1 /*
2 * Copyright (c) 2023 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "sessioninterface_fuzzer.h"
17
18 #include <iremote_broker.h>
19
20 #include "ability_context_impl.h"
21 #include "session_manager.h"
22 #include "window_manager_hilog.h"
23 #include "window_scene_session_impl.h"
24 #include "zidl/session_ipc_interface_code.h"
25 #include "zidl/session_proxy.h"
26 #include "data_source.h"
27
28 namespace OHOS::Rosen {
29 namespace {
30 constexpr HiviewDFX::HiLogLabel LABEL = {LOG_CORE, HILOG_DOMAIN_WINDOW, "SessionInterfaceFuzzTest"};
31 }
32
33 static std::shared_ptr<AbilityRuntime::AbilityContext> abilityContext =
34 std::make_shared<AbilityRuntime::AbilityContextImpl>();
35 static sptr<WindowSessionImpl> savedWindow;
36
GetProxy()37 std::pair<sptr<ISession>, sptr<IRemoteObject>> GetProxy()
38 {
39 if (savedWindow) {
40 savedWindow->Destroy();
41 savedWindow = nullptr;
42 }
43
44 sptr<WindowOption> option = new WindowOption();
45 option->SetWindowName("SessionInterfaceFuzzTest");
46 option->SetWindowType(WindowType::WINDOW_TYPE_WALLPAPER);
47
48 sptr<WindowSessionImpl> window = new WindowSceneSessionImpl(option);
49 WMError err = window->Create(abilityContext, nullptr);
50 if (err != WMError::WM_OK) {
51 WLOGFE("Failed to create window: %{public}d", static_cast<int>(err));
52 return {nullptr, nullptr};
53 }
54
55 auto session = window->GetHostSession();
56 if (!session) {
57 WLOGFE("Session is nullptr");
58 return {nullptr, nullptr};
59 }
60
61 sptr<SessionProxy> proxy = new SessionProxy(session->AsObject());
62 savedWindow = window;
63
64 WLOGFD("GetProxy success");
65
66 return {proxy, session->AsObject()};
67 }
68
69 template<class T>
UnmarshallingDataTo(const uint8_t * data,size_t size)70 T* UnmarshallingDataTo(const uint8_t* data, size_t size)
71 {
72 MessageParcel parcel;
73 if (data) {
74 parcel.WriteBuffer(data, size);
75 }
76 return T::Unmarshalling(parcel);
77 }
78
IPCFuzzTest(const uint8_t * data,size_t size)79 void IPCFuzzTest(const uint8_t* data, size_t size)
80 {
81 auto [proxy, remoteObject] = GetProxy();
82 if (!proxy || !remoteObject) {
83 return;
84 }
85
86 DataSource source(data, size);
87 uint32_t code = source.GetObject<uint32_t>();
88 int flags = source.GetObject<int>();
89 int waitTime = source.GetObject<int>();
90
91 MessageParcel sendData;
92 MessageParcel reply;
93 MessageOption option(flags, waitTime);
94 auto rawSize = source.size_ - source.pos_;
95 auto buf = source.GetRaw(rawSize);
96 if (buf) {
97 sendData.WriteBuffer(buf, rawSize);
98 }
99 remoteObject->SendRequest(code, sendData, reply, option);
100 }
101
IPCSpecificInterfaceFuzzTest1(sptr<IRemoteObject> proxy,MessageParcel & sendData,MessageParcel & reply,MessageOption & option)102 void IPCSpecificInterfaceFuzzTest1(sptr<IRemoteObject> proxy, MessageParcel& sendData, MessageParcel& reply,
103 MessageOption& option)
104 {
105 proxy->SendRequest(static_cast<uint32_t>(SessionInterfaceCode::TRANS_ID_CONNECT),
106 sendData, reply, option);
107 proxy->SendRequest(static_cast<uint32_t>(SessionInterfaceCode::TRANS_ID_FOREGROUND),
108 sendData, reply, option);
109 proxy->SendRequest(static_cast<uint32_t>(SessionInterfaceCode::TRANS_ID_BACKGROUND),
110 sendData, reply, option);
111 proxy->SendRequest(static_cast<uint32_t>(SessionInterfaceCode::TRANS_ID_DISCONNECT),
112 sendData, reply, option);
113 proxy->SendRequest(static_cast<uint32_t>(SessionInterfaceCode::TRANS_ID_SESSION_EVENT),
114 sendData, reply, option);
115 proxy->SendRequest(static_cast<uint32_t>(SessionInterfaceCode::TRANS_ID_SYNC_SESSION_EVENT),
116 sendData, reply, option);
117 proxy->SendRequest(static_cast<uint32_t>(SessionInterfaceCode::TRANS_ID_UPDATE_SESSION_RECT),
118 sendData, reply, option);
119 proxy->SendRequest(static_cast<uint32_t>(SessionInterfaceCode::TRANS_ID_RAISE_TO_APP_TOP),
120 sendData, reply, option);
121 proxy->SendRequest(static_cast<uint32_t>(SessionInterfaceCode::TRANS_ID_BACKPRESSED),
122 sendData, reply, option);
123 proxy->SendRequest(static_cast<uint32_t>(SessionInterfaceCode::TRANS_ID_MARK_PROCESSED),
124 sendData, reply, option);
125 proxy->SendRequest(static_cast<uint32_t>(SessionInterfaceCode::TRANS_ID_SET_MAXIMIZE_MODE),
126 sendData, reply, option);
127 proxy->SendRequest(static_cast<uint32_t>(SessionInterfaceCode::TRANS_ID_GET_MAXIMIZE_MODE),
128 sendData, reply, option);
129 proxy->SendRequest(static_cast<uint32_t>(SessionInterfaceCode::TRANS_ID_CHANGE_KEYBOARD_VIEW_MODE),
130 sendData, reply, option);
131 proxy->SendRequest(static_cast<uint32_t>(SessionInterfaceCode::TRANS_ID_SET_KEYBOARD_DID_SHOW_REGISTERED),
132 sendData, reply, option);
133 proxy->SendRequest(static_cast<uint32_t>(SessionInterfaceCode::TRANS_ID_SET_KEYBOARD_DID_HIDE_REGISTERED),
134 sendData, reply, option);
135 proxy->SendRequest(static_cast<uint32_t>(SessionInterfaceCode::TRANS_ID_SET_KEYBOARD_WILL_SHOW_REGISTERED),
136 sendData, reply, option);
137 proxy->SendRequest(static_cast<uint32_t>(SessionInterfaceCode::TRANS_ID_SET_KEYBOARD_WILL_HIDE_REGISTERED),
138 sendData, reply, option);
139 }
140
IPCSpecificInterfaceFuzzTest2(sptr<IRemoteObject> proxy,MessageParcel & sendData,MessageParcel & reply,MessageOption & option)141 void IPCSpecificInterfaceFuzzTest2(sptr<IRemoteObject> proxy, MessageParcel& sendData, MessageParcel& reply,
142 MessageOption& option)
143 {
144 proxy->SendRequest(static_cast<uint32_t>(SessionInterfaceCode::TRANS_ID_NEED_AVOID),
145 sendData, reply, option);
146 proxy->SendRequest(static_cast<uint32_t>(SessionInterfaceCode::TRANS_ID_GET_AVOID_AREA),
147 sendData, reply, option);
148 proxy->SendRequest(static_cast<uint32_t>(SessionInterfaceCode::TRANS_ID_SET_ASPECT_RATIO),
149 sendData, reply, option);
150 proxy->SendRequest(static_cast<uint32_t>(SessionInterfaceCode::TRANS_ID_UPDATE_WINDOW_ANIMATION_FLAG),
151 sendData, reply, option);
152 proxy->SendRequest(static_cast<uint32_t>(SessionInterfaceCode::TRANS_ID_UPDATE_CUSTOM_ANIMATION),
153 sendData, reply, option);
154 proxy->SendRequest(static_cast<uint32_t>(SessionInterfaceCode::TRANS_ID_RAISE_ABOVE_TARGET),
155 sendData, reply, option);
156 proxy->SendRequest(static_cast<uint32_t>(SessionInterfaceCode::TRANS_ID_RAISE_MAIN_WINDOW_ABOVE_TARGET),
157 sendData, reply, option);
158 proxy->SendRequest(static_cast<uint32_t>(SessionInterfaceCode::TRANS_ID_ACTIVE_PENDING_SESSION),
159 sendData, reply, option);
160 proxy->SendRequest(static_cast<uint32_t>(SessionInterfaceCode::TRANS_ID_TERMINATE),
161 sendData, reply, option);
162 proxy->SendRequest(static_cast<uint32_t>(SessionInterfaceCode::TRANS_ID_EXCEPTION),
163 sendData, reply, option);
164 proxy->SendRequest(static_cast<uint32_t>(SessionInterfaceCode::TRANS_ID_TRANSFER_ABILITY_RESULT),
165 sendData, reply, option);
166 proxy->SendRequest(static_cast<uint32_t>(SessionInterfaceCode::TRANS_ID_TRANSFER_EXTENSION_DATA),
167 sendData, reply, option);
168 proxy->SendRequest(static_cast<uint32_t>(SessionInterfaceCode::TRANS_ID_NOTIFY_EXTENSION_DIED),
169 sendData, reply, option);
170 proxy->SendRequest(static_cast<uint32_t>(SessionInterfaceCode::TRANS_ID_SET_WINDOW_RECT_AUTO_SAVE),
171 sendData, reply, option);
172 proxy->SendRequest(static_cast<uint32_t>(SessionInterfaceCode::TRANS_ID_SET_START_WINDOW_BACKGROUND_COLOR),
173 sendData, reply, option);
174 proxy->SendRequest(static_cast<uint32_t>(SessionInterfaceCode::TRANS_IS_SET_IMAGE_FOR_RECENT),
175 sendData, reply, option);
176 proxy->SendRequest(static_cast<uint32_t>(SessionInterfaceCode::TRANS_ID_UPDATE_FLOATING_BALL),
177 sendData, reply, option);
178 proxy->SendRequest(static_cast<uint32_t>(SessionInterfaceCode::TRANS_ID_NOTIFY_FLOATING_BALL_PREPARE_CLOSE),
179 sendData, reply, option);
180 proxy->SendRequest(static_cast<uint32_t>(SessionInterfaceCode::TRANS_ID_START_FLOATING_BALL_MAIN_WINDOW),
181 sendData, reply, option);
182 proxy->SendRequest(static_cast<uint32_t>(SessionInterfaceCode::TRANS_ID_GET_FLOATING_BALL_WINDOW_ID),
183 sendData, reply, option);
184 proxy->SendRequest(static_cast<uint32_t>(SessionInterfaceCode::TRANS_ID_NOTIFY_SNAPSHOT_UPDATE),
185 sendData, reply, option);
186 proxy->SendRequest(
187 static_cast<uint32_t>(SessionInterfaceCode::TRANS_ID_NOTIFY_WINDOW_ATTACH_STATE_LISTENER_REGISTERED),
188 sendData, reply, option);
189 }
190
IPCInterfaceFuzzTest(const uint8_t * data,size_t size)191 void IPCInterfaceFuzzTest(const uint8_t* data, size_t size)
192 {
193 auto [proxy, remoteObject] = GetProxy();
194 if (!proxy || !remoteObject) {
195 return;
196 }
197
198 DataSource source(data, size);
199 int flags = source.GetObject<int>();
200 int waitTime = source.GetObject<int>();
201
202 MessageParcel sendData;
203 MessageParcel reply;
204 MessageOption option(flags, waitTime);
205 sendData.WriteInterfaceToken(proxy->GetDescriptor());
206 auto rawSize = source.size_ - source.pos_;
207 auto buf = source.GetRaw(rawSize);
208 if (buf) {
209 sendData.WriteBuffer(buf, rawSize);
210 }
211 IPCSpecificInterfaceFuzzTest1(remoteObject, sendData, reply, option);
212 IPCSpecificInterfaceFuzzTest2(remoteObject, sendData, reply, option);
213 }
214
ProxyInterfaceFuzzTestPart1(const uint8_t * data,size_t size)215 void ProxyInterfaceFuzzTestPart1(const uint8_t* data, size_t size)
216 {
217 auto [proxy, remoteObject] = GetProxy();
218 if (!proxy || !remoteObject) {
219 return;
220 }
221
222 DataSource source(data, size);
223
224 sptr<WindowSessionProperty> property = UnmarshallingDataTo<WindowSessionProperty>(data, size);
225 proxy->Foreground(property);
226 proxy->Background();
227 proxy->RaiseToAppTop();
228
229 SessionEvent event = source.GetObject<SessionEvent>();
230 proxy->OnSessionEvent(event);
231
232 WSRect rect = source.GetObject<WSRect>();
233 SizeChangeReason reason = source.GetObject<SizeChangeReason>();
234 proxy->UpdateSessionRect(rect, reason);
235
236 bool needMoveToBackground = source.GetObject<bool>();
237 proxy->RequestSessionBack(needMoveToBackground);
238 }
239
ProxyInterfaceFuzzTestPart2(const uint8_t * data,size_t size)240 void ProxyInterfaceFuzzTestPart2(const uint8_t* data, size_t size)
241 {
242 auto [proxy, remoteObject] = GetProxy();
243 if (!proxy || !remoteObject) {
244 return;
245 }
246
247 DataSource source(data, size);
248
249 int32_t eventId = source.GetObject<int32_t>();
250 proxy->MarkProcessed(eventId);
251
252 MaximizeMode mode = source.GetObject<MaximizeMode>();
253 proxy->SetGlobalMaximizeMode(mode);
254 proxy->GetGlobalMaximizeMode(mode);
255
256 bool status = source.GetObject<bool>();
257 proxy->OnNeedAvoid(status);
258
259 AvoidAreaType type = source.GetObject<AvoidAreaType>();
260 proxy->GetAvoidAreaByType(type);
261
262 float ratio = source.GetObject<float>();
263 proxy->SetAspectRatio(ratio);
264
265 bool needDefaultAnimationFlag = source.GetObject<bool>();
266 proxy->UpdateWindowAnimationFlag(needDefaultAnimationFlag);
267
268 bool isAdd = source.GetObject<bool>();
269 proxy->UpdateWindowSceneAfterCustomAnimation(isAdd);
270 }
271
ProxyInterfaceFuzzTestPart3(const uint8_t * data,size_t size)272 void ProxyInterfaceFuzzTestPart3(const uint8_t* data, size_t size)
273 {
274 auto [proxy, remoteObject] = GetProxy();
275 if (!proxy || !remoteObject) {
276 return;
277 }
278
279 DataSource source(data, size);
280
281 int32_t subWindowId = source.GetObject<int32_t>();
282 proxy->RaiseAboveTarget(subWindowId);
283
284 sptr<AAFwk::SessionInfo> sessionInfo = UnmarshallingDataTo<AAFwk::SessionInfo>(data, size);
285 proxy->PendingSessionActivation(sessionInfo);
286 proxy->TerminateSession(sessionInfo);
287 ExceptionInfo exceptionInfo;
288 proxy->NotifySessionException(sessionInfo, exceptionInfo);
289
290 uint32_t resultCode = source.GetObject<uint32_t>();
291 sptr<AAFwk::Want> want = UnmarshallingDataTo<AAFwk::Want>(data, size);
292 proxy->TransferAbilityResult(resultCode, *want);
293
294 sptr<AAFwk::WantParams> wantParams = UnmarshallingDataTo<AAFwk::WantParams>(data, size);
295 proxy->TransferExtensionData(*wantParams);
296 proxy->NotifyExtensionDied();
297 int32_t errorCode = 1;
298 proxy->NotifyExtensionTimeout(errorCode);
299 }
300
ProxyInterfaceFuzzTest(const uint8_t * data,size_t size)301 void ProxyInterfaceFuzzTest(const uint8_t* data, size_t size)
302 {
303 ProxyInterfaceFuzzTestPart1(data, size);
304 ProxyInterfaceFuzzTestPart2(data, size);
305 ProxyInterfaceFuzzTestPart3(data, size);
306 }
307 }
308
309 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)310 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
311 {
312 /* Run your code on data */
313 OHOS::Rosen::IPCFuzzTest(data, size);
314 OHOS::Rosen::IPCInterfaceFuzzTest(data, size);
315 OHOS::Rosen::ProxyInterfaceFuzzTest(data, size);
316 return 0;
317 }
318