1 /*
2 * Copyright (c) 2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "usbmgrex_fuzzer.h"
17 #include <cstddef>
18 #include <cstdint>
19 #include "usb_service.h"
20
21 using namespace OHOS::HDI::Usb::V1_0;
22 using namespace OHOS::USB;
23
24 namespace OHOS {
25 constexpr size_t THRESHOLD = 10;
26 constexpr int32_t OFFSET = 4;
27 enum class UsbInterfaceCode {
28 USB_FUN_HAS_RIGHT = 0,
29 USB_FUN_REQUEST_RIGHT,
30 USB_FUN_REMOVE_RIGHT,
31 USB_FUN_OPEN_DEVICE,
32 USB_FUN_RESET_DEVICE,
33 USB_FUN_GET_DEVICE,
34 USB_FUN_GET_DEVICES,
35 USB_FUN_GET_CURRENT_FUNCTIONS,
36 USB_FUN_SET_CURRENT_FUNCTIONS,
37 USB_FUN_USB_FUNCTIONS_FROM_STRING,
38 USB_FUN_USB_FUNCTIONS_TO_STRING,
39 USB_FUN_CLAIM_INTERFACE,
40 USB_FUN_RELEASE_INTERFACE,
41 USB_FUN_BULK_TRANSFER_READ,
42 USB_FUN_BULK_TRANSFER_WRITE,
43 USB_FUN_CONTROL_TRANSFER,
44 USB_FUN_USB_CONTROL_TRANSFER,
45 USB_FUN_SET_ACTIVE_CONFIG,
46 USB_FUN_GET_ACTIVE_CONFIG,
47 USB_FUN_SET_INTERFACE,
48 USB_FUN_GET_PORTS,
49 USB_FUN_GET_SUPPORTED_MODES,
50 USB_FUN_SET_PORT_ROLE,
51 USB_FUN_REQUEST_QUEUE,
52 USB_FUN_REQUEST_WAIT,
53 USB_FUN_REQUEST_CANCEL,
54 USB_FUN_GET_DESCRIPTOR,
55 USB_FUN_GET_FILEDESCRIPTOR,
56 USB_FUN_CLOSE_DEVICE,
57 USB_FUN_SUBMIT_TRANSFER,
58 USB_FUN_CANCEL_TRANSFER,
59 USB_FUN_BULK_AYSNC_READ,
60 USB_FUN_BULK_AYSNC_WRITE,
61 USB_FUN_BULK_AYSNC_CANCEL,
62 USB_FUN_REG_BULK_CALLBACK,
63 USB_FUN_UNREG_BULK_CALLBACK,
64 USB_FUN_ADD_RIGHT,
65 USB_FUN_DISABLE_GLOBAL_INTERFACE,
66 USB_FUN_DISABLE_DEVICE,
67 USB_FUN_DISABLE_INTERFACE_TYPE,
68 USB_FUN_CLEAR_HALT,
69 USB_FUN_GET_DEVICE_SPEED,
70 USB_FUN_GET_DRIVER_ACTIVE_STATUS,
71 USB_FUN_ADD_ACCESS_RIGHT,
72 USB_FUN_BULK_TRANSFER_READ_WITH_LENGTH,
73 USB_FUN_ATTACH_KERNEL_DRIVER,
74 USB_FUN_DETACH_KERNEL_DRIVER,
75 USB_FUN_GET_ACCESSORY_LIST,
76 USB_FUN_OPEN_ACCESSORY,
77 USB_FUN_CLOSE_ACCESSORY,
78 USB_FUN_HAS_ACCESSORY_RIGHT,
79 USB_FUN_REQUEST_ACCESSORY_RIGHT,
80 USB_FUN_REMOVE_ACCESSORY_RIGHT,
81 USB_FUN_ADD_ACCESSORY_RIGHT,
82 USB_FUN_SERIAL_OPEN,
83 USB_FUN_SERIAL_CLOSE,
84 USB_FUN_SERIAL_READ,
85 USB_FUN_SERIAL_WRITE,
86 USB_FUN_SERIAL_GET_ATTRIBUTE,
87 USB_FUN_SERIAL_SET_ATTRIBUTE,
88 USB_FUN_SERIAL_GET_PORTLIST,
89 USB_FUN_HAS_SERIAL_RIGHT,
90 USB_FUN_ADD_SERIAL_RIGHT,
91 USB_FUN_CANCEL_SERIAL_RIGHT,
92 USB_FUN_REQUEST_SERIAL_RIGHT
93 };
94 const std::u16string USB_INTERFACE_TOKEN = u"ohos.usb.IUsbServer";
95 static uint32_t g_usbInterfaceCode = 0;
96 static constexpr uint32_t USB_INTERFACE_CODE_COUNT = 64;
97
SetTestCaseNative(TokenInfoParams * infoInstance)98 void SetTestCaseNative(TokenInfoParams *infoInstance)
99 {
100 uint64_t tokenId = GetAccessTokenId(infoInstance);
101 int ret = SetSelfTokenID(tokenId);
102 if (ret == 0) {
103 USB_HILOGI(MODULE_USB_SERVICE, "SetSelfTokenID success %{public}d", __LINE__);
104 } else {
105 USB_HILOGE(MODULE_USB_SERVICE, "SetSelfTokenID fail %{public}d", ret);
106 }
107 ret = Security::AccessToken::AccessTokenKit::ReloadNativeTokenInfo();
108 if (ret == 0) {
109 USB_HILOGI(MODULE_USB_SERVICE, "ReloadNativeTokenInfo success %{public}d", __LINE__);
110 } else {
111 USB_HILOGE(MODULE_USB_SERVICE, "ReloadNativeTokenInfo fail %{public}d", ret);
112 }
113 }
114
GrantPermissionSysNative()115 void GrantPermissionSysNative()
116 {
117 const char **permsInfo = new(std::nothrow)const char* [1];
118 permsInfo[0] = "ohos.permission.MANAGE_USB_CONFIG";
119 TokenInfoParams g_sysInfoInstance = {
120 .dcapsNum = 0,
121 .permsNum = 1,
122 .aclsNum = 0,
123 .dcaps = nullptr,
124 .perms = permsInfo,
125 .acls = nullptr,
126 .processName = "usb_manager_test_sys_with_perms",
127 .aplStr = "system_basic",
128 };
129 SetTestCaseNative(&g_sysInfoInstance);
130 }
131
GrantPermissionNormalNative()132 void GrantPermissionNormalNative()
133 {
134 TokenInfoParams g_normalInfoInstance = {
135 .dcapsNum = 0,
136 .permsNum = 0,
137 .aclsNum = 0,
138 .dcaps = nullptr,
139 .perms = nullptr,
140 .acls = nullptr,
141 .processName = "usb_manager_test_normal",
142 .aplStr = "normal",
143 };
144 SetTestCaseNative(&g_normalInfoInstance);
145 }
146
DoSomethingInterestingWithMyAPI(const uint8_t * rawData,size_t size)147 bool DoSomethingInterestingWithMyAPI(const uint8_t *rawData, size_t size)
148 {
149 if (rawData == nullptr || size < OFFSET) {
150 return false;
151 }
152 if (g_usbInterfaceCode > USB_INTERFACE_CODE_COUNT) {
153 return true;
154 }
155 uint32_t code = g_usbInterfaceCode;
156 if (code <= USB_INTERFACE_CODE_COUNT) {
157 g_usbInterfaceCode += 1;
158 }
159 rawData = rawData + OFFSET;
160 size = size - OFFSET;
161
162 MessageParcel data;
163 data.WriteInterfaceToken(USB_INTERFACE_TOKEN);
164 data.WriteBuffer(rawData, size);
165 data.RewindRead(0);
166 MessageParcel reply;
167 MessageOption option;
168 UsbService::GetGlobalInstance()->OnRemoteRequest(code, data, reply, option);
169 return true;
170 }
171 } // namespace OHOS
172
173 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)174 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
175 {
176 if (size < OHOS::THRESHOLD) {
177 return 0;
178 }
179
180 /* Run your code on data */
181 OHOS::DoSomethingInterestingWithMyAPI(data, size);
182 return 0;
183 }
184