• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (C) 2022 Huawei Technologies Co., Ltd.
3  * Licensed under the Mulan PSL v2.
4  * You can use this software according to the terms and conditions of the Mulan PSL v2.
5  * You may obtain a copy of Mulan PSL v2 at:
6  *     http://license.coscl.org.cn/MulanPSL2
7  * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
8  * IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
9  * PURPOSE.
10  * See the Mulan PSL v2 for more details.
11  */
12 
13 #include "libteecvendorinvokecommand_fuzzer.h"
14 
15 #include <cstddef>
16 #include <cstdint>
17 #include <malloc.h>
18 #include <map>
19 #include "tee_client_api.h"
20 #include "tee_client_constants.h"
21 #include "tee_client_type.h"
22 #include "tee_client_inner_api.h"
23 
24 #define MAX_PARAM_COUNT 4
25 
26 #define IS_TEMP_MEM(paramType)                                                              \
27     (((paramType) == TEEC_MEMREF_TEMP_INPUT) || ((paramType) == TEEC_MEMREF_TEMP_OUTPUT) || \
28      ((paramType) == TEEC_MEMREF_TEMP_INOUT))
29 
30 #define IS_PARTIAL_MEM(paramType)                                                        \
31     (((paramType) == TEEC_MEMREF_WHOLE) || ((paramType) == TEEC_MEMREF_PARTIAL_INPUT) || \
32      ((paramType) == TEEC_MEMREF_PARTIAL_OUTPUT) || ((paramType) == TEEC_MEMREF_PARTIAL_INOUT))
33 
34 namespace OHOS {
35     std::map<int, int> g_recordShareMemory;
36     uint32_t g_paramType[TEEC_PARAM_NUM];
37     uint32_t g_shareMemoryCnt = 0;
38 
InitTeecParam(uint8_t * temp,TEEC_Parameter (& param)[4],TEEC_Operation & operation,TEEC_SharedMemory (& memory)[4],TEEC_Context context)39     void InitTeecParam(uint8_t *temp, TEEC_Parameter (&param)[4], TEEC_Operation &operation,
40                        TEEC_SharedMemory (&memory)[4], TEEC_Context context)
41     {
42         for (uint32_t paramCnt = 0; paramCnt < TEEC_PARAM_NUM; paramCnt++) {
43             param[paramCnt] = *reinterpret_cast<TEEC_Parameter *>(temp);
44             temp += sizeof(TEEC_Parameter);
45             g_paramType[paramCnt] = TEEC_PARAM_TYPE_GET(operation.paramTypes, paramCnt);
46             if (IS_TEMP_MEM(g_paramType[paramCnt])) {
47                 if (param[paramCnt].tmpref.size > 0) {
48                     param[paramCnt].tmpref.buffer = malloc(param[paramCnt].tmpref.size);
49                 }
50             } else if (IS_PARTIAL_MEM(g_paramType[paramCnt])) {
51                 memory[g_shareMemoryCnt] = *reinterpret_cast<TEEC_SharedMemory *>(temp);
52                 temp += sizeof(TEEC_SharedMemory);
53                 TEEC_Result allocRet = TEEC_AllocateSharedMemory(&context, &memory[g_shareMemoryCnt]);
54                 if (allocRet == TEEC_SUCCESS) {
55                     g_recordShareMemory[g_shareMemoryCnt] = paramCnt;
56                     param[paramCnt].memref.parent = &memory[g_shareMemoryCnt];
57                     g_shareMemoryCnt++;
58                 } else {
59                     param[paramCnt].memref.parent = nullptr;
60                 }
61             }
62         }
63     }
64 
ReleaseTeecParam(TEEC_Parameter (& param)[4],TEEC_SharedMemory (& memory)[4])65     void ReleaseTeecParam(TEEC_Parameter (&param)[4], TEEC_SharedMemory (&memory)[4])
66     {
67         g_shareMemoryCnt = 0;
68         for (uint32_t paramCnt = 0; paramCnt < TEEC_PARAM_NUM; paramCnt++) {
69             if (IS_TEMP_MEM(g_paramType[paramCnt])) {
70                 if (param[paramCnt].tmpref.size > 0 && param[paramCnt].tmpref.buffer != nullptr) {
71                     free(param[paramCnt].tmpref.buffer);
72                     param[paramCnt].tmpref.buffer = nullptr;
73                 }
74             } else if (IS_PARTIAL_MEM(g_paramType[paramCnt]) && g_recordShareMemory[g_shareMemoryCnt] == paramCnt) {
75                 TEEC_ReleaseSharedMemory(&memory[g_shareMemoryCnt]);
76                 g_shareMemoryCnt++;
77             }
78         }
79     }
80 
LibteecVendorInvokeCommandFuzzTest(const uint8_t * data,size_t size)81     bool LibteecVendorInvokeCommandFuzzTest(const uint8_t *data, size_t size)
82     {
83         bool result = false;
84         if (size > sizeof(TEEC_Session) + sizeof(uint32_t) + sizeof(TEEC_Operation) + sizeof(uint32_t) +
85             sizeof(TEEC_Context) + sizeof(TEEC_Parameter) * MAX_PARAM_COUNT +
86             sizeof(TEEC_SharedMemory) * MAX_PARAM_COUNT) {
87             uint8_t *temp = const_cast<uint8_t *>(data);
88             TEEC_Session session = *reinterpret_cast<TEEC_Session *>(temp);
89             temp += sizeof(TEEC_Session);
90             uint32_t commandID = *reinterpret_cast<uint32_t *>(temp);
91             temp += sizeof(uint32_t);
92             TEEC_Operation operation = *reinterpret_cast<TEEC_Operation *>(temp);
93             temp += sizeof(TEEC_Operation);
94             uint32_t returnOrigin = *reinterpret_cast<uint32_t *>(temp);
95             temp += sizeof(uint32_t);
96             TEEC_Context context = *reinterpret_cast<TEEC_Context *>(temp);
97             temp += sizeof(TEEC_Context);
98             TEEC_Parameter param[4];
99             TEEC_SharedMemory memory[4];
100             InitTeecParam(temp, param, operation, memory, context);
101 
102             session.context = &context;
103             operation.params[0] = param[0];
104             operation.params[1] = param[1];
105             operation.params[2] = param[2];
106             operation.params[3] = param[3];
107             operation.session = &session;
108 
109             (void)TEEC_InvokeCommand(&session, commandID, &operation, &returnOrigin);
110 
111             ReleaseTeecParam(param, memory);
112         }
113         return result;
114     }
115 
TEEC_InvokeCommandFuzzTest_001(const uint8_t * data,size_t size)116     void TEEC_InvokeCommandFuzzTest_001(const uint8_t *data, size_t size)
117     {
118         TEEC_Session session = { 0 };
119         TEEC_Operation operation = { 0 };
120         uint32_t returnOrigin = 0;
121 
122         TEEC_Result ret = TEEC_InvokeCommand(NULL, 0, &operation, &returnOrigin);
123 
124         session.context = NULL;
125         ret = TEEC_InvokeCommand(&session, 0, NULL, &returnOrigin);
126 
127         TEEC_Context context = { 0 };
128         ret = TEEC_InitializeContext(NULL, &context);
129         TEEC_UUID uuid = { 0xabe89147, 0xcd61, 0xf43f, { 0x71, 0xc4, 0x1a, 0x31, 0x7e, 0x40, 0x53, 0x12 } };
130         ret = TEEC_OpenSession(&context, &session, &uuid, TEEC_LOGIN_IDENTIFY, NULL, NULL, NULL);
131         session.context = &context;
132         ret = TEEC_InvokeCommand(&session, 0, NULL, &returnOrigin);
133         TEEC_CloseSession(&session);
134         TEEC_FinalizeContext(&context);
135         (void)data;
136         (void)size;
137     }
138 
TEEC_InvokeCommandInnerFuzzTest_001(void)139     void TEEC_InvokeCommandInnerFuzzTest_001(void)
140     {
141         TEEC_ContextInner context = { 0 };
142         TEEC_Session session = { 0 };
143         TEEC_Operation operation = { 0 };
144 
145         TEEC_Result ret = TEEC_InvokeCommandInner(NULL, &session, 0, NULL, NULL);
146 
147         ret = TEEC_InvokeCommandInner(&context, NULL, 0, NULL, NULL);
148 
149         operation.started = 0;
150         ret = TEEC_InvokeCommandInner(&context, &session, 0, &operation, NULL);
151         (void)ret;
152     }
153 }
154 
155 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)156 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
157 {
158     /* Run your code on data */
159     OHOS::LibteecVendorInvokeCommandFuzzTest(data, size);
160     OHOS::TEEC_InvokeCommandFuzzTest_001(data, size);
161     OHOS::TEEC_InvokeCommandInnerFuzzTest_001();
162     return 0;
163 }