1 /*
2 * Copyright (c) 2022-2023 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "user_idm_service_fuzzer.h"
17
18 #include "parcel.h"
19 #include "securec.h"
20
21 #include "iam_fuzz_test.h"
22 #include "iam_logger.h"
23 #include "iam_ptr.h"
24 #include "user_idm_service.h"
25 #include "user_idm_callback_proxy.h"
26 #include "dummy_iam_callback_interface.h"
27
28 #undef private
29
30 using namespace std;
31 using namespace OHOS::UserIam::Common;
32
33 #define LOG_TAG "USER_AUTH_SA"
34
35 namespace OHOS {
36 namespace UserIam {
37 namespace UserAuth {
38 namespace {
39 const int CMD_LEN = 19;
40 std::u16string cmd[] = {u"-h", u"-lc", u"-ls", u"-c", u"-c [base system]", u"-s", u"-s [SA0 SA1]", u"-s [SA] -a [-h]",
41 u"-e", u"--net", u"--storage", u"-p", u"-p [pid]", u"--cpuusage [pid]", u"cified pid", u"--cpufreq", u"--mem [pid]",
42 u"--zip", u"--mem-smaps pid [-v]"};
43
44 class DummyIdmGetCredentialInfoCallback : public IdmGetCredInfoCallbackInterface {
45 public:
OnCredentialInfos(const std::vector<CredentialInfo> & credInfoList)46 void OnCredentialInfos(const std::vector<CredentialInfo> &credInfoList) override
47 {
48 IAM_LOGI("start");
49 return;
50 }
51
AsObject()52 sptr<IRemoteObject> AsObject() override
53 {
54 sptr<IRemoteObject> tmp(nullptr);
55 return tmp;
56 }
57 };
58
59 class DummyIdmGetSecureUserInfoCallback : public IdmGetSecureUserInfoCallbackInterface {
60 public:
OnSecureUserInfo(const SecUserInfo & secUserInfo)61 void OnSecureUserInfo(const SecUserInfo &secUserInfo) override
62 {
63 IAM_LOGI("start");
64 return;
65 }
66
AsObject()67 sptr<IRemoteObject> AsObject() override
68 {
69 sptr<IRemoteObject> tmp(nullptr);
70 return tmp;
71 }
72 };
73
74 class DummyIdmCallback : public IdmCallbackInterface {
75 public:
OnResult(int32_t result,const Attributes & reqRet)76 void OnResult(int32_t result, const Attributes &reqRet) override
77 {
78 IAM_LOGI("start");
79 return;
80 }
81
OnAcquireInfo(int32_t module,int32_t acquire,const Attributes & reqRet)82 void OnAcquireInfo(int32_t module, int32_t acquire, const Attributes &reqRet) override
83 {
84 IAM_LOGI("start");
85 return;
86 }
87
AsObject()88 sptr<IRemoteObject> AsObject() override
89 {
90 sptr<IRemoteObject> tmp(nullptr);
91 return tmp;
92 }
93 };
94
GetFuzzOptionalUserId(Parcel & parcel)95 int32_t GetFuzzOptionalUserId(Parcel &parcel)
96 {
97 if (parcel.ReadBool()) {
98 return parcel.ReadInt32();
99 }
100 return 0;
101 }
102
GetFuzzIdmGetCredentialInfoCallback(Parcel & parcel)103 sptr<IdmGetCredInfoCallbackInterface> GetFuzzIdmGetCredentialInfoCallback(Parcel &parcel)
104 {
105 sptr<IdmGetCredInfoCallbackInterface> tmp(nullptr);
106 if (parcel.ReadBool()) {
107 tmp = sptr<IdmGetCredInfoCallbackInterface>(new (std::nothrow) DummyIdmGetCredentialInfoCallback());
108 }
109 return tmp;
110 }
111
GetFuzzIdmGetSecureUserInfoCallback(Parcel & parcel)112 sptr<IdmGetSecureUserInfoCallbackInterface> GetFuzzIdmGetSecureUserInfoCallback(Parcel &parcel)
113 {
114 sptr<IdmGetSecureUserInfoCallbackInterface> tmp(nullptr);
115 if (parcel.ReadBool()) {
116 tmp = sptr<IdmGetSecureUserInfoCallbackInterface>(new (std::nothrow) DummyIdmGetSecureUserInfoCallback());
117 }
118 return tmp;
119 }
120
GetFuzzIdmCallback(Parcel & parcel)121 sptr<IdmCallbackInterface> GetFuzzIdmCallback(Parcel &parcel)
122 {
123 sptr<IdmCallbackInterface> tmp(nullptr);
124 if (parcel.ReadBool()) {
125 tmp = sptr<IdmCallbackInterface>(new (std::nothrow) DummyIdmCallback());
126 }
127 return tmp;
128 }
129
130 UserIdmService g_UserIdmService(SUBSYS_USERIAM_SYS_ABILITY_USERIDM, true);
131
FuzzOpenSession(Parcel & parcel)132 void FuzzOpenSession(Parcel &parcel)
133 {
134 IAM_LOGI("begin");
135 int32_t userId = GetFuzzOptionalUserId(parcel);
136 std::vector<uint8_t> challenge;
137 FillFuzzUint8Vector(parcel, challenge);
138 g_UserIdmService.OpenSession(userId, challenge);
139 IAM_LOGI("end");
140 }
141
FuzzCloseSession(Parcel & parcel)142 void FuzzCloseSession(Parcel &parcel)
143 {
144 IAM_LOGI("begin");
145 int32_t userId = GetFuzzOptionalUserId(parcel);
146 g_UserIdmService.CloseSession(userId);
147 IAM_LOGI("end");
148 }
149
FuzzGetCredentialInfo(Parcel & parcel)150 void FuzzGetCredentialInfo(Parcel &parcel)
151 {
152 IAM_LOGI("begin");
153 int32_t userId = GetFuzzOptionalUserId(parcel);
154 AuthType authType = static_cast<AuthType>(parcel.ReadUint32());
155 sptr<IdmGetCredInfoCallbackInterface> callback = GetFuzzIdmGetCredentialInfoCallback(parcel);
156 g_UserIdmService.GetCredentialInfo(userId, authType, callback);
157 IAM_LOGI("end");
158 }
159
FuzzGetSecInfo(Parcel & parcel)160 void FuzzGetSecInfo(Parcel &parcel)
161 {
162 IAM_LOGI("begin");
163 int32_t userId = GetFuzzOptionalUserId(parcel);
164 sptr<IdmGetSecureUserInfoCallbackInterface> callback = GetFuzzIdmGetSecureUserInfoCallback(parcel);
165 g_UserIdmService.GetSecInfo(userId, callback);
166 IAM_LOGI("end");
167 }
168
FuzzAddCredential(Parcel & parcel)169 void FuzzAddCredential(Parcel &parcel)
170 {
171 IAM_LOGI("begin");
172 int32_t userId = parcel.ReadInt32();
173 UserIdmInterface::CredentialPara para = {};
174 para.authType = static_cast<AuthType>(parcel.ReadInt32());
175 para.pinType = static_cast<PinSubType>(parcel.ReadInt32());
176 FillFuzzUint8Vector(parcel, para.token);
177 sptr<IdmCallbackInterface> callback = GetFuzzIdmCallback(parcel);
178 g_UserIdmService.AddCredential(userId, para, callback, false);
179 IAM_LOGI("end");
180 }
181
FuzzUpdateCredential(Parcel & parcel)182 void FuzzUpdateCredential(Parcel &parcel)
183 {
184 IAM_LOGI("begin");
185 int32_t userId = parcel.ReadInt32();
186 UserIdmInterface::CredentialPara para = {};
187 para.authType = static_cast<AuthType>(parcel.ReadInt32());
188 para.pinType = static_cast<PinSubType>(parcel.ReadInt32());
189 FillFuzzUint8Vector(parcel, para.token);
190 sptr<IdmCallbackInterface> callback = GetFuzzIdmCallback(parcel);
191 g_UserIdmService.UpdateCredential(userId, para, callback);
192 IAM_LOGI("end");
193 }
194
FuzzCancel(Parcel & parcel)195 void FuzzCancel(Parcel &parcel)
196 {
197 IAM_LOGI("begin");
198 int32_t userId = parcel.ReadInt32();
199 g_UserIdmService.Cancel(userId);
200 IAM_LOGI("end");
201 }
202
FuzzEnforceDelUser(Parcel & parcel)203 void FuzzEnforceDelUser(Parcel &parcel)
204 {
205 IAM_LOGI("begin");
206 int32_t userId = parcel.ReadInt32();
207 sptr<IdmCallbackInterface> callback = GetFuzzIdmCallback(parcel);
208 g_UserIdmService.EnforceDelUser(userId, callback);
209 IAM_LOGI("end");
210 }
211
FuzzDelUser(Parcel & parcel)212 void FuzzDelUser(Parcel &parcel)
213 {
214 IAM_LOGI("begin");
215 int32_t userId = parcel.ReadInt32();
216 std::vector<uint8_t> authToken;
217 FillFuzzUint8Vector(parcel, authToken);
218 sptr<IdmCallbackInterface> callback = GetFuzzIdmCallback(parcel);
219 g_UserIdmService.DelUser(userId, authToken, callback);
220 IAM_LOGI("end");
221 }
222
FuzzDump(Parcel & parcel)223 void FuzzDump(Parcel &parcel)
224 {
225 IAM_LOGI("FuzzDump begin");
226 std::vector<uint8_t> msg;
227 Common::FillFuzzUint8Vector(parcel, msg);
228 int32_t fd = parcel.ReadInt32();
229 std::vector<std::u16string> args;
230 for (uint32_t i = 0; i < msg.size(); i++) {
231 args.push_back(cmd[msg[i] % CMD_LEN]);
232 }
233 g_UserIdmService.Dump(fd, args);
234 IAM_LOGI("FuzzDump end");
235 }
236
DelCredential(Parcel & parcel)237 void DelCredential(Parcel &parcel)
238 {
239 IAM_LOGI("begin");
240 int32_t userId = parcel.ReadInt32();
241 uint64_t credentialId = parcel.ReadUint64();
242 std::vector<uint8_t> authToken;
243 FillFuzzUint8Vector(parcel, authToken);
244 sptr<IdmCallbackInterface> callback = GetFuzzIdmCallback(parcel);
245 g_UserIdmService.DelCredential(userId, credentialId, authToken, callback);
246 IAM_LOGI("end");
247 }
248
FuzzClearRedundancyCredential(Parcel & parcel)249 void FuzzClearRedundancyCredential(Parcel &parcel)
250 {
251 IAM_LOGI("begin");
252 sptr<IdmCallbackInterface> callback = GetFuzzIdmCallback(parcel);
253 g_UserIdmService.ClearRedundancyCredential(callback);
254 IAM_LOGI("end");
255 }
256
FuzzClearRedundancyCredentialInner(Parcel & parcel)257 void FuzzClearRedundancyCredentialInner(Parcel &parcel)
258 {
259 IAM_LOGI("begin");
260 std::string callerName = parcel.ReadString();
261 int32_t callerType = parcel.ReadInt32();
262 g_UserIdmService.ClearRedundancyCredentialInner(callerName, callerType);
263 IAM_LOGI("end");
264 }
265
FuzzEnforceDelUserInner(Parcel & parcel)266 void FuzzEnforceDelUserInner(Parcel &parcel)
267 {
268 IAM_LOGI("begin");
269 int32_t userId = 100;
270 sptr<IamCallbackInterface> iamCallback = sptr<IamCallbackInterface>(new (nothrow) DummyIamCallbackInterface);
271 std::shared_ptr<ContextCallback> callbackForTrace =
272 ContextCallback::NewInstance(iamCallback, TRACE_ENFORCE_DELETE_USER);
273 std::string changeReasonTrace = parcel.ReadString();
274 g_UserIdmService.EnforceDelUserInner(userId, callbackForTrace, changeReasonTrace);
275 IAM_LOGI("end");
276 }
277
FuzzCancelCurrentEnroll(Parcel & parcel)278 void FuzzCancelCurrentEnroll(Parcel &parcel)
279 {
280 IAM_LOGI("begin");
281 g_UserIdmService.CancelCurrentEnroll();
282 g_UserIdmService.CancelCurrentEnrollIfExist();
283 IAM_LOGI("end");
284 }
285
FuzzStartEnroll(Parcel & parcel)286 void FuzzStartEnroll(Parcel &parcel)
287 {
288 IAM_LOGI("begin");
289 Enrollment::EnrollmentPara para = {};
290 sptr<IamCallbackInterface> iamCallback = sptr<IamCallbackInterface>(new (nothrow) DummyIamCallbackInterface);
291 std::shared_ptr<ContextCallback> contextCallback = ContextCallback::NewInstance(iamCallback, TRACE_ADD_CREDENTIAL);
292 Attributes extraInfo;
293 g_UserIdmService.StartEnroll(para, contextCallback, extraInfo);
294 IAM_LOGI("end");
295 }
296
FuzzCheckEnrollPermissionAndEnableStatus(Parcel & parcel)297 void FuzzCheckEnrollPermissionAndEnableStatus(Parcel &parcel)
298 {
299 IAM_LOGI("begin");
300 sptr<IamCallbackInterface> iamCallback = sptr<IamCallbackInterface>(new (nothrow) DummyIamCallbackInterface);
301 std::shared_ptr<ContextCallback> contextCallback = ContextCallback::NewInstance(iamCallback, TRACE_ADD_CREDENTIAL);
302 AuthType authType = PIN;
303 g_UserIdmService.CheckEnrollPermissionAndEnableStatus(contextCallback, authType);
304 IAM_LOGI("end");
305 }
306
307 using FuzzFunc = decltype(FuzzOpenSession);
308 FuzzFunc *g_fuzzFuncs[] = {
309 FuzzOpenSession,
310 FuzzCloseSession,
311 FuzzGetCredentialInfo,
312 FuzzGetSecInfo,
313 FuzzAddCredential,
314 FuzzUpdateCredential,
315 FuzzCancel,
316 FuzzEnforceDelUser,
317 FuzzDelUser,
318 DelCredential,
319 FuzzClearRedundancyCredential,
320 FuzzDump,
321 FuzzClearRedundancyCredentialInner,
322 FuzzEnforceDelUserInner,
323 FuzzCancelCurrentEnroll,
324 FuzzStartEnroll,
325 FuzzCheckEnrollPermissionAndEnableStatus,
326 };
327
UserIdmFuzzTest(const uint8_t * data,size_t size)328 void UserIdmFuzzTest(const uint8_t *data, size_t size)
329 {
330 Parcel parcel;
331 parcel.WriteBuffer(data, size);
332 parcel.RewindRead(0);
333 uint32_t index = parcel.ReadUint32() % (sizeof(g_fuzzFuncs) / sizeof(FuzzFunc *));
334 auto fuzzFunc = g_fuzzFuncs[index];
335 fuzzFunc(parcel);
336 return;
337 }
338 } // namespace
339 } // namespace UserAuth
340 } // namespace UserIam
341 } // namespace OHOS
342
343 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)344 extern "C" int32_t LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
345 {
346 OHOS::UserIam::UserAuth::UserIdmFuzzTest(data, size);
347 return 0;
348 }
349