1 /*
2 * Copyright (C) 2022 Huawei Technologies Co., Ltd.
3 * Licensed under the Mulan PSL v2.
4 * You can use this software according to the terms and conditions of the Mulan PSL v2.
5 * You may obtain a copy of Mulan PSL v2 at:
6 * http://license.coscl.org.cn/MulanPSL2
7 * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
8 * IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
9 * PURPOSE.
10 * See the Mulan PSL v2 for more details.
11 */
12
13 #include "libteecvendorrequestcancellation_fuzzer.h"
14
15 #include <cstddef>
16 #include <cstdint>
17 #include <malloc.h>
18 #include "tee_client_api.h"
19 #include "tee_client_constants.h"
20 #include "tee_client_type.h"
21
22 namespace OHOS {
LibteecVendorRequestCancellationFuzzTest(const uint8_t * data,size_t size)23 bool LibteecVendorRequestCancellationFuzzTest(const uint8_t *data, size_t size)
24 {
25 bool result = false;
26 if (size > sizeof(TEEC_Session) + sizeof(TEEC_Operation) + sizeof(TEEC_Context) +
27 sizeof(TEEC_Parameter) + sizeof(TEEC_SharedMemory)) {
28 uint8_t *temp = const_cast<uint8_t *>(data);
29 TEEC_Session session = *reinterpret_cast<TEEC_Session *>(temp);
30 temp += sizeof(TEEC_Session);
31 TEEC_Operation operation = *reinterpret_cast<TEEC_Operation *>(temp);
32 temp += sizeof(TEEC_Operation);
33 TEEC_Context context = *reinterpret_cast<TEEC_Context *>(temp);
34 temp += sizeof(TEEC_Context);
35 TEEC_Parameter param = *reinterpret_cast<TEEC_Parameter *>(temp);
36 temp += sizeof(TEEC_Parameter);
37 TEEC_SharedMemory memory = *reinterpret_cast<TEEC_SharedMemory *>(temp);
38
39 TEEC_Result ret = TEEC_AllocateSharedMemory(&context, &memory);
40 if (ret != TEEC_SUCCESS) {
41 return result;
42 }
43 if (param.tmpref.size > 0) {
44 param.tmpref.buffer = malloc(param.tmpref.size);
45 if (param.tmpref.buffer == nullptr) {
46 return result;
47 }
48 }
49
50 session.context = &context;
51 param.memref.parent = &memory;
52 operation.params[0] = param;
53 operation.params[1] = param;
54 operation.params[2] = param;
55 operation.params[3] = param;
56 operation.session = &session;
57
58 (void)TEEC_RequestCancellation(&operation);
59
60 if (param.tmpref.size > 0 && param.tmpref.buffer != nullptr) {
61 free(param.tmpref.buffer);
62 param.tmpref.buffer = nullptr;
63 }
64 TEEC_ReleaseSharedMemory(&memory);
65 }
66 return result;
67 }
TEEC_RequestCancellationTest_001(const uint8_t * data,size_t size)68 void TEEC_RequestCancellationTest_001(const uint8_t *data, size_t size)
69 {
70 (void)data;
71 (void)size;
72 TEEC_Operation operation = { 0 };
73
74 TEEC_RequestCancellation(nullptr);
75
76 operation.session = nullptr;
77 TEEC_RequestCancellation(&operation);
78
79 TEEC_Session session = { 0 };
80 operation.session = &session;
81 session.context = nullptr;
82 TEEC_RequestCancellation(&operation);
83
84 TEEC_Context context = { 0 };
85 TEEC_Result result = TEEC_InitializeContext(nullptr, &context);
86 operation.started = 1;
87 operation.paramTypes = TEEC_PARAM_TYPES(TEEC_NONE, TEEC_NONE, TEEC_NONE, TEEC_NONE);
88 TEEC_UUID uuid = { 0xabe89147, 0xcd61, 0xf43f, { 0x71, 0xc4, 0x1a, 0x31, 0x7e, 0x40, 0x53, 0x12 } };
89 result = TEEC_OpenSession(&context, &session, &uuid, TEEC_LOGIN_IDENTIFY, nullptr, &operation, nullptr);
90
91 TEEC_RequestCancellation(&operation);
92 }
93 }
94
95 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)96 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
97 {
98 /* Run your code on data */
99 OHOS::LibteecVendorRequestCancellationFuzzTest(data, size);
100 OHOS::TEEC_RequestCancellationTest_001(data, size);
101 return 0;
102 }