• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (c) 2025 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  *     http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #include "updateuserpolicystub_fuzzer.h"
17 
18 #include <string>
19 #include <thread>
20 #include <vector>
21 
22 #undef private
23 #include "access_token.h"
24 #include "accesstoken_kit.h"
25 #include "accesstoken_manager_service.h"
26 #include "fuzzer/FuzzedDataProvider.h"
27 #include "iaccess_token_manager.h"
28 #include "nativetoken_kit.h"
29 #include "token_setproc.h"
30 
31 using namespace std;
32 using namespace OHOS::Security::AccessToken;
33 static AccessTokenID g_selfTokenId = 0;
34 static uint64_t g_mockTokenId = 0;
35 const int32_t CONSTANTS_NUMBER_TWO = 2;
36 
37 namespace OHOS {
GetNativeToken()38     void GetNativeToken()
39     {
40         if (g_mockTokenId != 0) {
41             SetSelfTokenID(g_mockTokenId);
42             return;
43         }
44         const char** perms = new (std::nothrow) const char *[1];
45         if (perms == nullptr) {
46             return;
47         }
48 
49         perms[0] = "ohos.permission.GET_SENSITIVE_PERMISSIONS";
50 
51         NativeTokenInfoParams infoInstance = {
52             .dcapsNum = 0,
53             .permsNum = 1,
54             .aclsNum = 0,
55             .dcaps = nullptr,
56             .perms = perms,
57             .acls = nullptr,
58             .processName = "updateuserpolicystub_fuzzer_test",
59             .aplStr = "system_core",
60         };
61 
62         g_mockTokenId = GetAccessTokenId(&infoInstance);
63         g_selfTokenId = GetSelfTokenID();
64         SetSelfTokenID(g_mockTokenId);
65         AccessTokenKit::ReloadNativeTokenInfo();
66         delete[] perms;
67     }
UpdateUserPolicyStubFuzzTest(const uint8_t * data,size_t size)68     bool UpdateUserPolicyStubFuzzTest(const uint8_t* data, size_t size)
69     {
70         if ((data == nullptr) || (size == 0)) {
71             return false;
72         }
73 
74         FuzzedDataProvider provider(data, size);
75 
76         UserStateIdl dataBlock;
77         dataBlock.userId = provider.ConsumeIntegral<int32_t>();
78         dataBlock.isActive = provider.ConsumeBool();
79 
80         MessageParcel datas;
81         datas.WriteInterfaceToken(IAccessTokenManager::GetDescriptor());
82         if (!datas.WriteUint32(1)) {
83             return false;
84         }
85         if (UserStateIdlBlockMarshalling(datas, dataBlock) != ERR_NONE) {
86             return false;
87         }
88 
89         uint32_t code = static_cast<uint32_t>(
90             IAccessTokenManagerIpcCode::COMMAND_UPDATE_USER_POLICY);
91 
92         MessageParcel reply;
93         MessageOption option;
94         bool enable = ((provider.ConsumeIntegral<int32_t>() % CONSTANTS_NUMBER_TWO) == 0);
95         if (enable) {
96             GetNativeToken();
97         } else {
98             SetSelfTokenID(g_selfTokenId);
99         }
100         DelayedSingleton<AccessTokenManagerService>::GetInstance()->OnRemoteRequest(code, datas, reply, option);
101 
102         return true;
103     }
104 } // namespace OHOS
105 
106 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)107 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
108 {
109     /* Run your code on data */
110     OHOS::UpdateUserPolicyStubFuzzTest(data, size);
111     return 0;
112 }
113