1 /*
2 * Copyright (c) 2023 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "gnssability_fuzzer.h"
17
18 #include "if_system_ability_manager.h"
19 #include "iservice_registry.h"
20 #include "message_option.h"
21 #include "message_parcel.h"
22 #include "system_ability_definition.h"
23 #include "locator_ability.h"
24 #include "locationhub_ipc_interface_code.h"
25 #include "accesstoken_kit.h"
26 #include "nativetoken_kit.h"
27 #include "token_setproc.h"
28
29 #ifdef FEATURE_GNSS_SUPPORT
30 #include "gnss_ability.h"
31 #endif
32 #include "permission_manager.h"
33
34 namespace OHOS {
35 using namespace OHOS::Location;
36 const int32_t MAX_MEM_SIZE = 4 * 1024 * 1024;
37 const int32_t SLEEP_TIMES = 1000;
38 const int32_t LOCATION_PERM_NUM = 4;
MockNativePermission()39 void MockNativePermission()
40 {
41 const char *perms[] = {
42 ACCESS_LOCATION.c_str(), ACCESS_APPROXIMATELY_LOCATION.c_str(),
43 ACCESS_BACKGROUND_LOCATION.c_str(), MANAGE_SECURE_SETTINGS.c_str(),
44 };
45 NativeTokenInfoParams infoInstance = {
46 .dcapsNum = 0,
47 .permsNum = LOCATION_PERM_NUM,
48 .aclsNum = 0,
49 .dcaps = nullptr,
50 .perms = perms,
51 .acls = nullptr,
52 .processName = "GnssAbility_FuzzTest",
53 .aplStr = "system_basic",
54 };
55 auto tokenId = GetAccessTokenId(&infoInstance);
56 SetSelfTokenID(tokenId);
57 Security::AccessToken::AccessTokenKit::ReloadNativeTokenInfo();
58 LocatorAbility::GetInstance()->EnableAbility(true);
59 }
60
ParseData(const uint8_t * data,size_t size)61 char* ParseData(const uint8_t* data, size_t size)
62 {
63 if (data == nullptr) {
64 return nullptr;
65 }
66
67 if (size > MAX_MEM_SIZE) {
68 return nullptr;
69 }
70
71 char* ch = (char *)malloc(size + 1);
72 if (ch == nullptr) {
73 return nullptr;
74 }
75
76 (void)memset_s(ch, size + 1, 0x00, size + 1);
77 if (memcpy_s(ch, size, data, size) != EOK) {
78 free(ch);
79 ch = nullptr;
80 return nullptr;
81 }
82 return ch;
83 }
84
85 #ifdef FEATURE_GNSS_SUPPORT
GnssAbility001FuzzTest(const char * data,size_t size)86 bool GnssAbility001FuzzTest(const char* data, size_t size)
87 {
88 MessageParcel requestParcel;
89 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
90 requestParcel.WriteBuffer(data, size);
91 requestParcel.RewindRead(0);
92 MessageParcel reply;
93 MessageOption option;
94
95 auto ability = GnssAbility::GetInstance();
96 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::SET_MOCKED_LOCATIONS),
97 requestParcel, reply, option);
98 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
99 return true;
100 }
101
GnssAbility002FuzzTest(const char * data,size_t size)102 bool GnssAbility002FuzzTest(const char* data, size_t size)
103 {
104 MessageParcel requestParcel;
105 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
106 requestParcel.WriteBuffer(data, size);
107 requestParcel.RewindRead(0);
108 MessageParcel reply;
109 MessageOption option;
110
111 auto ability = GnssAbility::GetInstance();
112 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::SEND_LOCATION_REQUEST),
113 requestParcel, reply, option);
114
115 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
116 return true;
117 }
118
GnssAbility003FuzzTest(const char * data,size_t size)119 bool GnssAbility003FuzzTest(const char* data, size_t size)
120 {
121 MessageParcel requestParcel;
122 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
123 requestParcel.WriteBuffer(data, size);
124 requestParcel.RewindRead(0);
125 MessageParcel reply;
126 MessageOption option;
127
128 auto ability = GnssAbility::GetInstance();
129 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::SET_ENABLE),
130 requestParcel, reply, option);
131
132 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
133 return true;
134 }
135
GnssAbility004FuzzTest(const char * data,size_t size)136 bool GnssAbility004FuzzTest(const char* data, size_t size)
137 {
138 MessageParcel requestParcel;
139 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
140 requestParcel.WriteBuffer(data, size);
141 requestParcel.RewindRead(0);
142 MessageParcel reply;
143 MessageOption option;
144
145 auto ability = GnssAbility::GetInstance();
146 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::REFRESH_REQUESTS),
147 requestParcel, reply, option);
148
149 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
150 return true;
151 }
152
GnssAbility005FuzzTest(const char * data,size_t size)153 bool GnssAbility005FuzzTest(const char* data, size_t size)
154 {
155 MessageParcel requestParcel;
156 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
157 requestParcel.WriteBuffer(data, size);
158 requestParcel.RewindRead(0);
159 MessageParcel reply;
160 MessageOption option;
161
162 auto ability = GnssAbility::GetInstance();
163 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::REG_GNSS_STATUS),
164 requestParcel, reply, option);
165
166 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
167 return true;
168 }
169
GnssAbility006FuzzTest(const char * data,size_t size)170 bool GnssAbility006FuzzTest(const char* data, size_t size)
171 {
172 MessageParcel requestParcel;
173 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
174 requestParcel.WriteBuffer(data, size);
175 requestParcel.RewindRead(0);
176 MessageParcel reply;
177 MessageOption option;
178
179 auto ability = GnssAbility::GetInstance();
180 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::UNREG_GNSS_STATUS),
181 requestParcel, reply, option);
182
183 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
184 return true;
185 }
186
GnssAbility007FuzzTest(const char * data,size_t size)187 bool GnssAbility007FuzzTest(const char* data, size_t size)
188 {
189 MessageParcel requestParcel;
190 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
191 requestParcel.WriteBuffer(data, size);
192 requestParcel.RewindRead(0);
193 MessageParcel reply;
194 MessageOption option;
195
196 auto ability = GnssAbility::GetInstance();
197 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::REG_NMEA),
198 requestParcel, reply, option);
199 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
200 return true;
201 }
202
GnssAbility008FuzzTest(const char * data,size_t size)203 bool GnssAbility008FuzzTest(const char* data, size_t size)
204 {
205 MessageParcel requestParcel;
206 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
207 requestParcel.WriteBuffer(data, size);
208 requestParcel.RewindRead(0);
209 MessageParcel reply;
210 MessageOption option;
211
212 auto ability = GnssAbility::GetInstance();
213 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::UNREG_NMEA),
214 requestParcel, reply, option);
215
216 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
217 return true;
218 }
219
GnssAbility009FuzzTest(const char * data,size_t size)220 bool GnssAbility009FuzzTest(const char* data, size_t size)
221 {
222 MessageParcel requestParcel;
223 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
224 requestParcel.WriteBuffer(data, size);
225 requestParcel.RewindRead(0);
226 MessageParcel reply;
227 MessageOption option;
228
229 auto ability = GnssAbility::GetInstance();
230 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::REG_CACHED),
231 requestParcel, reply, option);
232
233 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
234 return true;
235 }
236
GnssAbility010FuzzTest(const char * data,size_t size)237 bool GnssAbility010FuzzTest(const char* data, size_t size)
238 {
239 MessageParcel requestParcel;
240 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
241 requestParcel.WriteBuffer(data, size);
242 requestParcel.RewindRead(0);
243 MessageParcel reply;
244 MessageOption option;
245
246 auto ability = GnssAbility::GetInstance();
247 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::UNREG_CACHED),
248 requestParcel, reply, option);
249
250 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
251 return true;
252 }
253
GnssAbility011FuzzTest(const char * data,size_t size)254 bool GnssAbility011FuzzTest(const char* data, size_t size)
255 {
256 MessageParcel requestParcel;
257 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
258 requestParcel.WriteBuffer(data, size);
259 requestParcel.RewindRead(0);
260 MessageParcel reply;
261 MessageOption option;
262
263 auto ability = GnssAbility::GetInstance();
264 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::GET_CACHED_SIZE),
265 requestParcel, reply, option);
266
267 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
268 return true;
269 }
270
GnssAbility012FuzzTest(const char * data,size_t size)271 bool GnssAbility012FuzzTest(const char* data, size_t size)
272 {
273 MessageParcel requestParcel;
274 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
275 requestParcel.WriteBuffer(data, size);
276 requestParcel.RewindRead(0);
277 MessageParcel reply;
278 MessageOption option;
279
280 auto ability = GnssAbility::GetInstance();
281 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::FLUSH_CACHED),
282 requestParcel, reply, option);
283
284 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
285 return true;
286 }
287
GnssAbility013FuzzTest(const char * data,size_t size)288 bool GnssAbility013FuzzTest(const char* data, size_t size)
289 {
290 MessageParcel requestParcel;
291 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
292 requestParcel.WriteBuffer(data, size);
293 requestParcel.RewindRead(0);
294 MessageParcel reply;
295 MessageOption option;
296
297 auto ability = GnssAbility::GetInstance();
298 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::SEND_COMMANDS),
299 requestParcel, reply, option);
300
301 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
302 return true;
303 }
304
GnssAbility014FuzzTest(const char * data,size_t size)305 bool GnssAbility014FuzzTest(const char* data, size_t size)
306 {
307 MessageParcel requestParcel;
308 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
309 requestParcel.WriteBuffer(data, size);
310 requestParcel.RewindRead(0);
311 MessageParcel reply;
312 MessageOption option;
313
314 auto ability = GnssAbility::GetInstance();
315 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::ENABLE_LOCATION_MOCK),
316 requestParcel, reply, option);
317
318 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
319 return true;
320 }
321
GnssAbility015FuzzTest(const char * data,size_t size)322 bool GnssAbility015FuzzTest(const char* data, size_t size)
323 {
324 MessageParcel requestParcel;
325 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
326 requestParcel.WriteBuffer(data, size);
327 requestParcel.RewindRead(0);
328 MessageParcel reply;
329 MessageOption option;
330
331 auto ability = GnssAbility::GetInstance();
332 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::DISABLE_LOCATION_MOCK),
333 requestParcel, reply, option);
334
335 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
336 return true;
337 }
338
GnssAbility016FuzzTest(const char * data,size_t size)339 bool GnssAbility016FuzzTest(const char* data, size_t size)
340 {
341 MessageParcel requestParcel;
342 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
343 requestParcel.WriteBuffer(data, size);
344 requestParcel.RewindRead(0);
345 MessageParcel reply;
346 MessageOption option;
347
348 auto ability = GnssAbility::GetInstance();
349 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::ADD_FENCE_INFO),
350 requestParcel, reply, option);
351
352 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
353 return true;
354 }
355
GnssAbility017FuzzTest(const char * data,size_t size)356 bool GnssAbility017FuzzTest(const char* data, size_t size)
357 {
358 MessageParcel requestParcel;
359 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
360 requestParcel.WriteBuffer(data, size);
361 requestParcel.RewindRead(0);
362 MessageParcel reply;
363 MessageOption option;
364
365 auto ability = GnssAbility::GetInstance();
366 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::REMOVE_FENCE_INFO),
367 requestParcel, reply, option);
368
369 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
370 return true;
371 }
372
GnssAbility018FuzzTest(const char * data,size_t size)373 bool GnssAbility018FuzzTest(const char* data, size_t size)
374 {
375 MessageParcel requestParcel;
376 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
377 requestParcel.WriteBuffer(data, size);
378 requestParcel.RewindRead(0);
379 MessageParcel reply;
380 MessageOption option;
381
382 auto ability = GnssAbility::GetInstance();
383 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::ADD_GNSS_GEOFENCE),
384 requestParcel, reply, option);
385
386 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
387 return true;
388 }
389
GnssAbility019FuzzTest(const char * data,size_t size)390 bool GnssAbility019FuzzTest(const char* data, size_t size)
391 {
392 MessageParcel requestParcel;
393 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
394 requestParcel.WriteBuffer(data, size);
395 requestParcel.RewindRead(0);
396 MessageParcel reply;
397 MessageOption option;
398
399 auto ability = GnssAbility::GetInstance();
400 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::REMOVE_GNSS_GEOFENCE),
401 requestParcel, reply, option);
402
403 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
404 return true;
405 }
406
GnssAbility020FuzzTest(const char * data,size_t size)407 bool GnssAbility020FuzzTest(const char* data, size_t size)
408 {
409 MessageParcel requestParcel;
410 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
411 requestParcel.WriteBuffer(data, size);
412 requestParcel.RewindRead(0);
413 MessageParcel reply;
414 MessageOption option;
415
416 auto ability = GnssAbility::GetInstance();
417 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::GET_GEOFENCE_SUPPORT_COORDINATE_SYSTEM_TYPE),
418 requestParcel, reply, option);
419
420 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
421 return true;
422 }
423
GnssAbility021FuzzTest(const char * data,size_t size)424 bool GnssAbility021FuzzTest(const char* data, size_t size)
425 {
426 MessageParcel requestParcel;
427 requestParcel.WriteInterfaceToken(u"location.IGnssAbility");
428 requestParcel.WriteBuffer(data, size);
429 requestParcel.RewindRead(0);
430 MessageParcel reply;
431 MessageOption option;
432
433 auto ability = GnssAbility::GetInstance();
434 ability->OnRemoteRequest(static_cast<uint32_t>(GnssInterfaceCode::SEND_NETWORK_LOCATION),
435 requestParcel, reply, option);
436
437 std::this_thread::sleep_for(std::chrono::milliseconds(SLEEP_TIMES));
438 return true;
439 }
440 #endif
441 } // namespace OHOS
442
443 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)444 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
445 {
446 OHOS::MockNativePermission();
447 char* ch = OHOS::ParseData(data, size);
448 if (ch != nullptr) {
449 #ifdef FEATURE_GNSS_SUPPORT
450 OHOS::GnssAbility001FuzzTest(ch, size);
451 OHOS::GnssAbility002FuzzTest(ch, size);
452 OHOS::GnssAbility003FuzzTest(ch, size);
453 OHOS::GnssAbility004FuzzTest(ch, size);
454 OHOS::GnssAbility005FuzzTest(ch, size);
455 OHOS::GnssAbility006FuzzTest(ch, size);
456 OHOS::GnssAbility007FuzzTest(ch, size);
457 OHOS::GnssAbility008FuzzTest(ch, size);
458 OHOS::GnssAbility009FuzzTest(ch, size);
459 OHOS::GnssAbility010FuzzTest(ch, size);
460 OHOS::GnssAbility011FuzzTest(ch, size);
461 OHOS::GnssAbility012FuzzTest(ch, size);
462 OHOS::GnssAbility013FuzzTest(ch, size);
463 OHOS::GnssAbility014FuzzTest(ch, size);
464 OHOS::GnssAbility015FuzzTest(ch, size);
465 OHOS::GnssAbility016FuzzTest(ch, size);
466 OHOS::GnssAbility017FuzzTest(ch, size);
467 OHOS::GnssAbility018FuzzTest(ch, size);
468 OHOS::GnssAbility019FuzzTest(ch, size);
469 OHOS::GnssAbility020FuzzTest(ch, size);
470 OHOS::GnssAbility021FuzzTest(ch, size);
471 #endif
472 free(ch);
473 ch = nullptr;
474 }
475 return 0;
476 }
477
478