1 /*
2 * Copyright (c) 2023 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "systemabilityfwk_fuzzer.h"
17
18 #include <cstddef>
19 #include <cstdint>
20 #include <cstdlib>
21 #include <fcntl.h>
22 #include <unistd.h>
23
24 #define private public
25 #include "string_ex.h"
26 #include "local_ability_manager.h"
27 #include "local_ability_manager_dumper.h"
28 #include "sa_mock_permission.h"
29 #include "mock_sa_realize.h"
30 #include "securec.h"
31 #include "iservice_registry.h"
32
33 namespace OHOS {
34 namespace Samgr {
35 namespace {
36 constexpr size_t THRESHOLD = 10;
37 constexpr uint8_t MAX_CALL_TRANSACTION = 16;
38 constexpr int32_t OFFSET = 4;
39 constexpr int32_t USLEEP_NUM = 200000;
40 constexpr int32_t SHIFT_FIRST = 24;
41 constexpr int32_t SHIFT_SECOND = 16;
42 constexpr int32_t SHIFT_THIRD = 8;
43 constexpr int32_t ZERO_NUM = 0;
44 constexpr int32_t FIRST_NUM = 1;
45 constexpr int32_t SECOND_NUM = 2;
46 constexpr int32_t THIRD_NUM = 3;
47 const std::u16string LOCAL_ABILITY_MANAGER_INTERFACE_TOKEN = u"ohos.localabilitymanager.accessToken";
48 const uint8_t *g_baseFuzzData = nullptr;
49 size_t g_baseFuzzSize = 0;
50 size_t g_baseFuzzPos;
51 }
52
GetData()53 template <class T> T GetData()
54 {
55 T object{};
56 size_t objectSize = sizeof(object);
57 if (g_baseFuzzData == nullptr || objectSize > g_baseFuzzSize - g_baseFuzzPos) {
58 return object;
59 }
60 errno_t ret = memcpy_s(&object, objectSize, g_baseFuzzData + g_baseFuzzPos, objectSize);
61 if (ret != EOK) {
62 return {};
63 }
64 g_baseFuzzPos += objectSize;
65 return object;
66 }
67
BuildStringFromData(const uint8_t * data,size_t size)68 std::string BuildStringFromData(const uint8_t* data, size_t size)
69 {
70 if ((data == nullptr) || (size == 0)) {
71 return "";
72 }
73 std::string strVal(reinterpret_cast<const char *>(data), size);
74 return strVal;
75 }
76
ConvertToUint32(const uint8_t * ptr)77 uint32_t ConvertToUint32(const uint8_t* ptr)
78 {
79 if (ptr == nullptr) {
80 return 0;
81 }
82 return (ptr[ZERO_NUM] << SHIFT_FIRST) | (ptr[FIRST_NUM] << SHIFT_SECOND) |
83 (ptr[SECOND_NUM] << SHIFT_THIRD) | (ptr[THIRD_NUM]);
84 }
85
InitData(const uint8_t * rawData,size_t size)86 void InitData(const uint8_t* rawData, size_t size)
87 {
88 g_baseFuzzData = rawData;
89 g_baseFuzzSize = size;
90 g_baseFuzzPos = 0;
91 }
92
FuzzListener()93 void FuzzListener()
94 {
95 SaMockPermission::MockPermission();
96 int32_t systemAbilityId = GetData<int32_t>();
97 int32_t listenerSaId = GetData<int32_t>();
98 LocalAbilityManager::GetInstance().NotifyAbilityListener(systemAbilityId, listenerSaId, "test", 1);
99
100 sptr<ISystemAbilityStatusChange> sysListener = new LocalAbilityManager::SystemAbilityListener();
101 sysListener->OnAddSystemAbility(systemAbilityId, "deviceId");
102 sysListener->OnRemoveSystemAbility(systemAbilityId, "deviceId");
103 }
104
FuzzStartTimedQuery()105 void FuzzStartTimedQuery()
106 {
107 SaMockPermission::MockPermission();
108 int32_t systemAbilityId = GetData<int32_t>();
109 LocalAbilityManager::GetInstance().StartTimedQuery();
110 LocalAbilityManager::GetInstance().IdentifyUnusedOndemand();
111 LocalAbilityManager::GetInstance().IdentifyUnusedResident();
112 LocalAbilityManager::GetInstance().NoNeedCheckUnused(systemAbilityId);
113 int32_t timeout = GetData<int32_t>();
114 LocalAbilityManager::GetInstance().LimitUnusedTimeout(systemAbilityId, timeout);
115 LocalAbilityManager::GetInstance().unusedCfgMap_.erase(systemAbilityId);
116 }
117
FuzzPhaseTasks()118 void FuzzPhaseTasks()
119 {
120 SaMockPermission::MockPermission();
121 int32_t systemAbilityId = GetData<int32_t>();
122 LocalAbilityManager::GetInstance().FindAndStartPhaseTasks(systemAbilityId);
123 std::list<SystemAbility*> systemAbilityList;
124 LocalAbilityManager::GetInstance().StartPhaseTasks(systemAbilityList);
125 systemAbilityList.push_back(nullptr);
126 LocalAbilityManager::GetInstance().StartPhaseTasks(systemAbilityList);
127 LocalAbilityManager::GetInstance().WaitForTasks();
128 }
129
FuzzSendStrategyToSA(const uint8_t * rawData,size_t size)130 void FuzzSendStrategyToSA(const uint8_t* rawData, size_t size)
131 {
132 SaMockPermission::MockPermission();
133 int32_t type = GetData<int32_t>();
134 int32_t systemAbilityId = GetData<int32_t>();
135 int32_t level = GetData<int32_t>();
136 std::string action = BuildStringFromData(rawData, size);
137 LocalAbilityManager::GetInstance().SendStrategyToSA(type, systemAbilityId, level, action);
138 }
139
FuzzSystemAbilityExtProc(const uint8_t * rawData,size_t size)140 void FuzzSystemAbilityExtProc(const uint8_t* rawData, size_t size)
141 {
142 SaMockPermission::MockPermission();
143 int32_t systemAbilityId = GetData<int32_t>();
144 SystemAbilityExtensionPara callback;
145 std::string extension = BuildStringFromData(rawData, size);
146 LocalAbilityManager::GetInstance().SystemAbilityExtProc(extension, systemAbilityId, &callback);
147 }
148
FuzzGetSaLastRequestTime()149 void FuzzGetSaLastRequestTime()
150 {
151 SaMockPermission::MockPermission();
152 int32_t systemAbilityId = GetData<int32_t>();
153 uint64_t lastRequestTime = 0;
154 LocalAbilityManager::GetInstance().GetSaLastRequestTime(systemAbilityId, lastRequestTime);
155 }
156
FuzzLocalAbilityManager(const uint8_t * rawData,size_t size)157 void FuzzLocalAbilityManager(const uint8_t* rawData, size_t size)
158 {
159 SaMockPermission::MockPermission();
160 int32_t systemAbilityId = GetData<int32_t>();
161 int32_t listenSaId = GetData<int32_t>();
162 int32_t dependSaId = GetData<int32_t>();
163 std::vector<int32_t> dependSas = {dependSaId};
164 std::string strVal = BuildStringFromData(rawData, size);
165 std::string profilePath = strVal;
166 std::string procName = strVal;
167 std::string eventStr = strVal;
168 SaProfile saProfile = {Str8ToStr16(procName), systemAbilityId};
169 std::list<SaProfile> saInfos = {saProfile};
170
171 MockSaRealize *ability = new MockSaRealize(systemAbilityId, false);
172 LocalAbilityManager::GetInstance().AddAbility(ability);
173 LocalAbilityManager::GetInstance().DoStartSAProcess(profilePath, systemAbilityId);
174 LocalAbilityManager::GetInstance().GetTraceTag(profilePath);
175 LocalAbilityManager::GetInstance().InitializeSaProfiles(systemAbilityId);
176 LocalAbilityManager::GetInstance().CheckTrustSa(profilePath, procName, saInfos);
177 LocalAbilityManager::GetInstance().RemoveAbility(systemAbilityId);
178 LocalAbilityManager::GetInstance().GetRunningStatus(systemAbilityId);
179
180 LocalAbilityManager::GetInstance().AddSystemAbilityListener(systemAbilityId, listenSaId);
181 LocalAbilityManager::GetInstance().RemoveSystemAbilityListener(systemAbilityId, listenSaId);
182 LocalAbilityManager::GetInstance().CheckDependencyStatus(dependSas);
183 LocalAbilityManager::GetInstance().StartSystemAbilityTask(ability);
184 LocalAbilityManager::GetInstance().CheckSystemAbilityManagerReady();
185 LocalAbilityManager::GetInstance().InitSystemAbilityProfiles(profilePath, systemAbilityId);
186 LocalAbilityManager::GetInstance().ClearResource();
187 LocalAbilityManager::GetInstance().StartOndemandSystemAbility(systemAbilityId);
188 LocalAbilityManager::GetInstance().StopOndemandSystemAbility(systemAbilityId);
189
190 LocalAbilityManager::GetInstance().GetStartReason(systemAbilityId);
191 LocalAbilityManager::GetInstance().GetStopReason(systemAbilityId);
192 LocalAbilityManager::GetInstance().JsonToOnDemandReason(nullptr);
193 LocalAbilityManager::GetInstance().SetStartReason(systemAbilityId, nullptr);
194 LocalAbilityManager::GetInstance().SetStopReason(systemAbilityId, nullptr);
195 LocalAbilityManager::GetInstance().OnStartAbility(systemAbilityId);
196 LocalAbilityManager::GetInstance().OnStopAbility(systemAbilityId);
197 LocalAbilityManager::GetInstance().StartAbility(systemAbilityId, eventStr);
198 LocalAbilityManager::GetInstance().StopAbility(systemAbilityId, eventStr);
199 LocalAbilityManager::GetInstance().InitializeOnDemandSaProfile(systemAbilityId);
200 LocalAbilityManager::GetInstance().InitializeSaProfilesInnerLocked(saProfile);
201 LocalAbilityManager::GetInstance().StartDependSaTask(ability);
202 LocalAbilityManager::GetInstance().RegisterOnDemandSystemAbility(systemAbilityId);
203 LocalAbilityManager::GetInstance().NeedRegisterOnDemand(saProfile, systemAbilityId);
204 LocalAbilityManager::GetInstance().Run(systemAbilityId);
205 LocalAbilityManager::GetInstance().AddLocalAbilityManager();
206 }
207
FuzzIpcStatCmdProc()208 void FuzzIpcStatCmdProc()
209 {
210 SaMockPermission::MockPermission();
211 MessageParcel data;
212 data.WriteInterfaceToken(LOCAL_ABILITY_MANAGER_INTERFACE_TOKEN);
213 int32_t fd = GetData<int32_t>();
214 data.WriteFileDescriptor(fd);
215 int32_t cmd = GetData<int32_t>();
216 data.WriteInt32(cmd);
217 MessageParcel reply;
218 MessageOption option;
219 LocalAbilityManager::GetInstance().OnRemoteRequest(static_cast<uint32_t>(
220 SafwkInterfaceCode::IPC_STAT_CMD_TRANSACTION), data, reply, option);
221 }
222
FuzzSystemAbilityFwk(const uint8_t * rawData,size_t size)223 void FuzzSystemAbilityFwk(const uint8_t* rawData, size_t size)
224 {
225 SaMockPermission::MockPermission();
226 uint32_t code = ConvertToUint32(rawData);
227 rawData = rawData + OFFSET;
228 size = size - OFFSET;
229 MessageParcel data;
230 data.WriteInterfaceToken(LOCAL_ABILITY_MANAGER_INTERFACE_TOKEN);
231 data.WriteBuffer(rawData, size);
232 data.RewindRead(0);
233 MessageParcel reply;
234 MessageOption option;
235 LocalAbilityManager::GetInstance().OnRemoteRequest(code % MAX_CALL_TRANSACTION, data, reply, option);
236 usleep(USLEEP_NUM);
237 }
238
FuzzFfrtStatCmdProc()239 void FuzzFfrtStatCmdProc()
240 {
241 SaMockPermission::MockPermission();
242 MessageParcel data;
243 data.WriteInterfaceToken(LOCAL_ABILITY_MANAGER_INTERFACE_TOKEN);
244 int32_t fd = 0;
245 data.WriteFileDescriptor(fd);
246 int32_t cmd = GetData<int32_t>();
247 data.WriteInt32(cmd);
248 MessageParcel reply;
249 MessageOption option;
250 LocalAbilityManager::GetInstance().OnRemoteRequest(static_cast<uint32_t>(
251 SafwkInterfaceCode::FFRT_STAT_CMD_TRANSACTION), data, reply, option);
252
253 LocalAbilityManager::GetInstance().FfrtStatCmdProc(fd, FFRT_STAT_CMD_START);
254 LocalAbilityManagerDumper::ClearFfrtStatistics();
255 LocalAbilityManager::GetInstance().FfrtStatCmdProc(fd, FFRT_STAT_CMD_START);
256 LocalAbilityManager::GetInstance().FfrtStatCmdProc(fd, FFRT_STAT_CMD_STOP);
257 LocalAbilityManager::GetInstance().FfrtStatCmdProc(fd, FFRT_STAT_CMD_GET);
258 }
259 }
260 }
261
262 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)263 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
264 {
265 if (size < OHOS::Samgr::THRESHOLD) {
266 return 0;
267 }
268 OHOS::Samgr::InitData(data, size);
269 OHOS::Samgr::FuzzListener();
270 OHOS::Samgr::FuzzStartTimedQuery();
271 OHOS::Samgr::FuzzPhaseTasks();
272 OHOS::Samgr::FuzzGetSaLastRequestTime();
273 OHOS::Samgr::FuzzIpcStatCmdProc();
274 OHOS::Samgr::FuzzFfrtStatCmdProc();
275 OHOS::Samgr::FuzzSystemAbilityFwk(data, size);
276 OHOS::Samgr::FuzzSendStrategyToSA(data, size);
277 OHOS::Samgr::FuzzSystemAbilityExtProc(data, size);
278 OHOS::Samgr::FuzzLocalAbilityManager(data, size);
279 return 0;
280 }
281
282