From 08f96b12a5be2f78bbcad369372d6acb214a5198 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=BA=B7=E9=A6=99=E5=A8=9F?= Date: Sat, 26 Jul 2025 18:25:07 +0800 Subject: [PATCH] add fuzztest MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 康香娟 --- .../bufferobject_fuzzer.cpp | 7 + .../dbindercallbackstub_fuzzer.cpp | 48 +++++ .../dbinderdatabusinvoker_fuzzer.cpp | 70 +++++++ .../core/dbindersessionobject_fuzzer/BUILD.gn | 5 + .../dbindersessionobject_fuzzer.cpp | 70 +++++++ .../src/core/ipcobjectproxy_fuzzer/BUILD.gn | 5 + .../ipcobjectproxy_fuzzer.cpp | 193 ++++++++++++++++++ 7 files changed, 398 insertions(+) diff --git a/test/fuzztest/ipc/native/src/core/bufferobject_fuzzer/bufferobject_fuzzer.cpp b/test/fuzztest/ipc/native/src/core/bufferobject_fuzzer/bufferobject_fuzzer.cpp index 1c26fa75..0ec7f8ef 100644 --- a/test/fuzztest/ipc/native/src/core/bufferobject_fuzzer/bufferobject_fuzzer.cpp +++ b/test/fuzztest/ipc/native/src/core/bufferobject_fuzzer/bufferobject_fuzzer.cpp @@ -323,6 +323,12 @@ void FuzzerTestInner1(const uint8_t* data, size_t size) OHOS::GetSendBufferWriteCursorTest(); OHOS::GetReceiveBufferReadCursorTest(); } + +void UpdateReceiveBufferFuzzTest() +{ + BufferObject object; + object.UpdateReceiveBuffer(); +} } // namespace OHOS /* Fuzzer entry point */ @@ -345,5 +351,6 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) OHOS::SetSendBufferReadCursorFuzzTest(data, size); OHOS::SetSendBufferWriteCursorFuzzTest(data, size); OHOS::FuzzerTestInner1(data, size); + OHOS::UpdateReceiveBufferFuzzTest(); return 0; } diff --git a/test/fuzztest/ipc/native/src/core/dbindercallbackstub_fuzzer/dbindercallbackstub_fuzzer.cpp b/test/fuzztest/ipc/native/src/core/dbindercallbackstub_fuzzer/dbindercallbackstub_fuzzer.cpp index 24a6f79f..568f7a83 100644 --- a/test/fuzztest/ipc/native/src/core/dbindercallbackstub_fuzzer/dbindercallbackstub_fuzzer.cpp 
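Review bot: `UpdateReceiveBufferFuzzTest()` takes no fuzz input, so every iteration runs the same `UpdateReceiveBuffer()` call on a default-constructed `BufferObject` and adds no input-dependent coverage. Either set up the object's state from `data`/`size` before the call, as the existing cursor tests in this file do, or mark it as a fixed smoke call with a comment such as `// Smoke call: no fuzz input reaches UpdateReceiveBuffer()`. The same applies to the ten parameterless wrappers added to dbinderdatabusinvoker_fuzzer.cpp and to the parameterless ones in ipcobjectproxy_fuzzer.cpp.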
+++ b/test/fuzztest/ipc/native/src/core/dbindercallbackstub_fuzzer/dbindercallbackstub_fuzzer.cpp 
@@ -286,6 +286,51 @@ void GetAndSaveDBinderDataFuzzTest(FuzzedDataProvider &provider) uid_t uid = provider.ConsumeIntegral(); stub->GetAndSaveDBinderData(pid, uid); } + +void GetServiceNameFuzzTest(FuzzedDataProvider &provider) +{ + uint64_t stubIndex = provider.ConsumeIntegral(); + uint32_t handle = provider.ConsumeIntegral(); + uint32_t tokenId = provider.ConsumeIntegral(); + std::string service = provider.ConsumeRandomLengthString(); + std::string device = provider.ConsumeRandomLengthString(); + std::string localDevice = provider.ConsumeRandomLengthString(); + auto stub = new (std::nothrow) DBinderCallbackStub(service, device, localDevice, stubIndex, handle, tokenId); + if (stub == nullptr) { + return; + } + stub->GetServiceName(); +} + +void GetStubIndexFuzzTest(FuzzedDataProvider &provider) +{ + uint64_t stubIndex = provider.ConsumeIntegral(); + uint32_t handle = provider.ConsumeIntegral(); + uint32_t tokenId = provider.ConsumeIntegral(); + std::string service = provider.ConsumeRandomLengthString(); + std::string device = provider.ConsumeRandomLengthString(); + std::string localDevice = provider.ConsumeRandomLengthString(); + auto stub = new (std::nothrow) DBinderCallbackStub(service, device, localDevice, stubIndex, handle, tokenId); + if (stub == nullptr) { + return; + } + stub->GetStubIndex(); +} + +void GetTokenIdFuzzTest(FuzzedDataProvider &provider) +{ + uint64_t stubIndex = provider.ConsumeIntegral(); + uint32_t handle = provider.ConsumeIntegral(); + uint32_t tokenId = provider.ConsumeIntegral(); + std::string service = provider.ConsumeRandomLengthString(); + std::string device = provider.ConsumeRandomLengthString(); + std::string localDevice = provider.ConsumeRandomLengthString(); + auto stub = new (std::nothrow) DBinderCallbackStub(service, device, localDevice, stubIndex, handle, tokenId); + if (stub == nullptr) { + return; + } + stub->GetTokenId(); +} } // namespace OHOS /* Fuzzer entry point */ 
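Review bot: In `GetServiceNameFuzzTest`, `GetStubIndexFuzzTest` and `GetTokenIdFuzzTest` the stub is created with `new (std::nothrow) DBinderCallbackStub(...)` into a raw `auto` pointer and nothing in the hunk releases it, so each fuzz iteration appears to leak three stubs. Over a long run that grows memory and can bury real findings under leak reports. Hold the object in an owning handle (the ipcobjectproxy fuzzer in this patch uses `sptr` for its heap objects) or release it before returning. The three bodies differ only in the final getter call, so one helper that builds the stub from `provider` would remove the repetition.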
@@ -306,5 +351,8 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) OHOS::AddDBinderCommAuthFuzzTest(provider); OHOS::SaveDBinderDataFuzzTest(provider); OHOS::GetAndSaveDBinderDataFuzzTest(provider); + OHOS::GetServiceNameFuzzTest(provider); + OHOS::GetStubIndexFuzzTest(provider); + OHOS::GetTokenIdFuzzTest(provider); return 0; } diff --git a/test/fuzztest/ipc/native/src/core/dbinderdatabusinvoker_fuzzer/dbinderdatabusinvoker_fuzzer.cpp b/test/fuzztest/ipc/native/src/core/dbinderdatabusinvoker_fuzzer/dbinderdatabusinvoker_fuzzer.cpp index 82aeb79f..1b44340c 100644 --- a/test/fuzztest/ipc/native/src/core/dbinderdatabusinvoker_fuzzer/dbinderdatabusinvoker_fuzzer.cpp +++ b/test/fuzztest/ipc/native/src/core/dbinderdatabusinvoker_fuzzer/dbinderdatabusinvoker_fuzzer.cpp 
@@ -458,6 +458,66 @@ static void CheckTransactionDataFuzzTest(const uint8_t *data, size_t size) (void)invoker.CheckTransactionData(tr); delete tr; } + +void CreateProcessThreadFuzzTest() +{ + DBinderDatabusInvoker invoker; + invoker.CreateProcessThread(); +} + +void GetSeqNumFuzzTest() +{ + DBinderDatabusInvoker invoker; + invoker.GetSeqNum(); +} + +void GetClientFdFuzzTest() +{ + DBinderDatabusInvoker invoker; + invoker.GetClientFd(); +} + +void GetStatusFuzzTest() +{ + DBinderDatabusInvoker invoker; + invoker.GetStatus(); +} + +void GetCallerUidFuzzTest() +{ + DBinderDatabusInvoker invoker; + invoker.GetCallerUid(); +} + +void GetCallerTokenIDFuzzTest() +{ + DBinderDatabusInvoker invoker; + invoker.GetCallerTokenID(); +} + +void GetFirstCallerTokenIDFuzzTest() +{ + DBinderDatabusInvoker invoker; + invoker.GetFirstCallerTokenID(); +} + +void IsLocalCallingFuzzTest() +{ + DBinderDatabusInvoker invoker; + invoker.IsLocalCalling(); +} + +void GetLocalDeviceIDFuzzTest() +{ + DBinderDatabusInvoker invoker; + invoker.GetLocalDeviceID(); +} + +void ResetCallingIdentityFuzzTest() +{ + DBinderDatabusInvoker invoker; + invoker.ResetCallingIdentity(); +} } // namespace OHOS /* Fuzzer entry point */ @@ -483,5 +543,15 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) OHOS::MakeThreadProcessInfoFuzzTest(data, size); OHOS::ProcessTransactionFuzzTest(data, size); OHOS::CheckTransactionDataFuzzTest(data, size); + OHOS::CreateProcessThreadFuzzTest(); + OHOS::GetSeqNumFuzzTest(); + OHOS::GetClientFdFuzzTest(); + OHOS::GetStatusFuzzTest(); + OHOS::GetCallerUidFuzzTest(); + OHOS::GetCallerTokenIDFuzzTest(); + OHOS::GetFirstCallerTokenIDFuzzTest(); + OHOS::IsLocalCallingFuzzTest(); + OHOS::GetLocalDeviceIDFuzzTest(); + OHOS::ResetCallingIdentityFuzzTest(); return 0; } diff --git a/test/fuzztest/ipc/native/src/core/dbindersessionobject_fuzzer/BUILD.gn b/test/fuzztest/ipc/native/src/core/dbindersessionobject_fuzzer/BUILD.gn index cd72720d..b40461ba 100644 
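Review bot: `CreateProcessThreadFuzzTest()` runs on every input against a fresh local `DBinderDatabusInvoker`. If `CreateProcessThread()` starts a thread, as its name suggests, each iteration may leave work behind that outlives the invoker. Please confirm how that thread is cleaned up, or move the call to a one-time setup such as `LLVMFuzzerInitialize`. The new getter wrappers also drop their results silently, while `CheckTransactionDataFuzzTest` just above writes `(void)invoker.CheckTransactionData(tr);`. Using the same cast, e.g. `(void)invoker.GetSeqNum();`, would keep the file consistent.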
--- a/test/fuzztest/ipc/native/src/core/dbindersessionobject_fuzzer/BUILD.gn +++ b/test/fuzztest/ipc/native/src/core/dbindersessionobject_fuzzer/BUILD.gn @@ -28,6 +28,11 @@ ohos_fuzztest("DBinderSessionObjectFuzzTest") { deps = [ "../../../../../../../test:ipc_single_test_static" ] + defines = [ + "private = public", + "protected = public", + ] + external_deps = [ "c_utils:utils", "hilog:libhilog", diff --git a/test/fuzztest/ipc/native/src/core/dbindersessionobject_fuzzer/dbindersessionobject_fuzzer.cpp b/test/fuzztest/ipc/native/src/core/dbindersessionobject_fuzzer/dbindersessionobject_fuzzer.cpp index b45c350d..582fd8af 100644 --- a/test/fuzztest/ipc/native/src/core/dbindersessionobject_fuzzer/dbindersessionobject_fuzzer.cpp +++ b/test/fuzztest/ipc/native/src/core/dbindersessionobject_fuzzer/dbindersessionobject_fuzzer.cpp @@ -14,6 +14,8 @@ */ #include "dbindersessionobject_fuzzer.h" + +#include #include "dbinder_session_object.h" #include "message_parcel.h" 
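Review bot: The added `defines = [ "private = public", "protected = public" ]` turns two keywords into macros for every header this target compiles, which the C++ standard does not allow. The harness then sees class definitions that differ from the ones `ipc_single_test_static` was presumably built with. It also lets the fuzzer write members such as `buff_` directly, so a crash may come from a state no caller of the public API can produce, and triage has to rule that out for each finding. If the access is required, add a comment naming the members that need it, e.g. `# needed to set DBinderSessionObject::buff_ in GetSessionBuffFuzzTest`, or prefer a test-only accessor. The same defines are added to ipcobjectproxy_fuzzer/BUILD.gn later in this patch.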
@@ -202,6 +204,67 @@ void SetPeerUidFuzzTest(const uint8_t *data, size_t size) DBinderSessionObject object(serviceName, serverDeviceId, stubIndex, proxy, tokenId); object.SetPeerUid(uid); } + +void CloseDatabusSessionFuzzTest(FuzzedDataProvider &provider) +{ + std::string name = provider.ConsumeRandomLengthString(); + std::string serviceName = provider.ConsumeRandomLengthString(); + std::string serverDeviceId = provider.ConsumeRandomLengthString(); + uint64_t stubIndex = provider.ConsumeIntegral(); + uint32_t tokenId = provider.ConsumeIntegral(); + DBinderSessionObject object(serviceName, serverDeviceId, stubIndex, nullptr, tokenId); + object.CloseDatabusSession(); +} + +void GetSessionBuffFuzzTest(FuzzedDataProvider &provider) +{ + std::string name = provider.ConsumeRandomLengthString(); + std::string serviceName = provider.ConsumeRandomLengthString(); + std::string serverDeviceId = provider.ConsumeRandomLengthString(); + uint64_t stubIndex = provider.ConsumeIntegral(); + uint32_t tokenId = provider.ConsumeIntegral(); + DBinderSessionObject object(serviceName, serverDeviceId, stubIndex, nullptr, tokenId); + object.GetSessionBuff(); + + object.buff_ = std::make_shared(); + if (object.buff_ == nullptr) { + return; + } + object.GetSessionBuff(); +} + +void GetFlatSessionLenFuzzTest(FuzzedDataProvider &provider) +{ + std::string name = provider.ConsumeRandomLengthString(); + std::string serviceName = provider.ConsumeRandomLengthString(); + std::string serverDeviceId = provider.ConsumeRandomLengthString(); + uint64_t stubIndex = provider.ConsumeIntegral(); + uint32_t tokenId = provider.ConsumeIntegral(); + DBinderSessionObject object(serviceName, serverDeviceId, stubIndex, nullptr, tokenId); + object.GetFlatSessionLen(); +} + +void GetPeerPidFuzzTest(FuzzedDataProvider &provider) +{ + std::string name = provider.ConsumeRandomLengthString(); + std::string serviceName = provider.ConsumeRandomLengthString(); + std::string serverDeviceId = 
provider.ConsumeRandomLengthString(); + uint64_t stubIndex = provider.ConsumeIntegral(); + uint32_t tokenId = provider.ConsumeIntegral(); + DBinderSessionObject object(serviceName, serverDeviceId, stubIndex, nullptr, tokenId); + object.GetPeerPid(); +} + +void GetPeerUidFuzzTest(FuzzedDataProvider &provider) +{ + std::string name = provider.ConsumeRandomLengthString(); + std::string serviceName = provider.ConsumeRandomLengthString(); + std::string serverDeviceId = provider.ConsumeRandomLengthString(); + uint64_t stubIndex = provider.ConsumeIntegral(); + uint32_t tokenId = provider.ConsumeIntegral(); + DBinderSessionObject object(serviceName, serverDeviceId, stubIndex, nullptr, tokenId); + object.GetPeerUid(); +} } // namespace OHOS /* Fuzzer entry point */ @@ -215,5 +278,12 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) OHOS::SetSocketIdFuzzTest(data, size); OHOS::SetPeerPidFuzzTest(data, size); OHOS::SetPeerUidFuzzTest(data, size); + + FuzzedDataProvider provider(data, size); + OHOS::CloseDatabusSessionFuzzTest(provider); + OHOS::GetSessionBuffFuzzTest(provider); + OHOS::GetFlatSessionLenFuzzTest(provider); + OHOS::GetPeerPidFuzzTest(provider); + OHOS::GetPeerUidFuzzTest(provider); return 0; } diff --git a/test/fuzztest/ipc/native/src/core/ipcobjectproxy_fuzzer/BUILD.gn b/test/fuzztest/ipc/native/src/core/ipcobjectproxy_fuzzer/BUILD.gn index a3df5f15..81c19478 100644 --- a/test/fuzztest/ipc/native/src/core/ipcobjectproxy_fuzzer/BUILD.gn +++ b/test/fuzztest/ipc/native/src/core/ipcobjectproxy_fuzzer/BUILD.gn @@ -28,6 +28,11 @@ ohos_fuzztest("IPCObjectProxyFuzzTest") { deps = [ "../../../../../../../test:ipc_single_test_static" ] + defines = [ + "private = public", + "protected = public", + ] + external_deps = [ "c_utils:utils", "hilog:libhilog", 
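Review bot: Each of the five new tests starts with `std::string name = provider.ConsumeRandomLengthString();` and never uses `name`, so the first bytes of every input are spent on a value that reaches no code under test. Drop that line in `CloseDatabusSessionFuzzTest`, `GetSessionBuffFuzzTest`, `GetFlatSessionLenFuzzTest`, `GetPeerPidFuzzTest` and `GetPeerUidFuzzTest`. In `GetSessionBuffFuzzTest` the `if (object.buff_ == nullptr)` check after `std::make_shared` is dead code, because `make_shared` throws on allocation failure rather than returning null.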
diff --git a/test/fuzztest/ipc/native/src/core/ipcobjectproxy_fuzzer/ipcobjectproxy_fuzzer.cpp b/test/fuzztest/ipc/native/src/core/ipcobjectproxy_fuzzer/ipcobjectproxy_fuzzer.cpp index 2e40cc9c..e0d3a844 100644 --- a/test/fuzztest/ipc/native/src/core/ipcobjectproxy_fuzzer/ipcobjectproxy_fuzzer.cpp +++ b/test/fuzztest/ipc/native/src/core/ipcobjectproxy_fuzzer/ipcobjectproxy_fuzzer.cpp @@ -14,8 +14,12 @@ */ #include "ipcobjectproxy_fuzzer.h" + +#include #include "ipc_object_proxy.h" +#include "iremote_object.h" #include "message_parcel.h" +#include "string_ex.h" namespace OHOS { class MockDeathRecipient : public IRemoteObject::DeathRecipient { 
@@ -220,6 +224,172 @@ void SetObjectDiedFuzzTest(const uint8_t *data, size_t size) proxy->SetObjectDied(isDied); delete proxy; } + +void GetObjectRefCountFuzzTest() +{ + IPCObjectProxy object(1); + object.GetObjectRefCount(); +} + +void GetInterfaceDescriptorFuzzTest(FuzzedDataProvider &provider) +{ + IPCObjectProxy object1(1); + object1.remoteDescriptor_ = provider.ConsumeRandomLengthString(); + object1.SetObjectDied(true); + object1.GetInterfaceDescriptor(); + object1.SetObjectDied(false); + + object1.interfaceDesc_ = Str8ToStr16(provider.ConsumeRandomLengthString()); + object1.GetInterfaceDescriptor(); + + IPCObjectProxy object2(0); + object2.GetInterfaceDescriptor(); +} + +void GetSessionNameFuzzTest(FuzzedDataProvider &provider) +{ + IPCObjectProxy object(1); + object.remoteDescriptor_ = provider.ConsumeRandomLengthString(); + object.SetObjectDied(true); + object.GetSessionName(); +} + +void GetGrantedSessionNameFuzzTest(FuzzedDataProvider &provider) +{ + IPCObjectProxy object(1); + object.remoteDescriptor_ = provider.ConsumeRandomLengthString(); + object.SetObjectDied(true); + object.GetGrantedSessionName(); +} + +void SendObituaryFuzzTest() +{ +#ifndef CONFIG_IPC_SINGLE + IPCObjectProxy object(1); + object.SendObituary(); +#endif +} + +void ClearDeathRecipientsTest() +{ + IPCObjectProxy object(1); + object.ClearDeathRecipients(); + +#ifndef CONFIG_IPC_SINGLE + sptr death = new (std::nothrow) MockDeathRecipient(); + sptr info + = new (std::nothrow) IPCObjectProxy::DeathRecipientAddrInfo(death.GetRefPtr()); + if (death == nullptr && info == nullptr) { + return; + } + object.recipients_.push_back(info); + object.ClearDeathRecipients(); +#endif +} + +void NoticeServiceDieFuzzTest(FuzzedDataProvider &provider) +{ + IPCObjectProxy object(1); + object.remoteDescriptor_ = provider.ConsumeRandomLengthString(); + object.SetObjectDied(true); + object.NoticeServiceDie(); +} + +void GetStrongRefCountForStubFuzzTest() +{ + IPCObjectProxy object(1); + 
object.GetStrongRefCountForStub(); +} + +void IncRefToRemoteFuzzTest(FuzzedDataProvider &provider) +{ + IPCObjectProxy object(1); + object.remoteDescriptor_ = provider.ConsumeRandomLengthString(); + object.SetObjectDied(true); + object.IncRefToRemote(); +} + +void AddDbinderDeathRecipientFuzzTest(FuzzedDataProvider &provider) +{ + IPCObjectProxy object(1); + object.AddDbinderDeathRecipient(); + + object.remoteDescriptor_ = provider.ConsumeRandomLengthString(); + object.AddDbinderDeathRecipient(); +} + +void RemoveDbinderDeathRecipientFuzzTest(FuzzedDataProvider &provider) +{ + IPCObjectProxy object(1); + object.RemoveDbinderDeathRecipient(); + + object.remoteDescriptor_ = provider.ConsumeRandomLengthString(); + object.RemoveDbinderDeathRecipient(); +} + +void CheckHaveSessionFuzzTest() +{ + IPCObjectProxy object(1); + object.CheckHaveSession(); +} + +void UpdateDatabusClientSessionFuzzTest() +{ + IPCObjectProxy object(1); + object.UpdateDatabusClientSession(); +} + +void ReleaseDatabusProtoFuzzTest(FuzzedDataProvider &provider) +{ + IPCObjectProxy object1(0); + object1.ReleaseDatabusProto(); + + IPCObjectProxy object2(1); + object2.remoteDescriptor_ = provider.ConsumeRandomLengthString(); + object2.SetObjectDied(true); + object2.ReleaseDatabusProto(); +} + +void RegisterBinderDeathRecipientFuzzTest() +{ +#ifndef CONFIG_IPC_SINGLE + IPCObjectProxy object(1); + object.RegisterBinderDeathRecipient(); +#endif +} + +void UnRegisterBinderDeathRecipientFuzzTest() +{ +#ifndef CONFIG_IPC_SINGLE + IPCObjectProxy object(1); + object.UnRegisterBinderDeathRecipient(); +#endif +} + +void IsDlclosedFuzzTest() +{ + sptr death = new (std::nothrow) MockDeathRecipient(); + sptr info + = new (std::nothrow) IPCObjectProxy::DeathRecipientAddrInfo(death.GetRefPtr()); + if (death == nullptr && info == nullptr) { + return; + } + info->IsDlclosed(); +} + +#ifdef ENABLE_IPC_TRACE +void StartLifeCycleTraceFuzzTest() +{ + IPCObjectProxy object(1); + object.StartLifeCycleTrace(); +} + +void 
GenLifeCycleTraceInfoFuzzTest() +{ + IPCObjectProxy object(1); + object.GenLifeCycleTraceInfo(); +} +#endif } // namespace OHOS /* Fuzzer entry point */ @@ -237,5 +407,28 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) OHOS::GetSessionNameForPidUidFuzzTest(data, size); OHOS::RemoveSessionNameFuzzTest(data, size); OHOS::SetObjectDiedFuzzTest(data, size); + + FuzzedDataProvider provider(data, size); + OHOS::GetObjectRefCountFuzzTest(); + OHOS::GetInterfaceDescriptorFuzzTest(provider); + OHOS::GetSessionNameFuzzTest(provider); + OHOS::GetGrantedSessionNameFuzzTest(provider); + OHOS::SendObituaryFuzzTest(); + OHOS::ClearDeathRecipientsTest(); + OHOS::NoticeServiceDieFuzzTest(provider); + OHOS::GetStrongRefCountForStubFuzzTest(); + OHOS::IncRefToRemoteFuzzTest(provider); + OHOS::AddDbinderDeathRecipientFuzzTest(provider); + OHOS::RemoveDbinderDeathRecipientFuzzTest(provider); + OHOS::CheckHaveSessionFuzzTest(); + OHOS::UpdateDatabusClientSessionFuzzTest(); + OHOS::ReleaseDatabusProtoFuzzTest(provider); + OHOS::RegisterBinderDeathRecipientFuzzTest(); + OHOS::UnRegisterBinderDeathRecipientFuzzTest(); + OHOS::IsDlclosedFuzzTest(); +#ifdef ENABLE_IPC_TRACE + OHOS::StartLifeCycleTraceFuzzTest(); + OHOS::GenLifeCycleTraceInfoFuzzTest(); +#endif return 0; } -- Gitee
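Review bot: In `IsDlclosedFuzzTest` and `ClearDeathRecipientsTest` the guard `if (death == nullptr && info == nullptr)` returns only when both allocations failed, so a null `info` with a valid `death` still reaches `info->IsDlclosed()` or is pushed into `recipients_`. It should read `if (death == nullptr || info == nullptr) {`. `death.GetRefPtr()` is also handed to the `DeathRecipientAddrInfo` constructor before `death` is checked, so testing `death` first and only then constructing `info` would be safer. `ClearDeathRecipientsTest` lacks the `FuzzTest` suffix the other wrappers use.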