1 /*
2 * Copyright (c) 2023-2025 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "grantpermissionstub_fuzzer.h"
17
18 #include <sys/types.h>
19 #include <unistd.h>
20 #include <string>
21 #include <thread>
22 #include <vector>
23
24 #undef private
25 #include "access_token.h"
26 #include "accesstoken_info_manager.h"
27 #include "accesstoken_kit.h"
28 #include "accesstoken_manager_service.h"
29 #include "fuzzer/FuzzedDataProvider.h"
30 #include "iaccess_token_manager.h"
31 #include "token_setproc.h"
32
33 using namespace std;
34 using namespace OHOS::Security::AccessToken;
35 static HapInfoParams g_InfoParms = {
36 .userID = 1,
37 .bundleName = "GrantPermissionStubFuzzTest",
38 .instIndex = 0,
39 .appIDDesc = "test.bundle",
40 .isSystemApp = false
41 };
42 static HapPolicyParams g_PolicyPrams = {
43 .apl = APL_NORMAL,
44 .domain = "test.domain",
45 .permList = {},
46 .permStateList = {}
47 };
48 const int CONSTANTS_NUMBER_TWO = 2;
49 const int CONSTANTS_NUMBER_THREE = 3;
50 static const int32_t ROOT_UID = 0;
51
52 namespace OHOS {
GrantPermissionStubFuzzTest(const uint8_t * data,size_t size)53 bool GrantPermissionStubFuzzTest(const uint8_t* data, size_t size)
54 {
55 if ((data == nullptr) || (size == 0)) {
56 return false;
57 }
58
59 FuzzedDataProvider provider(data, size);
60 AccessTokenID tokenId = provider.ConsumeIntegral<AccessTokenID>();
61 std::string permissionName = provider.ConsumeRandomLengthString();
62 uint32_t flag = provider.ConsumeIntegralInRange<uint32_t>(
63 0, static_cast<uint32_t>(PermissionFlag::PERMISSION_ALLOW_THIS_TIME));
64 MessageParcel datas;
65 datas.WriteInterfaceToken(IAccessTokenManager::GetDescriptor());
66 if (!datas.WriteUint32(tokenId) || !datas.WriteString(permissionName) || !datas.WriteInt32(flag)) {
67 return false;
68 }
69
70 uint32_t code = static_cast<uint32_t>(
71 IAccessTokenManagerIpcCode::COMMAND_GRANT_PERMISSION);
72
73 MessageParcel reply;
74 MessageOption option;
75 AccessTokenID tokenIdHap;
76 bool enable2 = ((provider.ConsumeIntegral<int32_t>() % CONSTANTS_NUMBER_THREE) == 0);
77 if (enable2) {
78 AccessTokenIDEx tokenIdEx = AccessTokenKit::AllocHapToken(g_InfoParms, g_PolicyPrams);
79 tokenIdHap = tokenIdEx.tokenIDEx;
80 SetSelfTokenID(tokenIdHap);
81 uint32_t hapSize = 0;
82 uint32_t nativeSize = 0;
83 uint32_t pefDefSize = 0;
84 uint32_t dlpSize = 0;
85 std::map<int32_t, TokenIdInfo> tokenIdAplMap;
86 AccessTokenInfoManager::GetInstance().Init(hapSize, nativeSize, pefDefSize, dlpSize, tokenIdAplMap);
87 }
88 bool enable = ((provider.ConsumeIntegral<int32_t>() % CONSTANTS_NUMBER_TWO) == 0);
89 if (enable) {
90 setuid(CONSTANTS_NUMBER_TWO);
91 }
92 DelayedSingleton<AccessTokenManagerService>::GetInstance()->OnRemoteRequest(code, datas, reply, option);
93 setuid(ROOT_UID);
94 if (enable2) {
95 AccessTokenKit::DeleteToken(tokenIdHap);
96 AccessTokenID hdcd = AccessTokenKit::GetNativeTokenId("hdcd");
97 SetSelfTokenID(hdcd);
98 }
99
100 return true;
101 }
102 } // namespace OHOS
103
104 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)105 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
106 {
107 /* Run your code on data */
108 OHOS::GrantPermissionStubFuzzTest(data, size);
109 return 0;
110 }
111