1 /*
2 * Copyright (c) 2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15 #define private public
16 #define protected public
17 #include "hcesessionstub_fuzzer.h"
18
19 #include <cstddef>
20 #include <cstdint>
21 #include <securec.h>
22 #include <string>
23
24 #include "hce_session_stub.h"
25 #include "hce_session.h"
26 #include "nfc_sdk_common.h"
27 #include "nfc_service_ipc_interface_code.h"
28 #include "nfc_access_token_mock.h"
29
30 namespace OHOS {
31 using namespace OHOS::NFC::KITS;
32 using namespace OHOS::NFC::HCE;
33
34 constexpr uint32_t MESSAGE_SIZE = NFC::NfcServiceIpcInterfaceCode::COMMAND_CE_HCE_SESSION_BOTTOM;
35 constexpr const auto FUZZER_THRESHOLD = 6;
36
ConvertToUint32s(const uint8_t * ptr,uint32_t * outPara,uint16_t outParaLen)37 void ConvertToUint32s(const uint8_t* ptr, uint32_t* outPara, uint16_t outParaLen)
38 {
39 for (uint16_t i = 0 ; i < outParaLen ; i++) {
40 // 4 uint8s compose 1 uint32 , 8 16 24 is bit operation, 2 3 4 are array subscripts.
41 outPara[i] = (ptr[i * 4] << 24) | (ptr[(i * 4) + 1 ] << 16) | (ptr[(i * 4) + 2] << 8) | (ptr[(i * 4) + 3]);
42 }
43 }
44
GetU32Data(const uint8_t * data)45 uint32_t GetU32Data(const uint8_t* data)
46 {
47 /*
48 * Move the 0th digit to the left by 24 bits, the 1st digit to the left by 16 bits,
49 * the 2nd digit to the left by 8 bits, and the 3rd digit not to the left
50 */
51 return (data[0] << 24) | (data[1] << 16) | (data[2] << 8) | (data[3]);
52 }
53
BuildAddressString(const uint8_t * data)54 std::string BuildAddressString(const uint8_t* data)
55 {
56 std::string addr("00:00:00:00:00:00");
57 char temp[18] = {0};
58 int ret = sprintf_s(temp, sizeof(temp), "%02X:%02X:%02X:%02X:%02X:%02X",
59 data[0], data[1], data[2], data[3], data[4], data[5]);
60 if (ret != -1) {
61 addr = std::string(temp);
62 }
63 return addr;
64 }
65
DoHceSessionStubFuzzTest(const uint8_t * data,size_t size)66 bool DoHceSessionStubFuzzTest(const uint8_t* data, size_t size)
67 {
68 uint32_t code = (GetU32Data(data) % MESSAGE_SIZE);
69 auto addr = BuildAddressString(data);
70
71 MessageParcel datas;
72 std::u16string descriptor = NFC::HceSessionStub::GetDescriptor();
73 datas.WriteInterfaceToken(descriptor);
74 datas.WriteInt32(*(reinterpret_cast<const int32_t *>(data)));
75 datas.WriteString(addr.c_str());
76 datas.RewindRead(0);
77 MessageParcel reply;
78 MessageOption option;
79
80 std::shared_ptr<OHOS::NFC::NfcService> nfcService = std::make_shared<OHOS::NFC::NfcService>();
81 std::shared_ptr<NFC::HCE::HceSession> hceSession = std::make_shared<NFC::HCE::HceSession>(nfcService);
82 hceSession->OnRemoteRequest(code, datas, reply, option);
83 return true;
84 }
85
StopHceFuzzTest(const uint8_t * data,size_t size)86 void StopHceFuzzTest(const uint8_t* data, size_t size)
87 {
88 ElementName element;
89 Security::AccessToken::AccessTokenID callerToken = static_cast<Security::AccessToken::AccessTokenID>(data[0]);
90 std::shared_ptr<OHOS::NFC::NfcService> nfcService = std::make_shared<OHOS::NFC::NfcService>();
91 std::shared_ptr<NFC::HCE::HceSession> hceSession = std::make_shared<NFC::HCE::HceSession>(nfcService);
92 hceSession->StopHce(element);
93 }
94
RemoveHceDeathRecipientFuzzTest(const uint8_t * data,size_t size)95 void RemoveHceDeathRecipientFuzzTest(const uint8_t* data, size_t size)
96 {
97 wptr<IRemoteObject> remote = nullptr;
98 std::shared_ptr<OHOS::NFC::NfcService> nfcService = std::make_shared<OHOS::NFC::NfcService>();
99 std::shared_ptr<NFC::HCE::HceSession> hceSession = std::make_shared<NFC::HCE::HceSession>(nfcService);
100 hceSession->RemoveHceDeathRecipient(remote);
101 }
102
FuzzHceSessionDump(const uint8_t * data,size_t size)103 void FuzzHceSessionDump(const uint8_t* data, size_t size)
104 {
105 auto addr = BuildAddressString(data);
106 std::shared_ptr<OHOS::NFC::NfcService> nfcService = std::make_shared<OHOS::NFC::NfcService>();
107 int32_t fd = 0;
108 std::vector<std::u16string> args;
109 std::shared_ptr<NFC::HCE::HceSession> hceSession = std::make_shared<NFC::HCE::HceSession>(nfcService);
110 (void)hceSession->Dump(fd, args);
111 }
112
113 }
114
115 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)116 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
117 {
118 if (size < OHOS::FUZZER_THRESHOLD) {
119 return 0;
120 }
121
122 /* Run your code on data */
123 OHOS::NFC::NfcAccessTokenMock::SetNativeTokenInfo();
124 OHOS::DoHceSessionStubFuzzTest(data, size);
125 OHOS::StopHceFuzzTest(data, size);
126 OHOS::RemoveHceDeathRecipientFuzzTest(data, size);
127 OHOS::FuzzHceSessionDump(data, size);
128 return 0;
129 }
130
131