1 /*
2 * Copyright (c) 2022 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "usbmgrbulkcancel_fuzzer.h"
17
18 #include <array>
19 #include <optional>
20
21 #include "ashmem.h"
22 #include "iremote_object.h"
23 #include "usb_callback_test.h"
24 #include "usb_common_fuzz.h"
25 #include "usb_errors.h"
26
27 namespace {
28 const uint32_t OFFSET = 4;
29 constexpr size_t THRESHOLD = 10;
30 const uint32_t ASHMEM_MAX_SIZE = 1024;
31 const uint32_t MEM_DATA = 1024 * 1024;
32 }
33 namespace OHOS {
34 namespace USB {
GetSharedMem()35 sptr<Ashmem> GetSharedMem()
36 {
37 sptr<Ashmem> asmptr = Ashmem::CreateAshmem("ttashmem001", MEM_DATA);
38 if (asmptr == nullptr) {
39 USB_HILOGE(MODULE_USB_SERVICE, "InitAshmemOne CreateAshmem failed");
40 return nullptr;
41 }
42
43 asmptr->MapReadAndWriteAshmem();
44
45 std::array<uint8_t, ASHMEM_MAX_SIZE> tdata;
46 tdata.fill('Y');
47 uint32_t offset = 0;
48 while (offset < MEM_DATA) {
49 uint32_t tlen = (MEM_DATA - offset) < ASHMEM_MAX_SIZE ? (MEM_DATA - offset) : ASHMEM_MAX_SIZE;
50 asmptr->WriteToAshmem(tdata.data(), tlen, offset);
51 offset += tlen;
52 }
53 return asmptr;
54 }
55
UsbMgrBulkCancelFuzzTest(const uint8_t * data,size_t size)56 bool UsbMgrBulkCancelFuzzTest(const uint8_t* data, size_t size)
57 {
58 if (data == nullptr || size < sizeof(USBDevicePipe) || size < OFFSET + sizeof(USBEndpoint)) {
59 USB_HILOGE(MODULE_USB_SERVICE, "data size is insufficient!");
60 return false;
61 }
62 auto[res, pipe, interface] = UsbMgrPrepareFuzzEnv();
63 if (!res) {
64 USB_HILOGE(MODULE_USB_SERVICE, "prepare error");
65 return false;
66 }
67
68 auto& usbSrvClient = UsbSrvClient::GetInstance();
69 sptr<UsbCallbackTest> cb = new UsbCallbackTest();
70 USBEndpoint point = const_cast<UsbInterface &>(interface).GetEndpoints().at(1);
71 auto ret = usbSrvClient.RegBulkCallback(const_cast<USBDevicePipe &>(pipe), point, cb);
72 if (ret != UEC_OK) {
73 USB_HILOGE(MODULE_USB_SERVICE, "RegBulkCallback failed ret=%{public}d", ret);
74 return false;
75 }
76
77 auto sharedMem = GetSharedMem();
78 if (sharedMem == nullptr) {
79 USB_HILOGE(MODULE_USB_SERVICE, "GetSharedMem failed ret=%{public}d", ret);
80 return false;
81 }
82
83 ret = usbSrvClient.BulkWrite(const_cast<USBDevicePipe &>(pipe), point, sharedMem);
84 if (ret != UEC_OK) {
85 USB_HILOGE(MODULE_USB_SERVICE, "BulkWrite failed ret=%{public}d", ret);
86 return false;
87 }
88
89 if (usbSrvClient.BulkCancel(reinterpret_cast<USBDevicePipe &>(data),
90 reinterpret_cast<const USBEndpoint&>(std::move(data + OFFSET))) == UEC_OK) {
91 return false;
92 }
93 return true;
94 }
95 } // USB
96 } // OHOS
97
98 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)99 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
100 {
101 if (size < THRESHOLD) {
102 return 0;
103 }
104 /* Run your code on data */
105 OHOS::USB::UsbMgrBulkCancelFuzzTest(data, size);
106 return 0;
107 }
108