1 /*
2 * Copyright (c) 2023-2025 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "updatehaptokenstub_fuzzer.h"
17
18 #include <string>
19
20 #include "fuzzer/FuzzedDataProvider.h"
21 #include "service/accesstoken_manager_service.h"
22
23 using namespace std;
24 using namespace OHOS::Security::AccessToken;
25 const int CONSTANTS_NUMBER_TWO = 2;
26 static const int32_t ROOT_UID = 0;
27
28 namespace OHOS {
InitHapPolicy(FuzzedDataProvider & provider,HapPolicy & policy)29 void InitHapPolicy(FuzzedDataProvider& provider, HapPolicy& policy)
30 {
31 std::string permissionName = provider.ConsumeRandomLengthString();
32 PermissionDef def = {
33 .permissionName = permissionName,
34 .bundleName = provider.ConsumeRandomLengthString(),
35 .grantMode = static_cast<int32_t>(
36 provider.ConsumeIntegralInRange<uint32_t>(0, static_cast<uint32_t>(GrantMode::SYSTEM_GRANT))),
37 .availableLevel = static_cast<ATokenAplEnum>(
38 provider.ConsumeIntegralInRange<uint32_t>(0, static_cast<uint32_t>(ATokenAplEnum::APL_ENUM_BUTT))),
39 .provisionEnable = provider.ConsumeBool(),
40 .distributedSceneEnable = provider.ConsumeBool(),
41 .label = provider.ConsumeRandomLengthString(),
42 .labelId = provider.ConsumeIntegral<int32_t>(),
43 .description = provider.ConsumeRandomLengthString(),
44 .descriptionId = provider.ConsumeIntegral<int32_t>(),
45 .availableType = static_cast<ATokenAvailableTypeEnum>(provider.ConsumeIntegralInRange<uint32_t>(
46 0, static_cast<uint32_t>(ATokenAvailableTypeEnum::AVAILABLE_TYPE_BUTT))),
47 .isKernelEffect = provider.ConsumeBool(),
48 .hasValue = provider.ConsumeBool(),
49 };
50
51 PermissionStatus state = {
52 .permissionName = permissionName,
53 .grantStatus = static_cast<int32_t>(provider.ConsumeIntegralInRange<uint32_t>(
54 0, static_cast<uint32_t>(PermissionState::PERMISSION_GRANTED))),
55 .grantFlag = provider.ConsumeIntegralInRange<uint32_t>(
56 0, static_cast<uint32_t>(PermissionFlag::PERMISSION_ALLOW_THIS_TIME)),
57 };
58
59 PreAuthorizationInfo info = {
60 .permissionName = permissionName,
61 .userCancelable = provider.ConsumeBool(),
62 };
63
64 policy.apl = static_cast<ATokenAplEnum>(
65 provider.ConsumeIntegralInRange<uint32_t>(0, static_cast<uint32_t>(ATokenAplEnum::APL_ENUM_BUTT)));
66 policy.domain = provider.ConsumeRandomLengthString();
67 policy.permList = { def };
68 policy.permStateList = { state };
69 policy.aclRequestedList = {provider.ConsumeRandomLengthString()};
70 policy.preAuthorizationInfo = { info };
71 policy.checkIgnore = static_cast<HapPolicyCheckIgnore>(provider.ConsumeIntegralInRange<uint32_t>(
72 0, static_cast<uint32_t>(HapPolicyCheckIgnore::ACL_IGNORE_CHECK)));
73 policy.aclExtendedMap = {std::make_pair<std::string, std::string>(provider.ConsumeRandomLengthString(),
74 provider.ConsumeRandomLengthString())};
75 }
76
UpdateHapTokenStubFuzzTest(const uint8_t * data,size_t size)77 bool UpdateHapTokenStubFuzzTest(const uint8_t* data, size_t size)
78 {
79 if ((data == nullptr) || (size == 0)) {
80 return false;
81 }
82
83 FuzzedDataProvider provider(data, size);
84 uint64_t fullTokenId = provider.ConsumeIntegral<uint64_t>();
85 UpdateHapInfoParamsIdl infoIdl = {
86 .appIDDesc = provider.ConsumeRandomLengthString(),
87 .apiVersion = provider.ConsumeIntegral<int32_t>(),
88 .isSystemApp = provider.ConsumeBool(),
89 .appDistributionType = provider.ConsumeRandomLengthString(),
90 .isAtomicService = provider.ConsumeBool(),
91 .dataRefresh = provider.ConsumeBool(),
92 };
93
94 HapPolicyParcel hapPolicyParcel;
95 InitHapPolicy(provider, hapPolicyParcel.hapPolicy);
96
97 MessageParcel datas;
98 datas.WriteInterfaceToken(IAccessTokenManager::GetDescriptor());
99 if (!datas.WriteUint32(fullTokenId)) {
100 return false;
101 }
102 if (UpdateHapInfoParamsIdlBlockMarshalling(datas, infoIdl) != ERR_NONE) {
103 return false;
104 }
105 if (!datas.WriteParcelable(&hapPolicyParcel)) {
106 return false;
107 }
108 uint32_t code = static_cast<uint32_t>(IAccessTokenManagerIpcCode::COMMAND_UPDATE_HAP_TOKEN);
109 MessageParcel reply;
110 MessageOption option;
111 bool enable = ((provider.ConsumeIntegral<int32_t>() % CONSTANTS_NUMBER_TWO) == 0);
112 if (enable) {
113 setuid(CONSTANTS_NUMBER_TWO);
114 }
115 DelayedSingleton<AccessTokenManagerService>::GetInstance()->OnRemoteRequest(code, datas, reply, option);
116 setuid(ROOT_UID);
117 return true;
118 }
119 }
120
121 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)122 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
123 {
124 /* Run your code on data */
125 OHOS::UpdateHapTokenStubFuzzTest(data, size);
126 return 0;
127 }
128