1 /*
2 * Copyright (c) 2023 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "security_collector_manager_fuzzer.h"
17
18 #include <string>
19
20 #include "security_collector_manager_callback_service.h"
21 #include "security_collector_manager_service.h"
22 #include "security_guard_log.h"
23
24
25 namespace OHOS::Security::SecurityCollector {
26 SecurityCollectorManagerService g_service(SECURITY_COLLECTOR_MANAGER_SA_ID, true);
27 constexpr int32_t REMAINDER_VALUE = 5;
28 constexpr int32_t CMD_COLLECTOR_SUBCRIBE_VALUE = 0;
29 constexpr int32_t CMD_COLLECTOR_UNSUBCRIBE_VALUE = 1;
30 constexpr int32_t CMD_COLLECTOR_START_VALUE = 2;
31 constexpr int32_t CMD_COLLECTOR_STOP_VALUE = 3;
32 constexpr int32_t CMD_SECURITY_EVENT_QUERY_VALUE = 4;
33 void OnRemoteSubscribeRequest(const uint8_t* data, size_t size, MessageParcel* datas,
34 MessageParcel* reply, MessageOption* option);
35 void OnRemoteUnsubscribeRequest(const uint8_t* data, size_t size, MessageParcel* datas,
36 MessageParcel* reply, MessageOption* option);
37 void OnRemoteStartRequest(const uint8_t* data, size_t size, MessageParcel* datas,
38 MessageParcel* reply, MessageOption* option);
39 void OnRemoteStopRequest(const uint8_t* data, size_t size, MessageParcel* datas,
40 MessageParcel* reply, MessageOption* option);
41 void OnRemoteSecurityEventQuery(const uint8_t* data, size_t size, MessageParcel* datas,
42 MessageParcel* reply, MessageOption* option);
43
OnRemoteRequestFuzzTest(const uint8_t * data,size_t size)44 void OnRemoteRequestFuzzTest(const uint8_t* data, size_t size)
45 {
46 MessageParcel datas;
47 MessageParcel reply;
48 MessageOption option;
49 datas.WriteInterfaceToken(ISecurityCollectorManager::GetDescriptor());
50 if (size % REMAINDER_VALUE == CMD_COLLECTOR_SUBCRIBE_VALUE) {
51 // handle data collect cmd
52 OnRemoteSubscribeRequest(data, size, &datas, &reply, &option);
53 return;
54 } else if (size % REMAINDER_VALUE == CMD_COLLECTOR_UNSUBCRIBE_VALUE) {
55 // handle data request cmd
56 OnRemoteUnsubscribeRequest(data, size, &datas, &reply, &option);
57 return;
58 } else if (size % REMAINDER_VALUE == CMD_COLLECTOR_START_VALUE) {
59 // handle data subscribe cmd
60 OnRemoteStartRequest(data, size, &datas, &reply, &option);
61 return;
62 } else if (size % REMAINDER_VALUE == CMD_COLLECTOR_STOP_VALUE) {
63 // handle data unsubscribe cmd
64 OnRemoteStopRequest(data, size, &datas, &reply, &option);
65 return;
66 } else if (size % REMAINDER_VALUE == CMD_SECURITY_EVENT_QUERY_VALUE) {
67 // handle security event query cmd
68 OnRemoteSecurityEventQuery(data, size, &datas, &reply, &option);
69 return;
70 }
71 }
72
OnRemoteSubscribeRequest(const uint8_t * data,size_t size,MessageParcel * datas,MessageParcel * reply,MessageOption * option)73 void OnRemoteSubscribeRequest(const uint8_t* data, size_t size, MessageParcel* datas,
74 MessageParcel* reply, MessageOption* option)
75 {
76 if (data == nullptr || size < sizeof(int64_t) + sizeof(int64_t)) {
77 return;
78 }
79 size_t offset = 0;
80 int64_t eventId = *(reinterpret_cast<const int64_t *>(data + offset));
81 offset += sizeof(int64_t);
82 int64_t duration = *(reinterpret_cast<const int64_t *>(data + offset));
83 offset += sizeof(int64_t);
84 std::string string(reinterpret_cast<const char *>(data + offset), size - offset);
85 Event event;
86 event.eventId = eventId;
87 event.version = string;
88 event.content = string;
89 event.extra = string;
90 SecurityCollectorSubscribeInfo subscriberInfo{event, duration, true};
91 datas->WriteParcelable(&subscriberInfo);
92 sptr<SecurityCollectorManagerCallbackService> callback =
93 new (std::nothrow) SecurityCollectorManagerCallbackService(nullptr);
94 datas->WriteRemoteObject(callback);
95 g_service.OnRemoteRequest(SecurityCollectorManagerStub::CMD_COLLECTOR_SUBCRIBE, *datas, *reply, *option);
96 }
97
OnRemoteUnsubscribeRequest(const uint8_t * data,size_t size,MessageParcel * datas,MessageParcel * reply,MessageOption * option)98 void OnRemoteUnsubscribeRequest(const uint8_t* data, size_t size, MessageParcel* datas,
99 MessageParcel* reply, MessageOption* option)
100 {
101 if (data == nullptr || size < sizeof(int64_t)) {
102 return;
103 }
104 size_t offset = 0;
105 int64_t eventId = *(reinterpret_cast<const int64_t *>(data));
106 offset += sizeof(int64_t);
107 std::string string(reinterpret_cast<const char *>(data + offset), size - offset);
108 Event event;
109 event.eventId = eventId;
110 event.version = string;
111 event.content = string;
112 event.extra = string;
113 SecurityCollectorSubscribeInfo subscriberInfo{event, -1, true};
114 datas->WriteParcelable(&subscriberInfo);
115 sptr<SecurityCollectorManagerCallbackService> callback =
116 new (std::nothrow) SecurityCollectorManagerCallbackService(nullptr);
117 datas->WriteRemoteObject(callback);
118 g_service.OnRemoteRequest(SecurityCollectorManagerStub::CMD_COLLECTOR_UNSUBCRIBE, *datas, *reply, *option);
119 }
120
OnRemoteStartRequest(const uint8_t * data,size_t size,MessageParcel * datas,MessageParcel * reply,MessageOption * option)121 void OnRemoteStartRequest(const uint8_t* data, size_t size, MessageParcel* datas,
122 MessageParcel* reply, MessageOption* option)
123 {
124 if (data == nullptr || size < sizeof(int64_t) + sizeof(int64_t)) {
125 return;
126 }
127 size_t offset = 0;
128 int64_t eventId = *(reinterpret_cast<const int64_t *>(data + offset));
129 offset += sizeof(int64_t);
130 int64_t duration = *(reinterpret_cast<const int64_t *>(data + offset));
131 offset += sizeof(int64_t);
132 std::string string(reinterpret_cast<const char *>(data + offset), size - offset);
133 Event event;
134 event.eventId = eventId;
135 event.version = string;
136 event.content = string;
137 event.extra = string;
138 SecurityCollectorSubscribeInfo subscriberInfo{event, duration, true};
139 datas->WriteParcelable(&subscriberInfo);
140 sptr<SecurityCollectorManagerCallbackService> callback =
141 new (std::nothrow) SecurityCollectorManagerCallbackService(nullptr);
142 datas->WriteRemoteObject(callback);
143 g_service.OnRemoteRequest(SecurityCollectorManagerStub::CMD_COLLECTOR_START, *datas, *reply, *option);
144 }
145
OnRemoteStopRequest(const uint8_t * data,size_t size,MessageParcel * datas,MessageParcel * reply,MessageOption * option)146 void OnRemoteStopRequest(const uint8_t* data, size_t size, MessageParcel* datas,
147 MessageParcel* reply, MessageOption* option)
148 {
149 if (data == nullptr || size < sizeof(int64_t) + sizeof(int64_t)) {
150 return;
151 }
152 size_t offset = 0;
153 int64_t eventId = *(reinterpret_cast<const int64_t *>(data));
154 offset += sizeof(int64_t);
155 std::string string(reinterpret_cast<const char *>(data + offset), size - offset);
156 Event event;
157 event.eventId = eventId;
158 event.version = string;
159 event.content = string;
160 event.extra = string;
161 SecurityCollectorSubscribeInfo subscriberInfo{event, -1, true};
162 datas->WriteParcelable(&subscriberInfo);
163 sptr<SecurityCollectorManagerCallbackService> callback =
164 new (std::nothrow) SecurityCollectorManagerCallbackService(nullptr);
165 datas->WriteRemoteObject(callback);
166 g_service.OnRemoteRequest(SecurityCollectorManagerStub::CMD_COLLECTOR_STOP, *datas, *reply, *option);
167 }
168
OnRemoteSecurityEventQuery(const uint8_t * data,size_t size,MessageParcel * datas,MessageParcel * reply,MessageOption * option)169 void OnRemoteSecurityEventQuery(const uint8_t* data, size_t size, MessageParcel* datas,
170 MessageParcel* reply, MessageOption* option)
171 {
172 if (data == nullptr || size < sizeof(uint32_t) + sizeof(int64_t)) {
173 return;
174 }
175 size_t offset = 0;
176 uint32_t uint32 = *(reinterpret_cast<const uint32_t *>(data));
177 uint32_t rulerSize = uint32 >= MAX_QUERY_EVENT_SIZE ? MAX_QUERY_EVENT_SIZE : uint32;
178 datas->WriteUint32(rulerSize);
179 offset += sizeof(uint32_t);
180 int64_t eventId = *(reinterpret_cast<const int64_t *>(data + offset));
181 offset += sizeof(int64_t);
182 std::string string(reinterpret_cast<const char *>(data + offset), size - offset);
183 for (uint32_t i = 0; i < rulerSize; i++) {
184 SecurityEventRuler ruler =
185 SecurityEventRuler(eventId, string, string, string);
186 datas->WriteParcelable(&ruler);
187 }
188 sptr<SecurityCollectorManagerCallbackService> callback =
189 new (std::nothrow) SecurityCollectorManagerCallbackService(nullptr);
190 datas->WriteRemoteObject(callback);
191 g_service.OnRemoteRequest(SecurityCollectorManagerStub::CMD_SECURITY_EVENT_QUERY, *datas, *reply, *option);
192 }
193
OnRemoteMute(const uint8_t * data,size_t size,MessageParcel * datas,MessageParcel * reply,MessageOption * option)194 void OnRemoteMute(const uint8_t* data, size_t size, MessageParcel* datas,
195 MessageParcel* reply, MessageOption* option)
196 {
197 if (data == nullptr || size < sizeof(uint32_t) + sizeof(int64_t)) {
198 return;
199 }
200 size_t offset = 0;
201 offset += sizeof(uint32_t);
202 int64_t eventId = *(reinterpret_cast<const int64_t *>(data + offset));
203 offset += sizeof(int64_t);
204 std::string string(reinterpret_cast<const char *>(data + offset), size - offset);
205 SecurityCollectorEventMuteFilter info {};
206 info.eventId = eventId;
207 info.mutes.insert(string);
208 SecurityCollectorEventFilter filter(info);
209 datas->WriteParcelable(&filter);
210 datas->WriteString(string);
211 g_service.OnRemoteRequest(SecurityCollectorManagerStub::CMD_SECURITY_EVENT_MUTE, *datas, *reply, *option);
212 }
213
OnRemoteUnmute(const uint8_t * data,size_t size,MessageParcel * datas,MessageParcel * reply,MessageOption * option)214 void OnRemoteUnmute(const uint8_t* data, size_t size, MessageParcel* datas,
215 MessageParcel* reply, MessageOption* option)
216 {
217 if (data == nullptr || size < sizeof(uint32_t) + sizeof(int64_t)) {
218 return;
219 }
220 size_t offset = 0;
221 offset += sizeof(uint32_t);
222 int64_t eventId = *(reinterpret_cast<const int64_t *>(data + offset));
223 offset += sizeof(int64_t);
224 std::string string(reinterpret_cast<const char *>(data + offset), size - offset);
225 SecurityCollectorEventMuteFilter info {};
226 info.eventId = eventId;
227 info.mutes.insert(string);
228 SecurityCollectorEventFilter filter(info);
229 datas->WriteParcelable(&filter);
230 datas->WriteString(string);
231 g_service.OnRemoteRequest(SecurityCollectorManagerStub::CMD_SECURITY_EVENT_UNMUTE, *datas, *reply, *option);
232 }
233 } // namespace OHOS::Security::SecurityCollector
234
235 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)236 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
237 {
238 /* Run your code on date */
239 OHOS::Security::SecurityCollector::OnRemoteRequestFuzzTest(data, size);
240 return 0;
241 }
242