1 /*
2 * Copyright (c) 2022-2023 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "user_idm_service_fuzzer.h"
17
18 #include <cstdio>
19 #include "parcel.h"
20 #include "securec.h"
21
22 #include "iam_fuzz_test.h"
23 #include "iam_logger.h"
24 #include "iam_ptr.h"
25 #include "user_idm_service.h"
26 #include "user_idm_callback_proxy.h"
27 #include "dummy_iam_callback_interface.h"
28
29 #undef private
30
31 using namespace std;
32 using namespace OHOS::UserIam::Common;
33
34 #define LOG_TAG "USER_AUTH_SA"
35
36 namespace OHOS {
37 namespace UserIam {
38 namespace UserAuth {
39 namespace {
40 const int CMD_LEN = 19;
41 std::u16string cmd[] = {u"-h", u"-lc", u"-ls", u"-c", u"-c [base system]", u"-s", u"-s [SA0 SA1]", u"-s [SA] -a [-h]",
42 u"-e", u"--net", u"--storage", u"-p", u"-p [pid]", u"--cpuusage [pid]", u"cified pid", u"--cpufreq", u"--mem [pid]",
43 u"--zip", u"--mem-smaps pid [-v]"};
44
45 class DummyIdmGetCredentialInfoCallback : public IdmGetCredInfoCallbackInterface {
46 public:
OnCredentialInfos(int32_t result,const std::vector<CredentialInfo> & credInfoList)47 void OnCredentialInfos(int32_t result, const std::vector<CredentialInfo> &credInfoList) override
48 {
49 IAM_LOGI("start");
50 return;
51 }
52
AsObject()53 sptr<IRemoteObject> AsObject() override
54 {
55 sptr<IRemoteObject> tmp(nullptr);
56 return tmp;
57 }
58 };
59
60 class DummyIdmGetSecureUserInfoCallback : public IdmGetSecureUserInfoCallbackInterface {
61 public:
OnSecureUserInfo(int32_t result,const SecUserInfo & secUserInfo)62 void OnSecureUserInfo(int32_t result, const SecUserInfo &secUserInfo) override
63 {
64 IAM_LOGI("start");
65 return;
66 }
67
AsObject()68 sptr<IRemoteObject> AsObject() override
69 {
70 sptr<IRemoteObject> tmp(nullptr);
71 return tmp;
72 }
73 };
74
75 class DummyIdmCallback : public IdmCallbackInterface {
76 public:
OnResult(int32_t result,const Attributes & reqRet)77 void OnResult(int32_t result, const Attributes &reqRet) override
78 {
79 IAM_LOGI("start");
80 return;
81 }
82
OnAcquireInfo(int32_t module,int32_t acquire,const Attributes & reqRet)83 void OnAcquireInfo(int32_t module, int32_t acquire, const Attributes &reqRet) override
84 {
85 IAM_LOGI("start");
86 return;
87 }
88
AsObject()89 sptr<IRemoteObject> AsObject() override
90 {
91 sptr<IRemoteObject> tmp(nullptr);
92 return tmp;
93 }
94 };
95
GetFuzzOptionalUserId(Parcel & parcel)96 int32_t GetFuzzOptionalUserId(Parcel &parcel)
97 {
98 if (parcel.ReadBool()) {
99 return parcel.ReadInt32();
100 }
101 return 0;
102 }
103
GetFuzzIdmGetCredentialInfoCallback(Parcel & parcel)104 sptr<IdmGetCredInfoCallbackInterface> GetFuzzIdmGetCredentialInfoCallback(Parcel &parcel)
105 {
106 sptr<IdmGetCredInfoCallbackInterface> tmp(nullptr);
107 if (parcel.ReadBool()) {
108 tmp = sptr<IdmGetCredInfoCallbackInterface>(new (std::nothrow) DummyIdmGetCredentialInfoCallback());
109 }
110 return tmp;
111 }
112
GetFuzzIdmGetSecureUserInfoCallback(Parcel & parcel)113 sptr<IdmGetSecureUserInfoCallbackInterface> GetFuzzIdmGetSecureUserInfoCallback(Parcel &parcel)
114 {
115 sptr<IdmGetSecureUserInfoCallbackInterface> tmp(nullptr);
116 if (parcel.ReadBool()) {
117 tmp = sptr<IdmGetSecureUserInfoCallbackInterface>(new (std::nothrow) DummyIdmGetSecureUserInfoCallback());
118 }
119 return tmp;
120 }
121
GetFuzzIdmCallback(Parcel & parcel)122 sptr<IdmCallbackInterface> GetFuzzIdmCallback(Parcel &parcel)
123 {
124 sptr<IdmCallbackInterface> tmp(nullptr);
125 if (parcel.ReadBool()) {
126 tmp = sptr<IdmCallbackInterface>(new (std::nothrow) DummyIdmCallback());
127 }
128 return tmp;
129 }
130
131 UserIdmService g_UserIdmService(SUBSYS_USERIAM_SYS_ABILITY_USERIDM, true);
132
FuzzOpenSession(Parcel & parcel)133 void FuzzOpenSession(Parcel &parcel)
134 {
135 IAM_LOGI("begin");
136 int32_t userId = GetFuzzOptionalUserId(parcel);
137 std::vector<uint8_t> challenge;
138 FillFuzzUint8Vector(parcel, challenge);
139 g_UserIdmService.OpenSession(userId, challenge);
140 IAM_LOGI("end");
141 }
142
FuzzCloseSession(Parcel & parcel)143 void FuzzCloseSession(Parcel &parcel)
144 {
145 IAM_LOGI("begin");
146 int32_t userId = GetFuzzOptionalUserId(parcel);
147 g_UserIdmService.CloseSession(userId);
148 IAM_LOGI("end");
149 }
150
FuzzGetCredentialInfo(Parcel & parcel)151 void FuzzGetCredentialInfo(Parcel &parcel)
152 {
153 IAM_LOGI("begin");
154 int32_t userId = GetFuzzOptionalUserId(parcel);
155 AuthType authType = static_cast<AuthType>(parcel.ReadUint32());
156 sptr<IdmGetCredInfoCallbackInterface> callback = GetFuzzIdmGetCredentialInfoCallback(parcel);
157 g_UserIdmService.GetCredentialInfo(userId, authType, callback);
158 IAM_LOGI("end");
159 }
160
FuzzGetSecInfo(Parcel & parcel)161 void FuzzGetSecInfo(Parcel &parcel)
162 {
163 IAM_LOGI("begin");
164 int32_t userId = GetFuzzOptionalUserId(parcel);
165 sptr<IdmGetSecureUserInfoCallbackInterface> callback = GetFuzzIdmGetSecureUserInfoCallback(parcel);
166 g_UserIdmService.GetSecInfo(userId, callback);
167 IAM_LOGI("end");
168 }
169
FuzzAddCredential(Parcel & parcel)170 void FuzzAddCredential(Parcel &parcel)
171 {
172 IAM_LOGI("begin");
173 int32_t userId = parcel.ReadInt32();
174 UserIdmInterface::CredentialPara para = {};
175 para.authType = static_cast<AuthType>(parcel.ReadInt32());
176 para.pinType = static_cast<PinSubType>(parcel.ReadInt32());
177 FillFuzzUint8Vector(parcel, para.token);
178 sptr<IdmCallbackInterface> callback = GetFuzzIdmCallback(parcel);
179 g_UserIdmService.AddCredential(userId, para, callback, false);
180 IAM_LOGI("end");
181 }
182
FuzzUpdateCredential(Parcel & parcel)183 void FuzzUpdateCredential(Parcel &parcel)
184 {
185 IAM_LOGI("begin");
186 int32_t userId = parcel.ReadInt32();
187 UserIdmInterface::CredentialPara para = {};
188 para.authType = static_cast<AuthType>(parcel.ReadInt32());
189 para.pinType = static_cast<PinSubType>(parcel.ReadInt32());
190 FillFuzzUint8Vector(parcel, para.token);
191 sptr<IdmCallbackInterface> callback = GetFuzzIdmCallback(parcel);
192 g_UserIdmService.UpdateCredential(userId, para, callback);
193 IAM_LOGI("end");
194 }
195
FuzzCancel(Parcel & parcel)196 void FuzzCancel(Parcel &parcel)
197 {
198 IAM_LOGI("begin");
199 int32_t userId = parcel.ReadInt32();
200 g_UserIdmService.Cancel(userId);
201 IAM_LOGI("end");
202 }
203
FuzzEnforceDelUser(Parcel & parcel)204 void FuzzEnforceDelUser(Parcel &parcel)
205 {
206 IAM_LOGI("begin");
207 int32_t userId = parcel.ReadInt32();
208 sptr<IdmCallbackInterface> callback = GetFuzzIdmCallback(parcel);
209 g_UserIdmService.EnforceDelUser(userId, callback);
210 IAM_LOGI("end");
211 }
212
FuzzDelUser(Parcel & parcel)213 void FuzzDelUser(Parcel &parcel)
214 {
215 IAM_LOGI("begin");
216 int32_t userId = parcel.ReadInt32();
217 std::vector<uint8_t> authToken;
218 FillFuzzUint8Vector(parcel, authToken);
219 sptr<IdmCallbackInterface> callback = GetFuzzIdmCallback(parcel);
220 g_UserIdmService.DelUser(userId, authToken, callback);
221 IAM_LOGI("end");
222 }
223
FuzzDump(Parcel & parcel)224 void FuzzDump(Parcel &parcel)
225 {
226 IAM_LOGI("FuzzDump begin");
227 std::vector<uint8_t> msg;
228 Common::FillFuzzUint8Vector(parcel, msg);
229 int32_t fd = parcel.ReadInt32();
230 std::string fileName = to_string(fd) + ".txt";
231 FILE *file = fopen(fileName.c_str(), "w");
232 if (file != nullptr) {
233 fd = fileno(file);
234 std::vector<std::u16string> args;
235 for (uint32_t i = 0; i < msg.size(); i++) {
236 args.push_back(cmd[msg[i] % CMD_LEN]);
237 }
238 g_UserIdmService.Dump(fd, args);
239 fclose(file);
240 remove(fileName.c_str());
241 }
242 IAM_LOGI("FuzzDump end");
243 }
244
DelCredential(Parcel & parcel)245 void DelCredential(Parcel &parcel)
246 {
247 IAM_LOGI("begin");
248 int32_t userId = parcel.ReadInt32();
249 uint64_t credentialId = parcel.ReadUint64();
250 std::vector<uint8_t> authToken;
251 FillFuzzUint8Vector(parcel, authToken);
252 sptr<IdmCallbackInterface> callback = GetFuzzIdmCallback(parcel);
253 g_UserIdmService.DelCredential(userId, credentialId, authToken, callback);
254 IAM_LOGI("end");
255 }
256
FuzzClearRedundancyCredential(Parcel & parcel)257 void FuzzClearRedundancyCredential(Parcel &parcel)
258 {
259 IAM_LOGI("begin");
260 sptr<IdmCallbackInterface> callback = GetFuzzIdmCallback(parcel);
261 g_UserIdmService.ClearRedundancyCredential(callback);
262 IAM_LOGI("end");
263 }
264
FuzzClearRedundancyCredentialInner(Parcel & parcel)265 void FuzzClearRedundancyCredentialInner(Parcel &parcel)
266 {
267 IAM_LOGI("begin");
268 std::string callerName = parcel.ReadString();
269 int32_t callerType = parcel.ReadInt32();
270 g_UserIdmService.ClearRedundancyCredentialInner(callerName, callerType);
271 IAM_LOGI("end");
272 }
273
FuzzEnforceDelUserInner(Parcel & parcel)274 void FuzzEnforceDelUserInner(Parcel &parcel)
275 {
276 IAM_LOGI("begin");
277 int32_t userId = 100;
278 sptr<IamCallbackInterface> iamCallback = sptr<IamCallbackInterface>(new (nothrow) DummyIamCallbackInterface);
279 std::shared_ptr<ContextCallback> callbackForTrace =
280 ContextCallback::NewInstance(iamCallback, TRACE_ENFORCE_DELETE_USER);
281 std::string changeReasonTrace = parcel.ReadString();
282 g_UserIdmService.EnforceDelUserInner(userId, callbackForTrace, changeReasonTrace);
283 IAM_LOGI("end");
284 }
285
FuzzCancelCurrentEnroll(Parcel & parcel)286 void FuzzCancelCurrentEnroll(Parcel &parcel)
287 {
288 IAM_LOGI("begin");
289 g_UserIdmService.CancelCurrentEnroll();
290 g_UserIdmService.CancelCurrentEnrollIfExist();
291 IAM_LOGI("end");
292 }
293
FuzzStartEnroll(Parcel & parcel)294 void FuzzStartEnroll(Parcel &parcel)
295 {
296 IAM_LOGI("begin");
297 Enrollment::EnrollmentPara para = {};
298 sptr<IamCallbackInterface> iamCallback = sptr<IamCallbackInterface>(new (nothrow) DummyIamCallbackInterface);
299 std::shared_ptr<ContextCallback> contextCallback = ContextCallback::NewInstance(iamCallback, TRACE_ADD_CREDENTIAL);
300 Attributes extraInfo;
301 g_UserIdmService.StartEnroll(para, contextCallback, extraInfo, true);
302 IAM_LOGI("end");
303 }
304
305 using FuzzFunc = decltype(FuzzOpenSession);
306 FuzzFunc *g_fuzzFuncs[] = {
307 FuzzOpenSession,
308 FuzzCloseSession,
309 FuzzGetCredentialInfo,
310 FuzzGetSecInfo,
311 FuzzAddCredential,
312 FuzzUpdateCredential,
313 FuzzCancel,
314 FuzzEnforceDelUser,
315 FuzzDelUser,
316 DelCredential,
317 FuzzDump,
318 FuzzClearRedundancyCredential,
319 FuzzClearRedundancyCredentialInner,
320 FuzzEnforceDelUserInner,
321 FuzzCancelCurrentEnroll,
322 FuzzStartEnroll,
323 };
324
UserIdmFuzzTest(const uint8_t * data,size_t size)325 void UserIdmFuzzTest(const uint8_t *data, size_t size)
326 {
327 Parcel parcel;
328 parcel.WriteBuffer(data, size);
329 parcel.RewindRead(0);
330 uint32_t index = parcel.ReadUint32() % (sizeof(g_fuzzFuncs) / sizeof(FuzzFunc *));
331 auto fuzzFunc = g_fuzzFuncs[index];
332 fuzzFunc(parcel);
333 return;
334 }
335 } // namespace
336 } // namespace UserAuth
337 } // namespace UserIam
338 } // namespace OHOS
339
340 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)341 extern "C" int32_t LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
342 {
343 OHOS::UserIam::UserAuth::UserIdmFuzzTest(data, size);
344 return 0;
345 }
346