1 /*
2 * Copyright (c) 2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "samgrcoverage_fuzzer.h"
17
18 #define private public
19 #include <fuzzer/FuzzedDataProvider.h>
20 #include "if_system_ability_manager.h"
21 #include "itest_transaction_service.h"
22 #include "sa_status_change_mock.h"
23 #include "sam_mock_permission.h"
24 #include "ability_death_recipient.h"
25 #include "system_ability_manager.h"
26 #include "iservice_registry.h"
27 #include "hisysevent_adapter.h"
28 #include "system_ability_manager_util.h"
29
30 #include <cinttypes>
31 #include <cstddef>
32 #include <cstdint>
33 #include <unistd.h>
34 #include <cstdlib>
35 #include <fcntl.h>
36
37 namespace OHOS {
38 namespace Samgr {
39 namespace {
40 constexpr size_t THRESHOLD = 10;
41 constexpr int32_t SAID = 1493;
42 constexpr int32_t ADD_SA_TRANSACTION = 3;
43 constexpr int32_t REMOVE_SA_TRANSACTION = 4;
44 constexpr int32_t MAX_STRING_LENGTH = 30;
45 }
46
FuzzOndemandLoad(const uint8_t * data,size_t size)47 void FuzzOndemandLoad(const uint8_t* data, size_t size)
48 {
49 sptr<SystemAbilityManager> saMgr = new SystemAbilityManager;
50 if (saMgr == nullptr) {
51 return;
52 }
53 FuzzedDataProvider fdp(data, size);
54 int32_t saId = fdp.ConsumeIntegral<int32_t>();
55 std::string procName = fdp.ConsumeRandomLengthString(MAX_STRING_LENGTH);
56 std::u16string procNameU16 = Str8ToStr16(procName);
57 SystemAbilityManager::AbilityItem abilityItem;
58 ISystemAbilityManager::SAExtraProp saExtraProp;
59 bool isExist = false;
60 saMgr->AddSamgrToAbilityMap();
61 saMgr->OndemandLoad();
62 saMgr->DoLoadForPerf();
63 saMgr->RemoveWhiteCommonEvent();
64 OnDemandEvent onDemandEvent;
65 SaControlInfo saControlInfo;
66 std::list<SaControlInfo> saControlList;
67 saControlList.emplace_back(saControlInfo);
68 saMgr->ProcessOnDemandEvent(onDemandEvent, saControlList);
69 saMgr->GetSystemAbilityFromRemote(saId);
70 saMgr->startingAbilityMap_[saId] = abilityItem;
71 saMgr->StartOnDemandAbility(procNameU16, saId);
72 saMgr->startingAbilityMap_.clear();
73 saMgr->StopOnDemandAbility(procNameU16, saId, onDemandEvent);
74 saMgr->AddOnDemandSystemAbilityInfo(saId, procNameU16);
75 saMgr->StartOnDemandAbility(saId, isExist);
76
77 sptr<IRemoteObject> testAbility = new TestTransactionService();
78 saMgr->AddSystemAbility(SAID, testAbility, saExtraProp);
79 nlohmann::json reason;
80 int32_t delayTime = 0;
81 saMgr->IdleSystemAbility(SAID, procNameU16, reason, delayTime);
82 saMgr->ActiveSystemAbility(SAID, procNameU16, reason);
83 saMgr->RemoveSystemAbility(SAID);
84 saMgr->AddSystemAbility(SAID, testAbility, saExtraProp);
85 saMgr->RemoveDiedSystemAbility(SAID);
86 saMgr->AddSystemAbility(SAID, testAbility, saExtraProp);
87 saMgr->RemoveSystemAbility(testAbility);
88 }
89
FuzzRemoveSystemProcess(const uint8_t * data,size_t size)90 void FuzzRemoveSystemProcess(const uint8_t* data, size_t size)
91 {
92 sptr<SystemAbilityManager> saMgr = new SystemAbilityManager;
93 if (saMgr == nullptr) {
94 return;
95 }
96 FuzzedDataProvider fdp(data, size);
97 std::string procName = fdp.ConsumeRandomLengthString(MAX_STRING_LENGTH);
98 std::u16string procNameU16 = Str8ToStr16(procName);
99 sptr<IRemoteObject> testAbility(new SaStatusChangeMock());
100 saMgr->AddSystemProcess(procNameU16, testAbility);
101 saMgr->RemoveSystemProcess(testAbility);
102
103 sptr<SaStatusChangeMock> callback(new SaStatusChangeMock());
104 saMgr->listenerMap_[SAID].push_back({callback, SAID});
105 auto& count = saMgr->subscribeCountMap_[SAID];
106 ++count;
107 saMgr->UnSubscribeSystemAbility(callback->AsObject());
108
109 std::u16string name = u"test";
110 std::string srcDeviceId = "srcDeviceId";
111 saMgr->startingProcessMap_.clear();
112 sptr<SystemAbilityLoadCallbackMock> callbackOne = new SystemAbilityLoadCallbackMock();
113 SystemAbilityManager::AbilityItem abilityItem;
114 abilityItem.callbackMap[srcDeviceId].push_back(std::make_pair(callbackOne, SAID));
115 saMgr->startingAbilityMap_[SAID] = abilityItem;
116 saMgr->CleanCallbackForLoadFailed(SAID, name, srcDeviceId, callbackOne);
117 }
118
FuzzNotifySystemAbilityLoaded(const uint8_t * data,size_t size)119 void FuzzNotifySystemAbilityLoaded(const uint8_t* data, size_t size)
120 {
121 sptr<SystemAbilityManager> saMgr = new SystemAbilityManager;
122 if (saMgr == nullptr) {
123 return;
124 }
125 sptr<SystemAbilityLoadCallbackMock> callback = new SystemAbilityLoadCallbackMock();
126 sptr<IRemoteObject> remoteObject = new TestTransactionService();
127 saMgr->NotifySystemAbilityLoaded(SAID, remoteObject, callback);
128 std::string srcDeviceId = "srcDeviceId";
129 FuzzedDataProvider fdp(data, size);
130 int32_t systemAbilityId = fdp.ConsumeIntegral<int32_t>();
131 saMgr->LoadSystemAbilityFromRpc(srcDeviceId, systemAbilityId, callback);
132 saMgr->CheckSaIsImmediatelyRecycle(systemAbilityId);
133
134 saMgr->startingAbilityMap_.clear();
135 sptr<ISystemAbilityLoadCallback> mockLoadCallback1 = new SystemAbilityLoadCallbackMock();
136 std::map<std::string, SystemAbilityManager::CallbackList> mockCallbackMap1 = {
137 {"111111", {{mockLoadCallback1, 0}}}
138 };
139 SystemAbilityManager::AbilityItem mockAbilityItem1 = {
140 SystemAbilityManager::AbilityState::INIT, mockCallbackMap1
141 };
142 saMgr->startingAbilityMap_[SAID] = mockAbilityItem1;
143 saMgr->OnAbilityCallbackDied(mockLoadCallback1->AsObject());
144
145 saMgr->remoteCallbacks_.clear();
146 sptr<ISystemAbilityLoadCallback> mockLoadCallback2 = new SystemAbilityLoadCallbackMock();
147 saMgr->remoteCallbacks_ = {
148 {"11111", {mockLoadCallback2}}
149 };
150 saMgr->OnRemoteCallbackDied(mockLoadCallback2->AsObject());
151
152 sptr<SystemAbilityLoadCallbackMock> callback2 = new SystemAbilityLoadCallbackMock();
153 std::list<sptr<ISystemAbilityLoadCallback>> callbacks;
154 callbacks.push_back(callback2);
155 saMgr->remoteCallbackDeath_ = sptr<IRemoteObject::DeathRecipient>(new RemoteCallbackDeathRecipient());
156 saMgr->RemoveRemoteCallbackLocked(callbacks, callback2);
157 }
158
FuzzGetAllOndemandSa(const uint8_t * data,size_t size)159 void FuzzGetAllOndemandSa(const uint8_t* data, size_t size)
160 {
161 sptr<SystemAbilityManager> saMgr = new SystemAbilityManager;
162 if (saMgr == nullptr) {
163 return;
164 }
165 FuzzedDataProvider fdp(data, size);
166 int32_t saId = fdp.ConsumeIntegral<int32_t>();
167 CommonSaProfile saProfile;
168 saMgr->saProfileMap_[saId] = saProfile;
169 saMgr->GetAllOndemandSa();
170 saMgr->saProfileMap_.erase(saId);
171 }
172
FuzzReportGetSAPeriodically(const uint8_t * data,size_t size)173 void FuzzReportGetSAPeriodically(const uint8_t* data, size_t size)
174 {
175 sptr<SystemAbilityManager> saMgr = new SystemAbilityManager;
176 if (saMgr == nullptr) {
177 return;
178 }
179 FuzzedDataProvider fdp(data, size);
180 int32_t saId = fdp.ConsumeIntegral<int32_t>();
181 int32_t uid = fdp.ConsumeIntegral<int32_t>();
182 uint64_t key = SamgrUtil::GenerateFreKey(uid, saId);
183 saMgr->saFrequencyMap_[key] = fdp.ConsumeIntegral<int32_t>();
184 saMgr->ReportGetSAPeriodically();
185 }
186
FuzzNotifySystemAbilityChanged(const uint8_t * data,size_t size)187 void FuzzNotifySystemAbilityChanged(const uint8_t* data, size_t size)
188 {
189 sptr<SystemAbilityManager> saMgr = new SystemAbilityManager;
190 if (saMgr == nullptr) {
191 return;
192 }
193 sptr<SaStatusChangeMock> testAbility(new SaStatusChangeMock());
194 FuzzedDataProvider fdp(data, size);
195 int32_t saId = fdp.ConsumeIntegral<int32_t>();
196 saMgr->NotifySystemAbilityChanged(saId, "deviceId", 1, nullptr);
197 saMgr->NotifySystemAbilityChanged(saId, "deviceId", ADD_SA_TRANSACTION, testAbility);
198 saMgr->NotifySystemAbilityChanged(saId, "deviceId", REMOVE_SA_TRANSACTION, testAbility);
199 }
200
FuzzRemoveOnDemandSaInDiedProc(const uint8_t * data,size_t size)201 void FuzzRemoveOnDemandSaInDiedProc(const uint8_t* data, size_t size)
202 {
203 sptr<SystemAbilityManager> saMgr = new SystemAbilityManager;
204 if (saMgr == nullptr) {
205 return;
206 }
207 FuzzedDataProvider fdp(data, size);
208 int32_t saId = fdp.ConsumeIntegral<int32_t>();
209 auto processContext = std::make_shared<SystemProcessContext>();
210 processContext->saList.push_back(saId);
211 saMgr->RemoveOnDemandSaInDiedProc(processContext);
212 }
213
FuzzDoLoadOnDemandAbility(const uint8_t * data,size_t size)214 void FuzzDoLoadOnDemandAbility(const uint8_t* data, size_t size)
215 {
216 sptr<SystemAbilityManager> saMgr = new SystemAbilityManager;
217 if (saMgr == nullptr) {
218 return;
219 }
220 FuzzedDataProvider fdp(data, size);
221 int32_t saId = fdp.ConsumeIntegral<int32_t>();
222 bool isExist = false;
223 saMgr->DoLoadOnDemandAbility(saId, isExist);
224 }
225
FuzzNotifySystemAbilityAddedByAsync(const uint8_t * data,size_t size)226 void FuzzNotifySystemAbilityAddedByAsync(const uint8_t* data, size_t size)
227 {
228 sptr<SystemAbilityManager> saMgr = new SystemAbilityManager;
229 if (saMgr == nullptr) {
230 return;
231 }
232 FuzzedDataProvider fdp(data, size);
233 int32_t saId = fdp.ConsumeIntegral<int32_t>();
234 sptr<ISystemAbilityStatusChange> listener;
235 saMgr->NotifySystemAbilityAddedByAsync(saId, listener);
236 }
237
FuzzSendLoadedSystemAbilityMsg(const uint8_t * data,size_t size)238 void FuzzSendLoadedSystemAbilityMsg(const uint8_t* data, size_t size)
239 {
240 sptr<SystemAbilityManager> saMgr = new SystemAbilityManager;
241 if (saMgr == nullptr) {
242 return;
243 }
244 FuzzedDataProvider fdp(data, size);
245 int32_t saId = fdp.ConsumeIntegral<int32_t>();
246 sptr<IRemoteObject> testAbility(nullptr);
247 sptr<SystemAbilityLoadCallbackMock> callback = new SystemAbilityLoadCallbackMock();
248 saMgr->SendLoadedSystemAbilityMsg(saId, testAbility, callback);
249 }
250
FuzzNotifySystemAbilityLoadFail(const uint8_t * data,size_t size)251 void FuzzNotifySystemAbilityLoadFail(const uint8_t* data, size_t size)
252 {
253 sptr<SystemAbilityManager> saMgr = new SystemAbilityManager;
254 if (saMgr == nullptr) {
255 return;
256 }
257 FuzzedDataProvider fdp(data, size);
258 int32_t saId = fdp.ConsumeIntegral<int32_t>();
259 sptr<SystemAbilityLoadCallbackMock> callback = new SystemAbilityLoadCallbackMock();
260 saMgr->NotifySystemAbilityLoadFail(saId, callback);
261 }
262
FuzzStartingSystemProcessLocked(const uint8_t * data,size_t size)263 void FuzzStartingSystemProcessLocked(const uint8_t* data, size_t size)
264 {
265 sptr<SystemAbilityManager> saMgr = new SystemAbilityManager;
266 if (saMgr == nullptr) {
267 return;
268 }
269 FuzzedDataProvider fdp(data, size);
270 int32_t saId = fdp.ConsumeIntegral<int32_t>();
271 OnDemandEvent event;
272 saMgr->StartingSystemProcessLocked(u"procName", saId, event);
273 }
274
FuzzDoLoadSystemAbilityFromRpc(const uint8_t * data,size_t size)275 void FuzzDoLoadSystemAbilityFromRpc(const uint8_t* data, size_t size)
276 {
277 sptr<SystemAbilityManager> saMgr = new SystemAbilityManager;
278 if (saMgr == nullptr) {
279 return;
280 }
281 FuzzedDataProvider fdp(data, size);
282 int32_t saId = fdp.ConsumeIntegral<int32_t>();
283 sptr<ISystemAbilityLoadCallback> callback = new SystemAbilityLoadCallbackMock();
284 OnDemandEvent event;
285 saMgr->DoLoadSystemAbilityFromRpc("srcDeviceId", saId, u"procName", callback, event);
286 }
287
FuzzDoUnloadSystemAbility(const uint8_t * data,size_t size)288 void FuzzDoUnloadSystemAbility(const uint8_t* data, size_t size)
289 {
290 sptr<SystemAbilityManager> saMgr = new SystemAbilityManager;
291 if (saMgr == nullptr) {
292 return;
293 }
294 FuzzedDataProvider fdp(data, size);
295 int32_t saId = fdp.ConsumeIntegral<int32_t>();
296 OnDemandEvent event;
297 saMgr->DoUnloadSystemAbility(saId, u"procName", event);
298 }
299
FuzzNotifyRpcLoadCompleted(const uint8_t * data,size_t size)300 void FuzzNotifyRpcLoadCompleted(const uint8_t* data, size_t size)
301 {
302 sptr<SystemAbilityManager> saMgr = new SystemAbilityManager;
303 if (saMgr == nullptr) {
304 return;
305 }
306 FuzzedDataProvider fdp(data, size);
307 int32_t saId = fdp.ConsumeIntegral<int32_t>();
308 sptr<IRemoteObject> testAbility(nullptr);
309 saMgr->NotifyRpcLoadCompleted("srcDeviceId", saId, testAbility);
310 }
311 }
312 }
313
314 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)315 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
316 {
317 if (size < OHOS::Samgr::THRESHOLD) {
318 return 0;
319 }
320 OHOS::Samgr::FuzzOndemandLoad(data, size);
321 OHOS::Samgr::FuzzRemoveSystemProcess(data, size);
322 OHOS::Samgr::FuzzNotifySystemAbilityLoaded(data, size);
323 OHOS::Samgr::FuzzGetAllOndemandSa(data, size);
324 OHOS::Samgr::FuzzReportGetSAPeriodically(data, size);
325 OHOS::Samgr::FuzzNotifySystemAbilityChanged(data, size);
326 OHOS::Samgr::FuzzRemoveOnDemandSaInDiedProc(data, size);
327 OHOS::Samgr::FuzzDoLoadOnDemandAbility(data, size);
328 OHOS::Samgr::FuzzNotifySystemAbilityAddedByAsync(data, size);
329 OHOS::Samgr::FuzzSendLoadedSystemAbilityMsg(data, size);
330 OHOS::Samgr::FuzzNotifySystemAbilityLoadFail(data, size);
331 OHOS::Samgr::FuzzStartingSystemProcessLocked(data, size);
332 OHOS::Samgr::FuzzDoLoadSystemAbilityFromRpc(data, size);
333 OHOS::Samgr::FuzzDoUnloadSystemAbility(data, size);
334 OHOS::Samgr::FuzzNotifyRpcLoadCompleted(data, size);
335 return 0;
336 }
337
338