1 /*
2 * Copyright (c) 2022 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "locator_fuzzer.h"
17
18 #include "accesstoken_kit.h"
19 #include "if_system_ability_manager.h"
20 #include "iservice_registry.h"
21 #include "message_option.h"
22 #include "message_parcel.h"
23 #include "nativetoken_kit.h"
24 #include "system_ability_definition.h"
25 #include "token_setproc.h"
26
27 #ifdef FEATURE_GNSS_SUPPORT
28 #include "cached_locations_callback_host.h"
29 #endif
30 #include "common_utils.h"
31 #include "constant_definition.h"
32 #include "country_code_callback_host.h"
33 #ifdef FEATURE_GEOCODE_SUPPORT
34 #include "geo_address.h"
35 #include "geo_coding_mock_info.h"
36 #endif
37 #ifdef FEATURE_GNSS_SUPPORT
38 #include "gnss_status_callback_host.h"
39 #endif
40 #include "i_locator_callback.h"
41 #include "location.h"
42 #include "location_switch_callback_host.h"
43 #include "locator_callback_host.h"
44 #include "location_log.h"
45 #ifdef FEATURE_GNSS_SUPPORT
46 #include "nmea_message_callback_host.h"
47 #endif
48 #include "request_config.h"
49 #ifdef FEATURE_GNSS_SUPPORT
50 #include "satellite_status.h"
51 #endif
52
53 namespace OHOS {
54 using namespace OHOS::Location;
55 auto locatorCallbackHostForTest_ =
56 sptr<LocatorCallbackHost>(new (std::nothrow) LocatorCallbackHost());
57 bool g_isGrant = false;
58 const int32_t MAX_CODE_LEN = 512;
59 const int32_t MAX_CODE_NUM = 40;
60 const int32_t MIN_SIZE_NUM = 10;
61 const int32_t SWITCH_STATE_ON = 1;
62 const int32_t WAIT_TIME_SEC = 1000;
63 const int32_t COUNT = 10;
64
LocatorProxySendRequestTest(const uint8_t * data,size_t size)65 bool LocatorProxySendRequestTest(const uint8_t* data, size_t size)
66 {
67 if ((data == nullptr) || (size > MAX_CODE_LEN)) {
68 LBSLOGE(LOCATOR, "param error");
69 return false;
70 }
71 sptr<ISystemAbilityManager> systemAbilityManager =
72 SystemAbilityManagerClient::GetInstance().GetSystemAbilityManager();
73 if (systemAbilityManager == nullptr) {
74 LBSLOGE(LOCATOR, "systemAbilityManager is nullptr");
75 return false;
76 }
77 sptr<IRemoteObject> object = systemAbilityManager->GetSystemAbility(LOCATION_LOCATOR_SA_ID);
78 auto client = std::make_unique<LocatorProxyTestFuzzer>(object);
79 if (client == nullptr) {
80 LBSLOGE(LOCATOR, "client is nullptr");
81 return false;
82 }
83 MessageParcel request;
84 if (!request.WriteInterfaceToken(client->GetDescriptor())) {
85 LBSLOGE(LOCATOR, "cannot write interface token");
86 return false;
87 }
88 MessageParcel reply;
89 MessageOption option;
90 sptr<IRemoteObject> remote = client->GetRemote();
91 if (remote == nullptr) {
92 LBSLOGE(LOCATOR, "cannot get remote object");
93 return false;
94 }
95 int index = 0;
96 int32_t result = remote->SendRequest(data[index++] % MAX_CODE_NUM, request, reply, option);
97 return result == SUCCESS;
98 }
99
AddPermission()100 void AddPermission()
101 {
102 if (!g_isGrant) {
103 const char *perms[] = {
104 ACCESS_LOCATION.c_str(), ACCESS_APPROXIMATELY_LOCATION.c_str(),
105 ACCESS_BACKGROUND_LOCATION.c_str(), MANAGE_SECURE_SETTINGS.c_str(),
106 };
107 NativeTokenInfoParams infoInstance = {
108 .dcapsNum = 0,
109 .permsNum = 4,
110 .aclsNum = 0,
111 .dcaps = nullptr,
112 .perms = perms,
113 .acls = nullptr,
114 .processName = "LocatorFuzzer",
115 .aplStr = "system_basic",
116 };
117 uint64_t tokenId = GetAccessTokenId(&infoInstance);
118 SetSelfTokenID(tokenId);
119 Security::AccessToken::AccessTokenKit::ReloadNativeTokenInfo();
120 g_isGrant = true;
121 }
122 }
123
124 #ifdef FEATURE_GNSS_SUPPORT
CachedLocationsCallbackHostFuzzerTest(const uint8_t * data,size_t size)125 bool CachedLocationsCallbackHostFuzzerTest(const uint8_t* data, size_t size)
126 {
127 int index = 0;
128 auto cachedCallbackHost =
129 sptr<CachedLocationsCallbackHost>(new (std::nothrow) CachedLocationsCallbackHost());
130 MessageParcel request;
131 MessageParcel reply;
132 MessageOption option;
133 cachedCallbackHost->OnRemoteRequest(data[index++], request, reply, option);
134 cachedCallbackHost->IsRemoteDied();
135
136 std::vector<std::shared_ptr<OHOS::Location::Location>> locationsForSend;
137 cachedCallbackHost->Send(locationsForSend);
138 std::vector<std::unique_ptr<OHOS::Location::Location>> locationsForReport;
139 cachedCallbackHost->OnCacheLocationsReport(locationsForReport);
140 cachedCallbackHost->DeleteHandler();
141 return true;
142 }
143 #endif
144
CountryCodeCallbackHostFuzzerTest(const uint8_t * data,size_t size)145 bool CountryCodeCallbackHostFuzzerTest(const uint8_t* data, size_t size)
146 {
147 int index = 0;
148 auto callbackHost =
149 sptr<CountryCodeCallbackHost>(new (std::nothrow) CountryCodeCallbackHost());
150 MessageParcel request;
151 MessageParcel reply;
152 MessageOption option;
153 callbackHost->OnRemoteRequest(data[index++], request, reply, option);
154
155 auto countryCodePtr = CountryCode::Unmarshalling(request);
156 callbackHost->Send(countryCodePtr);
157 callbackHost->SetEnv(nullptr);
158 callbackHost->SetCallback(nullptr);
159 callbackHost->OnCountryCodeChange(countryCodePtr);
160 callbackHost->DeleteHandler();
161 return true;
162 }
163
164 #ifdef FEATURE_GNSS_SUPPORT
GnssStatusCallbackHostFuzzerTest(const uint8_t * data,size_t size)165 bool GnssStatusCallbackHostFuzzerTest(const uint8_t* data, size_t size)
166 {
167 int index = 0;
168 auto gnssCallbackHost =
169 sptr<GnssStatusCallbackHost>(new (std::nothrow) GnssStatusCallbackHost());
170 MessageParcel request;
171 MessageParcel reply;
172 MessageOption option;
173 gnssCallbackHost->OnRemoteRequest(data[index++], request, reply, option);
174 gnssCallbackHost->IsRemoteDied();
175 std::unique_ptr<SatelliteStatus> statusInfo = nullptr;
176 gnssCallbackHost->Send(statusInfo);
177
178 gnssCallbackHost->OnStatusChange(statusInfo);
179 gnssCallbackHost->DeleteHandler();
180 return true;
181 }
182 #endif
183
LocationSwitchCallbackHostFuzzerTest(const uint8_t * data,size_t size)184 bool LocationSwitchCallbackHostFuzzerTest(const uint8_t* data, size_t size)
185 {
186 int index = 0;
187 auto switchCallbackHost =
188 sptr<LocationSwitchCallbackHost>(new (std::nothrow) LocationSwitchCallbackHost());
189 MessageParcel request;
190 MessageParcel reply;
191 MessageOption option;
192 switchCallbackHost->OnRemoteRequest(data[index++], request, reply, option);
193 switchCallbackHost->IsRemoteDied();
194 switchCallbackHost->PackResult(true);
195 switchCallbackHost->Send(SWITCH_STATE_ON);
196
197 switchCallbackHost->OnSwitchChange(SWITCH_STATE_ON);
198 switchCallbackHost->DeleteHandler();
199 return true;
200 }
201
LocationCallbackHostFuzzerTest(const uint8_t * data,size_t size)202 bool LocationCallbackHostFuzzerTest(const uint8_t* data, size_t size)
203 {
204 int index = 0;
205 auto callbackHost =
206 sptr<LocatorCallbackHost>(new (std::nothrow) LocatorCallbackHost());
207 MessageParcel request;
208 MessageParcel reply;
209 MessageOption option;
210 callbackHost->OnRemoteRequest(data[index++], request, reply, option);
211 callbackHost->OnErrorReport(SUCCESS);
212 std::unique_ptr<OHOS::Location::Location> location =
213 std::make_unique<OHOS::Location::Location>();
214 callbackHost->OnLocationReport(location);
215 callbackHost->OnLocatingStatusChange(SWITCH_STATE_ON);
216
217 callbackHost->DeleteAllCallbacks();
218 callbackHost->IsSystemGeoLocationApi();
219 callbackHost->IsSingleLocationRequest();
220 callbackHost->CountDown();
221 callbackHost->Wait(data[index++] % WAIT_TIME_SEC);
222 callbackHost->SetCount(data[index++] % COUNT);
223 callbackHost->GetCount();
224 return true;
225 }
226
227 #ifdef FEATURE_GNSS_SUPPORT
NmeaMessageCallbackHostFuzzerTest(const uint8_t * data,size_t size)228 bool NmeaMessageCallbackHostFuzzerTest(const uint8_t* data, size_t size)
229 {
230 int index = 0;
231 auto nmeaCallbackHost =
232 sptr<NmeaMessageCallbackHost>(new (std::nothrow) NmeaMessageCallbackHost());
233 MessageParcel request;
234 MessageParcel reply;
235 MessageOption option;
236 nmeaCallbackHost->OnRemoteRequest(data[index++], request, reply, option);
237 nmeaCallbackHost->IsRemoteDied();
238 std::string msg(reinterpret_cast<const char*>(data), size);
239 nmeaCallbackHost->PackResult(msg);
240 nmeaCallbackHost->Send(msg);
241 int64_t timestamp = 0;
242 nmeaCallbackHost->OnMessageChange(timestamp, msg);
243 nmeaCallbackHost->DeleteHandler();
244 return true;
245 }
246 #endif
247 } // namespace OHOS
248
249 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)250 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
251 {
252 if (size < OHOS::MIN_SIZE_NUM) {
253 return 0;
254 }
255 /* Run your code on data */
256 OHOS::AddPermission();
257 OHOS::LocatorProxySendRequestTest(data, size);
258 #ifdef FEATURE_GNSS_SUPPORT
259 OHOS::CachedLocationsCallbackHostFuzzerTest(data, size);
260 #endif
261 OHOS::CountryCodeCallbackHostFuzzerTest(data, size);
262 #ifdef FEATURE_GNSS_SUPPORT
263 OHOS::GnssStatusCallbackHostFuzzerTest(data, size);
264 #endif
265 OHOS::LocationSwitchCallbackHostFuzzerTest(data, size);
266 OHOS::LocationCallbackHostFuzzerTest(data, size);
267 #ifdef FEATURE_GNSS_SUPPORT
268 OHOS::NmeaMessageCallbackHostFuzzerTest(data, size);
269 #endif
270 return 0;
271 }
272
273