1 /*
2 * Copyright (C) 2022 Huawei Technologies Co., Ltd.
3 * Licensed under the Mulan PSL v2.
4 * You can use this software according to the terms and conditions of the Mulan PSL v2.
5 * You may obtain a copy of Mulan PSL v2 at:
6 * http://license.coscl.org.cn/MulanPSL2
7 * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
8 * IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
9 * PURPOSE.
10 * See the Mulan PSL v2 for more details.
11 */
12
13 #include "teeclientonremoterequest_fuzzer.h"
14
15 #include <cstddef>
16 #include <cstdint>
17 #include "tee_client_api.h"
18 #include "tee_client_constants.h"
19 #include "tee_client_type.h"
20 #include "cadaemon_stub.h"
21 #include "message_parcel.h"
22 #include "securec.h"
23 #include "cadaemon_service.h"
24 #include "cadaemon_ipc_interface_code.h"
25
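namespace OHOS {
namespace CaDaemon {
/* Upper bound on the fuzz input length accepted by the entry point. */
constexpr size_t FOO_MAX_LEN = 1024;
/* Lower bound on the fuzz input length accepted by the entry point. */
constexpr size_t U32_AT_SIZE = 4;
/* Interface token written at the front of every request parcel. */
const std::u16string FORMMGR_INTERFACE_TOKEN = u"ohos.tee_client.accessToken";

/*
 * Feed one fuzz input to every CaDaemonStub request code.
 *
 * The input bytes are treated as the untrusted body of an IPC request: they are
 * placed in a parcel behind the interface token and handed to
 * CaDaemonStub::OnRemoteRequest once per code, in a fixed order.
 *
 * data: fuzz input bytes; the caller guarantees it is non-null.
 * size: number of bytes in data.
 * Returns true unconditionally; handler results are ignored, the harness relies
 * on sanitizers/crashes to report defects.
 */
bool TeeClientOnRemoteRequestFuzzTest(const uint8_t *data, size_t size)
{
    /* Request codes are dispatched in this order for every input. */
    static constexpr CadaemonOperationInterfaceCode REQUEST_CODES[] = {
        CadaemonOperationInterfaceCode::INIT_CONTEXT,
        CadaemonOperationInterfaceCode::FINAL_CONTEXT,
        CadaemonOperationInterfaceCode::OPEN_SESSION,
        CadaemonOperationInterfaceCode::CLOSE_SESSION,
        CadaemonOperationInterfaceCode::INVOKE_COMMND,
        CadaemonOperationInterfaceCode::REGISTER_MEM,
        CadaemonOperationInterfaceCode::ALLOC_MEM,
        CadaemonOperationInterfaceCode::RELEASE_MEM,
        CadaemonOperationInterfaceCode::SET_CALL_BACK,
        CadaemonOperationInterfaceCode::SEND_SECFILE,
        CadaemonOperationInterfaceCode::GET_TEE_VERSION,
    };

    MessageParcel datas;
    datas.WriteInterfaceToken(FORMMGR_INTERFACE_TOKEN);
    datas.WriteBuffer(data, size);

    MessageOption option;
    /*
     * NOTE(review): the service is heap-allocated and released with a plain delete,
     * as in the original harness; confirm that matches CaDaemonService's ownership model.
     */
    CaDaemonService *tmp = new CaDaemonService(1, 0);
    for (const auto code : REQUEST_CODES) {
        /*
         * Rewind before every dispatch. The parcel is shared by all request codes, so
         * without this only the first handler would parse the input from its start and
         * the others would begin wherever the previous one stopped reading.
         */
        datas.RewindRead(0);
        /* A fresh reply per request keeps one handler's output out of the next call. */
        MessageParcel reply;
        tmp->CaDaemonStub::OnRemoteRequest(static_cast<uint32_t>(code), datas, reply, option);
    }
    delete tmp;
    return true;
}
} // namespace CaDaemon
} // namespace OHOS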
69
/*
 * libFuzzer entry point.
 *
 * Rejects inputs that are null, shorter than U32_AT_SIZE or longer than FOO_MAX_LEN,
 * then passes a private heap copy of the input (allocated one byte larger and
 * zero-filled first) to TeeClientOnRemoteRequestFuzzTest. Always returns 0.
 */
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    tloge("begin LLVMFuzzerTestOneInput\n");

    /* Input validation: pointer first, then the accepted length window. */
    if (data == nullptr) {
        return 0;
    }
    const bool tooShort = size < OHOS::CaDaemon::U32_AT_SIZE;
    const bool tooLong = size > OHOS::CaDaemon::FOO_MAX_LEN;
    if (tooShort || tooLong) {
        return 0;
    }

    /* One spare byte beyond the input; the whole buffer is zeroed before the copy. */
    const size_t bufLen = size + 1;
    uint8_t *copy = static_cast<uint8_t *>(malloc(bufLen));
    if (copy == nullptr) {
        return 0;
    }
    (void)memset_s(copy, bufLen, 0x00, bufLen);

    /* Only run the target when the input was copied successfully. */
    if (memcpy_s(copy, size, data, size) == EOK) {
        OHOS::CaDaemon::TeeClientOnRemoteRequestFuzzTest(copy, size);
    }

    free(copy);
    return 0;
}