1 /*
2 * Copyright (c) 2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "data_collect_fuzzer.h"
17
18 #include <string>
19 #include <fuzzer/FuzzedDataProvider.h>
20 #include "securec.h"
21 #include <string_ex.h>
22
23 #define private public
24 #define protected public
25 #include "event_define.h"
26 #include "acquire_data_subscribe_manager.h"
27 #include "acquire_data_callback_proxy.h"
28 #include "data_collect_manager_callback_proxy.h"
29 #include "data_collect_manager_service.h"
30 #include "data_collect_manager_stub.h"
31 #include "security_event_query_callback_proxy.h"
32 #include "database_helper.h"
33 #include "database_manager.h"
34 #include "database.h"
35 #include "rdb_event_store_callback.h"
36 #include "risk_event_rdb_helper.h"
37 #include "store_define.h"
38 #undef private
39 #undef prtected
40
41 using namespace OHOS::Security::SecurityGuard;
42 namespace {
43 constexpr int MAX_STRING_SIZE = 1024;
44 }
45 namespace OHOS {
46 class MockRemoteObject final : public IRemoteObject {
47 public:
MockRemoteObject()48 MockRemoteObject() : IRemoteObject(u"")
49 {
50 }
GetObjectRefCount()51 int32_t GetObjectRefCount() { return 0; };
SendRequest(uint32_t code,MessageParcel & data,MessageParcel & reply,MessageOption & option)52 int SendRequest(uint32_t code, MessageParcel &data, MessageParcel &reply, MessageOption &option) { return 0; };
AddDeathRecipient(const sptr<DeathRecipient> & recipient)53 bool AddDeathRecipient(const sptr<DeathRecipient> &recipient) { return true; };
RemoveDeathRecipient(const sptr<DeathRecipient> & recipient)54 bool RemoveDeathRecipient(const sptr<DeathRecipient> &recipient) { return true; };
Dump(int fd,const std::vector<std::u16string> & args)55 int Dump(int fd, const std::vector<std::u16string> &args) { return 0; };
56 };
57
AcquireDataSubscribeManagerFuzzTest(const uint8_t * data,size_t size)58 bool AcquireDataSubscribeManagerFuzzTest(const uint8_t* data, size_t size)
59 {
60 if (data == nullptr || size < sizeof(int64_t)) {
61 return false;
62 }
63 FuzzedDataProvider fdp(data, size);
64 sptr<IRemoteObject> obj(new (std::nothrow) MockRemoteObject());
65 Security::SecurityCollector::Event event{fdp.ConsumeIntegral<int64_t>(),
66 fdp.ConsumeRandomLengthString(MAX_STRING_SIZE), fdp.ConsumeRandomLengthString(MAX_STRING_SIZE),
67 fdp.ConsumeRandomLengthString(MAX_STRING_SIZE)};
68 Security::SecurityCollector::SecurityCollectorSubscribeInfo subscribeInfo{event};
69 AcquireDataSubscribeManager::GetInstance().InsertSubscribeRecord(subscribeInfo, obj);
70 AcquireDataSubscribeManager::GetInstance().RemoveSubscribeRecord(subscribeInfo.GetEvent().eventId, obj);
71 AcquireDataSubscribeManager::GetInstance().BatchPublish(event);
72 AcquireDataSubscribeManager::GetInstance().SubscribeSc(fdp.ConsumeIntegral<int64_t>(), obj);
73 AcquireDataSubscribeManager::GetInstance().UnSubscribeSc(fdp.ConsumeIntegral<int64_t>());
74 AcquireDataSubscribeManager::GetInstance().SubscribeScInSg(fdp.ConsumeIntegral<int64_t>(), obj);
75 AcquireDataSubscribeManager::GetInstance().SubscribeScInSc(fdp.ConsumeIntegral<int64_t>(), obj);
76 SecurityEventFilter subscribeMute {};
77 subscribeMute.filter_.eventId = fdp.ConsumeIntegral<int64_t>();
78 subscribeMute.filter_.eventGroup = fdp.ConsumeRandomLengthString(MAX_STRING_SIZE);
79 subscribeMute.filter_.mutes.emplace_back(fdp.ConsumeRandomLengthString(MAX_STRING_SIZE));
80 AcquireDataSubscribeManager::GetInstance().InsertSubscribeMute(subscribeMute, obj,
81 fdp.ConsumeRandomLengthString(MAX_STRING_SIZE));
82 AcquireDataSubscribeManager::GetInstance().RemoveSubscribeMute(subscribeMute, obj,
83 fdp.ConsumeRandomLengthString(MAX_STRING_SIZE));
84 AcquireDataSubscribeManager::GetInstance().BatchUpload(obj, std::vector<Security::SecurityCollector::Event>{event});
85 AcquireDataSubscribeManager::GetInstance().RemoveSubscribeRecordOnRemoteDied(obj);
86 return true;
87 }
88
AcquireDataCallbackProxyFuzzTest(const uint8_t * data,size_t size)89 bool AcquireDataCallbackProxyFuzzTest(const uint8_t* data, size_t size)
90 {
91 if (data == nullptr || size < sizeof(int64_t)) {
92 return false;
93 }
94 size_t offset = 0;
95 int64_t eventId = *(reinterpret_cast<const int64_t *>(data));
96 offset += sizeof(int64_t);
97 std::string string(reinterpret_cast<const char*>(data + offset), size - offset);
98 Security::SecurityCollector::Event event{eventId, string, string, string};
99 sptr<IRemoteObject> obj(new (std::nothrow) MockRemoteObject());
100 AcquireDataCallbackProxy proxy{obj};
101 proxy.OnNotify({event});
102 return true;
103 }
104
DataCollectManagerCallbackProxyFuzzTest(const uint8_t * data,size_t size)105 bool DataCollectManagerCallbackProxyFuzzTest(const uint8_t* data, size_t size)
106 {
107 if (data == nullptr || size < sizeof(uint32_t)) {
108 return false;
109 }
110 size_t offset = 0;
111 uint32_t status = *(reinterpret_cast<const uint32_t *>(data));
112 offset += sizeof(uint32_t);
113 std::string string(reinterpret_cast<const char*>(data + offset), size - offset);
114 sptr<IRemoteObject> obj(new (std::nothrow) MockRemoteObject());
115 DataCollectManagerCallbackProxy proxy{obj};
116 proxy.ResponseRiskData(string, string, status);
117 return true;
118 }
119
DataCollectManagerServiceFuzzTest(const uint8_t * data,size_t size)120 bool DataCollectManagerServiceFuzzTest(const uint8_t* data, size_t size)
121 {
122 if (data == nullptr || size < sizeof(int32_t) + sizeof(int64_t)) {
123 return false;
124 }
125 size_t offset = 0;
126 int fd = static_cast<int32_t>(size);
127 offset += sizeof(int32_t);
128 int64_t eventId = *(reinterpret_cast<const int64_t *>(data));
129 offset += sizeof(int64_t);
130 std::string string(reinterpret_cast<const char*>(data + offset), size - offset);
131 std::vector<std::u16string> args{Str8ToStr16(string)};
132 Security::SecurityCollector::SecurityEventRuler ruler{eventId};
133 Security::SecurityCollector::Event event{eventId, string, string, string};
134 Security::SecurityCollector::SecurityCollectorSubscribeInfo subscribeInfo{event};
135 SecurityConfigUpdateInfo updateInfo{0};
136 RequestCondition condition;
137 sptr<IRemoteObject> obj(new (std::nothrow) MockRemoteObject());
138 auto proxy = iface_cast<ISecurityEventQueryCallback>(obj);
139 sptr<IRemoteObject> callback(new (std::nothrow) MockRemoteObject());
140 DataCollectManagerService service(DATA_COLLECT_MANAGER_SA_ID, false);
141 service.Dump(fd, args);
142 service.RequestDataSubmit(eventId, string, string, string);
143 service.OnAddSystemAbility(fd, string);
144 service.OnRemoveSystemAbility(fd, string);
145 service.QueryEventByRuler(proxy, ruler);
146 service.CollectorStart(subscribeInfo, callback);
147 service.CollectorStop(subscribeInfo, callback);
148 service.ConfigUpdate(updateInfo);
149 service.WriteRemoteFileToLocal(updateInfo, string);
150 DataCollectManagerService::GetSecEventsFromConditions(condition);
151 return true;
152 }
153
SecurityEventQueryCallbackProxyFuzzTest(const uint8_t * data,size_t size)154 bool SecurityEventQueryCallbackProxyFuzzTest(const uint8_t* data, size_t size)
155 {
156 if (data == nullptr || size < sizeof(int64_t)) {
157 return false;
158 }
159 size_t offset = 0;
160 sptr<IRemoteObject> obj(new (std::nothrow) MockRemoteObject());
161 SecurityEventQueryCallbackProxy proxy{obj};
162 int64_t eventId = *(reinterpret_cast<const int64_t *>(data));
163 offset += sizeof(int64_t);
164 std::string string(reinterpret_cast<const char*>(data + offset), size - offset);
165 Security::SecurityCollector::SecurityEvent event{eventId};
166 std::vector<Security::SecurityCollector::SecurityEvent> events{event};
167 proxy.OnQuery(events);
168 proxy.OnComplete();
169 proxy.OnError(string);
170 return true;
171 }
172
DatabaseHelperFuzzTest(const uint8_t * data,size_t size)173 bool DatabaseHelperFuzzTest(const uint8_t* data, size_t size)
174 {
175 if (data == nullptr || size < sizeof(int64_t)) {
176 return false;
177 }
178 size_t offset = 0;
179 int64_t eventId = *(reinterpret_cast<const int64_t *>(data));
180 offset += sizeof(int64_t);
181 std::vector<int64_t> eventIds{eventId};
182 std::string string(reinterpret_cast<const char*>(data + offset), size - offset);
183 DatabaseHelper helper{string};
184 SecEvent event = {
185 .eventId = eventId,
186 .version = string,
187 };
188 std::vector<SecEvent> events{event};
189 NativeRdb::ValuesBucket values{};
190 NativeRdb::RdbPredicates predicates{string};
191 helper.Init();
192 helper.InsertEvent(event);
193 helper.QueryAllEvent(events);
194 helper.QueryRecentEventByEventId(eventId, event);
195 helper.QueryRecentEventByEventId(eventIds, events);
196 helper.QueryEventByEventId(eventId, events);
197 helper.QueryEventByEventId(eventIds, events);
198 helper.QueryEventByEventIdAndDate(eventIds, events, string, string);
199 helper.QueryEventByEventType(eventId, events);
200 helper.QueryEventByLevel(eventId, events);
201 helper.QueryEventByOwner(string, events);
202 helper.CountAllEvent();
203 helper.CountEventByEventId(eventId);
204 helper.DeleteOldEventByEventId(eventId, eventId);
205 helper.DeleteAllEventByEventId(eventId);
206 helper.FlushAllEvent();
207 helper.QueryEventBase(predicates, events);
208 helper.CreateTable();
209 helper.SetValuesBucket(event, values);
210 helper.Release();
211 return true;
212 }
213
DatabaseManagerFuzzTest(const uint8_t * data,size_t size)214 bool DatabaseManagerFuzzTest(const uint8_t* data, size_t size)
215 {
216 if (data == nullptr || size < sizeof(uint32_t) + sizeof(int64_t)) {
217 return false;
218 }
219 size_t offset = 0;
220 uint32_t source = *(reinterpret_cast<const uint32_t *>(data));
221 offset += sizeof(uint32_t);
222 int64_t eventId = *(reinterpret_cast<const int64_t *>(data));
223 offset += sizeof(int64_t);
224 std::string string(reinterpret_cast<const char*>(data + offset), size - offset);
225 SecEvent event = {
226 .eventId = eventId,
227 .version = string,
228 };
229 std::vector<SecEvent> events{event};
230 int32_t tmp = static_cast<int32_t>(size);
231 std::vector<int64_t> eventIds{eventId};
232 sptr<IRemoteObject> obj(new (std::nothrow) MockRemoteObject());
233 DatabaseManager::GetInstance().InsertEvent(source, event);
234 DatabaseManager::GetInstance().QueryAllEvent(string, events);
235 DatabaseManager::GetInstance().QueryRecentEventByEventId(eventId, event);
236 DatabaseManager::GetInstance().QueryRecentEventByEventId(string, eventIds, events);
237 DatabaseManager::GetInstance().QueryEventByEventIdAndDate(string, eventIds, events, string, string);
238 DatabaseManager::GetInstance().QueryEventByEventId(eventId, events);
239 DatabaseManager::GetInstance().QueryEventByEventId(string, eventIds, events);
240 DatabaseManager::GetInstance().QueryEventByEventType(string, tmp, events);
241 DatabaseManager::GetInstance().QueryEventByLevel(string, tmp, events);
242 DatabaseManager::GetInstance().QueryEventByOwner(string, string, events);
243 DatabaseManager::GetInstance().CountAllEvent(string);
244 DatabaseManager::GetInstance().CountEventByEventId(eventId);
245 DatabaseManager::GetInstance().DeleteOldEventByEventId(eventId, eventId);
246 DatabaseManager::GetInstance().DeleteAllEventByEventId(eventId);
247 DatabaseManager::GetInstance().SubscribeDb(eventIds, nullptr);
248 DatabaseManager::GetInstance().UnSubscribeDb(eventIds, nullptr);
249 return true;
250 }
251
DatabaseFuzzTest(const uint8_t * data,size_t size)252 bool DatabaseFuzzTest(const uint8_t* data, size_t size)
253 {
254 if (data == nullptr || size < sizeof(int32_t) + sizeof(int64_t)) {
255 return false;
256 }
257 size_t offset = 0;
258 Database database{};
259 int32_t int32 = static_cast<int32_t>(size);
260 offset += sizeof(int32_t);
261 int64_t int64 = *(reinterpret_cast<const int64_t *>(data));
262 offset += sizeof(int64_t);
263 std::string string(reinterpret_cast<const char *>(data + offset), size - offset);
264 NativeRdb::RdbStoreConfig config{string};
265 NativeRdb::ValuesBucket value{};
266 NativeRdb::AbsRdbPredicates predicates{string};
267 std::vector<NativeRdb::ValuesBucket> values{value};
268 std::vector<std::string> columns{string};
269 database.Insert(int64, string, value);
270 database.BatchInsert(int64, string, values);
271 database.Update(int32, value, predicates);
272 database.Delete(int32, predicates);
273 database.Query(predicates, columns);
274 database.ExecuteSql(string);
275 database.ExecuteAndGetLong(int64, string);
276 database.Count(int64, predicates);
277 database.BeginTransaction();
278 database.RollBack();
279 database.Commit();
280 return true;
281 }
282
RiskEventRdbHelperFuzzTest()283 void RiskEventRdbHelperFuzzTest()
284 {
285 Security::SecurityGuard::RiskEventRdbHelper::GetInstance().Init();
286 }
287 } // namespace OHOS
288
LLVMFuzzerInitialize(int * argc,char *** argv)289 extern "C" int LLVMFuzzerInitialize(int *argc, char ***argv)
290 {
291 OHOS::RiskEventRdbHelperFuzzTest();
292 return 0;
293 }
294
295 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)296 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
297 {
298 /* Run your code on date */
299 OHOS::AcquireDataSubscribeManagerFuzzTest(data, size);
300 OHOS::DataCollectManagerCallbackProxyFuzzTest(data, size);
301 OHOS::DataCollectManagerServiceFuzzTest(data, size);
302 OHOS::SecurityEventQueryCallbackProxyFuzzTest(data, size);
303 OHOS::DatabaseHelperFuzzTest(data, size);
304 OHOS::DatabaseManagerFuzzTest(data, size);
305 OHOS::DatabaseFuzzTest(data, size);
306 return 0;
307 }