuzzFunc *g_fuzzFuncs[] = {
    FuzzRegister,
    FuzzSendData,
    FuzzFinish,
    FuzzDump,
    FuzzOther,
    FuzzNotifyFwkReady,
    FuzzUnRegisterAccessTokenListener,
};
231
/**
 * Run one fuzz iteration: wrap the raw input in a Parcel and dispatch to one target.
 *
 * The first uint32 read from the parcel selects the target (modulo the table size), which keeps
 * the fuzz-derived index inside g_fuzzFuncs; the selected target reads the remaining data.
 *
 * @param data raw fuzzer input
 * @param size number of bytes in `data`
 */
void CoAuthFuzzTest(const uint8_t *data, size_t size)
{
    Parcel parcel;
    parcel.WriteBuffer(data, size);
    parcel.RewindRead(0);
    const uint32_t index = parcel.ReadUint32() % (sizeof(g_fuzzFuncs) / sizeof(FuzzFunc *));
    g_fuzzFuncs[index](parcel);
}
242 } // namespace
243 } // namespace CoAuth
244 } // namespace UserIam
245 } // namespace OHOS
246
247 /* Fuzzer entry point */
/**
 * libFuzzer entry point: forwards the input buffer to CoAuthFuzzTest.
 *
 * @param data raw fuzzer input
 * @param size number of bytes in `data`
 * @return always 0
 */
extern "C" int32_t LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    namespace CoAuthFuzz = OHOS::UserIam::CoAuth;
    CoAuthFuzz::CoAuthFuzzTest(data, size);
    return 0;
}
253