1 /*
2 * Copyright (c) 2023 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "data_collect_manager_fuzzer.h"
17 #include "data_collect_manager_idl.h"
18 #include <string>
19
20 #include "data_collect_manager_callback_service.h"
21 #include "data_collect_manager_service.h"
22 #include "security_guard_log.h"
23
24
25 namespace OHOS::Security::SecurityGuard {
26 DataCollectManagerService g_service(DATA_COLLECT_MANAGER_SA_ID, true);
27 constexpr int32_t REMAINDER_VALUE = 9;
28 constexpr int32_t CMD_DATA_COLLECT_VALUE = 0;
29 constexpr int32_t CMD_DATA_REQUEST_VALUE = 1;
30 constexpr int32_t CMD_DATA_SUBSCRIBE = 2;
31 constexpr int32_t CMD_DATA_UNSUBSCRIBE_VALUE = 3;
32 constexpr int32_t CMD_SECURITY_EVENT_QUERY_VALUE = 4;
33 constexpr int32_t CMD_SECURITY_COLLECTOR_START = 5;
34 constexpr int32_t CMD_SECURITY_COLLECTOR_STOP = 6;
35 constexpr int32_t CMD_SECURITY_CONFIG_UPDATE = 7;
36 constexpr int32_t CMD_SECURITY_EVENT_CONFIG_QUERY = 8;
37
38 void OnRemoteCollectRequest(const uint8_t* data, size_t size, MessageParcel* datas,
39 MessageParcel* reply, MessageOption* option);
40 void OnRemoteRequestRequest(const uint8_t* data, size_t size, MessageParcel* datas,
41 MessageParcel* reply, MessageOption* option);
42 void OnRemoteSubscribeRequest(const uint8_t* data, size_t size, MessageParcel* datas,
43 MessageParcel* reply, MessageOption* option);
44 void OnRemoteUnsubscribeRequest(const uint8_t* data, size_t size, MessageParcel* datas,
45 MessageParcel* reply, MessageOption* option);
46 void OnRemoteSecurityEventQuery(const uint8_t* data, size_t size, MessageParcel* datas,
47 MessageParcel* reply, MessageOption* option);
48 void OnRemoteStart(const uint8_t* data, size_t size, MessageParcel* datas,
49 MessageParcel* reply, MessageOption* option);
50 void OnRemoteStop(const uint8_t* data, size_t size, MessageParcel* datas,
51 MessageParcel* reply, MessageOption* option);
52 void OnRemoteConfigUpdate(const uint8_t* data, size_t size, MessageParcel* datas,
53 MessageParcel* reply, MessageOption* option);
54 void OnRemoteSecurityEventConfigQuery(const uint8_t* data, size_t size, MessageParcel* datas,
55 MessageParcel* reply, MessageOption* option);
56
OnRemoteRequestFuzzTest(const uint8_t * data,size_t size)57 void OnRemoteRequestFuzzTest(const uint8_t* data, size_t size)
58 {
59 MessageParcel datas;
60 MessageParcel reply;
61 MessageOption option;
62 datas.WriteInterfaceToken(DataCollectManagerIdl::GetDescriptor());
63 if (size % REMAINDER_VALUE == CMD_DATA_COLLECT_VALUE) {
64 // handle data collect cmd
65 OnRemoteCollectRequest(data, size, &datas, &reply, &option);
66 return;
67 } else if (size % REMAINDER_VALUE == CMD_DATA_REQUEST_VALUE) {
68 // handle data request cmd
69 OnRemoteRequestRequest(data, size, &datas, &reply, &option);
70 return;
71 } else if (size % REMAINDER_VALUE == CMD_DATA_SUBSCRIBE) {
72 // handle data subscribe cmd
73 OnRemoteSubscribeRequest(data, size, &datas, &reply, &option);
74 return;
75 } else if (size % REMAINDER_VALUE == CMD_DATA_UNSUBSCRIBE_VALUE) {
76 // handle data unsubscribe cmd
77 OnRemoteUnsubscribeRequest(data, size, &datas, &reply, &option);
78 return;
79 } else if (size % REMAINDER_VALUE == CMD_SECURITY_EVENT_QUERY_VALUE) {
80 // handle security event query cmd
81 OnRemoteSecurityEventQuery(data, size, &datas, &reply, &option);
82 return;
83 } else if (size % REMAINDER_VALUE == CMD_SECURITY_COLLECTOR_START) {
84 // handle collector start cmd
85 OnRemoteStart(data, size, &datas, &reply, &option);
86 return;
87 } else if (size % REMAINDER_VALUE == CMD_SECURITY_COLLECTOR_STOP) {
88 // handle collector stop cmd
89 OnRemoteStop(data, size, &datas, &reply, &option);
90 return;
91 } else if (size % REMAINDER_VALUE == CMD_SECURITY_CONFIG_UPDATE) {
92 // handle collector stop cmd
93 OnRemoteConfigUpdate(data, size, &datas, &reply, &option);
94 return;
95 } else if (size % REMAINDER_VALUE == CMD_SECURITY_EVENT_CONFIG_QUERY) {
96 // handle collector stop cmd
97 OnRemoteSecurityEventConfigQuery(data, size, &datas, &reply, &option);
98 return;
99 }
100 }
101
OnRemoteCollectRequest(const uint8_t * data,size_t size,MessageParcel * datas,MessageParcel * reply,MessageOption * option)102 void OnRemoteCollectRequest(const uint8_t* data, size_t size, MessageParcel* datas,
103 MessageParcel* reply, MessageOption* option)
104 {
105 if (data == nullptr || size < sizeof(int64_t)) {
106 return;
107 }
108 size_t offset = 0;
109 int64_t eventId = *(reinterpret_cast<const int64_t *>(data + offset));
110 offset += sizeof(int64_t);
111 std::string string(reinterpret_cast<const char *>(data + offset), size - offset);
112 datas->WriteInt64(eventId);
113 datas->WriteString(string);
114 datas->WriteString(string);
115 datas->WriteString(string);
116 g_service.OnRemoteRequest(
117 static_cast<uint32_t>(DataCollectManagerIdlIpcCode::COMMAND_REQUEST_DATA_SUBMIT), *datas, *reply, *option);
118 }
119
OnRemoteRequestRequest(const uint8_t * data,size_t size,MessageParcel * datas,MessageParcel * reply,MessageOption * option)120 void OnRemoteRequestRequest(const uint8_t* data, size_t size, MessageParcel* datas,
121 MessageParcel* reply, MessageOption* option)
122 {
123 if (data == nullptr) {
124 return;
125 }
126 std::string string(reinterpret_cast<const char *>(data), size);
127 datas->WriteString(string);
128 datas->WriteString(string);
129 RequestRiskDataCallback func = [] (std::string &devId, std::string &riskData, uint32_t status,
130 const std::string &errMsg) -> int32_t {
131 SGLOGI("DataCollectManagerCallbackService called");
132 return 0;
133 };
134 sptr<IRemoteObject> callback = new (std::nothrow) DataCollectManagerCallbackService(func);
135 datas->WriteRemoteObject(callback);
136 g_service.OnRemoteRequest(
137 static_cast<uint32_t>(DataCollectManagerIdlIpcCode::COMMAND_REQUEST_RISK_DATA), *datas, *reply, *option);
138 }
139
OnRemoteSubscribeRequest(const uint8_t * data,size_t size,MessageParcel * datas,MessageParcel * reply,MessageOption * option)140 void OnRemoteSubscribeRequest(const uint8_t* data, size_t size, MessageParcel* datas,
141 MessageParcel* reply, MessageOption* option)
142 {
143 if (data == nullptr || size < sizeof(int64_t) + sizeof(int64_t)) {
144 return;
145 }
146 size_t offset = 0;
147 int64_t duration = *(reinterpret_cast<const int64_t *>(data + offset));
148 offset += sizeof(int64_t);
149 int64_t eventId = *(reinterpret_cast<const int64_t *>(data + offset));
150 offset += sizeof(int64_t);
151 std::string string(reinterpret_cast<const char *>(data + offset), size - offset);
152 SecurityCollector::Event event;
153 event.eventId = eventId;
154 event.version = string;
155 event.content = string;
156 event.extra = string;
157 SecurityCollector::SecurityCollectorSubscribeInfo subscriberInfo{event, duration, true};
158 RequestRiskDataCallback func = [] (std::string &devId, std::string &riskData, uint32_t status,
159 const std::string &errMsg) -> int32_t {
160 SGLOGI("DataCollectManagerCallbackService called");
161 return 0;
162 };
163 sptr<IRemoteObject> callback = new (std::nothrow) DataCollectManagerCallbackService(func);
164 datas->WriteRemoteObject(callback);
165 g_service.OnRemoteRequest(
166 static_cast<uint32_t>(DataCollectManagerIdlIpcCode::COMMAND_SUBSCRIBE), *datas, *reply, *option);
167 }
168
OnRemoteUnsubscribeRequest(const uint8_t * data,size_t size,MessageParcel * datas,MessageParcel * reply,MessageOption * option)169 void OnRemoteUnsubscribeRequest(const uint8_t* data, size_t size, MessageParcel* datas,
170 MessageParcel* reply, MessageOption* option)
171 {
172 RequestRiskDataCallback func = [] (std::string &devId, std::string &riskData, uint32_t status,
173 const std::string &errMsg) -> int32_t {
174 SGLOGI("DataCollectManagerCallbackService called");
175 return 0;
176 };
177 if (data == nullptr || size < sizeof(int64_t) + sizeof(int64_t)) {
178 return;
179 }
180 size_t offset = 0;
181 int64_t duration = *(reinterpret_cast<const int64_t *>(data + offset));
182 offset += sizeof(int64_t);
183 int64_t eventId = *(reinterpret_cast<const int64_t *>(data + offset));
184 offset += sizeof(int64_t);
185 std::string string(reinterpret_cast<const char *>(data + offset), size - offset);
186 SecurityCollector::Event event;
187 event.eventId = eventId;
188 event.version = string;
189 event.content = string;
190 event.extra = string;
191 SecurityCollector::SecurityCollectorSubscribeInfo subscriberInfo{event, duration, true};
192 sptr<IRemoteObject> callback = new (std::nothrow) DataCollectManagerCallbackService(func);
193 datas->WriteRemoteObject(callback);
194 g_service.OnRemoteRequest(
195 static_cast<uint32_t>(DataCollectManagerIdlIpcCode::COMMAND_UNSUBSCRIBE), *datas, *reply, *option);
196 }
197
OnRemoteSecurityEventQuery(const uint8_t * data,size_t size,MessageParcel * datas,MessageParcel * reply,MessageOption * option)198 void OnRemoteSecurityEventQuery(const uint8_t* data, size_t size, MessageParcel* datas,
199 MessageParcel* reply, MessageOption* option)
200 {
201 if (data == nullptr || size < sizeof(uint32_t) + sizeof(int64_t)) {
202 return;
203 }
204 size_t offset = 0;
205 uint32_t uint32 = *(reinterpret_cast<const uint32_t *>(data + offset));
206 offset += sizeof(uint32_t);
207 uint32_t rulerSize = uint32 >= MAX_QUERY_EVENT_SIZE ? MAX_QUERY_EVENT_SIZE : uint32;
208 datas->WriteUint32(rulerSize);
209 int64_t eventId = *(reinterpret_cast<const int64_t *>(data + offset));
210 offset += sizeof(int64_t);
211 std::string string(reinterpret_cast<const char *>(data + offset), size - offset);
212 for (uint32_t i = 0; i < rulerSize; i++) {
213 SecurityCollector::SecurityEventRuler ruler =
214 SecurityCollector::SecurityEventRuler(eventId, string, string, string);
215 datas->WriteParcelable(&ruler);
216 }
217 RequestRiskDataCallback func = [] (std::string &devId, std::string &riskData, uint32_t status,
218 const std::string &errMsg) -> int32_t {
219 SGLOGI("DataCollectManagerCallbackService called");
220 return 0;
221 };
222 sptr<IRemoteObject> callback = new (std::nothrow) DataCollectManagerCallbackService(func);
223 datas->WriteRemoteObject(callback);
224 g_service.OnRemoteRequest(
225 static_cast<uint32_t>(DataCollectManagerIdlIpcCode::COMMAND_QUERY_SECURITY_EVENT), *datas, *reply, *option);
226 }
227
OnRemoteStart(const uint8_t * data,size_t size,MessageParcel * datas,MessageParcel * reply,MessageOption * option)228 void OnRemoteStart(const uint8_t* data, size_t size, MessageParcel* datas,
229 MessageParcel* reply, MessageOption* option)
230 {
231 if (data == nullptr || size < sizeof(int64_t) + sizeof(int64_t)) {
232 return;
233 }
234 size_t offset = 0;
235 int64_t duration = *(reinterpret_cast<const int64_t *>(data + offset));
236 offset += sizeof(int64_t);
237 int64_t eventId = *(reinterpret_cast<const int64_t *>(data + offset));
238 offset += sizeof(int64_t);
239 std::string string(reinterpret_cast<const char *>(data + offset), size - offset);
240 SecurityCollector::Event event;
241 event.eventId = eventId;
242 event.version = string;
243 event.content = string;
244 event.extra = string;
245 SecurityCollector::SecurityCollectorSubscribeInfo subscriberInfo{event, duration, true};
246 RequestRiskDataCallback func = [] (std::string &devId, std::string &riskData, uint32_t status,
247 const std::string &errMsg) -> int32_t {
248 SGLOGI("DataCollectManagerCallbackService called");
249 return 0;
250 };
251 sptr<IRemoteObject> callback = new (std::nothrow) DataCollectManagerCallbackService(func);
252 datas->WriteRemoteObject(callback);
253 g_service.OnRemoteRequest(
254 static_cast<uint32_t>(DataCollectManagerIdlIpcCode::COMMAND_COLLECTOR_START), *datas, *reply, *option);
255 }
256
OnRemoteStop(const uint8_t * data,size_t size,MessageParcel * datas,MessageParcel * reply,MessageOption * option)257 void OnRemoteStop(const uint8_t* data, size_t size, MessageParcel* datas,
258 MessageParcel* reply, MessageOption* option)
259 {
260 if (data == nullptr || size < sizeof(int64_t) + sizeof(int64_t)) {
261 return;
262 }
263 size_t offset = 0;
264 int64_t duration = *(reinterpret_cast<const int64_t *>(data + offset));
265 offset += sizeof(int64_t);
266 int64_t eventId = *(reinterpret_cast<const int64_t *>(data + offset));
267 offset += sizeof(int64_t);
268 std::string string(reinterpret_cast<const char *>(data + offset), size - offset);
269 SecurityCollector::Event event;
270 event.eventId = eventId;
271 event.version = string;
272 event.content = string;
273 event.extra = string;
274 SecurityCollector::SecurityCollectorSubscribeInfo subscriberInfo{event, duration, true};
275 RequestRiskDataCallback func = [] (std::string &devId, std::string &riskData, uint32_t status,
276 const std::string &errMsg) -> int32_t {
277 SGLOGI("DataCollectManagerCallbackService called");
278 return 0;
279 };
280 sptr<IRemoteObject> callback = new (std::nothrow) DataCollectManagerCallbackService(func);
281 datas->WriteRemoteObject(callback);
282 g_service.OnRemoteRequest(
283 static_cast<uint32_t>(DataCollectManagerIdlIpcCode::COMMAND_COLLECTOR_STOP), *datas, *reply, *option);
284 }
285
OnRemoteConfigUpdate(const uint8_t * data,size_t size,MessageParcel * datas,MessageParcel * reply,MessageOption * option)286 void OnRemoteConfigUpdate(const uint8_t* data, size_t size, MessageParcel* datas,
287 MessageParcel* reply, MessageOption* option)
288 {
289 int32_t fd = static_cast<int32_t>(size);
290 std::string fileName(reinterpret_cast<const char *>(data), size);
291 datas->WriteFileDescriptor(fd);
292 datas->WriteString(fileName);
293 g_service.OnRemoteRequest(
294 static_cast<uint32_t>(DataCollectManagerIdlIpcCode::COMMAND_CONFIG_UPDATE), *datas, *reply, *option);
295 }
296
OnRemoteSecurityEventConfigQuery(const uint8_t * data,size_t size,MessageParcel * datas,MessageParcel * reply,MessageOption * option)297 void OnRemoteSecurityEventConfigQuery(const uint8_t* data, size_t size, MessageParcel* datas,
298 MessageParcel* reply, MessageOption* option)
299 {
300 RequestRiskDataCallback func = [] (std::string &devId, std::string &riskData, uint32_t status,
301 const std::string &errMsg) -> int32_t {
302 SGLOGI("DataCollectManagerCallbackService called");
303 return 0;
304 };
305 if (data == nullptr || size < sizeof(int64_t) + sizeof(int64_t)) {
306 return;
307 }
308 size_t offset = 0;
309 int64_t duration = *(reinterpret_cast<const int64_t *>(data + offset));
310 offset += sizeof(int64_t);
311 int64_t eventId = *(reinterpret_cast<const int64_t *>(data + offset));
312 offset += sizeof(int64_t);
313 std::string string(reinterpret_cast<const char *>(data + offset), size - offset);
314 SecurityCollector::Event event;
315 event.eventId = eventId;
316 event.version = string;
317 event.content = string;
318 event.extra = string;
319 SecurityCollector::SecurityCollectorSubscribeInfo subscriberInfo{event, duration, true};
320 sptr<IRemoteObject> callback = new (std::nothrow) DataCollectManagerCallbackService(func);
321 datas->WriteRemoteObject(callback);
322 g_service.OnRemoteRequest(
323 static_cast<uint32_t>(DataCollectManagerIdlIpcCode::COMMAND_QUERY_SECURITY_EVENT_CONFIG),
324 *datas, *reply, *option);
325 }
326
327 } // namespace OHOS::Security::SecurityGuard
328
329 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)330 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
331 {
332 /* Run your code on date */
333 OHOS::Security::SecurityGuard::OnRemoteRequestFuzzTest(data, size);
334 return 0;
335 }
336