1 /*
2 * Copyright (c) 2023-2025 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "allochaptokenstub_fuzzer.h"
17
18 #include <string>
19
20 #undef private
21 #include "accesstoken_manager_service.h"
22 #include "fuzzer/FuzzedDataProvider.h"
23 #include "hap_info_parcel.h"
24 #include "iaccess_token_manager.h"
25
26 using namespace std;
27 using namespace OHOS::Security::AccessToken;
28 const int CONSTANTS_NUMBER_TWO = 2;
29 static const int32_t ROOT_UID = 0;
30
31 namespace OHOS {
InitHapInfoParams(const std::string & bundleName,FuzzedDataProvider & provider,HapInfoParams & param)32 void InitHapInfoParams(const std::string& bundleName, FuzzedDataProvider& provider, HapInfoParams& param)
33 {
34 param.userID = provider.ConsumeIntegral<int32_t>();
35 param.bundleName = bundleName;
36 param.instIndex = provider.ConsumeIntegral<int32_t>();
37 param.dlpType = static_cast<int32_t>(
38 provider.ConsumeIntegralInRange<uint32_t>(0, static_cast<uint32_t>(HapDlpType::BUTT_DLP_TYPE)));
39 param.appIDDesc = provider.ConsumeRandomLengthString();
40 param.apiVersion = provider.ConsumeIntegral<int32_t>();
41 param.isSystemApp = provider.ConsumeBool();
42 param.appDistributionType = provider.ConsumeRandomLengthString();
43 param.isRestore = provider.ConsumeBool();
44 param.tokenID = provider.ConsumeIntegral<AccessTokenID>();
45 param.isAtomicService = provider.ConsumeBool();
46 }
47
InitHapPolicy(const std::string & permissionName,const std::string & bundleName,FuzzedDataProvider & provider,HapPolicy & policy)48 void InitHapPolicy(const std::string& permissionName, const std::string& bundleName, FuzzedDataProvider& provider,
49 HapPolicy& policy)
50 {
51 PermissionDef def = {
52 .permissionName = permissionName,
53 .bundleName = bundleName,
54 .grantMode = static_cast<int32_t>(
55 provider.ConsumeIntegralInRange<uint32_t>(0, static_cast<uint32_t>(GrantMode::SYSTEM_GRANT))),
56 .availableLevel = static_cast<ATokenAplEnum>(
57 provider.ConsumeIntegralInRange<uint32_t>(0, static_cast<uint32_t>(ATokenAplEnum::APL_ENUM_BUTT))),
58 .provisionEnable = provider.ConsumeBool(),
59 .distributedSceneEnable = provider.ConsumeBool(),
60 .label = provider.ConsumeRandomLengthString(),
61 .labelId = provider.ConsumeIntegral<int32_t>(),
62 .description = provider.ConsumeRandomLengthString(),
63 .descriptionId = provider.ConsumeIntegral<int32_t>(),
64 .availableType = static_cast<ATokenAvailableTypeEnum>(provider.ConsumeIntegralInRange<uint32_t>(
65 0, static_cast<uint32_t>(ATokenAvailableTypeEnum::AVAILABLE_TYPE_BUTT))),
66 .isKernelEffect = provider.ConsumeBool(),
67 .hasValue = provider.ConsumeBool(),
68 };
69
70 PermissionStatus state = {
71 .permissionName = permissionName,
72 .grantStatus = static_cast<int32_t>(provider.ConsumeIntegralInRange<uint32_t>(
73 0, static_cast<uint32_t>(PermissionState::PERMISSION_GRANTED))),
74 .grantFlag = provider.ConsumeIntegralInRange<uint32_t>(
75 0, static_cast<uint32_t>(PermissionFlag::PERMISSION_ALLOW_THIS_TIME)),
76 };
77
78 PreAuthorizationInfo info = {
79 .permissionName = permissionName,
80 .userCancelable = provider.ConsumeBool(),
81 };
82
83 policy.apl = static_cast<ATokenAplEnum>(
84 provider.ConsumeIntegralInRange<uint32_t>(0, static_cast<uint32_t>(ATokenAplEnum::APL_ENUM_BUTT)));
85 policy.domain = provider.ConsumeRandomLengthString();
86 policy.permList = { def };
87 policy.permStateList = { state };
88 policy.aclRequestedList = {provider.ConsumeRandomLengthString()};
89 policy.preAuthorizationInfo = { info };
90 policy.checkIgnore = static_cast<HapPolicyCheckIgnore>(provider.ConsumeIntegralInRange<uint32_t>(
91 0, static_cast<uint32_t>(HapPolicyCheckIgnore::ACL_IGNORE_CHECK)));
92 policy.aclExtendedMap = {std::make_pair<std::string, std::string>(provider.ConsumeRandomLengthString(),
93 provider.ConsumeRandomLengthString())};
94 }
95
AllocHapTokenStubFuzzTest(const uint8_t * data,size_t size)96 bool AllocHapTokenStubFuzzTest(const uint8_t* data, size_t size)
97 {
98 if ((data == nullptr) || (size == 0)) {
99 return false;
100 }
101
102 FuzzedDataProvider provider(data, size);
103 std::string permissionName = provider.ConsumeRandomLengthString();
104 std::string bundleName = provider.ConsumeRandomLengthString();
105
106 HapInfoParcel hapInfoParcel;
107 InitHapInfoParams(bundleName, provider, hapInfoParcel.hapInfoParameter);
108
109 HapPolicyParcel hapPolicyParcel;
110 InitHapPolicy(permissionName, bundleName, provider, hapPolicyParcel.hapPolicy);
111
112 MessageParcel datas;
113 datas.WriteInterfaceToken(IAccessTokenManager::GetDescriptor());
114 if (!datas.WriteParcelable(&hapInfoParcel)) {
115 return false;
116 }
117 if (!datas.WriteParcelable(&hapPolicyParcel)) {
118 return false;
119 }
120
121 uint32_t code = static_cast<uint32_t>(
122 IAccessTokenManagerIpcCode::COMMAND_ALLOC_HAP_TOKEN);
123
124 MessageParcel reply;
125 MessageOption option;
126 bool enable = ((provider.ConsumeIntegral<int32_t>() % CONSTANTS_NUMBER_TWO) == 0);
127 if (enable) {
128 setuid(CONSTANTS_NUMBER_TWO);
129 }
130 DelayedSingleton<AccessTokenManagerService>::GetInstance()->OnRemoteRequest(code, datas, reply, option);
131 setuid(ROOT_UID);
132
133 return true;
134 }
135 } // namespace OHOS
136
137 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)138 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
139 {
140 /* Run your code on data */
141 OHOS::AllocHapTokenStubFuzzTest(data, size);
142 return 0;
143 }
144