1 /*
2 * Copyright (c) 2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "unlockpin_fuzzer.h"
17
18 #include <cstddef>
19 #include <cstdint>
20 #include <string_ex.h>
21 #include <thread>
22
23 #define private public
24 #include "addcoreservicetoken_fuzzer.h"
25 #include "core_service.h"
26 #include "napi_util.h"
27 #include "system_ability_definition.h"
28 #include "tel_event_handler.h"
29 #include "unistd.h"
30
31 using namespace OHOS::Telephony;
32 namespace OHOS {
33 static bool g_isInited = false;
34 constexpr int32_t SLOT_NUM = 2;
35 constexpr int32_t SLEEP_TIME_SECONDS = 3;
36
IsServiceInited()37 bool IsServiceInited()
38 {
39 if (!g_isInited) {
40 DelayedSingleton<CoreService>::GetInstance()->OnStart();
41 if (DelayedSingleton<CoreService>::GetInstance()->GetServiceRunningState() ==
42 static_cast<int32_t>(ServiceRunningState::STATE_RUNNING)) {
43 g_isInited = true;
44 }
45 }
46 return g_isInited;
47 }
48
UnlockPin(const uint8_t * data,size_t size)49 void UnlockPin(const uint8_t *data, size_t size)
50 {
51 if (!IsServiceInited()) {
52 return;
53 }
54
55 MessageParcel dataMessageParcel;
56 int32_t slotId = static_cast<int32_t>(*data % SLOT_NUM);
57 dataMessageParcel.WriteInt32(slotId);
58 std::string pin(reinterpret_cast<const char *>(data), size);
59 std::u16string pinStr = Str8ToStr16(pin);
60 dataMessageParcel.WriteString16(pinStr);
61 MessageParcel reply;
62 DelayedSingleton<CoreService>::GetInstance()->OnUnlockPin(dataMessageParcel, reply);
63 }
64
UnlockPuk(const uint8_t * data,size_t size)65 void UnlockPuk(const uint8_t *data, size_t size)
66 {
67 if (!IsServiceInited()) {
68 return;
69 }
70
71 MessageParcel dataMessageParcel;
72 int32_t slotId = static_cast<int32_t>(*data % SLOT_NUM);
73 dataMessageParcel.WriteInt32(slotId);
74 std::string pin(reinterpret_cast<const char *>(data), size);
75 std::u16string pinStr = Str8ToStr16(pin);
76 dataMessageParcel.WriteString16(pinStr);
77 std::string puk(reinterpret_cast<const char *>(data), size);
78 std::u16string pukStr = Str8ToStr16(puk);
79 dataMessageParcel.WriteString16(pukStr);
80 MessageParcel reply;
81 DelayedSingleton<CoreService>::GetInstance()->OnUnlockPuk(dataMessageParcel, reply);
82 }
83
AlterPin(const uint8_t * data,size_t size)84 void AlterPin(const uint8_t *data, size_t size)
85 {
86 if (!IsServiceInited()) {
87 return;
88 }
89
90 MessageParcel dataMessageParcel;
91 int32_t slotId = static_cast<int32_t>(*data % SLOT_NUM);
92 dataMessageParcel.WriteInt32(slotId);
93 std::string newPin(reinterpret_cast<const char *>(data), size);
94 std::u16string newPinStr = Str8ToStr16(newPin);
95 dataMessageParcel.WriteString16(newPinStr);
96 std::string oldPin(reinterpret_cast<const char *>(data), size);
97 std::u16string oldPinStr = Str8ToStr16(oldPin);
98 dataMessageParcel.WriteString16(oldPinStr);
99 MessageParcel reply;
100 DelayedSingleton<CoreService>::GetInstance()->OnAlterPin(dataMessageParcel, reply);
101 }
102
UnlockPin2(const uint8_t * data,size_t size)103 void UnlockPin2(const uint8_t *data, size_t size)
104 {
105 if (!IsServiceInited()) {
106 return;
107 }
108
109 MessageParcel dataMessageParcel;
110 int32_t slotId = static_cast<int32_t>(*data % SLOT_NUM);
111 dataMessageParcel.WriteInt32(slotId);
112 std::string pin2(reinterpret_cast<const char *>(data), size);
113 std::u16string pin2Str = Str8ToStr16(pin2);
114 dataMessageParcel.WriteString16(pin2Str);
115 MessageParcel reply;
116 DelayedSingleton<CoreService>::GetInstance()->OnUnlockPin2(dataMessageParcel, reply);
117 }
118
UnlockPuk2(const uint8_t * data,size_t size)119 void UnlockPuk2(const uint8_t *data, size_t size)
120 {
121 if (!IsServiceInited()) {
122 return;
123 }
124
125 MessageParcel dataMessageParcel;
126 int32_t slotId = static_cast<int32_t>(*data % SLOT_NUM);
127 dataMessageParcel.WriteInt32(slotId);
128 std::string pin2(reinterpret_cast<const char *>(data), size);
129 std::u16string pin2Str = Str8ToStr16(pin2);
130 dataMessageParcel.WriteString16(pin2Str);
131 std::string puk2(reinterpret_cast<const char *>(data), size);
132 std::u16string puk2Str = Str8ToStr16(puk2);
133 dataMessageParcel.WriteString16(puk2Str);
134 MessageParcel reply;
135 DelayedSingleton<CoreService>::GetInstance()->OnUnlockPuk2(dataMessageParcel, reply);
136 }
137
AlterPin2(const uint8_t * data,size_t size)138 void AlterPin2(const uint8_t *data, size_t size)
139 {
140 if (!IsServiceInited()) {
141 return;
142 }
143
144 MessageParcel dataMessageParcel;
145 int32_t slotId = static_cast<int32_t>(*data % SLOT_NUM);
146 dataMessageParcel.WriteInt32(slotId);
147 std::string newPin2(reinterpret_cast<const char *>(data), size);
148 std::u16string newPin2Str = Str8ToStr16(newPin2);
149 dataMessageParcel.WriteString16(newPin2Str);
150 std::string oldPin2(reinterpret_cast<const char *>(data), size);
151 std::u16string oldPin2Str = Str8ToStr16(oldPin2);
152 dataMessageParcel.WriteString16(oldPin2Str);
153 MessageParcel reply;
154 DelayedSingleton<CoreService>::GetInstance()->OnAlterPin2(dataMessageParcel, reply);
155 }
156
SetLockState(const uint8_t * data,size_t size)157 void SetLockState(const uint8_t *data, size_t size)
158 {
159 if (!IsServiceInited()) {
160 return;
161 }
162
163 MessageParcel dataMessageParcel;
164 int32_t slotId = static_cast<int32_t>(*data % SLOT_NUM);
165 dataMessageParcel.WriteInt32(slotId);
166 int32_t offset = 0;
167 int32_t lockType = static_cast<int32_t>(*data + offset);
168 dataMessageParcel.WriteInt32(lockType);
169 offset += sizeof(int32_t);
170 int32_t lockState = static_cast<int32_t>(*data + offset);
171 dataMessageParcel.WriteInt32(lockState);
172 std::string password(reinterpret_cast<const char *>(data), size);
173 std::u16string passwordStr = Str8ToStr16(password);
174 dataMessageParcel.WriteString16(passwordStr);
175 MessageParcel reply;
176 DelayedSingleton<CoreService>::GetInstance()->OnSetLockState(dataMessageParcel, reply);
177 }
178
SetActiveSim(const uint8_t * data,size_t size)179 void SetActiveSim(const uint8_t *data, size_t size)
180 {
181 if (!IsServiceInited()) {
182 return;
183 }
184
185 MessageParcel dataMessageParcel;
186 int32_t slotId = static_cast<int32_t>(*data % SLOT_NUM);
187 dataMessageParcel.WriteInt32(slotId);
188 int32_t enable = static_cast<int32_t>(*data + sizeof(int32_t));
189 dataMessageParcel.WriteInt32(enable);
190 MessageParcel reply;
191 DelayedSingleton<CoreService>::GetInstance()->OnSetActiveSim(dataMessageParcel, reply);
192 }
193
DiallingNumbersGet(const uint8_t * data,size_t size)194 void DiallingNumbersGet(const uint8_t *data, size_t size)
195 {
196 if (!IsServiceInited()) {
197 return;
198 }
199
200 MessageParcel dataMessageParcel;
201 int32_t slotId = static_cast<int32_t>(*data % SLOT_NUM);
202 dataMessageParcel.WriteInt32(slotId);
203 int32_t type = static_cast<int32_t>(*data + sizeof(int32_t));
204 dataMessageParcel.WriteInt32(type);
205 MessageParcel reply;
206 DelayedSingleton<CoreService>::GetInstance()->OnDiallingNumbersGet(dataMessageParcel, reply);
207 }
208
DelIccDiallingNumbers(const uint8_t * data,size_t size)209 void DelIccDiallingNumbers(const uint8_t *data, size_t size)
210 {
211 if (!IsServiceInited()) {
212 return;
213 }
214
215 MessageParcel dataMessageParcel;
216 int32_t slotId = static_cast<int32_t>(*data % SLOT_NUM);
217 dataMessageParcel.WriteInt32(slotId);
218 int32_t type = static_cast<int32_t>(*data + sizeof(int32_t));
219 dataMessageParcel.WriteInt32(type);
220 MessageParcel reply;
221 DelayedSingleton<CoreService>::GetInstance()->OnDelIccDiallingNumbers(dataMessageParcel, reply);
222 }
223
UnlockSimLock(const uint8_t * data,size_t size)224 void UnlockSimLock(const uint8_t *data, size_t size)
225 {
226 if (!IsServiceInited()) {
227 return;
228 }
229
230 MessageParcel dataMessageParcel;
231 int32_t slotId = static_cast<int32_t>(*data % SLOT_NUM);
232 dataMessageParcel.WriteInt32(slotId);
233 int32_t lockType = static_cast<int32_t>(*data + sizeof(int32_t));
234 dataMessageParcel.WriteInt32(lockType);
235 std::string password(reinterpret_cast<const char *>(data), size);
236 std::u16string passwordStr = Str8ToStr16(password);
237 dataMessageParcel.WriteString16(passwordStr);
238 MessageParcel reply;
239 DelayedSingleton<CoreService>::GetInstance()->OnUnlockSimLock(dataMessageParcel, reply);
240 }
241
DoSomethingInterestingWithMyAPI(const uint8_t * data,size_t size)242 void DoSomethingInterestingWithMyAPI(const uint8_t *data, size_t size)
243 {
244 if (data == nullptr || size == 0) {
245 return;
246 }
247
248 UnlockPin(data, size);
249 UnlockPuk(data, size);
250 AlterPin(data, size);
251 UnlockPin2(data, size);
252 UnlockPuk2(data, size);
253 AlterPin2(data, size);
254 SetLockState(data, size);
255 SetActiveSim(data, size);
256 DiallingNumbersGet(data, size);
257 DelIccDiallingNumbers(data, size);
258 UnlockSimLock(data, size);
259 auto telRilManager = DelayedSingleton<CoreService>::GetInstance()->telRilManager_;
260 if (telRilManager == nullptr || telRilManager->handler_ == nullptr) {
261 return;
262 }
263 auto handler = telRilManager->handler_;
264 if (handler != nullptr) {
265 handler->RemoveAllEvents();
266 handler->SendEvent(0, 0, AppExecFwk::EventQueue::Priority::HIGH);
267 sleep(SLEEP_TIME_SECONDS);
268 }
269 telRilManager->handler_->ClearFfrt(false);
270 telRilManager->handler_->queue_ = nullptr;
271 return;
272 }
273 } // namespace OHOS
274
275 /* Fuzzer entry point */
LLVMFuzzerInitialize(int * argc,char *** argv)276 extern "C" int LLVMFuzzerInitialize(int *argc, char ***argv)
277 {
278 OHOS::AddCoreServiceTokenFuzzer token;
279 return 0;
280 }
281
282 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)283 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
284 {
285 /* Run your code on data */
286 OHOS::DoSomethingInterestingWithMyAPI(data, size);
287 OHOS::DelayedSingleton<CoreService>::DestroyInstance();
288 return 0;
289 }
290