1 /*
2 * Copyright (C) 2023 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "imf_sa_stub_fuzz_util.h"
17
18 #include "accesstoken_kit.h"
19 #include "fuzzer/FuzzedDataProvider.h"
20 #include "global.h"
21 #include "ime_cfg_manager.h"
22 #include "input_client_service_impl.h"
23 #include "input_method_agent_service_impl.h"
24 #include "input_method_core_service_impl.h"
25 #include "iservice_registry.h"
26 #include "message_parcel.h"
27 #include "nativetoken_kit.h"
28 #include "system_ability_definition.h"
29 #include "text_listener.h"
30 #include "token_setproc.h"
31
32 namespace OHOS {
33 namespace MiscServices {
34 using namespace OHOS::Security::AccessToken;
35 bool ImfSaStubFuzzUtil::isInitialize_ = false;
36 std::mutex ImfSaStubFuzzUtil::initMutex_;
37
GrantNativePermission()38 void ImfSaStubFuzzUtil::GrantNativePermission()
39 {
40 const char **perms = new const char *[1];
41 perms[0] = "ohos.permission.CONNECT_IME_ABILITY";
42 TokenInfoParams infoInstance = {
43 .dcapsNum = 0,
44 .permsNum = 1,
45 .aclsNum = 0,
46 .dcaps = nullptr,
47 .perms = perms,
48 .acls = nullptr,
49 .processName = "broker",
50 .aplStr = "system_basic",
51 };
52 uint64_t tokenId = GetAccessTokenId(&infoInstance);
53 int res = SetSelfTokenID(tokenId);
54 if (res == 0) {
55 IMSA_HILOGI("SetSelfTokenID success!");
56 } else {
57 IMSA_HILOGE("SetSelfTokenID fail!");
58 }
59 AccessTokenKit::ReloadNativeTokenInfo();
60 delete[] perms;
61 }
62
SwitchIpcCode(IInputMethodSystemAbilityIpcCode code,MessageParcel & datas,int32_t fuzzedInt32)63 bool ImfSaStubFuzzUtil::SwitchIpcCode(IInputMethodSystemAbilityIpcCode code, MessageParcel &datas, int32_t fuzzedInt32)
64 {
65 auto writeInputClient = [&datas]() {
66 sptr<IInputClient> client = new (std::nothrow) InputClientServiceImpl();
67 if (client == nullptr || !datas.WriteRemoteObject(client->AsObject())) {
68 return false;
69 }
70 return true;
71 };
72
73 auto writeInputMethodCore = [&datas]() {
74 sptr<IInputMethodCore> core = new (std::nothrow) InputMethodCoreServiceImpl();
75 if (core == nullptr || !datas.WriteRemoteObject(core->AsObject())) {
76 return false;
77 }
78 return true;
79 };
80
81 auto writeInputMethodAgent = [&datas]() {
82 sptr<IInputMethodAgent> agent = new (std::nothrow) InputMethodAgentServiceImpl();
83 if (agent == nullptr || !datas.WriteRemoteObject(agent->AsObject())) {
84 return false;
85 }
86 return true;
87 };
88 switch (code) {
89 case IInputMethodSystemAbilityIpcCode::COMMAND_START_INPUT: {
90 InputClientInfoInner clientInfoInner = {};
91 if (!datas.WriteParcelable(&clientInfoInner)) {
92 return false;
93 }
94 break;
95 }
96 case IInputMethodSystemAbilityIpcCode::COMMAND_SHOW_INPUT:
97 return writeInputClient();
98 case IInputMethodSystemAbilityIpcCode::COMMAND_SET_CORE_AND_AGENT:
99 return writeInputMethodCore() && writeInputMethodAgent();
100 case IInputMethodSystemAbilityIpcCode::COMMAND_UN_REGISTERED_PROXY_IME:
101 if (!datas.WriteInt32(fuzzedInt32)) {
102 return false;
103 }
104 return writeInputMethodCore();
105 case IInputMethodSystemAbilityIpcCode::COMMAND_RELEASE_INPUT:
106 return writeInputClient();
107 case IInputMethodSystemAbilityIpcCode::COMMAND_HIDE_INPUT:
108 return writeInputClient();
109 case IInputMethodSystemAbilityIpcCode::COMMAND_BIND_IME_MIRROR:
110 return writeInputMethodCore() && writeInputMethodAgent();
111 default:
112 return true;
113 }
114 return true;
115 }
116
FuzzInputMethodSystemAbility(const uint8_t * rawData,size_t size,IInputMethodSystemAbilityIpcCode code)117 bool ImfSaStubFuzzUtil::FuzzInputMethodSystemAbility(const uint8_t *rawData, size_t size,
118 IInputMethodSystemAbilityIpcCode code)
119 {
120 if (!isInitialize_) {
121 Initialize();
122 }
123 FuzzedDataProvider provider(rawData, size);
124 auto fuzzedInt32 = provider.ConsumeIntegral<int32_t>();
125 GrantNativePermission();
126
127 MessageParcel datas;
128 datas.WriteInterfaceToken(SYSTEMABILITY_INTERFACE_TOKEN);
129 SwitchIpcCode(code, datas, fuzzedInt32);
130 datas.WriteBuffer(rawData, size);
131 datas.RewindRead(0);
132 MessageParcel reply;
133 MessageOption option;
134 DelayedSingleton<InputMethodSystemAbility>::GetInstance()->OnRemoteRequest(
135 static_cast<int32_t>(code), datas, reply, option);
136 return true;
137 }
138
Initialize()139 void ImfSaStubFuzzUtil::Initialize()
140 {
141 std::lock_guard<std::mutex> lock(initMutex_);
142 if (isInitialize_) {
143 return;
144 }
145 DelayedSingleton<InputMethodSystemAbility>::GetInstance()->Initialize();
146 DelayedSingleton<InputMethodSystemAbility>::GetInstance()->InitServiceHandler();
147 DelayedSingleton<InputMethodSystemAbility>::GetInstance()->state_ = ServiceRunningState::STATE_RUNNING;
148 ImeCfgManager::GetInstance().Init();
149 DelayedSingleton<InputMethodSystemAbility>::GetInstance()->SubscribeCommonEvent();
150 int32_t ret = DelayedSingleton<InputMethodSystemAbility>::GetInstance()->InitKeyEventMonitor();
151 IMSA_HILOGI("init KeyEvent monitor %{public}s", ret == ErrorCode::NO_ERROR ? "success" : "failed");
152 ret = DelayedSingleton<InputMethodSystemAbility>::GetInstance()->InitWmsMonitor();
153 ImeInfoInquirer::GetInstance().InitSystemConfig();
154 IMSA_HILOGI("init wms monitor %{public}s", ret ? "success" : "failed");
155 isInitialize_ = true;
156 }
157 } // namespace MiscServices
158 } // namespace OHOS
159