1 /*
2 * Copyright (c) 2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "unlockpin_fuzzer.h"
17
18 #include <cstddef>
19 #include <cstdint>
20 #include <string_ex.h>
21 #include <thread>
22
23 #define private public
24 #include "addcoreservicetoken_fuzzer.h"
25 #include "core_service.h"
26 #include "napi_util.h"
27 #include "system_ability_definition.h"
28 #include "tel_event_handler.h"
29 #include "unistd.h"
30 #include "tel_ril_manager.h"
31
32 using namespace OHOS::Telephony;
33 namespace OHOS {
34 static bool g_isInited = false;
35 constexpr int32_t SLOT_NUM = 2;
36 constexpr int32_t SLEEP_TIME_SECONDS = 3;
37
IsServiceInited()38 bool IsServiceInited()
39 {
40 if (!g_isInited) {
41 DelayedSingleton<CoreService>::GetInstance()->OnStart();
42 if (DelayedSingleton<CoreService>::GetInstance()->GetServiceRunningState() ==
43 static_cast<int32_t>(ServiceRunningState::STATE_RUNNING)) {
44 g_isInited = true;
45 }
46 }
47 return g_isInited;
48 }
49
UnlockPin(const uint8_t * data,size_t size)50 void UnlockPin(const uint8_t *data, size_t size)
51 {
52 if (!IsServiceInited()) {
53 return;
54 }
55
56 MessageParcel dataMessageParcel;
57 int32_t slotId = static_cast<int32_t>(*data % SLOT_NUM);
58 dataMessageParcel.WriteInt32(slotId);
59 std::string pin(reinterpret_cast<const char *>(data), size);
60 std::u16string pinStr = Str8ToStr16(pin);
61 dataMessageParcel.WriteString16(pinStr);
62 MessageParcel reply;
63 DelayedSingleton<CoreService>::GetInstance()->OnUnlockPin(dataMessageParcel, reply);
64 }
65
UnlockPuk(const uint8_t * data,size_t size)66 void UnlockPuk(const uint8_t *data, size_t size)
67 {
68 if (!IsServiceInited()) {
69 return;
70 }
71
72 MessageParcel dataMessageParcel;
73 int32_t slotId = static_cast<int32_t>(*data % SLOT_NUM);
74 dataMessageParcel.WriteInt32(slotId);
75 std::string pin(reinterpret_cast<const char *>(data), size);
76 std::u16string pinStr = Str8ToStr16(pin);
77 dataMessageParcel.WriteString16(pinStr);
78 std::string puk(reinterpret_cast<const char *>(data), size);
79 std::u16string pukStr = Str8ToStr16(puk);
80 dataMessageParcel.WriteString16(pukStr);
81 MessageParcel reply;
82 DelayedSingleton<CoreService>::GetInstance()->OnUnlockPuk(dataMessageParcel, reply);
83 }
84
AlterPin(const uint8_t * data,size_t size)85 void AlterPin(const uint8_t *data, size_t size)
86 {
87 if (!IsServiceInited()) {
88 return;
89 }
90
91 MessageParcel dataMessageParcel;
92 int32_t slotId = static_cast<int32_t>(*data % SLOT_NUM);
93 dataMessageParcel.WriteInt32(slotId);
94 std::string newPin(reinterpret_cast<const char *>(data), size);
95 std::u16string newPinStr = Str8ToStr16(newPin);
96 dataMessageParcel.WriteString16(newPinStr);
97 std::string oldPin(reinterpret_cast<const char *>(data), size);
98 std::u16string oldPinStr = Str8ToStr16(oldPin);
99 dataMessageParcel.WriteString16(oldPinStr);
100 MessageParcel reply;
101 DelayedSingleton<CoreService>::GetInstance()->OnAlterPin(dataMessageParcel, reply);
102 }
103
UnlockPin2(const uint8_t * data,size_t size)104 void UnlockPin2(const uint8_t *data, size_t size)
105 {
106 if (!IsServiceInited()) {
107 return;
108 }
109
110 MessageParcel dataMessageParcel;
111 int32_t slotId = static_cast<int32_t>(*data % SLOT_NUM);
112 dataMessageParcel.WriteInt32(slotId);
113 std::string pin2(reinterpret_cast<const char *>(data), size);
114 std::u16string pin2Str = Str8ToStr16(pin2);
115 dataMessageParcel.WriteString16(pin2Str);
116 MessageParcel reply;
117 DelayedSingleton<CoreService>::GetInstance()->OnUnlockPin2(dataMessageParcel, reply);
118 }
119
UnlockPuk2(const uint8_t * data,size_t size)120 void UnlockPuk2(const uint8_t *data, size_t size)
121 {
122 if (!IsServiceInited()) {
123 return;
124 }
125
126 MessageParcel dataMessageParcel;
127 int32_t slotId = static_cast<int32_t>(*data % SLOT_NUM);
128 dataMessageParcel.WriteInt32(slotId);
129 std::string pin2(reinterpret_cast<const char *>(data), size);
130 std::u16string pin2Str = Str8ToStr16(pin2);
131 dataMessageParcel.WriteString16(pin2Str);
132 std::string puk2(reinterpret_cast<const char *>(data), size);
133 std::u16string puk2Str = Str8ToStr16(puk2);
134 dataMessageParcel.WriteString16(puk2Str);
135 MessageParcel reply;
136 DelayedSingleton<CoreService>::GetInstance()->OnUnlockPuk2(dataMessageParcel, reply);
137 }
138
AlterPin2(const uint8_t * data,size_t size)139 void AlterPin2(const uint8_t *data, size_t size)
140 {
141 if (!IsServiceInited()) {
142 return;
143 }
144
145 MessageParcel dataMessageParcel;
146 int32_t slotId = static_cast<int32_t>(*data % SLOT_NUM);
147 dataMessageParcel.WriteInt32(slotId);
148 std::string newPin2(reinterpret_cast<const char *>(data), size);
149 std::u16string newPin2Str = Str8ToStr16(newPin2);
150 dataMessageParcel.WriteString16(newPin2Str);
151 std::string oldPin2(reinterpret_cast<const char *>(data), size);
152 std::u16string oldPin2Str = Str8ToStr16(oldPin2);
153 dataMessageParcel.WriteString16(oldPin2Str);
154 MessageParcel reply;
155 DelayedSingleton<CoreService>::GetInstance()->OnAlterPin2(dataMessageParcel, reply);
156 }
157
SetLockState(const uint8_t * data,size_t size)158 void SetLockState(const uint8_t *data, size_t size)
159 {
160 if (!IsServiceInited()) {
161 return;
162 }
163
164 MessageParcel dataMessageParcel;
165 int32_t slotId = static_cast<int32_t>(*data % SLOT_NUM);
166 dataMessageParcel.WriteInt32(slotId);
167 int32_t offset = 0;
168 int32_t lockType = static_cast<int32_t>(*data + offset);
169 dataMessageParcel.WriteInt32(lockType);
170 offset += sizeof(int32_t);
171 int32_t lockState = static_cast<int32_t>(*data + offset);
172 dataMessageParcel.WriteInt32(lockState);
173 std::string password(reinterpret_cast<const char *>(data), size);
174 std::u16string passwordStr = Str8ToStr16(password);
175 dataMessageParcel.WriteString16(passwordStr);
176 MessageParcel reply;
177 DelayedSingleton<CoreService>::GetInstance()->OnSetLockState(dataMessageParcel, reply);
178 }
179
SetActiveSim(const uint8_t * data,size_t size)180 void SetActiveSim(const uint8_t *data, size_t size)
181 {
182 if (!IsServiceInited()) {
183 return;
184 }
185
186 MessageParcel dataMessageParcel;
187 int32_t slotId = static_cast<int32_t>(*data % SLOT_NUM);
188 dataMessageParcel.WriteInt32(slotId);
189 int32_t enable = static_cast<int32_t>(*data + sizeof(int32_t));
190 dataMessageParcel.WriteInt32(enable);
191 MessageParcel reply;
192 DelayedSingleton<CoreService>::GetInstance()->OnSetActiveSim(dataMessageParcel, reply);
193 }
194
DiallingNumbersGet(const uint8_t * data,size_t size)195 void DiallingNumbersGet(const uint8_t *data, size_t size)
196 {
197 if (!IsServiceInited()) {
198 return;
199 }
200
201 MessageParcel dataMessageParcel;
202 int32_t slotId = static_cast<int32_t>(*data % SLOT_NUM);
203 dataMessageParcel.WriteInt32(slotId);
204 int32_t type = static_cast<int32_t>(*data + sizeof(int32_t));
205 dataMessageParcel.WriteInt32(type);
206 MessageParcel reply;
207 DelayedSingleton<CoreService>::GetInstance()->OnDiallingNumbersGet(dataMessageParcel, reply);
208 }
209
DelIccDiallingNumbers(const uint8_t * data,size_t size)210 void DelIccDiallingNumbers(const uint8_t *data, size_t size)
211 {
212 if (!IsServiceInited()) {
213 return;
214 }
215
216 MessageParcel dataMessageParcel;
217 int32_t slotId = static_cast<int32_t>(*data % SLOT_NUM);
218 dataMessageParcel.WriteInt32(slotId);
219 int32_t type = static_cast<int32_t>(*data + sizeof(int32_t));
220 dataMessageParcel.WriteInt32(type);
221 MessageParcel reply;
222 DelayedSingleton<CoreService>::GetInstance()->OnDelIccDiallingNumbers(dataMessageParcel, reply);
223 }
224
UnlockSimLock(const uint8_t * data,size_t size)225 void UnlockSimLock(const uint8_t *data, size_t size)
226 {
227 if (!IsServiceInited()) {
228 return;
229 }
230
231 MessageParcel dataMessageParcel;
232 int32_t slotId = static_cast<int32_t>(*data % SLOT_NUM);
233 dataMessageParcel.WriteInt32(slotId);
234 int32_t lockType = static_cast<int32_t>(*data + sizeof(int32_t));
235 dataMessageParcel.WriteInt32(lockType);
236 std::string password(reinterpret_cast<const char *>(data), size);
237 std::u16string passwordStr = Str8ToStr16(password);
238 dataMessageParcel.WriteString16(passwordStr);
239 MessageParcel reply;
240 DelayedSingleton<CoreService>::GetInstance()->OnUnlockSimLock(dataMessageParcel, reply);
241 }
242
DoSomethingInterestingWithMyAPI(const uint8_t * data,size_t size)243 void DoSomethingInterestingWithMyAPI(const uint8_t *data, size_t size)
244 {
245 if (data == nullptr || size == 0) {
246 return;
247 }
248
249 UnlockPin(data, size);
250 UnlockPuk(data, size);
251 AlterPin(data, size);
252 UnlockPin2(data, size);
253 UnlockPuk2(data, size);
254 AlterPin2(data, size);
255 SetLockState(data, size);
256 SetActiveSim(data, size);
257 DiallingNumbersGet(data, size);
258 DelIccDiallingNumbers(data, size);
259 UnlockSimLock(data, size);
260 auto telRilManager = std::static_pointer_cast<TelRilManager>(
261 DelayedSingleton<CoreService>::GetInstance()->telRilManager_);
262 if (telRilManager == nullptr || telRilManager->handler_ == nullptr) {
263 return;
264 }
265 auto handler = telRilManager->handler_;
266 if (handler != nullptr) {
267 handler->RemoveAllEvents();
268 handler->SendEvent(0, 0, AppExecFwk::EventQueue::Priority::HIGH);
269 sleep(SLEEP_TIME_SECONDS);
270 }
271 telRilManager->handler_->ClearFfrt(false);
272 telRilManager->handler_->queue_ = nullptr;
273 return;
274 }
275 } // namespace OHOS
276
277 /* Fuzzer entry point */
LLVMFuzzerInitialize(int * argc,char *** argv)278 extern "C" int LLVMFuzzerInitialize(int *argc, char ***argv)
279 {
280 OHOS::AddCoreServiceTokenFuzzer token;
281 return 0;
282 }
283
284 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)285 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
286 {
287 /* Run your code on data */
288 OHOS::DoSomethingInterestingWithMyAPI(data, size);
289 OHOS::DelayedSingleton<CoreService>::DestroyInstance();
290 return 0;
291 }
292