1 /*
2 * Copyright (C) 2022 Huawei Technologies Co., Ltd.
3 * Licensed under the Mulan PSL v2.
4 * You can use this software according to the terms and conditions of the Mulan PSL v2.
5 * You may obtain a copy of Mulan PSL v2 at:
6 * http://license.coscl.org.cn/MulanPSL2
7 * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
8 * IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
9 * PURPOSE.
10 * See the Mulan PSL v2 for more details.
11 */
12
13 #include "libteecvendorteecextapi_fuzzer.h"
14
15 #include <cstddef>
16 #include <cstdint>
17 #include <malloc.h>
18 #include <string>
19 #include "tee_client_api.h"
20 #include "tee_client_ext_api.h"
21 #include "tee_client_inner_api.h"
22 #include "tee_client_constants.h"
23 #include "tee_client_type.h"
24 #include "tee_client_app_load.h"
25 #include "load_sec_file.h"
26
27 namespace OHOS {
LibteecVendorExtRegisterAgentFuzzTest(const uint8_t * data,size_t size)28 bool LibteecVendorExtRegisterAgentFuzzTest(const uint8_t *data, size_t size)
29 {
30 bool result = false;
31 if (size > sizeof(uint32_t) + sizeof(int)) {
32 uint8_t *temp = const_cast<uint8_t *>(data);
33 uint32_t agentId = *reinterpret_cast<uint32_t *>(temp);
34 temp += sizeof(agentId);
35 int *devFd = reinterpret_cast<int *>(temp);
36 temp += sizeof(int);
37
38 uint8_t *buffer;
39 TEEC_Result ret = TEEC_EXT_RegisterAgent(agentId, devFd, (void **)&buffer);
40 if (ret != TEEC_SUCCESS) {
41 return result;
42 }
43 }
44 return result;
45 }
46
TEEC_EXT_RegisterAgentTest_001(const uint8_t * data,size_t size)47 void TEEC_EXT_RegisterAgentTest_001(const uint8_t *data, size_t size)
48 {
49 (void)data;
50 (void)size;
51 int devFd = 0;
52 char *buf = nullptr;
53
54 TEEC_Result ret = TEEC_EXT_RegisterAgent(0, nullptr, (void **)nullptr);
55
56 ret = TEEC_EXT_RegisterAgent(0, &devFd, (void **)nullptr);
57
58 ret = TEEC_EXT_RegisterAgent(0, &devFd, (void **)&buf);
59 }
60
LibteecVendorExtWaitEventFuzzTest(const uint8_t * data,size_t size)61 bool LibteecVendorExtWaitEventFuzzTest(const uint8_t *data, size_t size)
62 {
63 bool result = false;
64 if (size > sizeof(uint32_t) + sizeof(int)) {
65 uint8_t *temp = const_cast<uint8_t *>(data);
66 uint32_t agentId = *reinterpret_cast<uint32_t*>(temp);
67 temp += sizeof(agentId);
68 int devFd = *reinterpret_cast<int *>(temp);
69 temp += sizeof(int);
70
71 TEEC_Result ret = TEEC_EXT_WaitEvent(agentId, devFd);
72 if (ret != TEEC_SUCCESS) {
73 return result;
74 }
75 }
76 return result;
77 }
78
TEEC_EXT_WaitEventTest_001(const uint8_t * data,size_t size)79 void TEEC_EXT_WaitEventTest_001(const uint8_t *data, size_t size)
80 {
81 (void)data;
82 (void)size;
83 TEEC_EXT_WaitEvent(0, 0);
84 }
85
LibteecVendorExtUnregisterAgentFuzzTest(const uint8_t * data,size_t size)86 bool LibteecVendorExtUnregisterAgentFuzzTest(const uint8_t *data, size_t size)
87 {
88 bool result = false;
89 if (size > sizeof(uint32_t) + sizeof(int)) {
90 uint8_t *temp = const_cast<uint8_t *>(data);
91 uint32_t agentId = *reinterpret_cast<uint32_t *>(temp);
92 temp += sizeof(agentId);
93 int devFd = *reinterpret_cast<int *>(temp);
94 temp += sizeof(int);
95 devFd = devFd > 0 ? 0x7fffffff : devFd;
96 uint8_t *buffer;
97 TEEC_Result ret = TEEC_EXT_UnregisterAgent(agentId, devFd, (void **)&buffer);
98 if (ret != TEEC_SUCCESS) {
99 return result;
100 }
101 }
102 return result;
103 }
104
TEEC_EXT_UnregisterAgentTest_001(const uint8_t * data,size_t size)105 void TEEC_EXT_UnregisterAgentTest_001(const uint8_t *data, size_t size)
106 {
107 (void)data;
108 (void)size;
109 char *buf = nullptr;
110
111 TEEC_Result ret = TEEC_EXT_UnregisterAgent(0, 0, nullptr);
112
113 ret = TEEC_EXT_UnregisterAgent(0, 0, (void**)&buf);
114
115 ret = TEEC_EXT_UnregisterAgent(0, -1, (void**)&buf);
116 }
117
LibteecVendorSendSecfileFuzzTest(const uint8_t * data,size_t size)118 void LibteecVendorSendSecfileFuzzTest(const uint8_t *data, size_t size)
119 {
120 if (size > sizeof(uint8_t) + sizeof(TEEC_Session)) {
121 uint8_t *temp = const_cast<uint8_t *>(data);
122 TEEC_Session session = *reinterpret_cast<TEEC_Session *>(temp);
123 temp += sizeof(TEEC_Session);
124 char *path = reinterpret_cast<char *>(temp);
125
126 TEEC_SendSecfile(path, &session);
127 }
128 }
129
TEEC_SendSecfileTest_001(const uint8_t * data,size_t size)130 void TEEC_SendSecfileTest_001(const uint8_t *data, size_t size)
131 {
132 (void)data;
133 (void)size;
134 TEEC_Result ret = TEEC_SendSecfile(nullptr, nullptr);
135
136 char path[] = "/data/app/el2/100/base/files/abe89147-cd61-f43f-71c4-1a317e405312.sec";
137 ret = TEEC_SendSecfile(path, nullptr);
138
139 TEEC_Session session = { 0 };
140 session.context = nullptr;
141 ret = TEEC_SendSecfile(path, &session);
142
143 TEEC_UUID uuid = { 0xabe89147, 0xcd61, 0xf43f, { 0x71, 0xc4, 0x1a, 0x31, 0x7e, 0x40, 0x53, 0x12 } };
144 TEEC_Context context = { 0 };
145 ret = TEEC_InitializeContext(nullptr, &context);
146
147 TEEC_Operation operation = { 0 };
148 operation.started = 1;
149 operation.paramTypes = TEEC_PARAM_TYPES(TEEC_NONE, TEEC_NONE, TEEC_NONE, TEEC_NONE);
150 ret = TEEC_OpenSession(&context, &session, &uuid, TEEC_LOGIN_IDENTIFY, nullptr, &operation, nullptr);
151 ret = TEEC_SendSecfile(path, &session);
152 }
153
LibteecVendorSendSecfileInnerFuzzTest(const uint8_t * data,size_t size)154 bool LibteecVendorSendSecfileInnerFuzzTest(const uint8_t *data, size_t size)
155 {
156 bool result = false;
157 if (size > sizeof(int) + sizeof(FILE)) {
158 uint8_t *temp = const_cast<uint8_t *>(data);
159 int tzFd = *reinterpret_cast<int *>(temp);
160 temp += sizeof(int);
161 FILE *fp = reinterpret_cast<FILE *>(temp);
162 temp += sizeof(FILE);
163 char *path = reinterpret_cast<char *>(temp);
164
165 result = TEEC_SendSecfileInner(path, tzFd, fp);
166 }
167 return result;
168 }
169
TEEC_SendSecfileInnerTest_001(const uint8_t * data,size_t size)170 void TEEC_SendSecfileInnerTest_001(const uint8_t *data, size_t size)
171 {
172 (void)data;
173 (void)size;
174 TEEC_Result result = TEEC_SendSecfileInner(nullptr, 0, nullptr);
175
176 char path[] = "/data/app/el2/100/base/files/abe89147-cd61-f43f-71c4-1a317e405312.sec";
177 result = TEEC_SendSecfileInner(path, 0, nullptr);
178 }
179
LibteecVendorSendEventResponseFuzzTest(const uint8_t * data,size_t size)180 bool LibteecVendorSendEventResponseFuzzTest(const uint8_t *data, size_t size)
181 {
182 bool result = false;
183 if (size > sizeof(uint32_t) + sizeof(FILE)) {
184 uint8_t *temp = const_cast<uint8_t *>(data);
185 int devFd = *reinterpret_cast<int *>(temp);
186 temp += sizeof(int);
187 uint32_t agentId = *reinterpret_cast<uint32_t *>(temp);
188
189 result = TEEC_EXT_SendEventResponse(agentId, devFd);
190 }
191 return result;
192 }
193
TEEC_EXT_SendEventResponseTest_001(const uint8_t * data,size_t size)194 void TEEC_EXT_SendEventResponseTest_001(const uint8_t *data, size_t size)
195 {
196 (void)data;
197 (void)size;
198 TEEC_EXT_SendEventResponse(0, 0);
199 }
200
LibteecVendorLoadSecfileFuzzTest(const uint8_t * data,size_t size)201 bool LibteecVendorLoadSecfileFuzzTest(const uint8_t *data, size_t size)
202 {
203 bool result = false;
204 if (size > sizeof(int) + sizeof(FILE)) {
205 uint8_t *temp = const_cast<uint8_t *>(data);
206 int tzFd = *reinterpret_cast<int *>(temp);
207 temp += sizeof(int);
208 FILE *fp = reinterpret_cast<FILE *>(temp);
209 temp += sizeof(FILE);
210 char *path = reinterpret_cast<char *>(temp);
211
212 TEEC_LoadSecfile(path, tzFd, fp);
213 }
214 return result;
215 }
216
LibteecVendorGetAppFuzzTest(const uint8_t * data,size_t size)217 void LibteecVendorGetAppFuzzTest(const uint8_t *data, size_t size)
218 {
219 int ret = 0;
220 TaFileInfo taFile = { 0 };
221 TEEC_UUID srvUuid = { 0 };
222 TC_NS_ClientContext cliContext = { { 0 } };
223
224 ret = TEEC_GetApp(nullptr, nullptr, nullptr);
225
226 std::string str("./ClientAppLoad_002.txt");
227 taFile.taPath = reinterpret_cast<const uint8_t*>(str.c_str());
228 ret = TEEC_GetApp(&taFile, &srvUuid, &cliContext);
229
230 FILE *fp = fopen("./ClientAppLoad_001.sec", "w+");
231 ret = TEEC_GetApp(&taFile, &srvUuid, &cliContext);
232 (void)fclose(fp);
233
234 taFile.taPath = data;
235 ret = TEEC_GetApp(&taFile, &srvUuid, &cliContext);
236 }
237
LibteecVendorLoadSecfileFuzzTest_001(const uint8_t * data,size_t size)238 void LibteecVendorLoadSecfileFuzzTest_001(const uint8_t *data, size_t size)
239 {
240 int ret = 0;
241 FILE *fp = fopen("./ClientAppLoad_002.txt", "w+");
242
243 ret = TEEC_LoadSecfile(nullptr, -1, nullptr);
244
245 std::string str("./ClientAppLoad_002.txt");
246 ret = TEEC_LoadSecfile(str.c_str(), 0, fp);
247
248 ret = TEEC_LoadSecfile(str.c_str(), 0, nullptr);
249
250 uint8_t *temp = const_cast<uint8_t*>(data);
251 ret = TEEC_LoadSecfile(reinterpret_cast<char *>(temp), 0, fp);
252 (void)fclose(fp);
253 }
254
255 #define MAX_BUFFER_LEN (8 * 1024 * 1024)
LibteecVendorLoadSecfileFuzzTest_002(const uint8_t * data,size_t size)256 void LibteecVendorLoadSecfileFuzzTest_002(const uint8_t *data, size_t size)
257 {
258 int tzFd = 0;
259 int ret = 0;
260
261 FILE *fp = fopen("./LoadSecfile_002.txt", "w+");
262 ret = LoadSecFile(tzFd, fp, LOAD_TA, nullptr);
263 (void)fclose(fp);
264
265 fp = fopen("./LoadSecfile_002.txt", "w+");
266 (void)fseek(fp, MAX_BUFFER_LEN + 1, SEEK_SET);
267 char chr = 0;
268 (void)fwrite(&chr, 1, sizeof(chr), fp);
269 ret = LoadSecFile(tzFd, fp, LOAD_TA, nullptr);
270 (void)fclose(fp);
271
272 fp = fopen("./LoadSecfile_002.txt", "w+");
273 (void)fprintf(fp, "%s", "LoadSecfile_002");
274 ret = LoadSecFile(tzFd, fp, LOAD_TA, nullptr);
275 (void)fclose(fp);
276
277 uint8_t *temp = const_cast<uint8_t *>(data);
278 if (size > sizeof(int)) {
279 tzFd = *reinterpret_cast<int*>(temp);
280 ret = LoadSecFile(tzFd, fp, LOAD_TA, NULL);
281 }
282 }
283
284 }
285
286 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)287 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
288 {
289 /* Run your code on data */
290 OHOS::LibteecVendorExtRegisterAgentFuzzTest(data, size);
291 OHOS::TEEC_EXT_RegisterAgentTest_001(data, size);
292 OHOS::LibteecVendorExtWaitEventFuzzTest(data, size);
293 OHOS::TEEC_EXT_WaitEventTest_001(data, size);
294 OHOS::LibteecVendorExtUnregisterAgentFuzzTest(data, size);
295 OHOS::TEEC_EXT_UnregisterAgentTest_001(data, size);
296 OHOS::LibteecVendorSendSecfileFuzzTest(data, size);
297 OHOS::TEEC_SendSecfileTest_001(data, size);
298 OHOS::LibteecVendorSendSecfileInnerFuzzTest(data, size);
299 OHOS::TEEC_SendSecfileInnerTest_001(data, size);
300 OHOS::LibteecVendorSendEventResponseFuzzTest(data, size);
301 OHOS::TEEC_EXT_SendEventResponseTest_001(data, size);
302 OHOS::LibteecVendorLoadSecfileFuzzTest(data, size);
303 OHOS::LibteecVendorGetAppFuzzTest(data, size);
304 OHOS::LibteecVendorLoadSecfileFuzzTest_001(data, size);
305 OHOS::LibteecVendorLoadSecfileFuzzTest_002(data, size);
306 return 0;
307 }