1 /*
2 * Copyright (c) 2022-2023 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "user_idm_service_fuzzer.h"
17
18 #include <cstdio>
19 #include "parcel.h"
20 #include "securec.h"
21
22 #include "iam_callback_proxy.h"
23 #include "iam_fuzz_test.h"
24 #include "iam_logger.h"
25 #include "iam_ptr.h"
26 #include "user_idm_service.h"
27 #include "dummy_iam_callback_interface.h"
28
29 #undef private
30
31 using namespace std;
32 using namespace OHOS::UserIam::Common;
33
34 #define LOG_TAG "USER_AUTH_SA"
35
36 namespace OHOS {
37 namespace UserIam {
38 namespace UserAuth {
39 namespace {
40 const int CMD_LEN = 19;
41 std::u16string cmd[] = {u"-h", u"-lc", u"-ls", u"-c", u"-c [base system]", u"-s", u"-s [SA0 SA1]", u"-s [SA] -a [-h]",
42 u"-e", u"--net", u"--storage", u"-p", u"-p [pid]", u"--cpuusage [pid]", u"cified pid", u"--cpufreq", u"--mem [pid]",
43 u"--zip", u"--mem-smaps pid [-v]"};
44
45 class DummyIdmGetCredentialInfoCallback : public IIdmGetCredInfoCallback {
46 public:
OnCredentialInfos(int32_t result,const std::vector<IpcCredentialInfo> & credInfoList)47 int32_t OnCredentialInfos(int32_t result, const std::vector<IpcCredentialInfo> &credInfoList) override
48 {
49 IAM_LOGI("start");
50 return SUCCESS;
51 }
52
AsObject()53 sptr<IRemoteObject> AsObject() override
54 {
55 sptr<IRemoteObject> tmp(nullptr);
56 return tmp;
57 }
58 };
59
60 class DummyIdmGetSecureUserInfoCallback : public IIdmGetSecureUserInfoCallback {
61 public:
OnSecureUserInfo(int32_t result,const IpcSecUserInfo & secUserInfo)62 int32_t OnSecureUserInfo(int32_t result, const IpcSecUserInfo &secUserInfo) override
63 {
64 IAM_LOGI("start");
65 return SUCCESS;
66 }
67
AsObject()68 sptr<IRemoteObject> AsObject() override
69 {
70 sptr<IRemoteObject> tmp(nullptr);
71 return tmp;
72 }
73 };
74
75 class DummyIdmCallback : public IIamCallback {
76 public:
OnResult(int32_t result,const std::vector<uint8_t> & reqRet)77 int32_t OnResult(int32_t result, const std::vector<uint8_t> &reqRet) override
78 {
79 IAM_LOGI("start");
80 return SUCCESS;
81 }
82
OnAcquireInfo(int32_t module,int32_t acquire,const std::vector<uint8_t> & reqRet)83 int32_t OnAcquireInfo(int32_t module, int32_t acquire, const std::vector<uint8_t> &reqRet) override
84 {
85 IAM_LOGI("start");
86 return SUCCESS;
87 }
88
AsObject()89 sptr<IRemoteObject> AsObject() override
90 {
91 sptr<IRemoteObject> tmp(nullptr);
92 return tmp;
93 }
94 };
95
96 class DummyCredChangeEventListener : public IEventListenerCallback {
97 public:
98 ~DummyCredChangeEventListener() override = default;
99
AsObject()100 sptr<IRemoteObject> AsObject() override
101 {
102 sptr<IRemoteObject> tmp(nullptr);
103 return tmp;
104 }
105
OnNotifyAuthSuccessEvent(int32_t userId,int32_t authType,int32_t callerType,const std::string & callerName)106 int32_t OnNotifyAuthSuccessEvent(int32_t userId, int32_t authType, int32_t callerType,
107 const std::string &callerName) override
108 {
109 IAM_LOGI("start");
110 return SUCCESS;
111 }
OnNotifyCredChangeEvent(int32_t userId,int32_t authType,int32_t eventType,const IpcCredChangeEventInfo & changeInfo)112 int32_t OnNotifyCredChangeEvent(int32_t userId, int32_t authType, int32_t eventType,
113 const IpcCredChangeEventInfo &changeInfo) override
114 {
115 IAM_LOGI("start");
116 return SUCCESS;
117 }
118 };
119
GetFuzzOptionalUserId(Parcel & parcel)120 int32_t GetFuzzOptionalUserId(Parcel &parcel)
121 {
122 if (parcel.ReadBool()) {
123 return parcel.ReadInt32();
124 }
125 return 0;
126 }
127
GetFuzzIdmGetCredentialInfoCallback(Parcel & parcel)128 sptr<IIdmGetCredInfoCallback> GetFuzzIdmGetCredentialInfoCallback(Parcel &parcel)
129 {
130 sptr<IIdmGetCredInfoCallback> tmp(nullptr);
131 if (parcel.ReadBool()) {
132 tmp = sptr<IIdmGetCredInfoCallback>(new (std::nothrow) DummyIdmGetCredentialInfoCallback());
133 }
134 return tmp;
135 }
136
GetFuzzIdmGetSecureUserInfoCallback(Parcel & parcel)137 sptr<IIdmGetSecureUserInfoCallback> GetFuzzIdmGetSecureUserInfoCallback(Parcel &parcel)
138 {
139 sptr<IIdmGetSecureUserInfoCallback> tmp(nullptr);
140 if (parcel.ReadBool()) {
141 tmp = sptr<IIdmGetSecureUserInfoCallback>(new (std::nothrow) DummyIdmGetSecureUserInfoCallback());
142 }
143 return tmp;
144 }
145
GetFuzzIdmCallback(Parcel & parcel)146 sptr<IIamCallback> GetFuzzIdmCallback(Parcel &parcel)
147 {
148 sptr<IIamCallback> tmp(nullptr);
149 if (parcel.ReadBool()) {
150 tmp = sptr<IIamCallback>(new (std::nothrow) DummyIdmCallback());
151 }
152 return tmp;
153 }
154
155 UserIdmService g_userIdmService(SUBSYS_USERIAM_SYS_ABILITY_USERIDM, true);
156
FuzzOpenSession(Parcel & parcel)157 void FuzzOpenSession(Parcel &parcel)
158 {
159 IAM_LOGI("begin");
160 int32_t userId = GetFuzzOptionalUserId(parcel);
161 std::vector<uint8_t> challenge;
162 FillFuzzUint8Vector(parcel, challenge);
163 g_userIdmService.OpenSession(userId, challenge);
164 IAM_LOGI("end");
165 }
166
FuzzCloseSession(Parcel & parcel)167 void FuzzCloseSession(Parcel &parcel)
168 {
169 IAM_LOGI("begin");
170 int32_t userId = GetFuzzOptionalUserId(parcel);
171 g_userIdmService.CloseSession(userId);
172 IAM_LOGI("end");
173 }
174
FuzzGetCredentialInfo(Parcel & parcel)175 void FuzzGetCredentialInfo(Parcel &parcel)
176 {
177 IAM_LOGI("begin");
178 int32_t userId = GetFuzzOptionalUserId(parcel);
179 int32_t authType = parcel.ReadUint32();
180 sptr<IIdmGetCredInfoCallback> callback = GetFuzzIdmGetCredentialInfoCallback(parcel);
181 int32_t funcResult = SUCCESS;
182 g_userIdmService.GetCredentialInfo(userId, authType, callback, funcResult);
183 IAM_LOGI("end");
184 }
185
FuzzGetSecInfo(Parcel & parcel)186 void FuzzGetSecInfo(Parcel &parcel)
187 {
188 IAM_LOGI("begin");
189 int32_t userId = GetFuzzOptionalUserId(parcel);
190 sptr<IIdmGetSecureUserInfoCallback> callback = GetFuzzIdmGetSecureUserInfoCallback(parcel);
191 g_userIdmService.GetSecInfo(userId, callback);
192 IAM_LOGI("end");
193 }
194
FuzzAddCredential(Parcel & parcel)195 void FuzzAddCredential(Parcel &parcel)
196 {
197 IAM_LOGI("begin");
198 int32_t userId = parcel.ReadInt32();
199 IpcCredentialPara para = {};
200 para.authType = parcel.ReadInt32();
201 para.pinType = parcel.ReadInt32();
202 FillFuzzUint8Vector(parcel, para.token);
203 sptr<IIamCallback> callback = GetFuzzIdmCallback(parcel);
204 g_userIdmService.AddCredential(userId, para, callback, false);
205 IAM_LOGI("end");
206 }
207
FuzzUpdateCredential(Parcel & parcel)208 void FuzzUpdateCredential(Parcel &parcel)
209 {
210 IAM_LOGI("begin");
211 int32_t userId = parcel.ReadInt32();
212 IpcCredentialPara para = {};
213 para.authType = parcel.ReadInt32();
214 para.pinType = parcel.ReadInt32();
215 FillFuzzUint8Vector(parcel, para.token);
216 sptr<IIamCallback> callback = GetFuzzIdmCallback(parcel);
217 g_userIdmService.UpdateCredential(userId, para, callback);
218 IAM_LOGI("end");
219 }
220
FuzzCancel(Parcel & parcel)221 void FuzzCancel(Parcel &parcel)
222 {
223 IAM_LOGI("begin");
224 int32_t userId = parcel.ReadInt32();
225 g_userIdmService.Cancel(userId);
226 IAM_LOGI("end");
227 }
228
FuzzEnforceDelUser(Parcel & parcel)229 void FuzzEnforceDelUser(Parcel &parcel)
230 {
231 IAM_LOGI("begin");
232 int32_t userId = parcel.ReadInt32();
233 sptr<IIamCallback> callback = GetFuzzIdmCallback(parcel);
234 g_userIdmService.EnforceDelUser(userId, callback);
235 IAM_LOGI("end");
236 }
237
FuzzDelUser(Parcel & parcel)238 void FuzzDelUser(Parcel &parcel)
239 {
240 IAM_LOGI("begin");
241 int32_t userId = parcel.ReadInt32();
242 std::vector<uint8_t> authToken;
243 FillFuzzUint8Vector(parcel, authToken);
244 sptr<IIamCallback> callback = GetFuzzIdmCallback(parcel);
245 g_userIdmService.DelUser(userId, authToken, callback);
246 IAM_LOGI("end");
247 }
248
FuzzDump(Parcel & parcel)249 void FuzzDump(Parcel &parcel)
250 {
251 IAM_LOGI("FuzzDump begin");
252 std::vector<uint8_t> msg;
253 Common::FillFuzzUint8Vector(parcel, msg);
254 int32_t fd = parcel.ReadInt32();
255 std::string fileName = to_string(fd) + ".txt";
256 FILE *file = fopen(fileName.c_str(), "w");
257 if (file != nullptr) {
258 fd = fileno(file);
259 std::vector<std::u16string> args;
260 for (uint32_t i = 0; i < msg.size(); i++) {
261 args.push_back(cmd[msg[i] % CMD_LEN]);
262 }
263 g_userIdmService.Dump(fd, args);
264 fclose(file);
265 remove(fileName.c_str());
266 }
267 IAM_LOGI("FuzzDump end");
268 }
269
DelCredential(Parcel & parcel)270 void DelCredential(Parcel &parcel)
271 {
272 IAM_LOGI("begin");
273 int32_t userId = parcel.ReadInt32();
274 uint64_t credentialId = parcel.ReadUint64();
275 std::vector<uint8_t> authToken;
276 FillFuzzUint8Vector(parcel, authToken);
277 sptr<IIamCallback> callback = GetFuzzIdmCallback(parcel);
278 g_userIdmService.DelCredential(userId, credentialId, authToken, callback);
279 IAM_LOGI("end");
280 }
281
FuzzClearRedundancyCredential(Parcel & parcel)282 void FuzzClearRedundancyCredential(Parcel &parcel)
283 {
284 IAM_LOGI("begin");
285 sptr<IIamCallback> callback = GetFuzzIdmCallback(parcel);
286 g_userIdmService.ClearRedundancyCredential(callback);
287 IAM_LOGI("end");
288 }
289
FuzzClearRedundancyCredentialInner(Parcel & parcel)290 void FuzzClearRedundancyCredentialInner(Parcel &parcel)
291 {
292 IAM_LOGI("begin");
293 std::string callerName = parcel.ReadString();
294 int32_t callerType = parcel.ReadInt32();
295 g_userIdmService.ClearRedundancyCredentialInner(callerName, callerType);
296 IAM_LOGI("end");
297 }
298
FuzzEnforceDelUserInner(Parcel & parcel)299 void FuzzEnforceDelUserInner(Parcel &parcel)
300 {
301 IAM_LOGI("begin");
302 int32_t userId = 100;
303 sptr<IIamCallback> iamCallback = sptr<IIamCallback>(new (nothrow) DummyIamCallbackInterface);
304 std::shared_ptr<ContextCallback> callbackForTrace =
305 ContextCallback::NewInstance(iamCallback, TRACE_ENFORCE_DELETE_USER);
306 std::string changeReasonTrace = parcel.ReadString();
307 CredChangeEventInfo changeInfo = {};
308 changeInfo.credentialId = parcel.ReadUint64();
309 changeInfo.lastCredentialId = parcel.ReadUint64();
310 changeInfo.callerName = parcel.ReadString();
311 changeInfo.isSilentCredChange = parcel.ReadBool();
312 g_userIdmService.EnforceDelUserInner(userId, callbackForTrace, changeReasonTrace, changeInfo);
313 IAM_LOGI("end");
314 }
315
FuzzCancelCurrentEnroll(Parcel & parcel)316 void FuzzCancelCurrentEnroll(Parcel &parcel)
317 {
318 IAM_LOGI("begin");
319 g_userIdmService.CancelCurrentEnrollIfExist();
320 IAM_LOGI("end");
321 }
322
FuzzStartEnroll(Parcel & parcel)323 void FuzzStartEnroll(Parcel &parcel)
324 {
325 IAM_LOGI("begin");
326 Enrollment::EnrollmentPara para = {};
327 sptr<IIamCallback> iamCallback = sptr<IIamCallback>(new (nothrow) DummyIamCallbackInterface);
328 std::shared_ptr<ContextCallback> contextCallback = ContextCallback::NewInstance(iamCallback, TRACE_ADD_CREDENTIAL);
329 Attributes extraInfo;
330 g_userIdmService.StartEnroll(para, contextCallback, extraInfo, true);
331 IAM_LOGI("end");
332 }
333
FuzzRegistCredChangeEventListener(Parcel & parcel)334 void FuzzRegistCredChangeEventListener(Parcel &parcel)
335 {
336 IAM_LOGI("begin");
337 sptr<IEventListenerCallback> callback(nullptr);
338 if (parcel.ReadBool()) {
339 callback = sptr<IEventListenerCallback>(new (std::nothrow) DummyCredChangeEventListener());
340 }
341
342 g_userIdmService.RegistCredChangeEventListener(callback);
343 g_userIdmService.UnRegistCredChangeEventListener(callback);
344 IAM_LOGI("end");
345 }
346
FuzzGetCredentialInfoSync(Parcel & parcel)347 void FuzzGetCredentialInfoSync(Parcel &parcel)
348 {
349 IAM_LOGI("begin");
350 int32_t userId = parcel.ReadInt32();
351 auto authType = static_cast<AuthType>(parcel.ReadInt32());
352 IpcCredentialInfo info = {};
353 info.authType = static_cast<AuthType>(parcel.ReadInt32());
354 info.credentialId = parcel.ReadUint64();
355 info.templateId = parcel.ReadUint64();
356 info.pinType = static_cast<PinSubType>(parcel.ReadInt32());
357 std::vector<IpcCredentialInfo> credentialInfoList = {info};
358 g_userIdmService.GetCredentialInfoSync(userId, authType, credentialInfoList);
359 IAM_LOGI("end");
360 }
361
FuzzClearUnavailableCredential(Parcel & parcel)362 void FuzzClearUnavailableCredential(Parcel &parcel)
363 {
364 IAM_LOGI("begin");
365 int32_t userId = parcel.ReadInt32();
366 g_userIdmService.ClearUnavailableCredential(userId);
367 IAM_LOGI("end");
368 }
369
370 using FuzzFunc = decltype(FuzzOpenSession);
371 FuzzFunc *g_fuzzFuncs[] = {
372 FuzzOpenSession,
373 FuzzCloseSession,
374 FuzzGetCredentialInfo,
375 FuzzGetSecInfo,
376 FuzzAddCredential,
377 FuzzUpdateCredential,
378 FuzzCancel,
379 FuzzEnforceDelUser,
380 FuzzDelUser,
381 DelCredential,
382 FuzzDump,
383 FuzzClearRedundancyCredential,
384 FuzzClearRedundancyCredentialInner,
385 FuzzEnforceDelUserInner,
386 FuzzCancelCurrentEnroll,
387 FuzzStartEnroll,
388 FuzzRegistCredChangeEventListener,
389 FuzzGetCredentialInfoSync,
390 FuzzClearUnavailableCredential,
391 };
392
UserIdmFuzzTest(const uint8_t * data,size_t size)393 void UserIdmFuzzTest(const uint8_t *data, size_t size)
394 {
395 Parcel parcel;
396 parcel.WriteBuffer(data, size);
397 parcel.RewindRead(0);
398 uint32_t index = parcel.ReadUint32() % (sizeof(g_fuzzFuncs) / sizeof(FuzzFunc *));
399 auto fuzzFunc = g_fuzzFuncs[index];
400 fuzzFunc(parcel);
401 return;
402 }
403 } // namespace
404 } // namespace UserAuth
405 } // namespace UserIam
406 } // namespace OHOS
407
408 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)409 extern "C" int32_t LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
410 {
411 OHOS::UserIam::UserAuth::UserIdmFuzzTest(data, size);
412 return 0;
413 }
414