• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (c) 2023-2025 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  *     http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #include "updatehaptokenstub_fuzzer.h"
17 
18 #include <string>
19 
20 #include "fuzzer/FuzzedDataProvider.h"
21 #include "service/accesstoken_manager_service.h"
22 
23 using namespace std;
24 using namespace OHOS::Security::AccessToken;
25 const int CONSTANTS_NUMBER_TWO = 2;
26 static const int32_t ROOT_UID = 0;
27 
28 namespace OHOS {
InitHapPolicy(FuzzedDataProvider & provider,HapPolicy & policy)29     void InitHapPolicy(FuzzedDataProvider& provider, HapPolicy& policy)
30     {
31         std::string permissionName = provider.ConsumeRandomLengthString();
32         PermissionDef def = {
33             .permissionName = permissionName,
34             .bundleName = provider.ConsumeRandomLengthString(),
35             .grantMode = static_cast<int32_t>(
36                 provider.ConsumeIntegralInRange<uint32_t>(0, static_cast<uint32_t>(GrantMode::SYSTEM_GRANT))),
37             .availableLevel = static_cast<ATokenAplEnum>(
38                 provider.ConsumeIntegralInRange<uint32_t>(0, static_cast<uint32_t>(ATokenAplEnum::APL_ENUM_BUTT))),
39             .provisionEnable = provider.ConsumeBool(),
40             .distributedSceneEnable = provider.ConsumeBool(),
41             .label = provider.ConsumeRandomLengthString(),
42             .labelId = provider.ConsumeIntegral<int32_t>(),
43             .description = provider.ConsumeRandomLengthString(),
44             .descriptionId = provider.ConsumeIntegral<int32_t>(),
45             .availableType = static_cast<ATokenAvailableTypeEnum>(provider.ConsumeIntegralInRange<uint32_t>(
46                 0, static_cast<uint32_t>(ATokenAvailableTypeEnum::AVAILABLE_TYPE_BUTT))),
47             .isKernelEffect = provider.ConsumeBool(),
48             .hasValue = provider.ConsumeBool(),
49         };
50 
51         PermissionStatus state = {
52             .permissionName = permissionName,
53             .grantStatus = static_cast<int32_t>(provider.ConsumeIntegralInRange<uint32_t>(
54                 0, static_cast<uint32_t>(PermissionState::PERMISSION_GRANTED))),
55             .grantFlag = provider.ConsumeIntegralInRange<uint32_t>(
56                 0, static_cast<uint32_t>(PermissionFlag::PERMISSION_ALLOW_THIS_TIME)),
57         };
58 
59         PreAuthorizationInfo info = {
60             .permissionName = permissionName,
61             .userCancelable = provider.ConsumeBool(),
62         };
63 
64         policy.apl = static_cast<ATokenAplEnum>(
65             provider.ConsumeIntegralInRange<uint32_t>(0, static_cast<uint32_t>(ATokenAplEnum::APL_ENUM_BUTT)));
66         policy.domain = provider.ConsumeRandomLengthString();
67         policy.permList = { def };
68         policy.permStateList = { state };
69         policy.aclRequestedList = {provider.ConsumeRandomLengthString()};
70         policy.preAuthorizationInfo = { info };
71         policy.checkIgnore = static_cast<HapPolicyCheckIgnore>(provider.ConsumeIntegralInRange<uint32_t>(
72             0, static_cast<uint32_t>(HapPolicyCheckIgnore::ACL_IGNORE_CHECK)));
73         policy.aclExtendedMap = {std::make_pair<std::string, std::string>(provider.ConsumeRandomLengthString(),
74             provider.ConsumeRandomLengthString())};
75     }
76 
UpdateHapTokenStubFuzzTest(const uint8_t * data,size_t size)77     bool UpdateHapTokenStubFuzzTest(const uint8_t* data, size_t size)
78     {
79         if ((data == nullptr) || (size == 0)) {
80             return false;
81         }
82 
83         FuzzedDataProvider provider(data, size);
84         uint64_t fullTokenId = provider.ConsumeIntegral<uint64_t>();
85         UpdateHapInfoParamsIdl infoIdl = {
86             .appIDDesc = provider.ConsumeRandomLengthString(),
87             .apiVersion = provider.ConsumeIntegral<int32_t>(),
88             .isSystemApp = provider.ConsumeBool(),
89             .appDistributionType = provider.ConsumeRandomLengthString(),
90             .isAtomicService = provider.ConsumeBool(),
91             .dataRefresh = provider.ConsumeBool(),
92         };
93 
94         HapPolicyParcel hapPolicyParcel;
95         InitHapPolicy(provider, hapPolicyParcel.hapPolicy);
96 
97         MessageParcel datas;
98         datas.WriteInterfaceToken(IAccessTokenManager::GetDescriptor());
99         if (!datas.WriteUint32(fullTokenId)) {
100             return false;
101         }
102         if (UpdateHapInfoParamsIdlBlockMarshalling(datas, infoIdl) != ERR_NONE) {
103             return false;
104         }
105         if (!datas.WriteParcelable(&hapPolicyParcel)) {
106             return false;
107         }
108         uint32_t code = static_cast<uint32_t>(IAccessTokenManagerIpcCode::COMMAND_UPDATE_HAP_TOKEN);
109         MessageParcel reply;
110         MessageOption option;
111         bool enable = ((provider.ConsumeIntegral<int32_t>() % CONSTANTS_NUMBER_TWO) == 0);
112         if (enable) {
113             setuid(CONSTANTS_NUMBER_TWO);
114         }
115         DelayedSingleton<AccessTokenManagerService>::GetInstance()->OnRemoteRequest(code, datas, reply, option);
116         setuid(ROOT_UID);
117         return true;
118     }
119 }
120 
121 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)122 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
123 {
124     /* Run your code on data */
125     OHOS::UpdateHapTokenStubFuzzTest(data, size);
126     return 0;
127 }
128