1 /*
2 * Copyright (c) 2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "samgrdumper_fuzzer.h"
17
18 #define private public
19 #include "system_ability_manager.h"
20 #include "system_ability_manager_dumper.h"
21 #include "schedule/system_ability_state_scheduler.h"
22 #include "sam_mock_permission.h"
23 #include "sa_status_change_mock.h"
24 #include "securec.h"
25
26 namespace OHOS {
27 namespace Samgr {
28 namespace {
29 constexpr size_t THRESHOLD = 10;
30 constexpr const char* HIDUMPER_PROCESS_NAME = "hidumper_service";
31 const uint8_t *g_baseFuzzData = nullptr;
32 size_t g_baseFuzzSize = 0;
33 size_t g_baseFuzzPos;
34 constexpr int32_t SAID = 1493;
35 }
36
GetData()37 template <class T> T GetData()
38 {
39 T object{};
40 size_t objectSize = sizeof(object);
41 if (g_baseFuzzData == nullptr || objectSize > g_baseFuzzSize - g_baseFuzzPos) {
42 return object;
43 }
44 errno_t ret = memcpy_s(&object, objectSize, g_baseFuzzData + g_baseFuzzPos, objectSize);
45 if (ret != EOK) {
46 return {};
47 }
48 g_baseFuzzPos += objectSize;
49 return object;
50 }
51
BuildInt32FromData(const uint8_t * data,size_t size)52 int32_t BuildInt32FromData(const uint8_t* data, size_t size)
53 {
54 if ((data == nullptr) || (size < sizeof(int32_t))) {
55 return 0;
56 }
57 int32_t int32Val = *reinterpret_cast<const int32_t *>(data);
58 return int32Val;
59 }
60
BuildStringFromData(const uint8_t * data,size_t size)61 std::string BuildStringFromData(const uint8_t* data, size_t size)
62 {
63 if ((data == nullptr) || (size == 0)) {
64 return "";
65 }
66 std::string strVal(reinterpret_cast<const char *>(data), size);
67 return strVal;
68 }
69
SamgrDumperFuzzTest(const uint8_t * data,size_t size)70 void SamgrDumperFuzzTest(const uint8_t* data, size_t size)
71 {
72 SamMockPermission::MockProcess(HIDUMPER_PROCESS_NAME);
73 std::string strVal = BuildStringFromData(data, size);
74 std::vector<std::string> args;
75 SplitStr(strVal, " ", args);
76 std::vector<std::u16string> argsWithStr16;
77 for (size_t i = 0; i < args.size(); i++) {
78 argsWithStr16.emplace_back(Str8ToStr16(args[i]));
79 }
80 std::string result;
81 std::shared_ptr<SystemAbilityStateScheduler> scheduler = std::make_shared<SystemAbilityStateScheduler>();
82 int32_t fd = -1;
83 SystemAbilityManagerDumper::FfrtDumpProc(scheduler, fd, args);
84 SystemAbilityManagerDumper::Dump(scheduler, args, result);
85 int32_t cmd = -1;
86 SystemAbilityManagerDumper::IpcDumpCmdParser(cmd, args);
87 std::string processName = BuildStringFromData(data, size);
88 SystemAbilityManagerDumper::IpcDumpIsSamgr(processName);
89 SystemAbilityManagerDumper::IpcDumpIsAllProcess(processName);
90 SystemAbilityManagerDumper::GetSamgrIpcStatistics(result);
91 SystemAbilityManagerDumper::StopSamgrIpcStatistics(result);
92 SystemAbilityManagerDumper::StartSamgrIpcStatistics(result);
93 SystemAbilityManagerDumper::GetFfrtDumpInfoProc(scheduler, args, result);
94 SystemAbilityManagerDumper::GetSAMgrFfrtInfo(result);
95 int32_t pid = BuildInt32FromData(data, size);
96 SystemAbilityManagerDumper::DumpFfrtInfoByProcName(pid, Str8ToStr16(processName), result);
97
98 std::shared_ptr<SystemAbilityManager> manager = std::make_shared<SystemAbilityManager>();
99 manager->abilityStateScheduler_ = std::make_shared<SystemAbilityStateScheduler>();
100 manager->Dump(fd, argsWithStr16);
101 manager->IpcDumpProc(fd, args);
102 manager->IpcDumpAllProcess(fd, cmd);
103 manager->IpcDumpSamgrProcess(fd, cmd);
104 manager->IpcDumpSingleProcess(fd, cmd, processName);
105 }
106
FuzzListenerDumpProc(const uint8_t * data,size_t size)107 void FuzzListenerDumpProc(const uint8_t* data, size_t size)
108 {
109 SamMockPermission::MockProcess(HIDUMPER_PROCESS_NAME);
110 g_baseFuzzData = data;
111 g_baseFuzzSize = size;
112 g_baseFuzzPos = 0;
113 int32_t pid1 = GetData<int32_t>();
114 int32_t pid2 = GetData<int32_t>();
115 std::map<int32_t, std::list<SAListener>> dumpListeners;
116 std::list<SAListener> listeners;
117 sptr<SaStatusChangeMock> listener(new SaStatusChangeMock());
118 listeners.emplace_back(listener, pid1);
119 listeners.emplace_back(listener, pid2);
120 dumpListeners[SAID] = listeners;
121 int32_t fd = -1;
122 std::vector<std::string> args;
123 args.push_back("test");
124 args.push_back("-h");
125 SystemAbilityManagerDumper::ListenerDumpProc(dumpListeners, fd, args);
126 args.clear();
127
128 args.push_back("test");
129 args.push_back("-l");
130 args.push_back("-sa");
131 SystemAbilityManagerDumper::ListenerDumpProc(dumpListeners, fd, args);
132 args.clear();
133
134 args.push_back("test");
135 args.push_back("-l");
136 args.push_back("-p");
137 SystemAbilityManagerDumper::ListenerDumpProc(dumpListeners, fd, args);
138 args.clear();
139
140 args.push_back("test");
141 args.push_back("-sa");
142 args.push_back(ToString(SAID));
143 SystemAbilityManagerDumper::ListenerDumpProc(dumpListeners, fd, args);
144 args.clear();
145
146 args.push_back("test");
147 args.push_back("-p");
148 args.push_back(ToString(pid1));
149 SystemAbilityManagerDumper::ListenerDumpProc(dumpListeners, fd, args);
150 args.clear();
151 }
152 }
153 }
154
155 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)156 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
157 {
158 if (size < OHOS::Samgr::THRESHOLD) {
159 return 0;
160 }
161
162 OHOS::Samgr::SamgrDumperFuzzTest(data, size);
163 OHOS::Samgr::FuzzListenerDumpProc(data, size);
164
165 return 0;
166 }
167
168