• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (c) 2024 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  *     http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #include <iostream>
17 #include <cstddef>
18 #include <cstdint>
19 #include "audio_info.h"
20 #include "audio_interrupt_service.h"
21 #include "audio_policy_server.h"
22 #include "audio_session_info.h"
23 #include "accesstoken_kit.h"
24 #include "nativetoken_kit.h"
25 #include "token_setproc.h"
26 #include "access_token.h"
27 #include "i_hpae_manager.h"
28 #include "manager/hdi_adapter_manager.h"
29 #include "util/id_handler.h"
30 using namespace std;
31 
32 namespace OHOS {
33 namespace AudioStandard {
34 using namespace std;
35 bool g_hasPermission = false;
36 bool g_hasServerInit = false;
37 const int32_t SYSTEM_ABILITY_ID = 3009;
38 const bool RUN_ON_CREATE = false;
39 const std::u16string FORMMGR_INTERFACE_TOKEN = u"IAudioPolicy";
40 static const uint8_t *RAW_DATA = nullptr;
41 static size_t g_dataSize = 0;
42 static size_t g_pos;
43 const size_t THRESHOLD = 10;
44 
45 /*
46 * describe: get data from outside untrusted data(RAW_DATA) which size is according to sizeof(T)
47 * tips: only support basic type
48 */
49 template<class T>
GetData()50 T GetData()
51 {
52     T object {};
53     size_t objectSize = sizeof(object);
54     if (RAW_DATA == nullptr || objectSize > g_dataSize - g_pos) {
55         return object;
56     }
57     errno_t ret = memcpy_s(&object, objectSize, RAW_DATA + g_pos, objectSize);
58     if (ret != EOK) {
59         return {};
60     }
61     g_pos += objectSize;
62     return object;
63 }
64 
65 template<class T>
GetArrLength(T & arr)66 uint32_t GetArrLength(T& arr)
67 {
68     if (arr == nullptr) {
69         AUDIO_INFO_LOG("%{public}s: The array length is equal to 0", __func__);
70         return 0;
71     }
72     return sizeof(arr) / sizeof(arr[0]);
73 }
74 
AudioFuzzTestGetPermission()75 void AudioFuzzTestGetPermission()
76 {
77     if (!g_hasPermission) {
78         uint64_t tokenId;
79         constexpr int perNum = 10;
80         const char *perms[perNum] = {
81             "ohos.permission.MICROPHONE",
82             "ohos.permission.MANAGE_INTELLIGENT_VOICE",
83             "ohos.permission.MANAGE_AUDIO_CONFIG",
84             "ohos.permission.MICROPHONE_CONTROL",
85             "ohos.permission.MODIFY_AUDIO_SETTINGS",
86             "ohos.permission.ACCESS_NOTIFICATION_POLICY",
87             "ohos.permission.USE_BLUETOOTH",
88             "ohos.permission.CAPTURE_VOICE_DOWNLINK_AUDIO",
89             "ohos.permission.RECORD_VOICE_CALL",
90             "ohos.permission.MANAGE_SYSTEM_AUDIO_EFFECTS",
91         };
92 
93         NativeTokenInfoParams infoInstance = {
94             .dcapsNum = 0,
95             .permsNum = 10,
96             .aclsNum = 0,
97             .dcaps = nullptr,
98             .perms = perms,
99             .acls = nullptr,
100             .processName = "audiofuzztest",
101             .aplStr = "system_basic",
102         };
103         tokenId = GetAccessTokenId(&infoInstance);
104         SetSelfTokenID(tokenId);
105         OHOS::Security::AccessToken::AccessTokenKit::ReloadNativeTokenInfo();
106         g_hasPermission = true;
107     }
108 }
109 
MoreFuzzTest()110 void MoreFuzzTest()
111 {
112     std::shared_ptr<AudioInterruptService> interruptService = std::make_shared<AudioInterruptService>();
113     interruptService->GetAudioServerProxy();
114     interruptService->WriteServiceStartupError();
115 
116     int32_t pid = GetData<int32_t>();
117     interruptService->OnSessionTimeout(pid);
118     interruptService->HandleSessionTimeOutEvent(pid);
119 }
120 
AddAudioSessionFuzzTest()121 void AddAudioSessionFuzzTest()
122 {
123     int32_t sessionStrategy = 0;
124 
125     AudioInterrupt incomingInterrupt;
126     incomingInterrupt.audioFocusType.streamType = STREAM_MUSIC;
127     incomingInterrupt.audioFocusType.sourceType = SOURCE_TYPE_VOICE_COMMUNICATION;
128     AudioInterrupt activeInterrupt;
129     activeInterrupt.audioFocusType.streamType = STREAM_MUSIC;
130     AudioFocusEntry focusEntry;
131     focusEntry.isReject = false;
132 
133     std::shared_ptr<AudioInterruptService> interruptService = std::make_shared<AudioInterruptService>();
134     interruptService->CanMixForSession(incomingInterrupt, activeInterrupt, focusEntry);
135     interruptService->CanMixForIncomingSession(incomingInterrupt, activeInterrupt, focusEntry);
136     interruptService->CanMixForActiveSession(incomingInterrupt, activeInterrupt, focusEntry);
137     interruptService->IsIncomingStreamLowPriority(focusEntry);
138     interruptService->IsActiveStreamLowPriority(focusEntry);
139 }
140 
AddSetAudioManagerInterruptCallbackFuzzTest()141 void AddSetAudioManagerInterruptCallbackFuzzTest()
142 {
143     MessageParcel data;
144     data.WriteInterfaceToken(FORMMGR_INTERFACE_TOKEN);
145     data.WriteBuffer(RAW_DATA, g_dataSize);
146     data.RewindRead(0);
147     sptr<IRemoteObject> object = data.ReadRemoteObject();
148     std::shared_ptr<AudioInterruptService> interruptService = std::make_shared<AudioInterruptService>();
149     interruptService->GetAudioServerProxy();
150     if (object == nullptr) {
151         return;
152     }
153     interruptService->SetAudioManagerInterruptCallback(object);
154 
155     int32_t zoneId = GetData<int32_t>();
156     uint32_t sessionId = GetData<uint32_t>();
157     uint32_t uid = GetData<uint32_t>();
158     interruptService->SetAudioInterruptCallback(zoneId, sessionId, object, uid);
159 }
160 
ClearAudioFocusInfoListOnAccountsChangedFuzzTest()161 void ClearAudioFocusInfoListOnAccountsChangedFuzzTest()
162 {
163     int id = GetData<int>();
164     std::shared_ptr<AudioInterruptService> interruptService = std::make_shared<AudioInterruptService>();
165     interruptService->ClearAudioFocusInfoListOnAccountsChanged(id);
166 }
167 
168 typedef void (*TestFuncs[4])();
169 
170 TestFuncs g_testFuncs = {
171     MoreFuzzTest,
172     AddAudioSessionFuzzTest,
173     AddSetAudioManagerInterruptCallbackFuzzTest,
174     ClearAudioFocusInfoListOnAccountsChangedFuzzTest,
175 };
176 
FuzzTest(const uint8_t * rawData,size_t size)177 bool FuzzTest(const uint8_t* rawData, size_t size)
178 {
179     if (rawData == nullptr) {
180         return false;
181     }
182 
183     // initialize data
184     RAW_DATA = rawData;
185     g_dataSize = size;
186     g_pos = 0;
187 
188     uint32_t code = GetData<uint32_t>();
189     uint32_t len = GetArrLength(g_testFuncs);
190     if (len > 0) {
191         g_testFuncs[code % len]();
192     } else {
193         AUDIO_INFO_LOG("%{public}s: The len length is equal to 0", __func__);
194     }
195 
196     return true;
197 }
198 } // namespace AudioStandard
199 } // namesapce OHOS
200 
201 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)202 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
203 {
204     if (size < OHOS::AudioStandard::THRESHOLD) {
205         return 0;
206     }
207 
208     OHOS::AudioStandard::AudioFuzzTestGetPermission();
209     OHOS::AudioStandard::FuzzTest(data, size);
210     return 0;
211 }