1 /*
2 * Copyright (c) 2023 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include <cstddef>
17 #include <cstdint>
18 #include <string>
19 #include <vector>
20 #include "faultlogger.h"
21 #include "faultlog_manager.h"
22 #include "faultlogger_service_ohos.h"
23 #include "faultlogger_service_fuzzer.h"
24 #include "faultlogger_fuzzertest_common.h"
25 #include "hiview_global.h"
26 #include "hiview_platform.h"
27 #include "sys_event.h"
28 #include "faultlog_manager_service.h"
29
30 using namespace OHOS::HiviewDFX;
31 namespace OHOS {
32 namespace {
33 constexpr int FAULTLOGGER_FUZZTEST_MAX_STRING_LENGTH = 50;
34 constexpr int32_t FAULTLOGTYPE_SIZE = 6;
35 }
36
37 class HiviewTestContext : public HiviewContext {
38 public:
GetHiViewDirectory(DirectoryType type __UNUSED)39 std::string GetHiViewDirectory(DirectoryType type __UNUSED)
40 {
41 return "/data/log/hiview/sys_event_test";
42 }
43 };
44
CreateFaultloggerInstance()45 std::shared_ptr<Faultlogger> CreateFaultloggerInstance()
46 {
47 static std::unique_ptr<HiviewPlatform> platform = std::make_unique<HiviewPlatform>();
48 auto plugin = std::make_shared<Faultlogger>();
49 plugin->SetName("Faultlogger");
50 plugin->SetHandle(nullptr);
51 plugin->SetHiviewContext(platform.get());
52 plugin->OnLoad();
53 return plugin;
54 }
55
FuzzServiceInterfaceDump(const uint8_t * data,size_t size)56 void FuzzServiceInterfaceDump(const uint8_t* data, size_t size)
57 {
58 constexpr int maxLen = 20;
59 int32_t fd;
60 if (size <= (sizeof(fd) + maxLen)) {
61 return;
62 }
63
64 auto service = CreateFaultloggerInstance();
65 auto faultlogManagerService = std::make_shared<FaultLogManagerService>(service->GetWorkLoop(),
66 service->faultLogManager_);
67 FaultloggerServiceOhos serviceOhos;
68 FaultloggerServiceOhos::StartService(faultlogManagerService);
69 if (FaultloggerServiceOhos::GetOrSetFaultlogger(nullptr) != faultlogManagerService) {
70 printf("FaultloggerServiceOhos start service error.\n");
71 return;
72 }
73
74 STREAM_TO_VALUEINFO(data, fd);
75 std::vector<std::u16string> args;
76 char16_t arg[maxLen] = {0};
77 errno_t err = strncpy_s(reinterpret_cast<char*>(arg), sizeof(arg), reinterpret_cast<const char*>(data), maxLen);
78 if (err != EOK) {
79 std::cout << "strncpy_s arg failed" << std::endl;
80 return;
81 }
82 args.push_back(arg);
83
84 (void)serviceOhos.Dump(fd, args);
85 }
86
FuzzServiceInterfaceQuerySelfFaultLog(const uint8_t * data,size_t size)87 void FuzzServiceInterfaceQuerySelfFaultLog(const uint8_t* data, size_t size)
88 {
89 HiviewTestContext hiviewTestContext;
90 HiviewGlobal::CreateInstance(hiviewTestContext);
91
92 auto service = CreateFaultloggerInstance();
93 auto faultlogManagerService = std::make_shared<FaultLogManagerService>(service->GetWorkLoop(),
94 service->faultLogManager_);
95 FaultloggerServiceOhos serviceOhos;
96 FaultloggerServiceOhos::StartService(faultlogManagerService);
97 if (FaultloggerServiceOhos::GetOrSetFaultlogger(nullptr) != faultlogManagerService) {
98 printf("FaultloggerServiceOhos start service error.\n");
99 return;
100 }
101 int32_t faultType;
102 int32_t maxNum;
103 auto offsetTotalLength = sizeof(faultType) + sizeof(maxNum);
104 if (offsetTotalLength > size) {
105 return;
106 }
107
108 STREAM_TO_VALUEINFO(data, faultType);
109 STREAM_TO_VALUEINFO(data, maxNum);
110
111 auto remoteObject = serviceOhos.QuerySelfFaultLog(faultType, maxNum);
112 auto result = iface_cast<FaultLogQueryResultOhos>(remoteObject);
113 if (result != nullptr) {
114 while (result->HasNext()) {
115 result->GetNext();
116 }
117 }
118 }
119
FuzzServiceInterfaceCreateTempFaultLogFile(const uint8_t * data,size_t size)120 void FuzzServiceInterfaceCreateTempFaultLogFile(const uint8_t* data, size_t size)
121 {
122 auto faultLogManager = std::make_unique<FaultLogManager>(nullptr);
123 faultLogManager->Init();
124
125 int64_t time;
126 int32_t id;
127 int32_t faultType;
128 auto offsetTotalLength = sizeof(time) + sizeof(id) + sizeof(faultType) + FAULTLOGGER_FUZZTEST_MAX_STRING_LENGTH;
129 if (offsetTotalLength > size) {
130 return;
131 }
132
133 STREAM_TO_VALUEINFO(data, time);
134 STREAM_TO_VALUEINFO(data, id);
135 STREAM_TO_VALUEINFO(data, faultType);
136
137 std::string module(reinterpret_cast<const char*>(data), FAULTLOGGER_FUZZTEST_MAX_STRING_LENGTH);
138 data += FAULTLOGGER_FUZZTEST_MAX_STRING_LENGTH;
139 faultLogManager->CreateTempFaultLogFile(time, id, faultType, module);
140 }
141
FuzzServiceInterfaceAddFaultLog(const uint8_t * data,size_t size)142 void FuzzServiceInterfaceAddFaultLog(const uint8_t* data, size_t size)
143 {
144 auto service = CreateFaultloggerInstance();
145 auto faultlogManagerService = std::make_shared<FaultLogManagerService>(service->GetWorkLoop(),
146 service->faultLogManager_);
147 FaultloggerServiceOhos serviceOhos;
148 FaultloggerServiceOhos::StartService(faultlogManagerService);
149 if (FaultloggerServiceOhos::GetOrSetFaultlogger(nullptr) != faultlogManagerService) {
150 printf("FaultloggerServiceOhos start service error.\n");
151 return;
152 }
153 FaultLogInfoOhos info;
154 int32_t faultLogType {0};
155 auto offsetTotalLength = sizeof(info.time) + sizeof(info.pid) + sizeof(info.uid) + sizeof(faultLogType) +
156 (6 * FAULTLOGGER_FUZZTEST_MAX_STRING_LENGTH); // 6 : Offset by 6 string length
157 if (offsetTotalLength > size) {
158 return;
159 }
160
161 STREAM_TO_VALUEINFO(data, info.time);
162 STREAM_TO_VALUEINFO(data, info.pid);
163 STREAM_TO_VALUEINFO(data, info.uid);
164 STREAM_TO_VALUEINFO(data, faultLogType);
165 info.faultLogType = abs(faultLogType % 10); // 10 : get the absolute value of the last digit of the number
166
167 std::string module(reinterpret_cast<const char*>(data), FAULTLOGGER_FUZZTEST_MAX_STRING_LENGTH);
168 data += FAULTLOGGER_FUZZTEST_MAX_STRING_LENGTH;
169 info.module = module;
170 std::string reason(reinterpret_cast<const char*>(data), FAULTLOGGER_FUZZTEST_MAX_STRING_LENGTH);
171 data += FAULTLOGGER_FUZZTEST_MAX_STRING_LENGTH;
172 info.reason = reason;
173 std::string logPath(reinterpret_cast<const char*>(data), FAULTLOGGER_FUZZTEST_MAX_STRING_LENGTH);
174 data += FAULTLOGGER_FUZZTEST_MAX_STRING_LENGTH;
175 info.logPath = logPath;
176 std::string registers(reinterpret_cast<const char*>(data), FAULTLOGGER_FUZZTEST_MAX_STRING_LENGTH);
177 data += FAULTLOGGER_FUZZTEST_MAX_STRING_LENGTH;
178 info.registers = registers;
179 std::string hilog(reinterpret_cast<const char*>(data), FAULTLOGGER_FUZZTEST_MAX_STRING_LENGTH);
180 data += FAULTLOGGER_FUZZTEST_MAX_STRING_LENGTH;
181 info.sectionMaps["HILOG"] = hilog;
182 std::string keyLogFile(reinterpret_cast<const char*>(data), FAULTLOGGER_FUZZTEST_MAX_STRING_LENGTH);
183 data += FAULTLOGGER_FUZZTEST_MAX_STRING_LENGTH;
184 info.sectionMaps["KEYLOGFILE"] = keyLogFile;
185 serviceOhos.AddFaultLog(info);
186 serviceOhos.Destroy();
187 }
188
FuzzServiceInterfaceOnEvent(const uint8_t * data,size_t size)189 void FuzzServiceInterfaceOnEvent(const uint8_t* data, size_t size)
190 {
191 auto service = CreateFaultloggerInstance();
192
193 int32_t pid;
194 int32_t uid;
195 int32_t tid;
196 auto offsetTotalLength = sizeof(pid) + sizeof(uid) + sizeof(tid) +
197 (7 * FAULTLOGGER_FUZZTEST_MAX_STRING_LENGTH); // 7 : Offset by 7 string length
198 if (offsetTotalLength > size) {
199 return;
200 }
201
202 STREAM_TO_VALUEINFO(data, pid);
203 STREAM_TO_VALUEINFO(data, uid);
204 STREAM_TO_VALUEINFO(data, tid);
205
206 std::string domain(reinterpret_cast<const char*>(data), FAULTLOGGER_FUZZTEST_MAX_STRING_LENGTH);
207 data += FAULTLOGGER_FUZZTEST_MAX_STRING_LENGTH;
208 std::string eventName(reinterpret_cast<const char*>(data), FAULTLOGGER_FUZZTEST_MAX_STRING_LENGTH);
209 data += FAULTLOGGER_FUZZTEST_MAX_STRING_LENGTH;
210 SysEventCreator sysEventCreator(domain, eventName, SysEventCreator::FAULT);
211 std::map<std::string, std::string> bundle;
212 std::string hilog(reinterpret_cast<const char*>(data), FAULTLOGGER_FUZZTEST_MAX_STRING_LENGTH);
213 data += FAULTLOGGER_FUZZTEST_MAX_STRING_LENGTH;
214 bundle["HILOG"] = hilog;
215 std::string keyLogFile(reinterpret_cast<const char*>(data), FAULTLOGGER_FUZZTEST_MAX_STRING_LENGTH);
216 data += FAULTLOGGER_FUZZTEST_MAX_STRING_LENGTH;
217 bundle["KEYLOGFILE"] = keyLogFile;
218
219 std::string summary(reinterpret_cast<const char*>(data), FAULTLOGGER_FUZZTEST_MAX_STRING_LENGTH);
220 data += FAULTLOGGER_FUZZTEST_MAX_STRING_LENGTH;
221 std::string packageName(reinterpret_cast<const char*>(data), FAULTLOGGER_FUZZTEST_MAX_STRING_LENGTH);
222 data += FAULTLOGGER_FUZZTEST_MAX_STRING_LENGTH;
223 sysEventCreator.SetKeyValue("name_", "JS_ERROR");
224 sysEventCreator.SetKeyValue("pid_", pid);
225 sysEventCreator.SetKeyValue("uid_", uid);
226 sysEventCreator.SetKeyValue("tid_", tid);
227 sysEventCreator.SetKeyValue("SUMMARY", summary);
228 sysEventCreator.SetKeyValue("PACKAGE_NAME", packageName);
229 sysEventCreator.SetKeyValue("bundle_", bundle);
230 std::string desc(reinterpret_cast<const char*>(data), FAULTLOGGER_FUZZTEST_MAX_STRING_LENGTH);
231 data += FAULTLOGGER_FUZZTEST_MAX_STRING_LENGTH;
232 auto sysEvent = std::make_shared<SysEvent>(desc, nullptr, sysEventCreator);
233 auto event = std::dynamic_pointer_cast<Event>(sysEvent);
234 service->OnEvent(event);
235 }
236
FuzzServiceInterfaceGwpAsanGrayscale(const uint8_t * data,size_t size)237 void FuzzServiceInterfaceGwpAsanGrayscale(const uint8_t* data, size_t size)
238 {
239 HiviewTestContext hiviewTestContext;
240 HiviewGlobal::CreateInstance(hiviewTestContext);
241
242 auto service = CreateFaultloggerInstance();
243 auto faultlogManagerService = std::make_shared<FaultLogManagerService>(service->GetWorkLoop(),
244 service->faultLogManager_);
245 FaultloggerServiceOhos serviceOhos;
246 FaultloggerServiceOhos::StartService(faultlogManagerService);
247 if (FaultloggerServiceOhos::GetOrSetFaultlogger(nullptr) != faultlogManagerService) {
248 printf("FaultloggerServiceOhos start service error.\n");
249 return;
250 }
251 bool alwaysEnabled;
252 double sampleRate;
253 double maxSimutaneousAllocations;
254 int32_t duration;
255 auto offsetTotalLength = sizeof(alwaysEnabled) + sizeof(sampleRate) +
256 sizeof(maxSimutaneousAllocations) + sizeof(duration);
257 if (offsetTotalLength > size) {
258 return;
259 }
260
261 STREAM_TO_VALUEINFO(data, alwaysEnabled);
262 STREAM_TO_VALUEINFO(data, sampleRate);
263 STREAM_TO_VALUEINFO(data, maxSimutaneousAllocations);
264 STREAM_TO_VALUEINFO(data, duration);
265
266 serviceOhos.EnableGwpAsanGrayscale(1, 1000, 2000, 5); // 1000 - 2000 is test value, 5 is test duration
267 serviceOhos.DisableGwpAsanGrayscale();
268 serviceOhos.GetGwpAsanGrayscaleState();
269 }
270
FuzzFaultloggerServiceInterface(const uint8_t * data,size_t size)271 void FuzzFaultloggerServiceInterface(const uint8_t* data, size_t size)
272 {
273 FuzzServiceInterfaceDump(data, size);
274 FuzzServiceInterfaceQuerySelfFaultLog(data, size);
275 FuzzServiceInterfaceCreateTempFaultLogFile(data, size);
276 FuzzServiceInterfaceAddFaultLog(data, size);
277 FuzzServiceInterfaceOnEvent(data, size);
278 FuzzServiceInterfaceGwpAsanGrayscale(data, size);
279 usleep(10000); // 10000 : pause for 10000 microseconds to avoid resource depletion
280 }
281 }
282
283 // Fuzzer entry point.
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)284 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
285 {
286 if (data == nullptr || size == 0) {
287 return 0;
288 }
289 OHOS::FuzzFaultloggerServiceInterface(data, size);
290 return 0;
291 }
292