1 /*
2 * Copyright (c) 2023 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "data_collect_manager_fuzzer.h"
17
18 #include <string>
19
20 #include "data_collect_manager_callback_service.h"
21 #include "data_collect_manager_service.h"
22 #include "security_guard_log.h"
23
24
25 namespace OHOS::Security::SecurityGuard {
26 DataCollectManagerService g_service(DATA_COLLECT_MANAGER_SA_ID, true);
27 constexpr int32_t REMAINDER_VALUE = 9;
28 constexpr int32_t CMD_DATA_COLLECT_VALUE = 0;
29 constexpr int32_t CMD_DATA_REQUEST_VALUE = 1;
30 constexpr int32_t CMD_DATA_SUBSCRIBE = 2;
31 constexpr int32_t CMD_DATA_UNSUBSCRIBE_VALUE = 3;
32 constexpr int32_t CMD_SECURITY_EVENT_QUERY_VALUE = 4;
33 constexpr int32_t CMD_SECURITY_COLLECTOR_START = 5;
34 constexpr int32_t CMD_SECURITY_COLLECTOR_STOP = 6;
35 constexpr int32_t CMD_SECURITY_CONFIG_UPDATE = 7;
36 constexpr int32_t CMD_SECURITY_EVENT_CONFIG_QUERY = 8;
37
38 void OnRemoteCollectRequest(const uint8_t* data, size_t size, MessageParcel* datas,
39 MessageParcel* reply, MessageOption* option);
40 void OnRemoteRequestRequest(const uint8_t* data, size_t size, MessageParcel* datas,
41 MessageParcel* reply, MessageOption* option);
42 void OnRemoteSubscribeRequest(const uint8_t* data, size_t size, MessageParcel* datas,
43 MessageParcel* reply, MessageOption* option);
44 void OnRemoteUnsubscribeRequest(const uint8_t* data, size_t size, MessageParcel* datas,
45 MessageParcel* reply, MessageOption* option);
46 void OnRemoteSecurityEventQuery(const uint8_t* data, size_t size, MessageParcel* datas,
47 MessageParcel* reply, MessageOption* option);
48 void OnRemoteStart(const uint8_t* data, size_t size, MessageParcel* datas,
49 MessageParcel* reply, MessageOption* option);
50 void OnRemoteStop(const uint8_t* data, size_t size, MessageParcel* datas,
51 MessageParcel* reply, MessageOption* option);
52 void OnRemoteConfigUpdate(const uint8_t* data, size_t size, MessageParcel* datas,
53 MessageParcel* reply, MessageOption* option);
54 void OnRemoteSecurityEventConfigQuery(const uint8_t* data, size_t size, MessageParcel* datas,
55 MessageParcel* reply, MessageOption* option);
56
OnRemoteRequestFuzzTest(const uint8_t * data,size_t size)57 void OnRemoteRequestFuzzTest(const uint8_t* data, size_t size)
58 {
59 MessageParcel datas;
60 MessageParcel reply;
61 MessageOption option;
62 datas.WriteInterfaceToken(IDataCollectManager::GetDescriptor());
63 if (size % REMAINDER_VALUE == CMD_DATA_COLLECT_VALUE) {
64 // handle data collect cmd
65 OnRemoteCollectRequest(data, size, &datas, &reply, &option);
66 return;
67 } else if (size % REMAINDER_VALUE == CMD_DATA_REQUEST_VALUE) {
68 // handle data request cmd
69 OnRemoteRequestRequest(data, size, &datas, &reply, &option);
70 return;
71 } else if (size % REMAINDER_VALUE == CMD_DATA_SUBSCRIBE) {
72 // handle data subscribe cmd
73 OnRemoteSubscribeRequest(data, size, &datas, &reply, &option);
74 return;
75 } else if (size % REMAINDER_VALUE == CMD_DATA_UNSUBSCRIBE_VALUE) {
76 // handle data unsubscribe cmd
77 OnRemoteUnsubscribeRequest(data, size, &datas, &reply, &option);
78 return;
79 } else if (size % REMAINDER_VALUE == CMD_SECURITY_EVENT_QUERY_VALUE) {
80 // handle security event query cmd
81 OnRemoteSecurityEventQuery(data, size, &datas, &reply, &option);
82 return;
83 } else if (size % REMAINDER_VALUE == CMD_SECURITY_COLLECTOR_START) {
84 // handle collector start cmd
85 OnRemoteStart(data, size, &datas, &reply, &option);
86 return;
87 } else if (size % REMAINDER_VALUE == CMD_SECURITY_COLLECTOR_STOP) {
88 // handle collector stop cmd
89 OnRemoteStop(data, size, &datas, &reply, &option);
90 return;
91 } else if (size % REMAINDER_VALUE == CMD_SECURITY_CONFIG_UPDATE) {
92 // handle collector stop cmd
93 OnRemoteConfigUpdate(data, size, &datas, &reply, &option);
94 return;
95 } else if (size % REMAINDER_VALUE == CMD_SECURITY_EVENT_CONFIG_QUERY) {
96 // handle collector stop cmd
97 OnRemoteSecurityEventConfigQuery(data, size, &datas, &reply, &option);
98 return;
99 }
100 }
101
OnRemoteCollectRequest(const uint8_t * data,size_t size,MessageParcel * datas,MessageParcel * reply,MessageOption * option)102 void OnRemoteCollectRequest(const uint8_t* data, size_t size, MessageParcel* datas,
103 MessageParcel* reply, MessageOption* option)
104 {
105 if (data == nullptr || size < sizeof(int64_t)) {
106 return;
107 }
108 size_t offset = 0;
109 int64_t eventId = *(reinterpret_cast<const int64_t *>(data + offset));
110 offset += sizeof(int64_t);
111 std::string string(reinterpret_cast<const char *>(data + offset), size - offset);
112 datas->WriteInt64(eventId);
113 datas->WriteString(string);
114 datas->WriteString(string);
115 datas->WriteString(string);
116 g_service.OnRemoteRequest(DataCollectManagerStub::CMD_DATA_COLLECT, *datas, *reply, *option);
117 }
118
OnRemoteRequestRequest(const uint8_t * data,size_t size,MessageParcel * datas,MessageParcel * reply,MessageOption * option)119 void OnRemoteRequestRequest(const uint8_t* data, size_t size, MessageParcel* datas,
120 MessageParcel* reply, MessageOption* option)
121 {
122 if (data == nullptr) {
123 return;
124 }
125 std::string string(reinterpret_cast<const char *>(data), size);
126 datas->WriteString(string);
127 datas->WriteString(string);
128 RequestRiskDataCallback func = [] (std::string &devId, std::string &riskData, uint32_t status,
129 const std::string &errMsg) -> int32_t {
130 SGLOGI("DataCollectManagerCallbackService called");
131 return 0;
132 };
133 sptr<IRemoteObject> callback = new (std::nothrow) DataCollectManagerCallbackService(func);
134 datas->WriteRemoteObject(callback);
135 g_service.OnRemoteRequest(DataCollectManagerStub::CMD_DATA_REQUEST, *datas, *reply, *option);
136 }
137
OnRemoteSubscribeRequest(const uint8_t * data,size_t size,MessageParcel * datas,MessageParcel * reply,MessageOption * option)138 void OnRemoteSubscribeRequest(const uint8_t* data, size_t size, MessageParcel* datas,
139 MessageParcel* reply, MessageOption* option)
140 {
141 if (data == nullptr || size < sizeof(int64_t) + sizeof(int64_t)) {
142 return;
143 }
144 size_t offset = 0;
145 int64_t duration = *(reinterpret_cast<const int64_t *>(data + offset));
146 offset += sizeof(int64_t);
147 int64_t eventId = *(reinterpret_cast<const int64_t *>(data + offset));
148 offset += sizeof(int64_t);
149 std::string string(reinterpret_cast<const char *>(data + offset), size - offset);
150 SecurityCollector::Event event;
151 event.eventId = eventId;
152 event.version = string;
153 event.content = string;
154 event.extra = string;
155 SecurityCollector::SecurityCollectorSubscribeInfo subscriberInfo{event, duration, true};
156 RequestRiskDataCallback func = [] (std::string &devId, std::string &riskData, uint32_t status,
157 const std::string &errMsg) -> int32_t {
158 SGLOGI("DataCollectManagerCallbackService called");
159 return 0;
160 };
161 sptr<IRemoteObject> callback = new (std::nothrow) DataCollectManagerCallbackService(func);
162 datas->WriteRemoteObject(callback);
163 g_service.OnRemoteRequest(DataCollectManagerStub::CMD_DATA_SUBSCRIBE, *datas, *reply, *option);
164 }
165
OnRemoteUnsubscribeRequest(const uint8_t * data,size_t size,MessageParcel * datas,MessageParcel * reply,MessageOption * option)166 void OnRemoteUnsubscribeRequest(const uint8_t* data, size_t size, MessageParcel* datas,
167 MessageParcel* reply, MessageOption* option)
168 {
169 RequestRiskDataCallback func = [] (std::string &devId, std::string &riskData, uint32_t status,
170 const std::string &errMsg) -> int32_t {
171 SGLOGI("DataCollectManagerCallbackService called");
172 return 0;
173 };
174 if (data == nullptr || size < sizeof(int64_t) + sizeof(int64_t)) {
175 return;
176 }
177 size_t offset = 0;
178 int64_t duration = *(reinterpret_cast<const int64_t *>(data + offset));
179 offset += sizeof(int64_t);
180 int64_t eventId = *(reinterpret_cast<const int64_t *>(data + offset));
181 offset += sizeof(int64_t);
182 std::string string(reinterpret_cast<const char *>(data + offset), size - offset);
183 SecurityCollector::Event event;
184 event.eventId = eventId;
185 event.version = string;
186 event.content = string;
187 event.extra = string;
188 SecurityCollector::SecurityCollectorSubscribeInfo subscriberInfo{event, duration, true};
189 sptr<IRemoteObject> callback = new (std::nothrow) DataCollectManagerCallbackService(func);
190 datas->WriteRemoteObject(callback);
191 g_service.OnRemoteRequest(DataCollectManagerStub::CMD_DATA_UNSUBSCRIBE, *datas, *reply, *option);
192 }
193
OnRemoteSecurityEventQuery(const uint8_t * data,size_t size,MessageParcel * datas,MessageParcel * reply,MessageOption * option)194 void OnRemoteSecurityEventQuery(const uint8_t* data, size_t size, MessageParcel* datas,
195 MessageParcel* reply, MessageOption* option)
196 {
197 if (data == nullptr || size < sizeof(uint32_t) + sizeof(int64_t)) {
198 return;
199 }
200 size_t offset = 0;
201 uint32_t uint32 = *(reinterpret_cast<const uint32_t *>(data + offset));
202 offset += sizeof(uint32_t);
203 uint32_t rulerSize = uint32 >= MAX_QUERY_EVENT_SIZE ? MAX_QUERY_EVENT_SIZE : uint32;
204 datas->WriteUint32(rulerSize);
205 int64_t eventId = *(reinterpret_cast<const int64_t *>(data + offset));
206 offset += sizeof(int64_t);
207 std::string string(reinterpret_cast<const char *>(data + offset), size - offset);
208 for (uint32_t i = 0; i < rulerSize; i++) {
209 SecurityCollector::SecurityEventRuler ruler =
210 SecurityCollector::SecurityEventRuler(eventId, string, string, string);
211 datas->WriteParcelable(&ruler);
212 }
213 RequestRiskDataCallback func = [] (std::string &devId, std::string &riskData, uint32_t status,
214 const std::string &errMsg) -> int32_t {
215 SGLOGI("DataCollectManagerCallbackService called");
216 return 0;
217 };
218 sptr<IRemoteObject> callback = new (std::nothrow) DataCollectManagerCallbackService(func);
219 datas->WriteRemoteObject(callback);
220 g_service.OnRemoteRequest(DataCollectManagerStub::CMD_SECURITY_EVENT_QUERY, *datas, *reply, *option);
221 }
222
OnRemoteStart(const uint8_t * data,size_t size,MessageParcel * datas,MessageParcel * reply,MessageOption * option)223 void OnRemoteStart(const uint8_t* data, size_t size, MessageParcel* datas,
224 MessageParcel* reply, MessageOption* option)
225 {
226 if (data == nullptr || size < sizeof(int64_t) + sizeof(int64_t)) {
227 return;
228 }
229 size_t offset = 0;
230 int64_t duration = *(reinterpret_cast<const int64_t *>(data + offset));
231 offset += sizeof(int64_t);
232 int64_t eventId = *(reinterpret_cast<const int64_t *>(data + offset));
233 offset += sizeof(int64_t);
234 std::string string(reinterpret_cast<const char *>(data + offset), size - offset);
235 SecurityCollector::Event event;
236 event.eventId = eventId;
237 event.version = string;
238 event.content = string;
239 event.extra = string;
240 SecurityCollector::SecurityCollectorSubscribeInfo subscriberInfo{event, duration, true};
241 RequestRiskDataCallback func = [] (std::string &devId, std::string &riskData, uint32_t status,
242 const std::string &errMsg) -> int32_t {
243 SGLOGI("DataCollectManagerCallbackService called");
244 return 0;
245 };
246 sptr<IRemoteObject> callback = new (std::nothrow) DataCollectManagerCallbackService(func);
247 datas->WriteRemoteObject(callback);
248 g_service.OnRemoteRequest(DataCollectManagerStub::CMD_SECURITY_COLLECTOR_START, *datas, *reply, *option);
249 }
250
OnRemoteStop(const uint8_t * data,size_t size,MessageParcel * datas,MessageParcel * reply,MessageOption * option)251 void OnRemoteStop(const uint8_t* data, size_t size, MessageParcel* datas,
252 MessageParcel* reply, MessageOption* option)
253 {
254 if (data == nullptr || size < sizeof(int64_t) + sizeof(int64_t)) {
255 return;
256 }
257 size_t offset = 0;
258 int64_t duration = *(reinterpret_cast<const int64_t *>(data + offset));
259 offset += sizeof(int64_t);
260 int64_t eventId = *(reinterpret_cast<const int64_t *>(data + offset));
261 offset += sizeof(int64_t);
262 std::string string(reinterpret_cast<const char *>(data + offset), size - offset);
263 SecurityCollector::Event event;
264 event.eventId = eventId;
265 event.version = string;
266 event.content = string;
267 event.extra = string;
268 SecurityCollector::SecurityCollectorSubscribeInfo subscriberInfo{event, duration, true};
269 RequestRiskDataCallback func = [] (std::string &devId, std::string &riskData, uint32_t status,
270 const std::string &errMsg) -> int32_t {
271 SGLOGI("DataCollectManagerCallbackService called");
272 return 0;
273 };
274 sptr<IRemoteObject> callback = new (std::nothrow) DataCollectManagerCallbackService(func);
275 datas->WriteRemoteObject(callback);
276 g_service.OnRemoteRequest(DataCollectManagerStub::CMD_SECURITY_COLLECTOR_STOP, *datas, *reply, *option);
277 }
278
OnRemoteConfigUpdate(const uint8_t * data,size_t size,MessageParcel * datas,MessageParcel * reply,MessageOption * option)279 void OnRemoteConfigUpdate(const uint8_t* data, size_t size, MessageParcel* datas,
280 MessageParcel* reply, MessageOption* option)
281 {
282 int32_t fd = static_cast<int32_t>(size);
283 std::string fileName(reinterpret_cast<const char *>(data), size);
284 datas->WriteFileDescriptor(fd);
285 datas->WriteString(fileName);
286 g_service.OnRemoteRequest(DataCollectManagerStub::CMD_SECURITY_CONFIG_UPDATE, *datas, *reply, *option);
287 }
288
OnRemoteSecurityEventConfigQuery(const uint8_t * data,size_t size,MessageParcel * datas,MessageParcel * reply,MessageOption * option)289 void OnRemoteSecurityEventConfigQuery(const uint8_t* data, size_t size, MessageParcel* datas,
290 MessageParcel* reply, MessageOption* option)
291 {
292 RequestRiskDataCallback func = [] (std::string &devId, std::string &riskData, uint32_t status,
293 const std::string &errMsg) -> int32_t {
294 SGLOGI("DataCollectManagerCallbackService called");
295 return 0;
296 };
297 if (data == nullptr || size < sizeof(int64_t) + sizeof(int64_t)) {
298 return;
299 }
300 size_t offset = 0;
301 int64_t duration = *(reinterpret_cast<const int64_t *>(data + offset));
302 offset += sizeof(int64_t);
303 int64_t eventId = *(reinterpret_cast<const int64_t *>(data + offset));
304 offset += sizeof(int64_t);
305 std::string string(reinterpret_cast<const char *>(data + offset), size - offset);
306 SecurityCollector::Event event;
307 event.eventId = eventId;
308 event.version = string;
309 event.content = string;
310 event.extra = string;
311 SecurityCollector::SecurityCollectorSubscribeInfo subscriberInfo{event, duration, true};
312 sptr<IRemoteObject> callback = new (std::nothrow) DataCollectManagerCallbackService(func);
313 datas->WriteRemoteObject(callback);
314 g_service.OnRemoteRequest(DataCollectManagerStub::CMD_SECURITY_EVENT_CONFIG_QUERY, *datas, *reply, *option);
315 }
316
317 } // namespace OHOS::Security::SecurityGuard
318
319 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)320 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
321 {
322 /* Run your code on date */
323 OHOS::Security::SecurityGuard::OnRemoteRequestFuzzTest(data, size);
324 return 0;
325 }
326