1 /*
2 * Copyright (c) 2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "inner_sdk_fuzzer.h"
17
18 #include <string>
19 #include <fuzzer/FuzzedDataProvider.h>
20 #include "securec.h"
21
22 #define private public
23 #define protected public
24 #include "data_collect_manager.h"
25 #include "event_subscribe_client.h"
26 #include "acquire_data_manager_callback_service.h"
27 #include "acquire_data_manager_callback_stub.h"
28 #include "data_collect_manager_callback_service.h"
29 #include "data_collect_manager_callback_stub.h"
30 #include "data_collect_manager_idl_proxy.h"
31 #ifndef SECURITY_GUARD_TRIM_MODEL_ANALYSIS
32 #include "risk_analysis_manager_callback_service.h"
33 #include "risk_analysis_manager_callback_stub.h"
34 #include "risk_analysis_manager_callback.h"
35 #include "risk_analysis_manager_proxy.h"
36 #endif
37 #include "collector_manager.h"
38 #include "security_collector_manager_callback_stub.h"
39 #include "security_collector_manager_proxy.h"
40 #include "security_collector_subscribe_info.h"
41 #include "security_event.h"
42 #include "security_event_ruler.h"
43 #include "security_event_query_callback_service.h"
44 #undef private
45 #undef protected
46
47 using namespace OHOS::Security::SecurityGuard;
48 using namespace OHOS::Security::SecurityCollector;
49 namespace {
50 constexpr int MAX_STRING_SIZE = 1024;
51 }
52 namespace OHOS {
53 class MockCollectorSubscriber : public ICollectorSubscriber {
54 public:
MockCollectorSubscriber(const Event & event)55 explicit MockCollectorSubscriber(const Event &event) : ICollectorSubscriber(event) {};
OnNotify(const Event & event)56 int32_t OnNotify(const Event &event) override { return 0; };
57 };
58
59 class MockRemoteObject final : public IRemoteObject {
60 public:
MockRemoteObject()61 MockRemoteObject() : IRemoteObject(u"")
62 {
63 }
GetObjectRefCount()64 int32_t GetObjectRefCount() { return 0; };
SendRequest(uint32_t code,MessageParcel & data,MessageParcel & reply,MessageOption & option)65 int SendRequest(uint32_t code, MessageParcel &data, MessageParcel &reply, MessageOption &option) { return 0; };
AddDeathRecipient(const sptr<DeathRecipient> & recipient)66 bool AddDeathRecipient(const sptr<DeathRecipient> &recipient) { return true; };
RemoveDeathRecipient(const sptr<DeathRecipient> & recipient)67 bool RemoveDeathRecipient(const sptr<DeathRecipient> &recipient) { return true; };
Dump(int fd,const std::vector<std::u16string> & args)68 int Dump(int fd, const std::vector<std::u16string> &args) { return 0; };
69 };
70
71 class MockAcquireDataManagerCallbackStub : public AcquireDataManagerCallbackStub {
72 public:
73 explicit MockAcquireDataManagerCallbackStub() = default;
74 ~MockAcquireDataManagerCallbackStub() override = default;
OnNotify(const std::vector<Security::SecurityCollector::Event> & events)75 int32_t OnNotify(const std::vector<Security::SecurityCollector::Event> &events) override { return 0; };
76 };
77
78 #ifndef SECURITY_GUARD_TRIM_MODEL_ANALYSIS
79 class MockRiskAnalysisManagerCallbackStub : public RiskAnalysisManagerCallbackStub {
80 public:
81 MockRiskAnalysisManagerCallbackStub() = default;
82 ~MockRiskAnalysisManagerCallbackStub() override = default;
ResponseSecurityModelResult(const std::string & devId,uint32_t modelId,std::string & result)83 int32_t ResponseSecurityModelResult(const std::string &devId, uint32_t modelId, std::string &result) override
84 {
85 return 0;
86 };
87 };
88 #endif
89 class MockSecurityCollectorManagerCallbackStub : public SecurityCollectorManagerCallbackStub {
90 public:
91 MockSecurityCollectorManagerCallbackStub() = default;
92 ~MockSecurityCollectorManagerCallbackStub() override = default;
93
OnNotify(const Event & event)94 int32_t OnNotify(const Event &event) override { return 0; };
95 };
96
97 class MockDataCollectManagerCallbackStub : public DataCollectManagerCallbackStub {
98 public:
99 MockDataCollectManagerCallbackStub() = default;
100 ~MockDataCollectManagerCallbackStub() override = default;
101
ResponseRiskData(std::string & devId,std::string & riskData,uint32_t status,const std::string & errMsg="")102 int32_t ResponseRiskData(std::string &devId, std::string &riskData, uint32_t status,
103 const std::string& errMsg = "") override { return 0; };
104 };
105
TestRequestRiskDataCallback(std::string &,std::string &,uint32_t,const std::string &)106 int32_t TestRequestRiskDataCallback(std::string &, std::string &, uint32_t, const std::string &)
107 {
108 return 0;
109 }
110
TestResultCallback(const std::string & devId,uint32_t modelId,const std::string & result)111 int32_t TestResultCallback(const std::string &devId, uint32_t modelId, const std::string &result)
112 {
113 return 0;
114 }
115
116
AcquireDataManagerFuzzTest(const uint8_t * data,size_t size)117 void AcquireDataManagerFuzzTest(const uint8_t* data, size_t size)
118 {
119 if (data == nullptr || size < sizeof(int64_t)) {
120 return;
121 }
122 FuzzedDataProvider fdp(data, size);
123 int fd = fdp.ConsumeIntegral<int32_t>();
124 int64_t eventId = fdp.ConsumeIntegral<int64_t>();
125 std::string string = fdp.ConsumeRandomLengthString(MAX_STRING_SIZE);
126 Security::SecurityCollector::Event event{eventId, string, string, string};
127 auto subscriber = std::make_shared<MockCollectorSubscriber>(event);
128 sptr<IRemoteObject> obj(new (std::nothrow) MockRemoteObject());
129 DataCollectManager::GetInstance().Subscribe(subscriber);
130 DataCollectManager::GetInstance().Unsubscribe(subscriber);
131 DataCollectManager::GetInstance().StartCollector(event, eventId);
132 DataCollectManager::GetInstance().StopCollector(event);
133 DataCollectManager::GetInstance().QuerySecurityEventConfig(string);
134 std::vector<SecurityEventRuler> rulers{};
135 DataCollectManager::GetInstance().QuerySecurityEvent(rulers, nullptr);
136 DataCollectManager::GetInstance().SecurityGuardConfigUpdate(fd, string);
137 }
138
DataCollectManagerFuzzTest(const uint8_t * data,size_t size)139 void DataCollectManagerFuzzTest(const uint8_t* data, size_t size)
140 {
141 if (data == nullptr || size < sizeof(int64_t)) {
142 return;
143 }
144 FuzzedDataProvider fdp(data, size);
145 EventSubscribeClient client {};
146 auto mute = std::make_shared<Security::SecurityGuard::EventMuteFilter>();
147 mute->eventId = fdp.ConsumeIntegral<int64_t>();
148 mute->type = fdp.ConsumeIntegral<int64_t>();
149 mute->isInclude = fdp.ConsumeIntegral<bool>();
150 mute->mutes.insert(fdp.ConsumeRandomLengthString(MAX_STRING_SIZE));
151 client.AddFilter(mute);
152 client.RemoveFilter(mute);
153 auto func = [] (std::string &devId, std::string &riskData, uint32_t status,
154 const std::string &errMsg)-> int32_t {
155 return 0;
156 };
157 std::string string = fdp.ConsumeRandomLengthString(MAX_STRING_SIZE);
158 std::string string1 = fdp.ConsumeRandomLengthString(MAX_STRING_SIZE);
159 DataCollectManager::GetInstance().RequestSecurityEventInfo(string, string1, func);
160 }
AcquireDataManagerCallbackServiceFuzzTest(const uint8_t * data,size_t size)161 void AcquireDataManagerCallbackServiceFuzzTest(const uint8_t* data, size_t size)
162 {
163 if (data == nullptr || size < sizeof(int64_t)) {
164 return;
165 }
166 size_t offset = 0;
167 int64_t eventId = *(reinterpret_cast<const int64_t *>(data + offset));
168 offset += sizeof(int64_t);
169 std::string string(reinterpret_cast<const char*>(data + offset), size - offset);
170 Security::SecurityCollector::Event event{eventId, string, string, string};
171 AcquireDataManagerCallbackService service;
172 service.OnNotify({event});
173 }
174
AcquireDataManagerCallbackStubFuzzTest(const uint8_t * data,size_t size)175 void AcquireDataManagerCallbackStubFuzzTest(const uint8_t* data, size_t size)
176 {
177 if (data == nullptr || size < sizeof(int64_t)) {
178 return;
179 }
180 size_t offset = 0;
181 MockAcquireDataManagerCallbackStub stub;
182 MessageParcel datas;
183 MessageParcel reply;
184 MessageOption option;
185 int64_t int64 = *(reinterpret_cast<const int64_t *>(data + offset));
186 offset += sizeof(int64_t);
187 std::string string(reinterpret_cast<const char*>(data + offset), size - offset);
188 datas.WriteInterfaceToken(AcquireDataManagerCallbackStub::GetDescriptor());
189 datas.WriteInt64(int64);
190 datas.WriteString(string);
191 datas.WriteString(string);
192 datas.WriteString(string);
193 stub.OnRemoteRequest(AcquireDataManagerCallbackStub::CMD_DATA_SUBSCRIBE_CALLBACK, datas, reply, option);
194 }
195 #ifndef SECURITY_GUARD_TRIM_MODEL_ANALYSIS
RiskAnalysisManagerCallbackStubFuzzTest(const uint8_t * data,size_t size)196 void RiskAnalysisManagerCallbackStubFuzzTest(const uint8_t* data, size_t size)
197 {
198 if (data == nullptr || size < sizeof(uint32_t)) {
199 return;
200 }
201 size_t offset = 0;
202 MockRiskAnalysisManagerCallbackStub stub;
203 MessageParcel datas;
204 MessageParcel reply;
205 MessageOption option;
206 uint32_t code = *(reinterpret_cast<const uint32_t *>(data + offset));
207 offset += sizeof(uint32_t);
208 std::string string(reinterpret_cast<const char*>(data + offset), size - offset);
209 datas.WriteInterfaceToken(IRiskAnalysisManagerCallback::GetDescriptor());
210 datas.WriteUint32(*(reinterpret_cast<const uint32_t *>(data)));
211 datas.WriteString(string);
212 datas.WriteString(string);
213 stub.OnRemoteRequest(code, datas, reply, option);
214
215 ResultCallback callback;
216 RiskAnalysisManagerCallbackService service(callback);
217 service.ResponseSecurityModelResult(string, code, string);
218 service.callback_ = TestResultCallback;
219 service.ResponseSecurityModelResult(string, code, string);
220 }
221
RiskAnalysisManagerProxyFuzzTest(const uint8_t * data,size_t size)222 void RiskAnalysisManagerProxyFuzzTest(const uint8_t* data, size_t size)
223 {
224 if (data == nullptr || size < sizeof(uint32_t)) {
225 return;
226 }
227 size_t offset = 0;
228 sptr<IRemoteObject> obj(new (std::nothrow) MockRemoteObject());
229 ResultCallback func = [] (const std::string &devId, uint32_t modelId, const std::string &result) -> int32_t {
230 return 0;
231 };
232 sptr<RiskAnalysisManagerCallbackService> callback = new (std::nothrow) RiskAnalysisManagerCallbackService(func);
233 uint32_t uint32 = *(reinterpret_cast<const uint32_t *>(data));
234 offset += sizeof(uint32_t);
235 std::string string(reinterpret_cast<const char*>(data + offset), size - offset);
236 RiskAnalysisManagerProxy proxy{obj};
237 proxy.RequestSecurityModelResult(string, uint32, string, callback);
238 proxy.SetModelState(uint32, true);
239 }
240 #endif
CollectorManagerFuzzTest(const uint8_t * data,size_t size)241 void CollectorManagerFuzzTest(const uint8_t* data, size_t size)
242 {
243 if (data == nullptr || size < sizeof(int64_t)) {
244 return;
245 }
246 FuzzedDataProvider fdp(data, size);
247 Security::SecurityCollector::Event event{fdp.ConsumeIntegral<int64_t>(),
248 fdp.ConsumeRandomLengthString(MAX_STRING_SIZE), fdp.ConsumeRandomLengthString(MAX_STRING_SIZE),
249 fdp.ConsumeRandomLengthString(MAX_STRING_SIZE)};
250 auto subscriber = std::make_shared<MockCollectorSubscriber>(event);
251 std::vector<SecurityEventRuler> rulers{};
252 std::vector<SecurityEvent> events{};
253 SecurityCollectorSubscribeInfo subscribeInfo{};
254 CollectorManager::GetInstance().Subscribe(subscriber);
255 CollectorManager::GetInstance().Unsubscribe(subscriber);
256 CollectorManager::GetInstance().QuerySecurityEvent(rulers, events);
257 CollectorManager::GetInstance().CollectorStart(subscribeInfo);
258 CollectorManager::GetInstance().CollectorStop(subscribeInfo);
259
260 CollectorManager manager;
261 sptr<Security::SecurityCollector::SecurityCollectorManagerCallbackService> callback =
262 new (std::nothrow) Security::SecurityCollector::SecurityCollectorManagerCallbackService(nullptr);
263 manager.eventListeners_[subscriber] = callback;
264 manager.Subscribe(nullptr);
265 manager.Subscribe(subscriber);
266 manager.Unsubscribe(nullptr);
267 manager.Unsubscribe(subscriber);
268 SecurityCollectorEventMuteFilter filter {};
269 filter.eventId = fdp.ConsumeIntegral<int64_t>();
270 filter.type = fdp.ConsumeIntegral<int64_t>();
271 filter.isSetMute = static_cast<bool>(fdp.ConsumeBool());
272 filter.mutes.insert(fdp.ConsumeRandomLengthString(MAX_STRING_SIZE));
273 SecurityCollectorEventFilter subscribeMute(filter);
274 CollectorManager::GetInstance().AddFilter(subscribeMute);
275 CollectorManager::GetInstance().RemoveFilter(subscribeMute);
276 Parcel parcel;
277 subscribeMute.ReadFromParcel(parcel);
278 subscribeMute.Marshalling(parcel);
279 subscribeMute.Unmarshalling(parcel);
280 }
281
DataCollectManagerCallbackStubFuzzTest(const uint8_t * data,size_t size)282 void DataCollectManagerCallbackStubFuzzTest(const uint8_t* data, size_t size)
283 {
284 if (data == nullptr || size < sizeof(uint32_t)) {
285 return;
286 }
287 size_t offset = 0;
288 MockDataCollectManagerCallbackStub stub;
289 MessageParcel datas;
290 MessageParcel reply;
291 MessageOption option;
292 uint32_t uint32 = *(reinterpret_cast<const uint32_t *>(data + offset));
293 offset += sizeof(uint32_t);
294 std::string string(reinterpret_cast<const char*>(data + offset), size - offset);
295 datas.WriteInterfaceToken(IDataCollectManagerCallback::GetDescriptor());
296 datas.WriteString(string);
297 datas.WriteUint32(uint32);
298 datas.WriteString(string);
299 stub.OnRemoteRequest(DataCollectManagerCallbackStub::CMD_SET_REQUEST_DATA, datas, reply, option);
300
301 RequestRiskDataCallback callback;
302 DataCollectManagerCallbackService service(callback);
303 service.ResponseRiskData(string, string, uint32, string);
304 service.callback_ = TestRequestRiskDataCallback;
305 service.ResponseRiskData(string, string, uint32, string);
306 }
307
SecurityCollectorManagerCallbackStubFuzzTest(const uint8_t * data,size_t size)308 void SecurityCollectorManagerCallbackStubFuzzTest(const uint8_t* data, size_t size)
309 {
310 if (data == nullptr || size < sizeof(uint32_t) + sizeof(uint32_t)) {
311 return;
312 }
313 size_t offset = 0;
314 MockSecurityCollectorManagerCallbackStub stub;
315 MessageParcel datas;
316 MessageParcel reply;
317 MessageOption option;
318 uint32_t code = *(reinterpret_cast<const uint32_t *>(data + offset));
319 offset += sizeof(uint32_t);
320 uint32_t uint32 = *(reinterpret_cast<const uint32_t *>(data + offset));
321 offset += sizeof(uint32_t);
322 std::string string(reinterpret_cast<const char*>(data + offset), size - offset);
323 datas.WriteInterfaceToken(ISecurityCollectorManagerCallback::GetDescriptor());
324 datas.WriteUint32(uint32);
325 datas.WriteString(string);
326 datas.WriteString(string);
327 datas.WriteString(string);
328 stub.OnRemoteRequest(code, datas, reply, option);
329 }
330
SecurityCollectorManagerProxyFuzzTest(const uint8_t * data,size_t size)331 void SecurityCollectorManagerProxyFuzzTest(const uint8_t* data, size_t size)
332 {
333 if (data == nullptr || size < sizeof(int64_t)) {
334 return;
335 }
336 sptr<IRemoteObject> obj(new (std::nothrow) MockRemoteObject());
337 sptr<Security::SecurityCollector::SecurityCollectorManagerCallbackService> callback =
338 new (std::nothrow) Security::SecurityCollector::SecurityCollectorManagerCallbackService(nullptr);
339 std::string string(reinterpret_cast<const char *>(data), size);
340 int64_t int64 = *(reinterpret_cast<const int64_t *>(data));
341 SecurityCollectorSubscribeInfo subscribeInfo({int64, string, string, string});
342 SecurityCollectorManagerProxy proxy{obj};
343 std::vector<SecurityEventRuler> rulers{};
344 std::vector<SecurityEvent> events{};
345 proxy.Subscribe(subscribeInfo, callback);
346 proxy.Unsubscribe(callback);
347 proxy.CollectorStart(subscribeInfo, callback);
348 proxy.CollectorStop(subscribeInfo, callback);
349 proxy.QuerySecurityEvent(rulers, events);
350 }
351
SecurityCollectorSubscribeInfoFuzzTest(const uint8_t * data,size_t size)352 void SecurityCollectorSubscribeInfoFuzzTest(const uint8_t* data, size_t size)
353 {
354 std::string string(reinterpret_cast<const char*>(data), size);
355 int64_t int64 = static_cast<int64_t>(size);
356 SecurityCollectorSubscribeInfo info;
357 Parcel parcel;
358 info.Marshalling(parcel);
359 info.Unmarshalling(parcel);
360 info.ReadFromParcel(parcel);
361
362 parcel.WriteInt64(int64);
363 info.ReadFromParcel(parcel);
364
365 parcel.WriteInt64(int64);
366 parcel.WriteBool(true);
367 info.ReadFromParcel(parcel);
368
369 parcel.WriteInt64(int64);
370 parcel.WriteBool(true);
371 parcel.WriteInt64(int64);
372 info.ReadFromParcel(parcel);
373
374 parcel.WriteInt64(int64);
375 parcel.WriteBool(true);
376 parcel.WriteInt64(int64);
377 parcel.WriteString(string);
378 info.ReadFromParcel(parcel);
379
380 parcel.WriteInt64(int64);
381 parcel.WriteBool(true);
382 parcel.WriteInt64(int64);
383 parcel.WriteString(string);
384 parcel.WriteString(string);
385 info.ReadFromParcel(parcel);
386
387 parcel.WriteInt64(int64);
388 parcel.WriteBool(true);
389 parcel.WriteInt64(int64);
390 parcel.WriteString(string);
391 parcel.WriteString(string);
392 parcel.WriteString(string);
393 info.ReadFromParcel(parcel);
394
395 info.Unmarshalling(parcel);
396 }
397
SecurityEventFuzzTest(const uint8_t * data,size_t size)398 void SecurityEventFuzzTest(const uint8_t* data, size_t size)
399 {
400 std::string string(reinterpret_cast<const char*>(data), size);
401 int64_t int64 = static_cast<int64_t>(size);
402 SecurityEvent event;
403 Parcel parcel;
404 event.Marshalling(parcel);
405 event.Unmarshalling(parcel);
406 event.ReadFromParcel(parcel);
407
408 parcel.WriteInt64(int64);
409 event.ReadFromParcel(parcel);
410
411 parcel.WriteInt64(int64);
412 parcel.WriteString(string);
413 event.ReadFromParcel(parcel);
414
415 parcel.WriteInt64(int64);
416 parcel.WriteString(string);
417 parcel.WriteString(string);
418 event.ReadFromParcel(parcel);
419
420 event.Unmarshalling(parcel);
421 }
422
SecurityEventRulerFuzzTest(const uint8_t * data,size_t size)423 void SecurityEventRulerFuzzTest(const uint8_t* data, size_t size)
424 {
425 std::string string(reinterpret_cast<const char*>(data), size);
426 int64_t int64 = static_cast<int64_t>(size);
427 SecurityEventRuler ruler;
428 Parcel parcel;
429 ruler.Marshalling(parcel);
430 ruler.Unmarshalling(parcel);
431 ruler.ReadFromParcel(parcel);
432
433 parcel.WriteInt64(int64);
434 ruler.ReadFromParcel(parcel);
435
436 parcel.WriteInt64(int64);
437 parcel.WriteString(string);
438 ruler.ReadFromParcel(parcel);
439
440 parcel.WriteInt64(int64);
441 parcel.WriteString(string);
442 parcel.WriteString(string);
443 ruler.ReadFromParcel(parcel);
444
445 parcel.WriteInt64(int64);
446 parcel.WriteString(string);
447 parcel.WriteString(string);
448 parcel.WriteString(string);
449 ruler.ReadFromParcel(parcel);
450
451 ruler.Unmarshalling(parcel);
452 }
453
EventSubscribeClientFuzzTest(const uint8_t * data,size_t size)454 void EventSubscribeClientFuzzTest(const uint8_t* data, size_t size)
455 {
456 FuzzedDataProvider fdp(data, size);
457 EventSubscribeClient client {};
458 std::shared_ptr<EventSubscribeClient> client1;
459 auto func = [] (const Security::SecurityCollector::Event &event) {
460 };
461 EventSubscribeClient::CreatClient(fdp.ConsumeRandomLengthString(MAX_STRING_SIZE), func, client1);
462 client.Subscribe(fdp.ConsumeIntegral<int64_t>());
463 client.Unsubscribe(fdp.ConsumeIntegral<int64_t>());
464 }
465 } // namespace OHOS
466
467 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)468 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
469 {
470 /* Run your code on date */
471 OHOS::AcquireDataManagerFuzzTest(data, size);
472 OHOS::AcquireDataManagerCallbackServiceFuzzTest(data, size);
473 OHOS::AcquireDataManagerCallbackStubFuzzTest(data, size);
474 #ifndef SECURITY_GUARD_TRIM_MODEL_ANALYSIS
475 OHOS::RiskAnalysisManagerCallbackStubFuzzTest(data, size);
476 OHOS::RiskAnalysisManagerProxyFuzzTest(data, size);
477 #endif
478 OHOS::CollectorManagerFuzzTest(data, size);
479 OHOS::DataCollectManagerCallbackStubFuzzTest(data, size);
480 OHOS::SecurityCollectorManagerCallbackStubFuzzTest(data, size);
481 OHOS::SecurityCollectorManagerProxyFuzzTest(data, size);
482 OHOS::SecurityCollectorSubscribeInfoFuzzTest(data, size);
483 OHOS::SecurityEventFuzzTest(data, size);
484 OHOS::SecurityEventRulerFuzzTest(data, size);
485 OHOS::DataCollectManagerFuzzTest(data, size);
486 OHOS::EventSubscribeClientFuzzTest(data, size);
487 return 0;
488 }