1 /*
2  * Copyright (c) 2023 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  *     http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #include "systemabilityfwk_fuzzer.h"
17 
18 #include <cstddef>
19 #include <cstdint>
20 #include <cstdlib>
21 #include <fcntl.h>
22 #include <unistd.h>
23 
24 #define private public
25 #include "string_ex.h"
26 #include "local_ability_manager.h"
27 #include "sa_mock_permission.h"
28 #include "mock_sa_realize.h"
29 #include "securec.h"
30 #include "iservice_registry.h"
31 
32 namespace OHOS {
33 namespace Samgr {
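namespace {
// Inputs shorter than this many bytes are rejected by LLVMFuzzerTestOneInput.
constexpr size_t THRESHOLD = 10;
// FuzzSystemAbilityFwk reduces the fuzzed transaction code modulo this value.
constexpr uint8_t MAX_CALL_TRANSACTION = 16;
// Number of leading input bytes FuzzSystemAbilityFwk strips off for the transaction code.
constexpr int32_t OFFSET = 4;
// Argument passed to usleep() after each FuzzSystemAbilityFwk request (microseconds).
constexpr int32_t USLEEP_NUM = 200000;
// Bit shifts applied by ConvertToUint32 to bytes 0, 1 and 2 (byte 3 is not shifted).
constexpr int32_t SHIFT_FIRST = 24;
constexpr int32_t SHIFT_SECOND = 16;
constexpr int32_t SHIFT_THIRD = 8;
// Byte indices read by ConvertToUint32.
constexpr int32_t ZERO_NUM = 0;
constexpr int32_t FIRST_NUM = 1;
constexpr int32_t SECOND_NUM = 2;
constexpr int32_t THIRD_NUM = 3;
// Interface token written at the head of every MessageParcel built in this file.
const std::u16string LOCAL_ABILITY_MANAGER_INTERFACE_TOKEN = u"ohos.localabilitymanager.accessToken";
// Cursor state consumed by GetData<T>(): buffer start, buffer length and current read offset.
// Every Fuzz* helper that calls GetData resets all three before reading.
const uint8_t *g_baseFuzzData = nullptr;
size_t g_baseFuzzSize = 0;
// Initialised explicitly, like the two globals above, so the cursor's starting state is
// visible here rather than depending on implicit zero-initialisation.
size_t g_baseFuzzPos = 0;
}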
51 
/*
 * Reads the next sizeof(T) bytes of the current fuzz input as a T and advances the cursor.
 *
 * Returns a value-initialised T, leaving the cursor where it was, when no buffer is set,
 * when fewer than sizeof(T) bytes remain, or when memcpy_s reports a failure.
 */
template <class T> T GetData()
{
    const size_t need = sizeof(T);
    // The subtraction cannot wrap while g_baseFuzzPos <= g_baseFuzzSize; the cursor only moves
    // forward after this check has passed, so that holds as long as callers reset all three
    // globals together.
    const bool exhausted = (g_baseFuzzData == nullptr) || (need > g_baseFuzzSize - g_baseFuzzPos);
    T value{};
    if (exhausted) {
        return value;
    }
    if (memcpy_s(&value, need, g_baseFuzzData + g_baseFuzzPos, need) != EOK) {
        return {};
    }
    g_baseFuzzPos += need;
    return value;
}
66 
/*
 * Copies `size` raw bytes into a std::string. Embedded NUL bytes are kept because the
 * length is passed explicitly. A null pointer or a zero length yields an empty string.
 */
std::string BuildStringFromData(const uint8_t* data, size_t size)
{
    const bool hasBytes = (data != nullptr) && (size != 0);
    if (!hasBytes) {
        return std::string();
    }
    return std::string(reinterpret_cast<const char *>(data), size);
}
75 
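/*
 * Assembles the first four bytes at `ptr` into a uint32_t, most significant byte first.
 *
 * Returns 0 for a null pointer. There is no length parameter, so the caller must
 * guarantee that at least four bytes are readable at `ptr`.
 */
uint32_t ConvertToUint32(const uint8_t* ptr)
{
    if (ptr == nullptr) {
        return 0;
    }
    // Widen each byte to uint32_t before shifting. A bare uint8_t operand is promoted to
    // (signed) int, so shifting a byte >= 0x80 left by SHIFT_FIRST would push a bit into the
    // sign position; doing the arithmetic in unsigned keeps the result well defined.
    return (static_cast<uint32_t>(ptr[ZERO_NUM]) << SHIFT_FIRST) |
        (static_cast<uint32_t>(ptr[FIRST_NUM]) << SHIFT_SECOND) |
        (static_cast<uint32_t>(ptr[SECOND_NUM]) << SHIFT_THIRD) |
        static_cast<uint32_t>(ptr[THIRD_NUM]);
}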
84 
/*
 * Drives the ability-listener notification path with two fuzzed system ability ids,
 * then calls the add/remove callbacks of a freshly created SystemAbilityListener.
 */
void FuzzListener(const uint8_t* rawData, size_t size)
{
    SaMockPermission::MockPermission();

    // Point the GetData<T>() cursor at the start of this input.
    g_baseFuzzPos = 0;
    g_baseFuzzSize = size;
    g_baseFuzzData = rawData;

    int32_t saId = GetData<int32_t>();
    int32_t listenerId = GetData<int32_t>();
    LocalAbilityManager::GetInstance().NotifyAbilityListener(saId, listenerId, "test", 1);

    // The device id is a fixed literal; only the ability id comes from the input.
    sptr<ISystemAbilityStatusChange> statusListener = new LocalAbilityManager::SystemAbilityListener();
    statusListener->OnAddSystemAbility(saId, "deviceId");
    statusListener->OnRemoveSystemAbility(saId, "deviceId");
}
99 
/*
 * Exercises the timed-query and unused-ability bookkeeping of LocalAbilityManager with a
 * fuzzed system ability id and a fuzzed timeout.
 */
void FuzzStartTimedQuery(const uint8_t* rawData, size_t size)
{
    SaMockPermission::MockPermission();

    // Point the GetData<T>() cursor at the start of this input.
    g_baseFuzzPos = 0;
    g_baseFuzzSize = size;
    g_baseFuzzData = rawData;

    int32_t saId = GetData<int32_t>();
    LocalAbilityManager &manager = LocalAbilityManager::GetInstance();
    manager.StartTimedQuery();
    manager.IdentifyUnusedOndemand();
    manager.IdentifyUnusedResident();
    manager.NoNeedCheckUnused(saId);

    int32_t unusedTimeout = GetData<int32_t>();
    manager.LimitUnusedTimeout(saId, unusedTimeout);
    // unusedCfgMap_ is reachable only because this file compiles the headers with
    // `#define private public`. Erasing the entry keeps the singleton's map from
    // accumulating keys from one input to the next.
    manager.unusedCfgMap_.erase(saId);
}
115 
/*
 * Exercises the phase-task start-up path: one lookup by fuzzed ability id, then
 * StartPhaseTasks with an empty list and with a list holding a single null entry.
 */
void FuzzPhaseTasks(const uint8_t* rawData, size_t size)
{
    SaMockPermission::MockPermission();

    // Point the GetData<T>() cursor at the start of this input.
    g_baseFuzzPos = 0;
    g_baseFuzzSize = size;
    g_baseFuzzData = rawData;

    int32_t saId = GetData<int32_t>();
    LocalAbilityManager &manager = LocalAbilityManager::GetInstance();
    manager.FindAndStartPhaseTasks(saId);

    std::list<SystemAbility*> abilities;
    manager.StartPhaseTasks(abilities);
    // A null element checks that the callee tolerates an empty slot in the list.
    abilities.push_back(nullptr);
    manager.StartPhaseTasks(abilities);
    manager.WaitForTasks();
}
130 
/*
 * Calls SendStrategyToSA with a fuzzed type, system ability id, level and action string.
 */
void FuzzSendStrategyToSA(const uint8_t* rawData, size_t size)
{
    SaMockPermission::MockPermission();

    // Point the GetData<T>() cursor at the start of this input.
    g_baseFuzzPos = 0;
    g_baseFuzzSize = size;
    g_baseFuzzData = rawData;

    int32_t strategyType = GetData<int32_t>();
    int32_t saId = GetData<int32_t>();
    int32_t strategyLevel = GetData<int32_t>();
    // The action string is built from the whole input, so it overlaps the bytes already
    // consumed for the three integers above.
    std::string actionText = BuildStringFromData(rawData, size);
    LocalAbilityManager::GetInstance().SendStrategyToSA(strategyType, saId, strategyLevel, actionText);
}
143 
/*
 * Calls SystemAbilityExtProc with a fuzzed extension name and system ability id, passing
 * a default-constructed SystemAbilityExtensionPara as the callback.
 */
void FuzzSystemAbilityExtProc(const uint8_t* rawData, size_t size)
{
    SaMockPermission::MockPermission();

    // Point the GetData<T>() cursor at the start of this input.
    g_baseFuzzPos = 0;
    g_baseFuzzSize = size;
    g_baseFuzzData = rawData;

    int32_t saId = GetData<int32_t>();
    SystemAbilityExtensionPara extensionPara;
    // The extension name is built from the whole input, including the bytes already read
    // for the ability id.
    std::string extensionName = BuildStringFromData(rawData, size);
    LocalAbilityManager::GetInstance().SystemAbilityExtProc(extensionName, saId, &extensionPara);
}
155 
/*
 * Calls GetSaLastRequestTime for a fuzzed system ability id, using the proxy returned
 * by SystemAbilityManagerClient. The resulting timestamp is discarded.
 */
void FuzzGetSaLastRequestTime(const uint8_t* rawData, size_t size)
{
    SaMockPermission::MockPermission();

    // Point the GetData<T>() cursor at the start of this input.
    g_baseFuzzPos = 0;
    g_baseFuzzSize = size;
    g_baseFuzzData = rawData;

    int32_t saId = GetData<int32_t>();
    sptr<ISystemAbilityManager> samgr = SystemAbilityManagerClient::GetInstance().GetSystemAbilityManager();
    uint64_t requestTime = 0;
    LocalAbilityManager::GetInstance().GetSaLastRequestTime(samgr, saId, requestTime);
}
167 
/*
 * Walks a long sequence of LocalAbilityManager entry points with three fuzzed ability ids
 * and one fuzzed string that is reused as profile path, process name and event string.
 * The calls run in a fixed order because later ones operate on state left by earlier ones.
 */
void FuzzLocalAbilityManager(const uint8_t* rawData, size_t size)
{
    SaMockPermission::MockPermission();

    // Point the GetData<T>() cursor at the start of this input.
    g_baseFuzzPos = 0;
    g_baseFuzzSize = size;
    g_baseFuzzData = rawData;

    int32_t saId = GetData<int32_t>();
    int32_t listenId = GetData<int32_t>();
    int32_t dependId = GetData<int32_t>();
    std::vector<int32_t> dependencies = {dependId};

    // Three separate copies of the same bytes, one per role, so each callee gets its own string.
    std::string profilePath = BuildStringFromData(rawData, size);
    std::string procName = profilePath;
    std::string eventStr = profilePath;
    SaProfile profile = {Str8ToStr16(procName), saId};
    std::list<SaProfile> profiles = {profile};

    // NOTE(review): `mockAbility` comes from a raw new and is never deleted in this function.
    // Whether AddAbility/RemoveAbility take ownership is not visible here; confirm, because
    // the pointer is also handed to StartSystemAbilityTask and StartDependSaTask after
    // RemoveAbility has run.
    MockSaRealize *mockAbility = new MockSaRealize(saId, false);
    LocalAbilityManager &manager = LocalAbilityManager::GetInstance();

    // Registration, profile loading and trust check.
    manager.AddAbility(mockAbility);
    manager.DoStartSAProcess(profilePath, saId);
    manager.GetTraceTag(profilePath);
    manager.InitializeSaProfiles(saId);
    manager.CheckTrustSa(profilePath, procName, profiles);
    manager.RemoveAbility(saId);
    manager.GetRunningStatus(saId);

    // Listener bookkeeping, dependency checks and on-demand start/stop.
    manager.AddSystemAbilityListener(saId, listenId);
    manager.RemoveSystemAbilityListener(saId, listenId);
    manager.CheckDependencyStatus(dependencies);
    manager.StartSystemAbilityTask(mockAbility);
    manager.CheckSystemAbilityManagerReady();
    manager.InitSystemAbilityProfiles(profilePath, saId);
    manager.ClearResource();
    manager.StartOndemandSystemAbility(saId);
    manager.StopOndemandSystemAbility(saId);

    // Start/stop reasons (including null arguments) and the remaining lifecycle calls.
    manager.GetStartReason(saId);
    manager.GetStopReason(saId);
    manager.JsonToOnDemandReason(nullptr);
    manager.SetStartReason(saId, nullptr);
    manager.SetStopReason(saId, nullptr);
    manager.OnStartAbility(saId);
    manager.OnStopAbility(saId);
    manager.StartAbility(saId, eventStr);
    manager.StopAbility(saId, eventStr);
    manager.InitializeOnDemandSaProfile(saId);
    manager.InitializeSaProfilesInnerLocked(profile);
    manager.StartDependSaTask(mockAbility);
    manager.RegisterOnDemandSystemAbility(saId);
    manager.NeedRegisterOnDemand(profile, saId);
    manager.Run(saId);
    manager.AddLocalAbilityManager();
}
221 
/*
 * Sends an IPC_STAT_CMD_TRANSACTION request to LocalAbilityManager::OnRemoteRequest.
 * The parcel holds the interface token, a fuzzed file descriptor number and a fuzzed
 * command value.
 */
void FuzzIpcStatCmdProc(const uint8_t* rawData, size_t size)
{
    SaMockPermission::MockPermission();

    // Point the GetData<T>() cursor at the start of this input.
    g_baseFuzzPos = 0;
    g_baseFuzzSize = size;
    g_baseFuzzData = rawData;

    MessageParcel request;
    request.WriteInterfaceToken(LOCAL_ABILITY_MANAGER_INTERFACE_TOKEN);

    // NOTE(review): fdNumber is an arbitrary integer taken from the input, so it can happen
    // to name a descriptor the fuzzing process itself has open. What WriteFileDescriptor
    // and the handler do with it is not visible here; confirm the harness cannot end up
    // writing to its own stdio or corpus descriptors, or pass a scratch descriptor instead.
    int32_t fdNumber = GetData<int32_t>();
    request.WriteFileDescriptor(fdNumber);
    int32_t statCmd = GetData<int32_t>();
    request.WriteInt32(statCmd);

    MessageParcel reply;
    MessageOption option;
    const uint32_t transactionCode = static_cast<uint32_t>(SafwkInterfaceCode::IPC_STAT_CMD_TRANSACTION);
    LocalAbilityManager::GetInstance().OnRemoteRequest(transactionCode, request, reply, option);
}
239 
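/*
 * Sends one fuzzed request to LocalAbilityManager::OnRemoteRequest.
 *
 * The first OFFSET bytes select the transaction code (reduced modulo MAX_CALL_TRANSACTION).
 * The remaining bytes become the parcel payload after the interface token.
 * Inputs that are null or shorter than OFFSET bytes are ignored.
 */
void FuzzSystemAbilityFwk(const uint8_t* rawData, size_t size)
{
    // ConvertToUint32 reads OFFSET bytes unconditionally, and `size - OFFSET` wraps around to
    // a huge length for a shorter input. Check here rather than relying on the caller's
    // THRESHOLD test, so the helper is safe when called on its own.
    if ((rawData == nullptr) || (size < static_cast<size_t>(OFFSET))) {
        return;
    }
    SaMockPermission::MockPermission();
    uint32_t code = ConvertToUint32(rawData);
    rawData = rawData + OFFSET;
    size = size - OFFSET;
    MessageParcel data;
    data.WriteInterfaceToken(LOCAL_ABILITY_MANAGER_INTERFACE_TOKEN);
    data.WriteBuffer(rawData, size);
    // Move the read cursor back to the start so the handler parses from the interface token.
    data.RewindRead(0);
    MessageParcel reply;
    MessageOption option;
    LocalAbilityManager::GetInstance().OnRemoteRequest(code % MAX_CALL_TRANSACTION, data, reply, option);
    // Pause for USLEEP_NUM microseconds after each request; presumably this lets work the
    // handler queued finish before the next input. It also caps throughput. TODO confirm.
    usleep(USLEEP_NUM);
}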
255 }
256 }
257 
/*
 * Fuzzer entry point.
 *
 * Inputs shorter than THRESHOLD bytes are skipped. Every other input is fed, unchanged,
 * to each Fuzz* helper in the fixed order listed below. Always returns 0.
 */
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
{
    using FuzzTarget = void (*)(const uint8_t*, size_t);
    // The order matters: the helpers share the LocalAbilityManager singleton, so each one
    // runs against whatever state the previous ones left behind.
    static constexpr FuzzTarget TARGETS[] = {
        OHOS::Samgr::FuzzListener,
        OHOS::Samgr::FuzzStartTimedQuery,
        OHOS::Samgr::FuzzPhaseTasks,
        OHOS::Samgr::FuzzSendStrategyToSA,
        OHOS::Samgr::FuzzSystemAbilityExtProc,
        OHOS::Samgr::FuzzGetSaLastRequestTime,
        OHOS::Samgr::FuzzSystemAbilityFwk,
        OHOS::Samgr::FuzzIpcStatCmdProc,
        OHOS::Samgr::FuzzLocalAbilityManager,
    };

    if (size >= OHOS::Samgr::THRESHOLD) {
        for (FuzzTarget target : TARGETS) {
            target(data, size);
        }
    }
    return 0;
}