1 /*
2 * Copyright (c) 2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15 #include "daemonstub_fuzzer.h"
16
17 #include <cstddef>
18 #include <cstdint>
19 #include <cstring>
20 #include <string>
21
22 #include "copy/ipc_wrapper.h"
23 #include "daemon_stub.h"
24 #include "distributed_file_daemon_ipc_interface_code.h"
25 #include "ipc_skeleton.h"
26 #include "message_option.h"
27 #include "message_parcel.h"
28 #include "securec.h"
29 #include "accesstoken_kit.h"
30 #include "utils_log.h"
31 #include "nativetoken_kit.h"
32 #include "token_setproc.h"
33
34 namespace OHOS {
35 constexpr pid_t DATA_UID = 3012;
36 constexpr pid_t DAEMON_UID = 1009;
37 const pid_t PASTEBOARDUSERID = 3816;
38 static pid_t UID = DAEMON_UID;
39 #ifdef CONFIG_IPC_SINGLE
40 using namespace IPC_SINGLE;
41 #endif
GetCallingUid()42 pid_t IPCSkeleton::GetCallingUid()
43 {
44 return UID;
45 }
46 }
47
48 namespace OHOS {
49 using namespace OHOS::Storage::DistributedFile;
50
51 class DaemonStubImpl : public DaemonStub {
52 public:
53 DaemonStubImpl() = default;
~DaemonStubImpl()54 ~DaemonStubImpl() override {}
OpenP2PConnection(const DistributedHardware::DmDeviceInfo & deviceInfo)55 int32_t OpenP2PConnection(const DistributedHardware::DmDeviceInfo &deviceInfo) override
56 {
57 return 0;
58 }
59
CloseP2PConnection(const DistributedHardware::DmDeviceInfo & deviceInfo)60 int32_t CloseP2PConnection(const DistributedHardware::DmDeviceInfo &deviceInfo) override
61 {
62 return 0;
63 }
64
OpenP2PConnectionEx(const std::string & networkId,sptr<IFileDfsListener> remoteReverseObj)65 int32_t OpenP2PConnectionEx(const std::string &networkId, sptr<IFileDfsListener> remoteReverseObj) override
66 {
67 return 0;
68 }
69
CloseP2PConnectionEx(const std::string & networkId)70 int32_t CloseP2PConnectionEx(const std::string &networkId) override
71 {
72 return 0;
73 }
74
PrepareSession(const std::string & srcUri,const std::string & dstUri,const std::string & srcDeviceId,const sptr<IRemoteObject> & listener,HmdfsInfo & info)75 int32_t PrepareSession(const std::string &srcUri,
76 const std::string &dstUri,
77 const std::string &srcDeviceId,
78 const sptr<IRemoteObject> &listener,
79 HmdfsInfo &info) override
80 {
81 return 0;
82 }
83
CancelCopyTask(const std::string & sessionName)84 int32_t CancelCopyTask(const std::string &sessionName) override
85 {
86 return 0;
87 }
88
CancelCopyTask(const std::string & srcUri,const std::string & dstUri)89 int32_t CancelCopyTask(const std::string &srcUri, const std::string &dstUri) override
90 {
91 return 0;
92 }
93
RequestSendFile(const std::string & srcUri,const std::string & dstPath,const std::string & remoteDeviceId,const std::string & sessionName)94 int32_t RequestSendFile(const std::string &srcUri,
95 const std::string &dstPath,
96 const std::string &remoteDeviceId,
97 const std::string &sessionName) override
98 {
99 return 0;
100 }
101
GetRemoteCopyInfo(const std::string & srcUri,bool & isFile,bool & isDir)102 int32_t GetRemoteCopyInfo(const std::string &srcUri, bool &isFile, bool &isDir) override
103 {
104 return 0;
105 }
106
PushAsset(int32_t userId,const sptr<AssetObj> & assetObj,const sptr<IAssetSendCallback> & sendCallback)107 int32_t PushAsset(int32_t userId,
108 const sptr<AssetObj> &assetObj,
109 const sptr<IAssetSendCallback> &sendCallback) override
110 {
111 return 0;
112 }
113
RegisterAssetCallback(const sptr<IAssetRecvCallback> & recvCallback)114 int32_t RegisterAssetCallback(const sptr<IAssetRecvCallback> &recvCallback) override
115 {
116 return 0;
117 }
118
UnRegisterAssetCallback(const sptr<IAssetRecvCallback> & recvCallback)119 int32_t UnRegisterAssetCallback(const sptr<IAssetRecvCallback> &recvCallback) override
120 {
121 return 0;
122 }
123
GetDfsUrisDirFromLocal(const std::vector<std::string> & uriList,const int32_t userId,std::unordered_map<std::string,AppFileService::ModuleRemoteFileShare::HmdfsUriInfo> & uriToDfsUriMaps)124 int32_t GetDfsUrisDirFromLocal(const std::vector<std::string> &uriList,
125 const int32_t userId,
126 std::unordered_map<std::string, AppFileService::ModuleRemoteFileShare::HmdfsUriInfo>
127 &uriToDfsUriMaps) override
128 {
129 return 0;
130 }
131
GetDfsSwitchStatus(const std::string & networkId,int32_t & switchStatus)132 int32_t GetDfsSwitchStatus(const std::string &networkId, int32_t &switchStatus) override
133 {
134 return 0;
135 }
136
UpdateDfsSwitchStatus(int32_t switchStatus)137 int32_t UpdateDfsSwitchStatus(int32_t switchStatus) override
138 {
139 return 0;
140 }
141
GetConnectedDeviceList(std::vector<DfsDeviceInfo> & deviceList)142 int32_t GetConnectedDeviceList(std::vector<DfsDeviceInfo> &deviceList) override
143 {
144 return 0;
145 }
146 };
147
HandleOpenP2PConnectionFuzzTest(std::shared_ptr<DaemonStub> daemonStubPtr,const uint8_t * data,size_t size)148 void HandleOpenP2PConnectionFuzzTest(std::shared_ptr<DaemonStub> daemonStubPtr,
149 const uint8_t *data,
150 size_t size)
151 {
152 uint32_t code = static_cast<uint32_t>(DistributedFileDaemonInterfaceCode::DISTRIBUTED_FILE_OPEN_P2P_CONNECTION);
153 MessageParcel datas;
154 datas.WriteInterfaceToken(DaemonStub::GetDescriptor());
155 datas.WriteBuffer(data, size);
156 datas.RewindRead(0);
157 MessageParcel reply;
158 MessageOption option;
159
160 daemonStubPtr->OnRemoteRequest(code, datas, reply, option);
161 }
162
HandleCloseP2PConnectionFuzzTest(std::shared_ptr<DaemonStub> daemonStubPtr,const uint8_t * data,size_t size)163 void HandleCloseP2PConnectionFuzzTest(std::shared_ptr<DaemonStub> daemonStubPtr,
164 const uint8_t *data,
165 size_t size)
166 {
167 uint32_t code = static_cast<uint32_t>(DistributedFileDaemonInterfaceCode::DISTRIBUTED_FILE_CLOSE_P2P_CONNECTION);
168 MessageParcel datas;
169 datas.WriteInterfaceToken(DaemonStub::GetDescriptor());
170 datas.WriteBuffer(data, size);
171 datas.RewindRead(0);
172 MessageParcel reply;
173 MessageOption option;
174
175 daemonStubPtr->OnRemoteRequest(code, datas, reply, option);
176 }
177
HandleOpenP2PConnectionExFuzzTest(std::shared_ptr<DaemonStub> daemonStubPtr,const uint8_t * data,size_t size)178 void HandleOpenP2PConnectionExFuzzTest(std::shared_ptr<DaemonStub> daemonStubPtr,
179 const uint8_t *data,
180 size_t size)
181 {
182 uint32_t code = static_cast<uint32_t>(DistributedFileDaemonInterfaceCode::DISTRIBUTED_FILE_OPEN_P2P_CONNECTION_EX);
183 MessageParcel datas;
184 datas.WriteInterfaceToken(DaemonStub::GetDescriptor());
185 datas.WriteBuffer(data, size);
186 datas.RewindRead(0);
187 MessageParcel reply;
188 MessageOption option;
189
190 daemonStubPtr->OnRemoteRequest(code, datas, reply, option);
191 }
192
HandleCloseP2PConnectionExFuzzTest(std::shared_ptr<DaemonStub> daemonStubPtr,const uint8_t * data,size_t size)193 void HandleCloseP2PConnectionExFuzzTest(std::shared_ptr<DaemonStub> daemonStubPtr,
194 const uint8_t *data,
195 size_t size)
196 {
197 uint32_t code = static_cast<uint32_t>(DistributedFileDaemonInterfaceCode::DISTRIBUTED_FILE_CLOSE_P2P_CONNECTION_EX);
198 MessageParcel datas;
199 datas.WriteInterfaceToken(DaemonStub::GetDescriptor());
200 datas.WriteBuffer(data, size);
201 datas.RewindRead(0);
202 MessageParcel reply;
203 MessageOption option;
204
205 daemonStubPtr->OnRemoteRequest(code, datas, reply, option);
206 }
207
HandlePrepareSessionFuzzTest(std::shared_ptr<DaemonStub> daemonStubPtr,const uint8_t * data,size_t size)208 void HandlePrepareSessionFuzzTest(std::shared_ptr<DaemonStub> daemonStubPtr, const uint8_t *data, size_t size)
209 {
210 uint32_t code = static_cast<uint32_t>(DistributedFileDaemonInterfaceCode::DISTRIBUTED_FILE_PREPARE_SESSION);
211 MessageParcel datas;
212 datas.WriteInterfaceToken(DaemonStub::GetDescriptor());
213 datas.WriteBuffer(data, size);
214 datas.RewindRead(0);
215 MessageParcel reply;
216 MessageOption option;
217
218 daemonStubPtr->OnRemoteRequest(code, datas, reply, option);
219 }
220
HandleCancelCopyTaskFuzzTest(std::shared_ptr<DaemonStub> daemonStubPtr,const uint8_t * data,size_t size)221 void HandleCancelCopyTaskFuzzTest(std::shared_ptr<DaemonStub> daemonStubPtr, const uint8_t *data, size_t size)
222 {
223 uint32_t code = static_cast<uint32_t>(DistributedFileDaemonInterfaceCode::DISTRIBUTED_FILE_CANCEL_COPY_TASK);
224 MessageParcel datas;
225 datas.WriteInterfaceToken(DaemonStub::GetDescriptor());
226 datas.WriteBuffer(data, size);
227 datas.RewindRead(0);
228 MessageParcel reply;
229 MessageOption option;
230
231 daemonStubPtr->OnRemoteRequest(code, datas, reply, option);
232 }
233
HandleRequestSendFileFuzzTest(std::shared_ptr<DaemonStub> daemonStubPtr,const uint8_t * data,size_t size)234 void HandleRequestSendFileFuzzTest(std::shared_ptr<DaemonStub> daemonStubPtr,
235 const uint8_t *data,
236 size_t size)
237 {
238 OHOS::UID = DAEMON_UID;
239 uint32_t code = static_cast<uint32_t>(DistributedFileDaemonInterfaceCode::DISTRIBUTED_FILE_REQUEST_SEND_FILE);
240 MessageParcel datas;
241 datas.WriteInterfaceToken(DaemonStub::GetDescriptor());
242 datas.WriteBuffer(data, size);
243 datas.RewindRead(0);
244 MessageParcel reply;
245 MessageOption option;
246
247 daemonStubPtr->OnRemoteRequest(code, datas, reply, option);
248 }
249
HandleGetRemoteCopyInfoFuzzTest(std::shared_ptr<DaemonStub> daemonStubPtr,const uint8_t * data,size_t size)250 void HandleGetRemoteCopyInfoFuzzTest(std::shared_ptr<DaemonStub> daemonStubPtr,
251 const uint8_t *data,
252 size_t size)
253 {
254 OHOS::UID = DAEMON_UID;
255 uint32_t code = static_cast<uint32_t>(DistributedFileDaemonInterfaceCode::DISTRIBUTED_FILE_GET_REMOTE_COPY_INFO);
256 MessageParcel datas;
257 datas.WriteInterfaceToken(DaemonStub::GetDescriptor());
258 datas.WriteBuffer(data, size);
259 datas.RewindRead(0);
260 MessageParcel reply;
261 MessageOption option;
262
263 daemonStubPtr->OnRemoteRequest(code, datas, reply, option);
264 }
265
HandlePushAssetFuzzTest(std::shared_ptr<DaemonStub> daemonStubPtr,const uint8_t * data,size_t size)266 void HandlePushAssetFuzzTest(std::shared_ptr<DaemonStub> daemonStubPtr, const uint8_t *data, size_t size)
267 {
268 OHOS::UID = DATA_UID;
269 uint32_t code = static_cast<uint32_t>(DistributedFileDaemonInterfaceCode::DISTRIBUTED_FILE_PUSH_ASSET);
270 MessageParcel datas;
271 datas.WriteInterfaceToken(DaemonStub::GetDescriptor());
272 datas.WriteBuffer(data, size);
273 datas.RewindRead(0);
274 MessageParcel reply;
275 MessageOption option;
276
277 daemonStubPtr->OnRemoteRequest(code, datas, reply, option);
278 }
279
HandleRegisterRecvCallbackFuzzTest(std::shared_ptr<DaemonStub> daemonStubPtr,const uint8_t * data,size_t size)280 void HandleRegisterRecvCallbackFuzzTest(std::shared_ptr<DaemonStub> daemonStubPtr,
281 const uint8_t *data,
282 size_t size)
283 {
284 OHOS::UID = DATA_UID;
285 uint32_t code = static_cast<uint32_t>(DistributedFileDaemonInterfaceCode::DISTRIBUTED_FILE_REGISTER_ASSET_CALLBACK);
286 MessageParcel datas;
287 datas.WriteInterfaceToken(DaemonStub::GetDescriptor());
288 datas.WriteBuffer(data, size);
289 datas.RewindRead(0);
290 MessageParcel reply;
291 MessageOption option;
292
293 daemonStubPtr->OnRemoteRequest(code, datas, reply, option);
294 }
295
HandleUnRegisterRecvCallbackFuzzTest(std::shared_ptr<DaemonStub> daemonStubPtr,const uint8_t * data,size_t size)296 void HandleUnRegisterRecvCallbackFuzzTest(std::shared_ptr<DaemonStub> daemonStubPtr,
297 const uint8_t *data,
298 size_t size)
299 {
300 OHOS::UID = DATA_UID;
301 uint32_t code =
302 static_cast<uint32_t>(DistributedFileDaemonInterfaceCode::DISTRIBUTED_FILE_UN_REGISTER_ASSET_CALLBACK);
303 MessageParcel datas;
304 datas.WriteInterfaceToken(DaemonStub::GetDescriptor());
305 datas.WriteBuffer(data, size);
306 datas.RewindRead(0);
307 MessageParcel reply;
308 MessageOption option;
309
310 daemonStubPtr->OnRemoteRequest(code, datas, reply, option);
311 }
312
HandleGetDfsUrisDirFromLocalFuzzTest(std::shared_ptr<DaemonStub> daemonStubPtr,const uint8_t * data,size_t size)313 void HandleGetDfsUrisDirFromLocalFuzzTest(std::shared_ptr<DaemonStub> daemonStubPtr,
314 const uint8_t *data,
315 size_t size)
316 {
317 OHOS::UID = PASTEBOARDUSERID;
318 uint32_t code =
319 static_cast<uint32_t>(DistributedFileDaemonInterfaceCode::GET_DFS_URI_IS_DIR_FROM_LOCAL);
320 MessageParcel datas;
321 datas.WriteInterfaceToken(DaemonStub::GetDescriptor());
322 datas.WriteBuffer(data, size);
323 datas.RewindRead(0);
324 MessageParcel reply;
325 MessageOption option;
326
327 daemonStubPtr->OnRemoteRequest(code, datas, reply, option);
328 }
329
HandleInnerCancelCopyTaskFuzzTest(std::shared_ptr<DaemonStub> daemonStubPtr,const uint8_t * data,size_t size)330 void HandleInnerCancelCopyTaskFuzzTest(std::shared_ptr<DaemonStub> daemonStubPtr, const uint8_t *data, size_t size)
331 {
332 OHOS::UID = DATA_UID;
333 uint32_t code =
334 static_cast<uint32_t>(DistributedFileDaemonInterfaceCode::DISTRIBUTED_FILE_CANCEL_INNER_COPY_TASK);
335 MessageParcel datas;
336 datas.WriteInterfaceToken(DaemonStub::GetDescriptor());
337 int len = size >> 1;
338 datas.WriteString(std::string(reinterpret_cast<const char *>(data), len));
339 datas.WriteString(std::string(reinterpret_cast<const char *>(data + len), len));
340 datas.RewindRead(0);
341 MessageParcel reply;
342 MessageOption option;
343
344 daemonStubPtr->OnRemoteRequest(code, datas, reply, option);
345 }
346
WriteUriByRawDataFuzzTest(const uint8_t * data,size_t size)347 void WriteUriByRawDataFuzzTest(const uint8_t *data, size_t size)
348 {
349 MessageParcel datas;
350 std::vector<std::string> uriVec { std::string(reinterpret_cast<const char *>(data), size) };
351
352 IpcWrapper::WriteUriByRawData(datas, uriVec);
353 IpcWrapper::WriteBatchUris(datas, uriVec);
354
355 void* buf = nullptr;
356 if (IpcWrapper::GetData(buf, size, data)) {
357 free(buf);
358 buf = nullptr;
359 }
360 }
361
ReadBatchUriByRawDataFuzzTest(const uint8_t * data,size_t size)362 void ReadBatchUriByRawDataFuzzTest(const uint8_t *data, size_t size)
363 {
364 MessageParcel datas;
365 std::vector<std::string> uriVec;
366
367 datas.WriteInt32(0);
368 IpcWrapper::ReadBatchUriByRawData(datas, uriVec);
369
370 datas.WriteInt32(1);
371 datas.WriteBuffer(data, size);
372 datas.RewindRead(0);
373
374 IpcWrapper::ReadBatchUriByRawData(datas, uriVec);
375 }
376
ReadBatchUrisFuzzTest(const uint8_t * data,size_t size)377 void ReadBatchUrisFuzzTest(const uint8_t *data, size_t size)
378 {
379 MessageParcel datas;
380 std::vector<std::string> uriVec;
381
382 datas.WriteUint32(0);
383 IpcWrapper::ReadBatchUris(datas, uriVec);
384
385 datas.WriteUint32(1);
386 datas.WriteBuffer(data, size);
387 datas.RewindRead(0);
388
389 IpcWrapper::ReadBatchUris(datas, uriVec);
390 }
391
SetAccessTokenPermission()392 void SetAccessTokenPermission()
393 {
394 uint64_t tokenId;
395 const char *perms[1];
396 perms[0] = "ohos.permission.DISTRIBUTED_DATASYNC";
397
398 NativeTokenInfoParams infoInstance = {
399 .dcapsNum = 0,
400 .permsNum = 1,
401 .aclsNum = 0,
402 .dcaps = nullptr,
403 .perms = perms,
404 .acls = nullptr,
405 .processName = "distributdFileDaemonstubFuzzer",
406 .aplStr = "system_basic",
407 };
408 tokenId = GetAccessTokenId(&infoInstance);
409 if (tokenId == 0) {
410 LOGE("Get Acess Token Id Failed");
411 return;
412 }
413 int ret = SetSelfTokenID(tokenId);
414 if (ret != 0) {
415 LOGE("Set Acess Token Id Failed");
416 return;
417 }
418 ret = Security::AccessToken::AccessTokenKit::ReloadNativeTokenInfo();
419 if (ret < 0) {
420 LOGE("Reload Native Token Info Failed");
421 return;
422 }
423 }
424 } // namespace OHOS
425
426 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)427 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
428 {
429 /* Run your code on data */
430 OHOS::SetAccessTokenPermission();
431 auto daemonStubPtr = std::make_shared<OHOS::DaemonStubImpl>();
432 OHOS::HandleOpenP2PConnectionFuzzTest(daemonStubPtr, data, size);
433 OHOS::HandleCloseP2PConnectionFuzzTest(daemonStubPtr, data, size);
434 OHOS::HandlePrepareSessionFuzzTest(daemonStubPtr, data, size);
435 OHOS::HandleRequestSendFileFuzzTest(daemonStubPtr, data, size);
436 OHOS::HandleOpenP2PConnectionExFuzzTest(daemonStubPtr, data, size);
437 OHOS::HandleCloseP2PConnectionExFuzzTest(daemonStubPtr, data, size);
438 OHOS::HandleCancelCopyTaskFuzzTest(daemonStubPtr, data, size);
439 OHOS::HandleGetRemoteCopyInfoFuzzTest(daemonStubPtr, data, size);
440 OHOS::HandlePushAssetFuzzTest(daemonStubPtr, data, size);
441 OHOS::HandleRegisterRecvCallbackFuzzTest(daemonStubPtr, data, size);
442 OHOS::HandleUnRegisterRecvCallbackFuzzTest(daemonStubPtr, data, size);
443 OHOS::HandleGetDfsUrisDirFromLocalFuzzTest(daemonStubPtr, data, size);
444 OHOS::HandleInnerCancelCopyTaskFuzzTest(daemonStubPtr, data, size);
445
446 OHOS::WriteUriByRawDataFuzzTest(data, size);
447 OHOS::ReadBatchUriByRawDataFuzzTest(data, size);
448 OHOS::ReadBatchUrisFuzzTest(data, size);
449 return 0;
450 }
451