1 /*
2  * Copyright (c) 2024 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  *     http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #include "hcamera_device_fuzzer.h"
17 #include "camera_log.h"
18 #include "message_parcel.h"
19 #include <cstddef>
20 #include <cstdint>
21 #include <memory>
22 #include "token_setproc.h"
23 #include "nativetoken_kit.h"
24 #include "accesstoken_kit.h"
25 #include "securec.h"
26 #include "metadata_utils.h"
27 
28 namespace OHOS {
29 namespace CameraStandard {
30 using namespace OHOS::HDI::Camera::V1_0;
// Size limits applied to the fuzz input.
// The HCameraDeviceFuzzTest* methods return early unless
// MIN_SIZE_NUM <= g_dataSize <= MAX_CODE_LEN.
static constexpr int32_t MIN_SIZE_NUM = 4;
static constexpr int32_t MAX_CODE_LEN = 512;
// Inputs shorter than THRESHOLD bytes are dropped by LLVMFuzzerTestOneInput.
const size_t THRESHOLD = 10;

// Small numeric helpers. NUM_1 turns the last ErrorType enumerator into a count;
// NUM_10 and NUM_100 are the two arguments handed to the CameraMetadata constructor
// (presumably item and data capacity; confirm against metadata_utils.h).
static constexpr int32_t NUM_1 = 1;
const int NUM_10 = 10;
const int NUM_100 = 100;

// Cursor over the untrusted input of the current iteration. FuzzTest() re-seeds all
// three on entry; GetData() is the only reader and advances g_pos.
static const uint8_t* RAW_DATA = nullptr;
static size_t g_dataSize = 0;
static size_t g_pos;

// Device under test, shared by every HCameraDeviceFuzzTest* method; assigned in Test().
sptr<HCameraDevice> HCameraDeviceFuzzer::fuzz_{nullptr};
42 
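/*
 * Reads the next sizeof(T) bytes of the untrusted fuzz input (RAW_DATA) into a T and
 * advances the read cursor (g_pos) by that amount.
 *
 * Returns a value-initialized T, without advancing the cursor, when no input is
 * installed, when fewer than sizeof(T) bytes remain, or when memcpy_s reports an error.
 *
 * tips: only basic types are supported. The bytes are copied straight over the object,
 * so T must be safe to fill with arbitrary input bytes.
 */
template<class T>
T GetData()
{
    T object {};
    const size_t objectSize = sizeof(object);
    // g_dataSize - g_pos is unsigned: if the cursor were ever past the end, the difference
    // would wrap to a huge value and the size check alone would let the copy read out of
    // bounds. Reject that state explicitly before subtracting.
    if (RAW_DATA == nullptr || g_pos > g_dataSize || objectSize > g_dataSize - g_pos) {
        return object;
    }
    errno_t ret = memcpy_s(&object, objectSize, RAW_DATA + g_pos, objectSize);
    if (ret != EOK) {
        return {};
    }
    g_pos += objectSize;
    return object;
}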
62 
/*
 * Returns the element count of arr, computed as sizeof(arr) / sizeof(arr[0]).
 *
 * The quotient is a real element count only when T is an array type (as with
 * g_testFuncs). For a pointer T it would be sizeof(pointer) / sizeof(element), which
 * is not a length, so do not pass pointers here.
 * Logs and returns 0 when arr compares equal to nullptr.
 */
template<class T>
uint32_t GetArrLength(T& arr)
{
    if (arr != nullptr) {
        return sizeof(arr) / sizeof(arr[0]);
    }
    MEDIA_INFO_LOG("%{public}s: The array length is equal to 0", __func__);
    return 0;
}
72 
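/*
 * Exercises the settings, zoom, result-filter and device-open entry points of the
 * shared HCameraDevice (fuzz_), feeding them values pulled from the fuzz input.
 *
 * Does nothing unless an input is installed and its size lies in
 * [MIN_SIZE_NUM, MAX_CODE_LEN]. Expects fuzz_ to have been set by Test().
 */
void HCameraDeviceFuzzer::HCameraDeviceFuzzTest1()
{
    if ((RAW_DATA == nullptr) || (g_dataSize > MAX_CODE_LEN) || (g_dataSize < MIN_SIZE_NUM)) {
        return;
    }
    fuzz_->GetDeviceMuteMode();
    std::shared_ptr<OHOS::Camera::CameraMetadata> settings =
        std::make_shared<OHOS::Camera::CameraMetadata>(NUM_10, NUM_100);
    fuzz_->CreateMuteSetting(settings);
    fuzz_->DispatchDefaultSettingToHdi();
    fuzz_->CloneCachedSettings();
    // Start from a defined value: the callee receives a pointer, and nothing here
    // guarantees it writes the slot on every path before something reads it.
    uint64_t secureSeqId = 0;
    // The harness overwrites the caller token directly before querying the sequence id.
    fuzz_->callerToken_ = 1;
    fuzz_->GetSecureCameraSeq(&secureSeqId);
    // Read the element as int32_t, the vector's element type. Pulling a uint32_t into a
    // braced int32_t list is a narrowing conversion; the same four input bytes are used.
    std::vector<int32_t> results = {GetData<int32_t>()};
    fuzz_->GetEnabledResults(results);
    fuzz_->CheckZoomChange(settings);
    fuzz_->ResetZoomTimer();
    fuzz_->UnPrepareZoom();
    fuzz_->UpdateSetting(settings);
    uint8_t value = GetData<uint8_t>();
    fuzz_->SetUsedAsPosition(value);
    fuzz_->GetUsedAsPosition();
    fuzz_->UpdateSettingOnce(settings);
    // One fuzzed tag is reused for all three debug-log helpers.
    uint32_t tag = GetData<uint32_t>();
    fuzz_->DebugLogForSmoothZoom(settings, tag);
    fuzz_->DebugLogForAfRegions(settings, tag);
    fuzz_->DebugLogForAeRegions(settings, tag);
    fuzz_->RegisterFoldStatusListener();
    fuzz_->UnregisterFoldStatusListener();
    fuzz_->EnableResult(results);
    fuzz_->DisableResult(results);
    fuzz_->UpdateDeviceOpenLifeCycleSettings(settings);
    fuzz_->OpenDevice(true);
    fuzz_->CheckOnResultData(settings);
    fuzz_->ResetDeviceOpenLifeCycleSettings();
}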
110 
/*
 * Runs the close / permission / privacy / release / reopen sequence on the shared
 * HCameraDevice (fuzz_), then the metadata debug log and the resource-cost query.
 *
 * Only the operation mode comes from the fuzz input; the conflicting-camera set is fixed.
 * Does nothing unless an input is installed and its size lies in
 * [MIN_SIZE_NUM, MAX_CODE_LEN].
 */
void HCameraDeviceFuzzer::HCameraDeviceFuzzTest2()
{
    const bool inputUsable =
        (RAW_DATA != nullptr) && (g_dataSize >= MIN_SIZE_NUM) && (g_dataSize <= MAX_CODE_LEN);
    if (!inputUsable) {
        return;
    }

    // Tear-down and permission paths first, then bring the device back up.
    fuzz_->Close();
    fuzz_->CheckPermissionBeforeOpenDevice();
    fuzz_->HandlePrivacyBeforeOpenDevice();
    fuzz_->Release();
    fuzz_->OpenDevice(true);

    using Metadata = OHOS::Camera::CameraMetadata;
    std::shared_ptr<Metadata> settings = std::make_shared<Metadata>(NUM_10, NUM_100);
    fuzz_->ReportMetadataDebugLog(settings);

    int32_t operationMode = GetData<int32_t>();
    std::set<std::string> conflicting = {"fuzz1", "fuzz2"};
    fuzz_->GetCameraResourceCost(operationMode, conflicting);
}
128 
/*
 * Exercises identity queries, mute / moving-photo toggles, the open and secure-open
 * paths, the privacy handlers and the OnError / OnResult callbacks of the shared
 * HCameraDevice (fuzz_).
 *
 * Fuzzed values are pulled from the input in the order they are used below.
 * Does nothing unless an input is installed and its size lies in
 * [MIN_SIZE_NUM, MAX_CODE_LEN].
 */
void HCameraDeviceFuzzer::HCameraDeviceFuzzTest3()
{
    const bool inputUsable =
        (RAW_DATA != nullptr) && (g_dataSize >= MIN_SIZE_NUM) && (g_dataSize <= MAX_CODE_LEN);
    if (!inputUsable) {
        return;
    }

    fuzz_->GetCameraId();
    fuzz_->GetCameraType();
    fuzz_->IsOpenedCameraDevice();

    // Any odd value, positive or negative, maps to true.
    bool movingFlag = (GetData<int32_t>() % 2) != 0;
    fuzz_->EnableMovingPhoto(movingFlag);
    fuzz_->SetDeviceMuteMode(movingFlag);
    fuzz_->ResetDeviceSettings();
    fuzz_->DispatchDefaultSettingToHdi();
    fuzz_->ResetCachedSettings();
    fuzz_->GetDeviceAbility();
    fuzz_->Open();

    // The same fuzzed sequence id slot is handed to both secure-camera calls.
    uint64_t secureSeqId = GetData<uint64_t>();
    fuzz_->OpenSecureCamera(&secureSeqId);
    fuzz_->GetSecureCameraSeq(&secureSeqId);
    fuzz_->OpenDevice(movingFlag);
    fuzz_->HandleFoldableDevice();
    fuzz_->CheckPermissionBeforeOpenDevice();
    fuzz_->HandlePrivacyBeforeOpenDevice();
    fuzz_->HandlePrivacyWhenOpenDeviceFail();
    fuzz_->HandlePrivacyAfterCloseDevice();
    fuzz_->OpenDevice(true);
    fuzz_->CloseDevice();

    int32_t mode = GetData<int32_t>();
    fuzz_->CheckMovingPhotoSupported(mode);
    fuzz_->ResetZoomTimer();

    // Both metadata handles are deliberately empty when passed to GetStatus.
    using MetadataPtr = std::shared_ptr<OHOS::Camera::CameraMetadata>;
    MetadataPtr metaIn;
    MetadataPtr metaOut;
    fuzz_->GetStatus(metaIn, metaOut);

    int32_t errorMsg = GetData<int32_t>();
    // Fold the fuzzed byte into the range 0 .. CAMERA_UNKNOWN_ERROR before the enum cast.
    constexpr int32_t errorTypeCount = static_cast<int32_t>(CAMERA_UNKNOWN_ERROR) + NUM_1;
    const auto errorIndex = GetData<uint8_t>() % errorTypeCount;
    OHOS::HDI::Camera::V1_0::ErrorType selectedErrorType =
        static_cast<OHOS::HDI::Camera::V1_0::ErrorType>(errorIndex);
    fuzz_->OnError(selectedErrorType, errorMsg);

    // Fixed two-byte payload; OnResult is called once with a uint64_t first argument
    // and once with an int32_t first argument.
    std::vector<uint8_t> result = {0, 1};
    uint64_t timestamp = GetData<uint64_t>();
    int32_t streamId = GetData<int32_t>();
    fuzz_->OnResult(timestamp, result);
    fuzz_->OnResult(streamId, result);
}
173 
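/*
 * Exercises the moving-photo time callbacks, the caller-token getter and the
 * session / host-death / status notifications of the shared HCameraDevice (fuzz_).
 *
 * Does nothing unless an input is installed and its size lies in
 * [MIN_SIZE_NUM, MAX_CODE_LEN].
 */
void HCameraDeviceFuzzer::HCameraDeviceFuzzTest4()
{
    if ((RAW_DATA == nullptr) || (g_dataSize > MAX_CODE_LEN) || (g_dataSize < MIN_SIZE_NUM)) {
        return;
    }
    std::shared_ptr<OHOS::Camera::CameraMetadata> cameraResult =
        std::make_shared<OHOS::Camera::CameraMetadata>(NUM_10, NUM_100);
    // The same logging callback is installed for both the start-time and end-time hooks.
    std::function<void(int64_t, int64_t)> callback = [](int64_t start, int64_t end) {
        // %lld expects long long; int64_t is plain long on LP64 targets, so convert
        // explicitly instead of relying on the two types happening to match.
        MEDIA_INFO_LOG("Start: %lld, End: %lld\n",
            static_cast<long long>(start), static_cast<long long>(end));
    };
    fuzz_->SetMovingPhotoStartTimeCallback(callback);
    fuzz_->SetMovingPhotoEndTimeCallback(callback);
    fuzz_->GetMovingPhotoStartAndEndTime(cameraResult);
    fuzz_->GetCallerToken();
    bool running = GetData<bool>();
    fuzz_->NotifyCameraSessionStatus(running);
    fuzz_->RemoveResourceWhenHostDied();
    int32_t state = GetData<int32_t>();
    fuzz_->NotifyCameraStatus(state);
}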
194 
/*
 * Builds a fresh HCameraDevice for this iteration and runs the four sub-tests on it.
 *
 * The device gets a host manager constructed with nullptr, an empty camera id and a
 * calling token id taken from the fuzz input. It is stored in the static
 * HCameraDeviceFuzzer::fuzz_, replacing whatever a previous iteration left there.
 */
void Test()
{
    auto fuzzer = std::make_unique<HCameraDeviceFuzzer>();
    if (fuzzer == nullptr) {
        MEDIA_INFO_LOG("dcameraDevice is null");
        return;
    }

    sptr<HCameraHostManager> hostManager = new HCameraHostManager(nullptr);
    std::string cameraId;
    uint32_t callingTokenId = GetData<uint32_t>();

    // nothrow allocation: a failed allocation is reported through the macro below.
    HCameraDeviceFuzzer::fuzz_ = new (std::nothrow) HCameraDevice(hostManager, cameraId, callingTokenId);
    CHECK_ERROR_RETURN_LOG(!HCameraDeviceFuzzer::fuzz_, "CreateFuzz Error");

    fuzzer->HCameraDeviceFuzzTest1();
    fuzzer->HCameraDeviceFuzzTest2();
    fuzzer->HCameraDeviceFuzzTest3();
    fuzzer->HCameraDeviceFuzzTest4();
}
213 
// Dispatch table of harness entry points. FuzzTest() picks one slot per iteration from
// the first four input bytes; with a single entry every input ends up in Test().
using TestFuncs = void (*[1])();

TestFuncs g_testFuncs = { Test };
219 
/*
 * Installs rawData/size as the current fuzz input, resets the read cursor, and runs
 * one entry of g_testFuncs chosen by the first uint32_t of the input.
 *
 * Always returns true. rawData is not copied, so it must stay valid for the whole call.
 */
bool FuzzTest(const uint8_t* rawData, size_t size)
{
    // Re-seed the global cursor so GetData() starts at the first byte of this input.
    RAW_DATA = rawData;
    g_dataSize = size;
    g_pos = 0;

    const uint32_t selector = GetData<uint32_t>();
    const uint32_t funcCount = GetArrLength(g_testFuncs);
    if (funcCount == 0) {
        MEDIA_INFO_LOG("%{public}s: The len length is equal to 0", __func__);
        return true;
    }

    // The modulo keeps the index inside the table for any fuzzed selector value.
    g_testFuncs[selector % funcCount]();
    return true;
}
237 } // namespace CameraStandard
238 } // namespace OHOS
239 
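/*
 * Fuzzer entry point.
 *
 * Inputs shorter than THRESHOLD bytes are ignored; everything else is handed to
 * FuzzTest(). Always returns 0.
 *
 * The buffer is taken as const, matching the libFuzzer prototype and FuzzTest()'s own
 * parameter: the harness only reads the input and must not modify it.
 */
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
{
    if (size < OHOS::CameraStandard::THRESHOLD) {
        return 0;
    }

    OHOS::CameraStandard::FuzzTest(data, size);
    return 0;
}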