• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (C) 2022 Huawei Technologies Co., Ltd.
3  * Licensed under the Mulan PSL v2.
4  * You can use this software according to the terms and conditions of the Mulan PSL v2.
5  * You may obtain a copy of Mulan PSL v2 at:
6  *     http://license.coscl.org.cn/MulanPSL2
7  * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
8  * IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
9  * PURPOSE.
10  * See the Mulan PSL v2 for more details.
11  */
12 
13 #include "teeclientinvokecommand_fuzzer.h"
14 
15 #include <cstddef>
16 #include <cstdint>
17 #include <malloc.h>
18 #include <map>
19 #include "tee_client_api.h"
20 #include "tee_client_constants.h"
21 #include "tee_client_type.h"
22 
23 #define MAX_PARAM_COUNT 4
24 
25 #define IS_TEMP_MEM(paramType)                                                              \
26     (((paramType) == TEEC_MEMREF_TEMP_INPUT) || ((paramType) == TEEC_MEMREF_TEMP_OUTPUT) || \
27      ((paramType) == TEEC_MEMREF_TEMP_INOUT))
28 
29 #define IS_PARTIAL_MEM(paramType)                                                        \
30     (((paramType) == TEEC_MEMREF_WHOLE) || ((paramType) == TEEC_MEMREF_PARTIAL_INPUT) || \
31      ((paramType) == TEEC_MEMREF_PARTIAL_OUTPUT) || ((paramType) == TEEC_MEMREF_PARTIAL_INOUT))
32 
33 namespace OHOS {
34     std::map<int, int> g_recordShareMemory;
35     uint32_t g_paramType[TEEC_PARAM_NUM];
36     uint32_t g_shareMemoryCnt = 0;
37 
InitTeecParam(uint8_t * temp,TEEC_Parameter (& param)[4],TEEC_Operation & operation,TEEC_SharedMemory (& memory)[4],TEEC_Context context)38     void InitTeecParam(uint8_t *temp, TEEC_Parameter (&param)[4], TEEC_Operation &operation,
39                        TEEC_SharedMemory (&memory)[4], TEEC_Context context)
40     {
41         for (uint32_t paramCnt = 0; paramCnt < TEEC_PARAM_NUM; paramCnt++) {
42             param[paramCnt] = *reinterpret_cast<TEEC_Parameter *>(temp);
43             temp += sizeof(TEEC_Parameter);
44             g_paramType[paramCnt] = TEEC_PARAM_TYPE_GET(operation.paramTypes, paramCnt);
45             if (IS_TEMP_MEM(g_paramType[paramCnt])) {
46                 if (param[paramCnt].tmpref.size > 0) {
47                     param[paramCnt].tmpref.buffer = malloc(param[paramCnt].tmpref.size);
48                 }
49             } else if (IS_PARTIAL_MEM(g_paramType[paramCnt])) {
50                 memory[g_shareMemoryCnt] = *reinterpret_cast<TEEC_SharedMemory *>(temp);
51                 temp += sizeof(TEEC_SharedMemory);
52                 TEEC_Result allocRet = TEEC_AllocateSharedMemory(&context, &memory[g_shareMemoryCnt]);
53                 if (allocRet == TEEC_SUCCESS) {
54                     g_recordShareMemory[g_shareMemoryCnt] = paramCnt;
55                     param[paramCnt].memref.parent = &memory[g_shareMemoryCnt];
56                     g_shareMemoryCnt++;
57                 } else {
58                     param[paramCnt].memref.parent = nullptr;
59                 }
60             }
61         }
62     }
63 
ReleaseTeecParam(TEEC_Parameter (& param)[4],TEEC_SharedMemory (& memory)[4])64     void ReleaseTeecParam(TEEC_Parameter (&param)[4], TEEC_SharedMemory (&memory)[4])
65     {
66         g_shareMemoryCnt = 0;
67         for (uint32_t paramCnt = 0; paramCnt < TEEC_PARAM_NUM; paramCnt++) {
68             if (IS_TEMP_MEM(g_paramType[paramCnt])) {
69                 if (param[paramCnt].tmpref.size > 0 && param[paramCnt].tmpref.buffer != nullptr) {
70                     free(param[paramCnt].tmpref.buffer);
71                     param[paramCnt].tmpref.buffer = nullptr;
72                 }
73             } else if (IS_PARTIAL_MEM(g_paramType[paramCnt]) && g_recordShareMemory[g_shareMemoryCnt] == paramCnt) {
74                 TEEC_ReleaseSharedMemory(&memory[g_shareMemoryCnt]);
75                 g_shareMemoryCnt++;
76             }
77         }
78     }
79 
TeeClientInvokeCommandFuzzTest(const uint8_t * data,size_t size)80     bool TeeClientInvokeCommandFuzzTest(const uint8_t *data, size_t size)
81     {
82         bool result = false;
83         if (size > sizeof(TEEC_Session) + sizeof(uint32_t) + sizeof(TEEC_Operation) + sizeof(uint32_t) +
84             sizeof(TEEC_Context) + sizeof(TEEC_Parameter) * MAX_PARAM_COUNT +
85             sizeof(TEEC_SharedMemory) * MAX_PARAM_COUNT) {
86             uint8_t *temp = const_cast<uint8_t *>(data);
87             TEEC_Session session = *reinterpret_cast<TEEC_Session *>(temp);
88             temp += sizeof(TEEC_Session);
89             uint32_t commandID = *reinterpret_cast<uint32_t *>(temp);
90             temp += sizeof(uint32_t);
91             TEEC_Operation operation = *reinterpret_cast<TEEC_Operation *>(temp);
92             temp += sizeof(TEEC_Operation);
93             uint32_t returnOrigin = *reinterpret_cast<uint32_t *>(temp);
94             temp += sizeof(uint32_t);
95             TEEC_Context context = *reinterpret_cast<TEEC_Context *>(temp);
96             temp += sizeof(TEEC_Context);
97             TEEC_Parameter param[4];
98             TEEC_SharedMemory memory[4];
99             InitTeecParam(temp, param, operation, memory, context);
100 
101             session.context = &context;
102             operation.params[0] = param[0];
103             operation.params[1] = param[1];
104             operation.params[2] = param[2];
105             operation.params[3] = param[3];
106             operation.session = &session;
107 
108             (void)TEEC_InvokeCommand(&session, commandID, &operation, &returnOrigin);
109 
110             ReleaseTeecParam(param, memory);
111         }
112         return result;
113     }
114 }
115 
116 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)117 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
118 {
119     /* Run your code on data */
120     OHOS::TeeClientInvokeCommandFuzzTest(data, size);
121     return 0;
122 }