diff --git a/test/fuzztest/BUILD.gn b/test/fuzztest/BUILD.gn index 3bff21b9ec7e4ce55e62804996bb5ca81145b188..b3eb30ca9695f069a0ed9256c855427d686bfcf5 100644 --- a/test/fuzztest/BUILD.gn +++ b/test/fuzztest/BUILD.gn @@ -18,7 +18,7 @@ group("fuzztest") { "ipc/native/src/core/adddeathrecipient_fuzzer:AddDeathRecipientFuzzTest", "ipc/native/src/core/bind_fuzzer:BindFuzzTest", "ipc/native/src/core/binderinvoker_fuzzer:BinderInvokerFuzzTest", - "ipc/native/src/core/binderinvokernew_fuzzer:BinderInvokerNewFuzzTest", + "ipc/native/src/core/binderinvokernew:binderinvokernewfuzz", "ipc/native/src/core/bufferobject_fuzzer:BufferObjectFuzzTest", "ipc/native/src/core/databussocketlistener_fuzzer:DataBusSocketListenerFuzzTest", "ipc/native/src/mock/databussocketlistenermock_fuzzer:DataBusSocketListenerMockFuzzTest", diff --git a/test/fuzztest/ipc/native/src/core/binderinvokernew/BUILD.gn b/test/fuzztest/ipc/native/src/core/binderinvokernew/BUILD.gn new file mode 100644 index 0000000000000000000000000000000000000000..580c094f51b79e3f952f494fe5e3f0b0de94206c --- /dev/null +++ b/test/fuzztest/ipc/native/src/core/binderinvokernew/BUILD.gn @@ -0,0 +1,25 @@ +# Copyright (c) 2025 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +group("binderinvokernewfuzz") { + testonly = true + deps = [ + "binderinvokernew001_fuzzer:BinderInvokerNew001FuzzTest", + "binderinvokernew002_fuzzer:BinderInvokerNew002FuzzTest", + "binderinvokernew003_fuzzer:BinderInvokerNew003FuzzTest", + "binderinvokernew004_fuzzer:BinderInvokerNew004FuzzTest", + "binderinvokernew005_fuzzer:BinderInvokerNew005FuzzTest", + "binderinvokernew006_fuzzer:BinderInvokerNew006FuzzTest", + "binderinvokernew007_fuzzer:BinderInvokerNew007FuzzTest", + ] +} diff --git a/test/fuzztest/ipc/native/src/core/binderinvokernew_fuzzer/BUILD.gn b/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew001_fuzzer/BUILD.gn similarity index 80% rename from test/fuzztest/ipc/native/src/core/binderinvokernew_fuzzer/BUILD.gn rename to test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew001_fuzzer/BUILD.gn index 410204bcfa928cacd6d6d76bbfb86ae350d91668..515406cc72941eb9ec79d664d7f8a3ab524203f2 100644 --- a/test/fuzztest/ipc/native/src/core/binderinvokernew_fuzzer/BUILD.gn +++ b/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew001_fuzzer/BUILD.gn @@ -16,17 +16,18 @@ import("//build/config/features.gni") import("//build/test.gni") ##############################fuzztest########################################## -ohos_fuzztest("BinderInvokerNewFuzzTest") { +ohos_fuzztest("BinderInvokerNew001FuzzTest") { module_out_path = "ipc/ipc" - fuzz_config_file = "../binderinvokernew_fuzzer" + fuzz_config_file = "../binderinvokernew001_fuzzer" cflags = [ "-Wno-unused-variable", "-fno-omit-frame-pointer", ] - sources = [ "binderinvokernew_fuzzer.cpp" ] + include_dirs = [ "../include" ] + sources = [ "binderinvokernew001_fuzzer.cpp" ] - deps = [ "../../../../../../../test:ipc_single_test_static" ] + deps = [ "../../../../../../../../test:ipc_single_test_static" ] defines = [ "private = public", diff --git a/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew001_fuzzer/binderinvokernew001_fuzzer.cpp b/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew001_fuzzer/binderinvokernew001_fuzzer.cpp new file mode 100644 index 0000000000000000000000000000000000000000..770906599a0da280421a29cdba27b632b7d9b447 --- /dev/null +++ b/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew001_fuzzer/binderinvokernew001_fuzzer.cpp @@ -0,0 +1,92 @@ +/* + * Copyright (c) 2025 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "binderinvokernew_fuzzer.h" +#include "binder_invoker.h" +#include "ipc_object_proxy.h" +#include "ipc_object_stub.h" +#include "message_parcel.h" +#include "string_ex.h" +#include + +namespace OHOS { +static constexpr size_t MAX_BYTES_SIZE = 50; +static constexpr pid_t INVALID_PID = -1; + +void AcquireHandleFuzzTest(FuzzedDataProvider &provider) +{ + int32_t handle = provider.ConsumeIntegral(); + + BinderInvoker invoker; + invoker.AcquireHandle(handle); +} + +void TranslateDBinderProxyFuzzTest(FuzzedDataProvider &provider) +{ + MessageParcel dataParcel; + size_t bytesSize = provider.ConsumeIntegralInRange(1, MAX_BYTES_SIZE); + std::vector bytes = provider.ConsumeBytes(bytesSize); + dataParcel.WriteBuffer(bytes.data(), bytes.size()); + int32_t handle = provider.ConsumeIntegral(); + + BinderInvoker invoker; + invoker.TranslateDBinderProxy(handle, dataParcel); +} + +void AddCommAuthFuzzTest(FuzzedDataProvider &provider) +{ + int32_t handle = provider.ConsumeIntegral(); + flat_binder_object flat; + flat.handle = provider.ConsumeIntegral(); + + BinderInvoker invoker; + invoker.AddCommAuth(handle, &flat); +} + +void GetDBinderCallingPidUidFuzzTest001(FuzzedDataProvider &provider) +{ + int32_t handle = provider.ConsumeIntegral(); + bool isReply = provider.ConsumeBool(); + pid_t pid = static_cast(provider.ConsumeIntegral()); + uid_t uid = static_cast(provider.ConsumeIntegral()); + + BinderInvoker invoker; + invoker.GetDBinderCallingPidUid(handle, isReply, pid, uid); +} + +void GetDBinderCallingPidUidFuzzTest002(FuzzedDataProvider &provider) +{ + int32_t handle = provider.ConsumeIntegral(); + bool isReply = provider.ConsumeBool(); + pid_t pid = INVALID_PID; + uid_t uid = static_cast(provider.ConsumeIntegral()); + + BinderInvoker invoker; + invoker.GetDBinderCallingPidUid(handle, isReply, pid, uid); +} + +/* Fuzzer entry point */ +extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) +{ + /* Run your code on data */ + FuzzedDataProvider provider(data, size); + OHOS::AcquireHandleFuzzTest(provider); + OHOS::TranslateDBinderProxyFuzzTest(provider); + OHOS::AddCommAuthFuzzTest(provider); + OHOS::GetDBinderCallingPidUidFuzzTest001(provider); + OHOS::GetDBinderCallingPidUidFuzzTest002(provider); + return 0; +} +} // namespace OHOS \ No newline at end of file diff --git a/test/fuzztest/ipc/native/src/core/binderinvokernew_fuzzer/corpus/init b/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew001_fuzzer/corpus/init similarity index 100% rename from test/fuzztest/ipc/native/src/core/binderinvokernew_fuzzer/corpus/init rename to test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew001_fuzzer/corpus/init diff --git a/test/fuzztest/ipc/native/src/core/binderinvokernew_fuzzer/project.xml b/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew001_fuzzer/project.xml similarity index 100% rename from test/fuzztest/ipc/native/src/core/binderinvokernew_fuzzer/project.xml rename to test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew001_fuzzer/project.xml diff --git a/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew002_fuzzer/BUILD.gn b/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew002_fuzzer/BUILD.gn new file mode 100644 index 0000000000000000000000000000000000000000..4283f25e7a5f35cb67ca0bc5e6d089eef744ed15 --- /dev/null +++ b/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew002_fuzzer/BUILD.gn @@ -0,0 +1,41 @@ +# Copyright (c) 2025 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#####################hydra-fuzz################### +import("//build/config/features.gni") +import("//build/test.gni") + +##############################fuzztest########################################## +ohos_fuzztest("BinderInvokerNew002FuzzTest") { + module_out_path = "ipc/ipc" + fuzz_config_file = "../binderinvokernew002_fuzzer" + + cflags = [ + "-Wno-unused-variable", + "-fno-omit-frame-pointer", + ] + include_dirs = [ "../include" ] + sources = [ "binderinvokernew002_fuzzer.cpp" ] + + deps = [ "../../../../../../../../test:ipc_single_test_static" ] + + defines = [ + "private = public", + "protected = public", + ] + + external_deps = [ + "c_utils:utils", + "hilog:libhilog", + ] +} diff --git a/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew002_fuzzer/binderinvokernew002_fuzzer.cpp b/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew002_fuzzer/binderinvokernew002_fuzzer.cpp new file mode 100644 index 0000000000000000000000000000000000000000..de9532f4b9e80c11be4e84b7152be13f65c3705c --- /dev/null +++ b/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew002_fuzzer/binderinvokernew002_fuzzer.cpp @@ -0,0 +1,88 @@ +/* + * Copyright (c) 2025 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "binderinvokernew_fuzzer.h" +#include "binder_invoker.h" +#include "ipc_object_proxy.h" +#include "ipc_object_stub.h" +#include "message_parcel.h" +#include "string_ex.h" +#include + +namespace OHOS { +static constexpr size_t MAX_BYTES_SIZE = 50; + +void TranslateDBinderStubFuzzTest(FuzzedDataProvider &provider) +{ + MessageParcel dataParcel; + size_t bytesSize = provider.ConsumeIntegralInRange(1, MAX_BYTES_SIZE); + std::vector bytes = provider.ConsumeBytes(bytesSize); + dataParcel.WriteBuffer(bytes.data(), bytes.size()); + int32_t handle = provider.ConsumeIntegral(); + bool isReply = provider.ConsumeBool(); + size_t totalDBinderBufSize; + + BinderInvoker invoker; + invoker.TranslateDBinderStub(handle, dataParcel, isReply, totalDBinderBufSize); +} + +void OnAcquireObjectFuzzTest(FuzzedDataProvider &provider) +{ + uint32_t cmd = provider.ConsumeIntegral(); + + BinderInvoker invoker; + invoker.OnAcquireObject(cmd); +} + +void OnReleaseObjectFuzzTest(FuzzedDataProvider &provider) +{ + uint32_t cmd = provider.ConsumeIntegral(); + + BinderInvoker invoker; + invoker.OnReleaseObject(cmd); +} + +void GetAccessTokenFuzzTest(FuzzedDataProvider &provider) +{ + uint64_t callerTokenID = provider.ConsumeIntegral(); + uint64_t firstTokenID = provider.ConsumeIntegral(); + + BinderInvoker invoker; + invoker.GetAccessToken(callerTokenID, firstTokenID); +} + +void GetSenderInfoFuzzTest(FuzzedDataProvider &provider) +{ + uint64_t callerTokenID = provider.ConsumeIntegral(); + uint64_t firstTokenID = provider.ConsumeIntegral(); + pid_t realPid; + + BinderInvoker invoker; + invoker.GetSenderInfo(callerTokenID, firstTokenID, realPid); +} + +/* Fuzzer entry point */ +extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) +{ + /* Run your code on data */ + FuzzedDataProvider provider(data, size); + OHOS::TranslateDBinderStubFuzzTest(provider); + OHOS::OnAcquireObjectFuzzTest(provider); + OHOS::OnReleaseObjectFuzzTest(provider); + OHOS::GetAccessTokenFuzzTest(provider); + OHOS::GetSenderInfoFuzzTest(provider); + return 0; +} +} // namespace OHOS \ No newline at end of file diff --git a/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew002_fuzzer/corpus/init b/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew002_fuzzer/corpus/init new file mode 100644 index 0000000000000000000000000000000000000000..7ade8a0faafeaedba7241e7d4a97b8e1f9691932 --- /dev/null +++ b/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew002_fuzzer/corpus/init @@ -0,0 +1,16 @@ +/* + * Copyright (c) 2025 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +FUZZ \ No newline at end of file diff --git a/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew002_fuzzer/project.xml b/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew002_fuzzer/project.xml new file mode 100644 index 0000000000000000000000000000000000000000..226522bd2ad3eaf2db4f710f1924d82d2912c235 --- /dev/null +++ b/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew002_fuzzer/project.xml @@ -0,0 +1,25 @@ + + + + + + 10000 + + 300 + + 4096 + + diff --git a/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew003_fuzzer/BUILD.gn b/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew003_fuzzer/BUILD.gn new file mode 100644 index 0000000000000000000000000000000000000000..881f7bcc5a96c986e39d7eec3227ac7aafd2cb5f --- /dev/null +++ b/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew003_fuzzer/BUILD.gn @@ -0,0 +1,41 @@ +# Copyright (c) 2025 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#####################hydra-fuzz################### +import("//build/config/features.gni") +import("//build/test.gni") + +##############################fuzztest########################################## +ohos_fuzztest("BinderInvokerNew003FuzzTest") { + module_out_path = "ipc/ipc" + fuzz_config_file = "../binderinvokernew003_fuzzer" + + cflags = [ + "-Wno-unused-variable", + "-fno-omit-frame-pointer", + ] + include_dirs = [ "../include" ] + sources = [ "binderinvokernew003_fuzzer.cpp" ] + + deps = [ "../../../../../../../../test:ipc_single_test_static" ] + + defines = [ + "private = public", + "protected = public", + ] + + external_deps = [ + "c_utils:utils", + "hilog:libhilog", + ] +} diff --git a/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew003_fuzzer/binderinvokernew003_fuzzer.cpp b/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew003_fuzzer/binderinvokernew003_fuzzer.cpp new file mode 100644 index 0000000000000000000000000000000000000000..92872455830602cb2f1e4f244855b87a57fe3c93 --- /dev/null +++ b/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew003_fuzzer/binderinvokernew003_fuzzer.cpp @@ -0,0 +1,111 @@ +/* + * Copyright (c) 2025 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "binderinvokernew_fuzzer.h" +#include "binder_invoker.h" +#include "ipc_object_proxy.h" +#include "ipc_object_stub.h" +#include "message_parcel.h" +#include "string_ex.h" +#include + +namespace OHOS { +static constexpr size_t MAX_BYTES_SIZE = 50; + +void SamgrServiceSendRequestFuzzTest(FuzzedDataProvider &provider) +{ + MessageParcel dataParcel; + size_t bytesSize = provider.ConsumeIntegralInRange(1, MAX_BYTES_SIZE); + std::vector bytes = provider.ConsumeBytes(bytesSize); + dataParcel.WriteBuffer(bytes.data(), bytes.size()); + binder_transaction_data transData; + MessageParcel reply; + MessageOption option; + + BinderInvoker invoker; + invoker.SamgrServiceSendRequest(transData, dataParcel, reply, option); +} + +void GeneralServiceSendRequestFuzzTest(FuzzedDataProvider &provider) +{ + MessageParcel dataParcel; + size_t bytesSize = provider.ConsumeIntegralInRange(1, MAX_BYTES_SIZE); + std::vector bytes = provider.ConsumeBytes(bytesSize); + dataParcel.WriteBuffer(bytes.data(), bytes.size()); + binder_transaction_data transData; + transData.target.ptr = 0; + transData.code = provider.ConsumeIntegral(); + transData.cookie = provider.ConsumeIntegral(); + MessageParcel reply; + MessageOption option; + + BinderInvoker invoker; + invoker.GeneralServiceSendRequest(transData, dataParcel, reply, option); +} + +void TargetStubSendRequestFuzzTest(FuzzedDataProvider &provider) +{ + MessageParcel dataParcel; + binder_transaction_data transData; + transData.target.ptr = provider.ConsumeIntegral(); + transData.flags = provider.ConsumeIntegral(); + MessageParcel reply; + MessageOption option; + uint32_t flagValue; + + BinderInvoker invoker; + invoker.TargetStubSendRequest(transData, dataParcel, reply, option, flagValue); +} + +void OnTransactionFuzzTest001(FuzzedDataProvider &provider) +{ + uint32_t cmd = provider.ConsumeIntegral(); + int32_t error; + + BinderInvoker invoker; + invoker.OnTransaction(cmd, error); +} + +void OnTransactionFuzzTest002(FuzzedDataProvider &provider) +{ + uint32_t cmd = provider.ConsumeIntegral(); + int32_t error; + MessageParcel dataParcel; + + BinderInvoker invoker; + if (cmd != static_cast(BR_TRANSACTION_SEC_CTX)) { + binder_transaction_data tr {}; + invoker.input_.WriteBuffer(&tr, sizeof(binder_transaction_data)); + invoker.OnTransaction(cmd, error); + } + cmd = static_cast(BR_TRANSACTION_SEC_CTX); + binder_transaction_data_secctx trSecctx {}; + invoker.input_.WriteBuffer(&trSecctx, sizeof(binder_transaction_data_secctx)); + invoker.OnTransaction(cmd, error); +} + +/* Fuzzer entry point */ +extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) +{ + /* Run your code on data */ + FuzzedDataProvider provider(data, size); + OHOS::SamgrServiceSendRequestFuzzTest(provider); + OHOS::GeneralServiceSendRequestFuzzTest(provider); + OHOS::TargetStubSendRequestFuzzTest(provider); + OHOS::OnTransactionFuzzTest001(provider); + OHOS::OnTransactionFuzzTest002(provider); + return 0; +} +} // namespace OHOS \ No newline at end of file diff --git a/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew003_fuzzer/corpus/init b/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew003_fuzzer/corpus/init new file mode 100644 index 0000000000000000000000000000000000000000..7ade8a0faafeaedba7241e7d4a97b8e1f9691932 --- /dev/null +++ b/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew003_fuzzer/corpus/init @@ -0,0 +1,16 @@ +/* + * Copyright (c) 2025 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +FUZZ \ No newline at end of file diff --git a/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew003_fuzzer/project.xml b/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew003_fuzzer/project.xml new file mode 100644 index 0000000000000000000000000000000000000000..226522bd2ad3eaf2db4f710f1924d82d2912c235 --- /dev/null +++ b/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew003_fuzzer/project.xml @@ -0,0 +1,25 @@ + + + + + + 10000 + + 300 + + 4096 + + diff --git a/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew004_fuzzer/BUILD.gn b/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew004_fuzzer/BUILD.gn new file mode 100644 index 0000000000000000000000000000000000000000..ec79cf65d16233ec30b01a578dca24df63b4ee73 --- /dev/null +++ b/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew004_fuzzer/BUILD.gn @@ -0,0 +1,41 @@ +# Copyright (c) 2025 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#####################hydra-fuzz################### +import("//build/config/features.gni") +import("//build/test.gni") + +##############################fuzztest########################################## +ohos_fuzztest("BinderInvokerNew004FuzzTest") { + module_out_path = "ipc/ipc" + fuzz_config_file = "../binderinvokernew004_fuzzer" + + cflags = [ + "-Wno-unused-variable", + "-fno-omit-frame-pointer", + ] + include_dirs = [ "../include" ] + sources = [ "binderinvokernew004_fuzzer.cpp" ] + + deps = [ "../../../../../../../../test:ipc_single_test_static" ] + + defines = [ + "private = public", + "protected = public", + ] + + external_deps = [ + "c_utils:utils", + "hilog:libhilog", + ] +} diff --git a/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew004_fuzzer/binderinvokernew004_fuzzer.cpp b/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew004_fuzzer/binderinvokernew004_fuzzer.cpp new file mode 100644 index 0000000000000000000000000000000000000000..3c886ed54e4274ad69f0cba6ffa951ea1ee6a1bb --- /dev/null +++ b/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew004_fuzzer/binderinvokernew004_fuzzer.cpp @@ -0,0 +1,102 @@ +/* + * Copyright (c) 2025 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "binderinvokernew_fuzzer.h" +#include "binder_invoker.h" +#include "ipc_object_proxy.h" +#include "ipc_object_stub.h" +#include "message_parcel.h" +#include "string_ex.h" +#include + +namespace OHOS { +static constexpr size_t MAX_BYTES_SIZE = 50; +static const std::vector cmdList = { + binder_driver_return_protocol::BR_ERROR, + binder_driver_return_protocol::BR_OK, + binder_driver_return_protocol::BR_TRANSACTION_SEC_CTX, + binder_driver_return_protocol::BR_TRANSACTION, + binder_driver_return_protocol::BR_REPLY, + binder_driver_return_protocol::BR_DEAD_REPLY, + binder_driver_return_protocol::BR_TRANSACTION_COMPLETE, + binder_driver_return_protocol::BR_INCREFS, + binder_driver_return_protocol::BR_ACQUIRE, + binder_driver_return_protocol::BR_RELEASE, + binder_driver_return_protocol::BR_DECREFS, + binder_driver_return_protocol::BR_ATTEMPT_ACQUIRE, + binder_driver_return_protocol::BR_NOOP, + binder_driver_return_protocol::BR_SPAWN_LOOPER, + binder_driver_return_protocol::BR_FINISHED, + binder_driver_return_protocol::BR_DEAD_BINDER, + binder_driver_return_protocol::BR_CLEAR_DEATH_NOTIFICATION_DONE, + binder_driver_return_protocol::BR_FAILED_REPLY, + binder_driver_return_protocol::BR_RELEASE_NODE, +}; + +void HandleReplyFuzzTest(FuzzedDataProvider &provider) +{ + MessageParcel dataParcel; + size_t bytesSize = provider.ConsumeIntegralInRange(1, MAX_BYTES_SIZE); + std::vector bytes = provider.ConsumeBytes(bytesSize); + dataParcel.WriteBuffer(bytes.data(), bytes.size()); + bool isStubRet; + + BinderInvoker invoker; + invoker.HandleReply(&dataParcel, isStubRet); +} + +void HandleCommandsInnerFuzzTest001(FuzzedDataProvider &provider) +{ + uint32_t cmd = provider.ConsumeIntegral(); + + BinderInvoker invoker; + invoker.HandleCommandsInner(cmd); + + for (auto cmd : cmdList) { + BinderInvoker invoker; + invoker.HandleCommandsInner(cmd); + } +} + +void HandleCommandsFuzzTest(FuzzedDataProvider &provider) +{ + uint32_t cmd = provider.ConsumeIntegral(); + + BinderInvoker invoker; + invoker.HandleCommands(cmd); +} + +void UpdateConsumedDataFuzzTest(FuzzedDataProvider &provider) +{ + binder_write_read bwr; + bwr.write_consumed = provider.ConsumeIntegral(); + bwr.read_consumed = provider.ConsumeIntegral(); + size_t outAvail = provider.ConsumeIntegral(); + BinderInvoker invoker; + invoker.UpdateConsumedData(bwr, outAvail); +} + +/* Fuzzer entry point */ +extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) +{ + /* Run your code on data */ + FuzzedDataProvider provider(data, size); + OHOS::HandleReplyFuzzTest(provider); + OHOS::HandleCommandsInnerFuzzTest001(provider); + OHOS::HandleCommandsFuzzTest(provider); + OHOS::UpdateConsumedDataFuzzTest(provider); + return 0; +} +} // namespace OHOS \ No newline at end of file diff --git a/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew004_fuzzer/corpus/init b/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew004_fuzzer/corpus/init new file mode 100644 index 0000000000000000000000000000000000000000..7ade8a0faafeaedba7241e7d4a97b8e1f9691932 --- /dev/null +++ b/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew004_fuzzer/corpus/init @@ -0,0 +1,16 @@ +/* + * Copyright (c) 2025 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +FUZZ \ No newline at end of file diff --git a/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew004_fuzzer/project.xml b/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew004_fuzzer/project.xml new file mode 100644 index 0000000000000000000000000000000000000000..226522bd2ad3eaf2db4f710f1924d82d2912c235 --- /dev/null +++ b/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew004_fuzzer/project.xml @@ -0,0 +1,25 @@ + + + + + + 10000 + + 300 + + 4096 + + diff --git a/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew005_fuzzer/BUILD.gn b/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew005_fuzzer/BUILD.gn new file mode 100644 index 0000000000000000000000000000000000000000..e19d42df4b4b2a20d95484e6c4531ddcbf7cd50a --- /dev/null +++ b/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew005_fuzzer/BUILD.gn @@ -0,0 +1,41 @@ +# Copyright (c) 2025 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#####################hydra-fuzz################### +import("//build/config/features.gni") +import("//build/test.gni") + +##############################fuzztest########################################## +ohos_fuzztest("BinderInvokerNew005FuzzTest") { + module_out_path = "ipc/ipc" + fuzz_config_file = "../binderinvokernew005_fuzzer" + + cflags = [ + "-Wno-unused-variable", + "-fno-omit-frame-pointer", + ] + include_dirs = [ "../include" ] + sources = [ "binderinvokernew005_fuzzer.cpp" ] + + deps = [ "../../../../../../../../test:ipc_single_test_static" ] + + defines = [ + "private = public", + "protected = public", + ] + + external_deps = [ + "c_utils:utils", + "hilog:libhilog", + ] +} diff --git a/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew005_fuzzer/binderinvokernew005_fuzzer.cpp b/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew005_fuzzer/binderinvokernew005_fuzzer.cpp new file mode 100644 index 0000000000000000000000000000000000000000..fafe37ce866ef787406dd8b278bbd1585a1265f9 --- /dev/null +++ b/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew005_fuzzer/binderinvokernew005_fuzzer.cpp @@ -0,0 +1,103 @@ +/* + * Copyright (c) 2025 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "binderinvokernew_fuzzer.h" +#include "binder_invoker.h" +#include "ipc_object_proxy.h" +#include "ipc_object_stub.h" +#include "message_parcel.h" +#include "string_ex.h" +#include + +namespace OHOS { +static constexpr size_t MAX_BYTES_SIZE = 50; + +void WriteTransactionFuzzTest(FuzzedDataProvider &provider) +{ + MessageParcel dataParcel; + size_t bytesSize = provider.ConsumeIntegralInRange(1, MAX_BYTES_SIZE); + std::vector bytes = provider.ConsumeBytes(bytesSize); + dataParcel.WriteBuffer(bytes.data(), bytes.size()); + int cmd = provider.ConsumeIntegral(); + uint32_t flags = provider.ConsumeIntegral(); + int32_t handle = provider.ConsumeIntegral(); + uint32_t code = provider.ConsumeIntegral(); + size_t statusSize = provider.ConsumeIntegralInRange(1, MAX_BYTES_SIZE); + std::vector statusBytes = provider.ConsumeBytes(statusSize); + int32_t *status = reinterpret_cast(statusBytes.data()); + size_t totalDBinderBufSize = provider.ConsumeIntegralInRange(1, MAX_BYTES_SIZE); + + BinderInvoker invoker; + invoker.WriteTransaction(cmd, flags, handle, code, dataParcel, status, totalDBinderBufSize); +} + +void OnReplyFuzzTest(FuzzedDataProvider &provider) +{ + MessageParcel reply; + size_t bytesSize = provider.ConsumeIntegralInRange(1, MAX_BYTES_SIZE); + std::vector bytes = provider.ConsumeBytes(bytesSize); + reply.WriteBuffer(bytes.data(), bytes.size()); + uint32_t cmd = provider.ConsumeIntegral(); + bool continueLoop; + int32_t error; + + BinderInvoker invoker; + invoker.OnReply(&reply, continueLoop, error, cmd); +} + +void DealWithCmdFuzzTest(FuzzedDataProvider &provider) +{ + MessageParcel reply; + uint32_t cmd = provider.ConsumeIntegral(); + bool continueLoop; + int32_t error; + + BinderInvoker invoker; + invoker.DealWithCmd(&reply, continueLoop, error, cmd); +} + +void SetRegistryObjectFuzzTest(FuzzedDataProvider &provider) +{ + MessageParcel dataParcel; + size_t bytesSize = provider.ConsumeIntegralInRange(1, MAX_BYTES_SIZE); + std::vector bytes = provider.ConsumeBytes(bytesSize); + dataParcel.WriteBuffer(bytes.data(), bytes.size()); + sptr object = dataParcel.ReadRemoteObject(); + + BinderInvoker invoker; + invoker.SetRegistryObject(object); +} + +void EnableIPCThreadReclaimFuzzTest(FuzzedDataProvider &provider) +{ + bool enable = provider.ConsumeBool(); + + BinderInvoker invoker; + invoker.EnableIPCThreadReclaim(enable); +} + +/* Fuzzer entry point */ +extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) +{ + /* Run your code on data */ + FuzzedDataProvider provider(data, size); + OHOS::WriteTransactionFuzzTest(provider); + OHOS::OnReplyFuzzTest(provider); + OHOS::DealWithCmdFuzzTest(provider); + OHOS::SetRegistryObjectFuzzTest(provider); + OHOS::EnableIPCThreadReclaimFuzzTest(provider); + return 0; +} +} // namespace OHOS \ No newline at end of file diff --git a/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew005_fuzzer/corpus/init b/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew005_fuzzer/corpus/init new file mode 100644 index 0000000000000000000000000000000000000000..7ade8a0faafeaedba7241e7d4a97b8e1f9691932 --- /dev/null +++ b/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew005_fuzzer/corpus/init @@ -0,0 +1,16 @@ +/* + * Copyright (c) 2025 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +FUZZ \ No newline at end of file diff --git a/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew005_fuzzer/project.xml b/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew005_fuzzer/project.xml new file mode 100644 index 0000000000000000000000000000000000000000..226522bd2ad3eaf2db4f710f1924d82d2912c235 --- /dev/null +++ b/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew005_fuzzer/project.xml @@ -0,0 +1,25 @@ + + + + + + 10000 + + 300 + + 4096 + + diff --git a/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew006_fuzzer/BUILD.gn b/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew006_fuzzer/BUILD.gn new file mode 100644 index 0000000000000000000000000000000000000000..b8c5c2ebb928e8e77b214593b0bb63d5dcae36cc --- /dev/null +++ b/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew006_fuzzer/BUILD.gn @@ -0,0 +1,41 @@ +# Copyright (c) 2025 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#####################hydra-fuzz################### +import("//build/config/features.gni") +import("//build/test.gni") + +##############################fuzztest########################################## +ohos_fuzztest("BinderInvokerNew006FuzzTest") { + module_out_path = "ipc/ipc" + fuzz_config_file = "../binderinvokernew006_fuzzer" + + cflags = [ + "-Wno-unused-variable", + "-fno-omit-frame-pointer", + ] + include_dirs = [ "../include" ] + sources = [ "binderinvokernew006_fuzzer.cpp" ] + + deps = [ "../../../../../../../../test:ipc_single_test_static" ] + + defines = [ + "private = public", + "protected = public", + ] + + external_deps = [ + "c_utils:utils", + "hilog:libhilog", + ] +} diff --git a/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew006_fuzzer/binderinvokernew006_fuzzer.cpp b/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew006_fuzzer/binderinvokernew006_fuzzer.cpp new file mode 100644 index 0000000000000000000000000000000000000000..edb0529eb68c6c9893d5d530fb7d5357021764ed --- /dev/null +++ b/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew006_fuzzer/binderinvokernew006_fuzzer.cpp @@ -0,0 +1,98 @@ +/* + * Copyright (c) 2025 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "binderinvokernew_fuzzer.h" +#include "binder_invoker.h" +#include "ipc_object_proxy.h" +#include "ipc_object_stub.h" +#include "message_parcel.h" +#include "string_ex.h" +#include + +namespace OHOS { +static constexpr size_t STR_MAX_LEN = 100; +static constexpr size_t MAX_BYTES_SIZE = 50; + +void PrintParcelDataFuzzTest(FuzzedDataProvider &provider) +{ + MessageParcel dataParcel; + size_t bytesSize = provider.ConsumeIntegralInRange(1, MAX_BYTES_SIZE); + std::vector bytes = provider.ConsumeBytes(bytesSize); + dataParcel.WriteBuffer(bytes.data(), bytes.size()); + std::string parcelName = provider.ConsumeRandomLengthString(STR_MAX_LEN); + + BinderInvoker invoker; + invoker.PrintParcelData(dataParcel, parcelName); +} + +void GetUint64ValueByStrSliceFuzzTest(FuzzedDataProvider &provider) +{ + std::string str = provider.ConsumeRandomLengthString(STR_MAX_LEN); + size_t offset = provider.ConsumeIntegral(); + size_t length = provider.ConsumeIntegralInRange(0, std::numeric_limits::max() - offset); + uint64_t value; + + BinderInvoker invoker; + invoker.GetUint64ValueByStrSlice(str, offset, length, value); +} + +void GetCallerRealPidByStrFuzzTest001(FuzzedDataProvider &provider) +{ + std::string str = provider.ConsumeRandomLengthString(STR_MAX_LEN); + size_t offset = provider.ConsumeIntegral(); + size_t length = provider.ConsumeIntegralInRange(0, std::numeric_limits::max() - offset); + pid_t callerRealPid; + + BinderInvoker invoker; + invoker.GetCallerRealPidByStr(str, offset, length, callerRealPid); +} + +void GetCallerRealPidByStrFuzzTest002(FuzzedDataProvider &provider) +{ + int32_t num = provider.ConsumeIntegral(); + std::string identity = "<" + std::to_string(num); + size_t offset = provider.ConsumeIntegralInRange(0, identity.length()); + size_t length = provider.ConsumeIntegralInRange(0, identity.length()); + pid_t callerRealPid; + + BinderInvoker invoker; + invoker.GetCallerRealPidByStr(identity, offset, length, callerRealPid); +} + +void GetCallerPidAndUidByStrFuzzTest(FuzzedDataProvider &provider) +{ + int32_t num = provider.ConsumeIntegral(); + std::string str = "<" + std::to_string(num); + size_t offset = provider.ConsumeIntegralInRange(0, str.length()); + pid_t pid = 0; + pid_t uid = 0; + + BinderInvoker binderInvoker; + binderInvoker.GetCallerPidAndUidByStr(str, offset, pid, uid); +} + +/* Fuzzer entry point */ +extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) +{ + /* Run your code on data */ + FuzzedDataProvider provider(data, size); + OHOS::PrintParcelDataFuzzTest(provider); + OHOS::GetUint64ValueByStrSliceFuzzTest(provider); + OHOS::GetCallerRealPidByStrFuzzTest001(provider); + OHOS::GetCallerRealPidByStrFuzzTest002(provider); + OHOS::GetCallerPidAndUidByStrFuzzTest(provider); + return 0; +} +} // namespace OHOS \ No newline at end of file diff --git a/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew006_fuzzer/corpus/init b/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew006_fuzzer/corpus/init new file mode 100644 index 0000000000000000000000000000000000000000..7ade8a0faafeaedba7241e7d4a97b8e1f9691932 --- /dev/null +++ b/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew006_fuzzer/corpus/init @@ -0,0 +1,16 @@ +/* + * Copyright (c) 2025 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +FUZZ \ No newline at end of file diff --git a/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew006_fuzzer/project.xml b/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew006_fuzzer/project.xml new file mode 100644 index 0000000000000000000000000000000000000000..226522bd2ad3eaf2db4f710f1924d82d2912c235 --- /dev/null +++ b/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew006_fuzzer/project.xml @@ -0,0 +1,25 @@ + + + + + + 10000 + + 300 + + 4096 + + diff --git a/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew007_fuzzer/BUILD.gn b/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew007_fuzzer/BUILD.gn new file mode 100644 index 0000000000000000000000000000000000000000..4c6bccb12cb2d9a6aa4677b596c56fae0acef5b3 --- /dev/null +++ b/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew007_fuzzer/BUILD.gn @@ -0,0 +1,41 @@ +# Copyright (c) 2025 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#####################hydra-fuzz################### +import("//build/config/features.gni") +import("//build/test.gni") + +##############################fuzztest########################################## +ohos_fuzztest("BinderInvokerNew007FuzzTest") { + module_out_path = "ipc/ipc" + fuzz_config_file = "../binderinvokernew007_fuzzer" + + cflags = [ + "-Wno-unused-variable", + "-fno-omit-frame-pointer", + ] + include_dirs = [ "../include" ] + sources = [ "binderinvokernew007_fuzzer.cpp" ] + + deps = [ "../../../../../../../../test:ipc_single_test_static" ] + + defines = [ + "private = public", + "protected = public", + ] + + external_deps = [ + "c_utils:utils", + "hilog:libhilog", + ] +} diff --git a/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew007_fuzzer/binderinvokernew007_fuzzer.cpp b/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew007_fuzzer/binderinvokernew007_fuzzer.cpp new file mode 100644 index 0000000000000000000000000000000000000000..b34ce513fa59a247f481b6647ff9c6bf97b194c1 --- /dev/null +++ b/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew007_fuzzer/binderinvokernew007_fuzzer.cpp @@ -0,0 +1,118 @@ +/* + * Copyright (c) 2025 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "binderinvokernew_fuzzer.h" +#include "binder_invoker.h" +#include "ipc_object_proxy.h" +#include "ipc_object_stub.h" +#include "message_parcel.h" +#include "string_ex.h" +#include + +namespace OHOS { +static const std::vector binderTypeList = { + BINDER_TYPE_BINDER, + BINDER_TYPE_WEAK_BINDER, + BINDER_TYPE_HANDLE, + BINDER_TYPE_WEAK_HANDLE, + BINDER_TYPE_FD, + BINDER_TYPE_FDA, + BINDER_TYPE_PTR, +}; + +void SetCallingIdentityFuzzTest(FuzzedDataProvider &provider) +{ + BinderInvoker invoker; + std::string identity = invoker.ResetCallingIdentity(); + bool flag = provider.ConsumeBool(); + invoker.SetCallingIdentity(identity, flag); +} + +void UnFlattenDBinderObjectFuzzTest001(FuzzedDataProvider &provider) +{ + MessageParcel dataParcel; + binder_buffer_object obj; + int index = provider.ConsumeIntegralInRange(0, binderTypeList.size() - 1); + obj.hdr.type = binderTypeList[index]; + obj.flags = provider.ConsumeIntegral(); + obj.length = provider.ConsumeIntegral(); + obj.parent = provider.ConsumeIntegral(); + obj.parent_offset = provider.ConsumeIntegral(); + dataParcel.WriteBuffer(&obj, sizeof(binder_buffer_object)); + dbinder_negotiation_data dbinderData; + + BinderInvoker invoker; + invoker.UnFlattenDBinderObject(dataParcel, dbinderData); + dataParcel.FlushBuffer(); +} + +void UnFlattenDBinderObjectFuzzTest002(FuzzedDataProvider &provider) +{ + MessageParcel dataParcel; + binder_buffer_object obj; + obj.hdr.type = BINDER_TYPE_PTR; + obj.flags = provider.ConsumeIntegral() | BINDER_BUFFER_FLAG_HAS_DBINDER; + obj.length = sizeof(dbinder_negotiation_data); + obj.parent = provider.ConsumeIntegral(); + obj.parent_offset = provider.ConsumeIntegral(); + std::shared_ptr buffer = std::make_shared(); + if (buffer == nullptr) { + return; + } + obj.buffer = reinterpret_cast(buffer.get()); + dataParcel.WriteBuffer(&obj, sizeof(binder_buffer_object)); + dbinder_negotiation_data dbinderData; + + BinderInvoker invoker; + invoker.UnFlattenDBinderObject(dataParcel, dbinderData); + dataParcel.FlushBuffer(); +} + +void SetMaxWorkThreadFuzzTest(FuzzedDataProvider &provider) +{ + int32_t maxWorkThread = provider.ConsumeIntegral(); + + BinderInvoker invoker; + invoker.SetMaxWorkThread(maxWorkThread); + invoker.binderConnector_ = nullptr; + invoker.SetMaxWorkThread(maxWorkThread); +} + +void WaitForCompletionFuzzTest(FuzzedDataProvider &provider) +{ + MessageParcel reply; + + BinderInvoker invoker; + bool isDead = provider.ConsumeBool(); + uint32_t cmd = isDead ? BR_DEAD_REPLY : BR_FAILED_REPLY; + invoker.input_.WriteUint32(cmd); + invoker.WaitForCompletion(&reply); + invoker.binderConnector_ = nullptr; + invoker.WaitForCompletion(&reply); +} + +/* Fuzzer entry point */ +extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) +{ + /* Run your code on data */ + FuzzedDataProvider provider(data, size); + OHOS::UnFlattenDBinderObjectFuzzTest001(provider); + OHOS::UnFlattenDBinderObjectFuzzTest002(provider); + OHOS::SetMaxWorkThreadFuzzTest(provider); + OHOS::WaitForCompletionFuzzTest(provider); + OHOS::SetCallingIdentityFuzzTest(provider); + return 0; +} +} // namespace OHOS \ No newline at end of file diff --git a/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew007_fuzzer/corpus/init b/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew007_fuzzer/corpus/init new file mode 100644 index 0000000000000000000000000000000000000000..7ade8a0faafeaedba7241e7d4a97b8e1f9691932 --- /dev/null +++ b/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew007_fuzzer/corpus/init @@ -0,0 +1,16 @@ +/* + * Copyright (c) 2025 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +FUZZ \ No newline at end of file diff --git a/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew007_fuzzer/project.xml b/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew007_fuzzer/project.xml new file mode 100644 index 0000000000000000000000000000000000000000..226522bd2ad3eaf2db4f710f1924d82d2912c235 --- /dev/null +++ b/test/fuzztest/ipc/native/src/core/binderinvokernew/binderinvokernew007_fuzzer/project.xml @@ -0,0 +1,25 @@ + + + + + + 10000 + + 300 + + 4096 + + diff --git a/test/fuzztest/ipc/native/src/core/binderinvokernew_fuzzer/binderinvokernew_fuzzer.h b/test/fuzztest/ipc/native/src/core/binderinvokernew/include/binderinvokernew_fuzzer.h similarity index 100% rename from test/fuzztest/ipc/native/src/core/binderinvokernew_fuzzer/binderinvokernew_fuzzer.h rename to test/fuzztest/ipc/native/src/core/binderinvokernew/include/binderinvokernew_fuzzer.h diff --git a/test/fuzztest/ipc/native/src/core/binderinvokernew_fuzzer/binderinvokernew_fuzzer.cpp b/test/fuzztest/ipc/native/src/core/binderinvokernew_fuzzer/binderinvokernew_fuzzer.cpp deleted file mode 100644 index 89196cb964122cf320c58b8c052f090d0e2e8268..0000000000000000000000000000000000000000 --- a/test/fuzztest/ipc/native/src/core/binderinvokernew_fuzzer/binderinvokernew_fuzzer.cpp +++ /dev/null @@ -1,510 +0,0 @@ -/* - * Copyright (c) 2025 Huawei Device Co., Ltd. - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -#include "binderinvokernew_fuzzer.h" -#include "binder_invoker.h" -#include "ipc_object_proxy.h" -#include "ipc_object_stub.h" -#include "message_parcel.h" -#include "string_ex.h" -#include - -namespace OHOS { - -static constexpr size_t STR_MAX_LEN = 100; -static constexpr pid_t INVALID_PID = -1; -static const std::vector cmdList = { - binder_driver_return_protocol::BR_ERROR, - binder_driver_return_protocol::BR_OK, - binder_driver_return_protocol::BR_TRANSACTION_SEC_CTX, - binder_driver_return_protocol::BR_TRANSACTION, - binder_driver_return_protocol::BR_REPLY, - binder_driver_return_protocol::BR_DEAD_REPLY, - binder_driver_return_protocol::BR_TRANSACTION_COMPLETE, - binder_driver_return_protocol::BR_INCREFS, - binder_driver_return_protocol::BR_ACQUIRE, - binder_driver_return_protocol::BR_RELEASE, - binder_driver_return_protocol::BR_DECREFS, - binder_driver_return_protocol::BR_ATTEMPT_ACQUIRE, - binder_driver_return_protocol::BR_NOOP, - binder_driver_return_protocol::BR_SPAWN_LOOPER, - binder_driver_return_protocol::BR_FINISHED, - binder_driver_return_protocol::BR_DEAD_BINDER, - binder_driver_return_protocol::BR_CLEAR_DEATH_NOTIFICATION_DONE, - binder_driver_return_protocol::BR_FAILED_REPLY, - binder_driver_return_protocol::BR_RELEASE_NODE, -}; -static const std::vector binderTypeList = { - BINDER_TYPE_BINDER, - BINDER_TYPE_WEAK_BINDER, - BINDER_TYPE_HANDLE, - BINDER_TYPE_WEAK_HANDLE, - BINDER_TYPE_FD, - BINDER_TYPE_FDA, - BINDER_TYPE_PTR, -}; - -void AcquireHandleFuzzTest(FuzzedDataProvider &provider) -{ - int32_t handle = provider.ConsumeIntegral(); - - BinderInvoker invoker; - invoker.AcquireHandle(handle); -} - -void TranslateDBinderProxyFuzzTest(FuzzedDataProvider &provider) -{ - MessageParcel dataParcel; - size_t bytesSize = provider.ConsumeIntegralInRange(1, 50); - std::vector bytes = provider.ConsumeBytes(bytesSize); - dataParcel.WriteBuffer(bytes.data(), bytes.size()); - int32_t handle = provider.ConsumeIntegral(); - - BinderInvoker invoker; - invoker.TranslateDBinderProxy(handle, dataParcel); -} - -void AddCommAuthFuzzTest(FuzzedDataProvider &provider) -{ - int32_t handle = provider.ConsumeIntegral(); - flat_binder_object flat; - flat.handle = provider.ConsumeIntegral(); - - BinderInvoker invoker; - invoker.AddCommAuth(handle, &flat); -} - -void GetDBinderCallingPidUidFuzzTest001(FuzzedDataProvider &provider) -{ - int32_t handle = provider.ConsumeIntegral(); - bool isReply = provider.ConsumeBool(); - pid_t pid = static_cast(provider.ConsumeIntegral()); - uid_t uid = static_cast(provider.ConsumeIntegral()); - - BinderInvoker invoker; - invoker.GetDBinderCallingPidUid(handle, isReply, pid, uid); -} - -void GetDBinderCallingPidUidFuzzTest002(FuzzedDataProvider &provider) -{ - int32_t handle = provider.ConsumeIntegral(); - bool isReply = provider.ConsumeBool(); - pid_t pid = INVALID_PID; - uid_t uid = static_cast(provider.ConsumeIntegral()); - - BinderInvoker invoker; - invoker.GetDBinderCallingPidUid(handle, isReply, pid, uid); -} - -void TranslateDBinderStubFuzzTest(FuzzedDataProvider &provider) -{ - MessageParcel dataParcel; - size_t bytesSize = provider.ConsumeIntegralInRange(1, 50); - std::vector bytes = provider.ConsumeBytes(bytesSize); - dataParcel.WriteBuffer(bytes.data(), bytes.size()); - int32_t handle = provider.ConsumeIntegral(); - bool isReply = provider.ConsumeBool(); - size_t totalDBinderBufSize; - - BinderInvoker invoker; - invoker.TranslateDBinderStub(handle, dataParcel, isReply, totalDBinderBufSize); -} - -void OnAcquireObjectFuzzTest(FuzzedDataProvider &provider) -{ - uint32_t cmd = provider.ConsumeIntegral(); - - BinderInvoker invoker; - invoker.OnAcquireObject(cmd); -} - -void OnReleaseObjectFuzzTest(FuzzedDataProvider &provider) -{ - uint32_t cmd = provider.ConsumeIntegral(); - - BinderInvoker invoker; - invoker.OnReleaseObject(cmd); -} - -void GetAccessTokenFuzzTest(FuzzedDataProvider &provider) -{ - uint64_t callerTokenID = provider.ConsumeIntegral(); - uint64_t firstTokenID = provider.ConsumeIntegral(); - - BinderInvoker invoker; - invoker.GetAccessToken(callerTokenID, firstTokenID); -} - -void GetSenderInfoFuzzTest(FuzzedDataProvider &provider) -{ - uint64_t callerTokenID = provider.ConsumeIntegral(); - uint64_t firstTokenID = provider.ConsumeIntegral(); - pid_t realPid; - - BinderInvoker invoker; - invoker.GetSenderInfo(callerTokenID, firstTokenID, realPid); -} - -void SamgrServiceSendRequestFuzzTest(FuzzedDataProvider &provider) -{ - MessageParcel dataParcel; - size_t bytesSize = provider.ConsumeIntegralInRange(1, 50); - std::vector bytes = provider.ConsumeBytes(bytesSize); - dataParcel.WriteBuffer(bytes.data(), bytes.size()); - binder_transaction_data transData; - MessageParcel reply; - MessageOption option; - - BinderInvoker invoker; - invoker.SamgrServiceSendRequest(transData, dataParcel, reply, option); -} - -void GeneralServiceSendRequestFuzzTest(FuzzedDataProvider &provider) -{ - MessageParcel dataParcel; - size_t bytesSize = provider.ConsumeIntegralInRange(1, 50); - std::vector bytes = provider.ConsumeBytes(bytesSize); - dataParcel.WriteBuffer(bytes.data(), bytes.size()); - binder_transaction_data transData; - transData.target.ptr = 0; - transData.code = provider.ConsumeIntegral(); - transData.cookie = provider.ConsumeIntegral(); - MessageParcel reply; - MessageOption option; - - BinderInvoker invoker; - invoker.GeneralServiceSendRequest(transData, dataParcel, reply, option); -} - -void TargetStubSendRequestFuzzTest(FuzzedDataProvider &provider) -{ - MessageParcel dataParcel; - binder_transaction_data transData; - transData.target.ptr = provider.ConsumeIntegral(); - transData.flags = provider.ConsumeIntegral(); - MessageParcel reply; - MessageOption option; - uint32_t flagValue; - - BinderInvoker invoker; - invoker.TargetStubSendRequest(transData, dataParcel, reply, option, flagValue); -} - -void OnTransactionFuzzTest001(FuzzedDataProvider &provider) -{ - uint32_t cmd = provider.ConsumeIntegral(); - int32_t error; - - BinderInvoker invoker; - invoker.OnTransaction(cmd, error); -} - -void OnTransactionFuzzTest002(FuzzedDataProvider &provider) -{ - uint32_t cmd = provider.ConsumeIntegral(); - int32_t error; - MessageParcel dataParcel; - - BinderInvoker invoker; - if (cmd == static_cast(BR_TRANSACTION_SEC_CTX)) { - binder_transaction_data_secctx trSecctx {}; - invoker.input_.WriteBuffer(&trSecctx, sizeof(binder_transaction_data_secctx)); - } else { - binder_transaction_data tr {}; - invoker.input_.WriteBuffer(&tr, sizeof(binder_transaction_data)); - } - invoker.OnTransaction(cmd, error); -} - -void HandleReplyFuzzTest(FuzzedDataProvider &provider) -{ - MessageParcel dataParcel; - size_t bytesSize = provider.ConsumeIntegralInRange(1, 50); - std::vector bytes = provider.ConsumeBytes(bytesSize); - dataParcel.WriteBuffer(bytes.data(), bytes.size()); - bool isStubRet; - - BinderInvoker invoker; - invoker.HandleReply(&dataParcel, isStubRet); -} - -void HandleCommandsInnerFuzzTest001(FuzzedDataProvider &provider) -{ - uint32_t cmd = provider.ConsumeIntegral(); - - BinderInvoker invoker; - invoker.HandleCommandsInner(cmd); -} - -void HandleCommandsInnerFuzzTest002() -{ - for (auto cmd : cmdList) { - BinderInvoker invoker; - invoker.HandleCommandsInner(cmd); - } -} - -void HandleCommandsFuzzTest(FuzzedDataProvider &provider) -{ - uint32_t cmd = provider.ConsumeIntegral(); - - BinderInvoker invoker; - invoker.HandleCommands(cmd); -} - -void UpdateConsumedDataFuzzTest(FuzzedDataProvider &provider) -{ - binder_write_read bwr; - bwr.write_consumed = provider.ConsumeIntegral(); - bwr.read_consumed = provider.ConsumeIntegral(); - size_t outAvail = provider.ConsumeIntegral(); - BinderInvoker invoker; - invoker.UpdateConsumedData(bwr, outAvail); -} - -void WriteTransactionFuzzTest(FuzzedDataProvider &provider) -{ - MessageParcel dataParcel; - size_t bytesSize = provider.ConsumeIntegralInRange(1, 50); - std::vector bytes = provider.ConsumeBytes(bytesSize); - dataParcel.WriteBuffer(bytes.data(), bytes.size()); - int cmd = provider.ConsumeIntegral(); - uint32_t flags = provider.ConsumeIntegral(); - int32_t handle = provider.ConsumeIntegral(); - uint32_t code = provider.ConsumeIntegral(); - size_t statusSize = provider.ConsumeIntegralInRange(1, 50); - std::vector statusBytes = provider.ConsumeBytes(statusSize); - int32_t *status = reinterpret_cast(statusBytes.data()); - size_t totalDBinderBufSize = provider.ConsumeIntegralInRange(1, 50); - - BinderInvoker invoker; - invoker.WriteTransaction(cmd, flags, handle, code, dataParcel, status, totalDBinderBufSize); -} - -void OnReplyFuzzTest(FuzzedDataProvider &provider) -{ - MessageParcel reply; - size_t bytesSize = provider.ConsumeIntegralInRange(1, 50); - std::vector bytes = provider.ConsumeBytes(bytesSize); - reply.WriteBuffer(bytes.data(), bytes.size()); - uint32_t cmd = provider.ConsumeIntegral(); - bool continueLoop; - int32_t error; - - BinderInvoker invoker; - invoker.OnReply(&reply, continueLoop, error, cmd); -} - -void DealWithCmdFuzzTest(FuzzedDataProvider &provider) -{ - MessageParcel reply; - uint32_t cmd = provider.ConsumeIntegral(); - bool continueLoop; - int32_t error; - - BinderInvoker invoker; - invoker.DealWithCmd(&reply, continueLoop, error, cmd); -} - -void SetRegistryObjectFuzzTest(FuzzedDataProvider &provider) -{ - MessageParcel dataParcel; - size_t bytesSize = provider.ConsumeIntegralInRange(1, 50); - std::vector bytes = provider.ConsumeBytes(bytesSize); - dataParcel.WriteBuffer(bytes.data(), bytes.size()); - sptr object = dataParcel.ReadRemoteObject(); - - BinderInvoker invoker; - invoker.SetRegistryObject(object); -} - -void EnableIPCThreadReclaimFuzzTest(FuzzedDataProvider &provider) -{ - bool enable = provider.ConsumeBool(); - - BinderInvoker invoker; - invoker.EnableIPCThreadReclaim(enable); -} - -void PrintParcelDataFuzzTest(FuzzedDataProvider &provider) -{ - MessageParcel dataParcel; - size_t bytesSize = provider.ConsumeIntegralInRange(1, 50); - std::vector bytes = provider.ConsumeBytes(bytesSize); - dataParcel.WriteBuffer(bytes.data(), bytes.size()); - std::string parcelName = provider.ConsumeRandomLengthString(STR_MAX_LEN); - - BinderInvoker invoker; - invoker.PrintParcelData(dataParcel, parcelName); -} - -void GetUint64ValueByStrSliceFuzzTest(FuzzedDataProvider &provider) -{ - std::string str = provider.ConsumeRandomLengthString(STR_MAX_LEN); - size_t offset = provider.ConsumeIntegral(); - size_t length = provider.ConsumeIntegralInRange(0, std::numeric_limits::max() - offset); - uint64_t value; - - BinderInvoker invoker; - invoker.GetUint64ValueByStrSlice(str, offset, length, value); -} - -void GetCallerRealPidByStrFuzzTest001(FuzzedDataProvider &provider) -{ - std::string str = provider.ConsumeRandomLengthString(STR_MAX_LEN); - size_t offset = provider.ConsumeIntegral(); - size_t length = provider.ConsumeIntegralInRange(0, std::numeric_limits::max() - offset); - pid_t callerRealPid; - - BinderInvoker invoker; - invoker.GetCallerRealPidByStr(str, offset, length, callerRealPid); -} - -void GetCallerRealPidByStrFuzzTest002(FuzzedDataProvider &provider) -{ - int32_t num = provider.ConsumeIntegral(); - std::string identity = "<" + std::to_string(num); - size_t offset = provider.ConsumeIntegralInRange(0, identity.length()); - size_t length = provider.ConsumeIntegralInRange(0, identity.length()); - pid_t callerRealPid; - - BinderInvoker invoker; - invoker.GetCallerRealPidByStr(identity, offset, length, callerRealPid); -} - -void GetCallerPidAndUidByStrFuzzTest(FuzzedDataProvider &provider) -{ - int32_t num = provider.ConsumeIntegral(); - std::string str = "<" + std::to_string(num); - size_t offset = provider.ConsumeIntegralInRange(0, str.length()); - pid_t pid = 0; - pid_t uid = 0; - - BinderInvoker binderInvoker; - binderInvoker.GetCallerPidAndUidByStr(str, offset, pid, uid); -} - -void SetCallingIdentityFuzzTest(FuzzedDataProvider &provider) -{ - BinderInvoker invoker; - std::string identity = invoker.ResetCallingIdentity(); - bool flag = provider.ConsumeBool(); - invoker.SetCallingIdentity(identity, flag); -} - -void UnFlattenDBinderObjectFuzzTest001(FuzzedDataProvider &provider) -{ - MessageParcel dataParcel; - binder_buffer_object obj; - int index = provider.ConsumeIntegralInRange(0, binderTypeList.size() - 1); - obj.hdr.type = binderTypeList[index]; - obj.flags = provider.ConsumeIntegral(); - obj.length = provider.ConsumeIntegral(); - obj.parent = provider.ConsumeIntegral(); - obj.parent_offset = provider.ConsumeIntegral(); - dataParcel.WriteBuffer(&obj, sizeof(binder_buffer_object)); - dbinder_negotiation_data dbinderData; - - BinderInvoker invoker; - invoker.UnFlattenDBinderObject(dataParcel, dbinderData); -} - -void UnFlattenDBinderObjectFuzzTest002(FuzzedDataProvider &provider) -{ - MessageParcel dataParcel; - binder_buffer_object obj; - obj.hdr.type = BINDER_TYPE_PTR; - obj.flags = provider.ConsumeIntegral() | BINDER_BUFFER_FLAG_HAS_DBINDER; - obj.length = sizeof(dbinder_negotiation_data); - obj.parent = provider.ConsumeIntegral(); - obj.parent_offset = provider.ConsumeIntegral(); - std::shared_ptr buffer = std::make_shared(); - if (buffer == nullptr) { - return; - } - obj.buffer = reinterpret_cast(buffer.get()); - dataParcel.WriteBuffer(&obj, sizeof(binder_buffer_object)); - dbinder_negotiation_data dbinderData; - - BinderInvoker invoker; - invoker.UnFlattenDBinderObject(dataParcel, dbinderData); -} - -void SetMaxWorkThreadFuzzTest(FuzzedDataProvider &provider) -{ - int32_t maxWorkThread = provider.ConsumeIntegral(); - - BinderInvoker invoker; - invoker.SetMaxWorkThread(maxWorkThread); - invoker.binderConnector_ = nullptr; - invoker.SetMaxWorkThread(maxWorkThread); -} - -void WaitForCompletionFuzzTest(FuzzedDataProvider &provider) -{ - MessageParcel reply; - - BinderInvoker invoker; - bool isDead = provider.ConsumeBool(); - uint32_t cmd = isDead ? BR_DEAD_REPLY : BR_FAILED_REPLY; - invoker.input_.WriteUint32(cmd); - invoker.WaitForCompletion(&reply); - invoker.binderConnector_ = nullptr; - invoker.WaitForCompletion(&reply); -} - -/* Fuzzer entry point */ -extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) -{ - /* Run your code on data */ - FuzzedDataProvider provider(data, size); - OHOS::AcquireHandleFuzzTest(provider); - OHOS::TranslateDBinderProxyFuzzTest(provider); - OHOS::AddCommAuthFuzzTest(provider); - OHOS::GetDBinderCallingPidUidFuzzTest001(provider); - OHOS::GetDBinderCallingPidUidFuzzTest002(provider); - OHOS::TranslateDBinderStubFuzzTest(provider); - OHOS::OnAcquireObjectFuzzTest(provider); - OHOS::OnReleaseObjectFuzzTest(provider); - OHOS::GetAccessTokenFuzzTest(provider); - OHOS::GetSenderInfoFuzzTest(provider); - OHOS::SamgrServiceSendRequestFuzzTest(provider); - OHOS::GeneralServiceSendRequestFuzzTest(provider); - OHOS::TargetStubSendRequestFuzzTest(provider); - OHOS::OnTransactionFuzzTest001(provider); - OHOS::OnTransactionFuzzTest002(provider); - OHOS::HandleReplyFuzzTest(provider); - OHOS::HandleCommandsInnerFuzzTest001(provider); - OHOS::HandleCommandsInnerFuzzTest002(); - OHOS::HandleCommandsFuzzTest(provider); - OHOS::UpdateConsumedDataFuzzTest(provider); - OHOS::WriteTransactionFuzzTest(provider); - OHOS::OnReplyFuzzTest(provider); - OHOS::DealWithCmdFuzzTest(provider); - OHOS::SetRegistryObjectFuzzTest(provider); - OHOS::EnableIPCThreadReclaimFuzzTest(provider); - OHOS::PrintParcelDataFuzzTest(provider); - OHOS::GetUint64ValueByStrSliceFuzzTest(provider); - OHOS::GetCallerRealPidByStrFuzzTest001(provider); - OHOS::GetCallerRealPidByStrFuzzTest002(provider); - OHOS::GetCallerPidAndUidByStrFuzzTest(provider); - OHOS::UnFlattenDBinderObjectFuzzTest001(provider); - OHOS::UnFlattenDBinderObjectFuzzTest002(provider); - OHOS::SetMaxWorkThreadFuzzTest(provider); - OHOS::WaitForCompletionFuzzTest(provider); - OHOS::SetCallingIdentityFuzzTest(provider); - return 0; -} -} // namespace OHOS \ No newline at end of file