From 518035d14720794f5e3e7cab2ba07793830da2d9 Mon Sep 17 00:00:00 2001 From: huyx Date: Fri, 19 Jul 2024 00:28:41 +0800 Subject: [PATCH 01/11] =?UTF-8?q?fuzz=E5=A2=9E=E5=8A=A0=E7=94=A8=E4=BE=8B?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: huyx --- framework/test/fuzztest/BUILD.gn | 2 + .../fuzztest/devmgr_service_fuzzer/BUILD.gn | 90 ++++++++++++ .../devmgr_service_fuzzer/corpus/init | 7 + .../devmgr_service_fuzzer/project.xml | 17 +++ .../devmgr_service_fuzzer/service_fuzzer.cpp | 55 ++++++++ .../devmgr_service_fuzzer/service_fuzzer.h | 14 ++ .../devsvcmanagerstub_fuzzer.cpp | 7 + .../utils_fuzzer/BUILD.gn | 53 +++++++ .../utils_fuzzer/corpus/init | 7 + .../utils_fuzzer/project.xml | 17 +++ .../utils_fuzzer/utils_fuzzer.cpp | 129 ++++++++++++++++++ .../utils_fuzzer/utils_fuzzer.h | 14 ++ .../syscall_fuzzer/syscall_fuzzer.cpp | 11 ++ 13 files changed, 423 insertions(+) create mode 100644 framework/test/fuzztest/devmgr_service_fuzzer/BUILD.gn create mode 100644 framework/test/fuzztest/devmgr_service_fuzzer/corpus/init create mode 100644 framework/test/fuzztest/devmgr_service_fuzzer/project.xml create mode 100644 framework/test/fuzztest/devmgr_service_fuzzer/service_fuzzer.cpp create mode 100644 framework/test/fuzztest/devmgr_service_fuzzer/service_fuzzer.h create mode 100644 framework/test/fuzztest/framework_utils_fuzzer/utils_fuzzer/BUILD.gn create mode 100644 framework/test/fuzztest/framework_utils_fuzzer/utils_fuzzer/corpus/init create mode 100644 framework/test/fuzztest/framework_utils_fuzzer/utils_fuzzer/project.xml create mode 100644 framework/test/fuzztest/framework_utils_fuzzer/utils_fuzzer/utils_fuzzer.cpp create mode 100644 framework/test/fuzztest/framework_utils_fuzzer/utils_fuzzer/utils_fuzzer.h
diff --git a/framework/test/fuzztest/BUILD.gn b/framework/test/fuzztest/BUILD.gn
index fa07bb7db..01528bbfe 100644
--- a/framework/test/fuzztest/BUILD.gn
+++ b/framework/test/fuzztest/BUILD.gn
@@ -32,5 +32,7 @@ group("hdf_framework_fuzztest") {
 "uhdf2_shared_fuzzer/shared_fuzzer:SharedFuzzTest",
 "uhdf2_utils_fuzzer/hdfxcollie_fuzzer:HdfXCollieFuzzTest",
 "uhdf2_utils_fuzzer/inner_api_utils_fuzzer:HdfInnerApiUtilsFuzzTest",
+ "devmgr_service_fuzzer:ServiceFuzzTest",
+ "framework_utils_fuzzer/utils_fuzzer:HdfUtilsFuzzTest",
 ]
 }
diff --git a/framework/test/fuzztest/devmgr_service_fuzzer/BUILD.gn b/framework/test/fuzztest/devmgr_service_fuzzer/BUILD.gn
new file mode 100644
index 000000000..598b479e4
--- /dev/null
+++ b/framework/test/fuzztest/devmgr_service_fuzzer/BUILD.gn
@@ -0,0 +1,90 @@
+# Copyright (c) 2024 Huawei Device Co., Ltd.
+#
+# HDF is dual licensed: you can use it either under the terms of
+# the GPL, or the BSD license, at your option.
+# See the LICENSE file in the root of this repository for complete details.
+
+import("//build/config/features.gni")
+import("//build/ohos.gni")
+import("//build/test.gni")
+
+module_output_path = "hdf_core/hdf_core"
+
+hdf_framework_path = "../../../"
+hdf_interfaces_path = "../../../../interfaces"
+hdf_manager_src_path = "../../../../adapter/uhdf2/manager/src"
+hdf_uhdf_path = "../../../../adapter/uhdf2"
+
+ohos_fuzztest("ServiceFuzzTest") {
+ module_out_path = module_output_path
+ fuzz_config_file =
+ "$hdf_framework_path/test/fuzztest/devmgr_service_fuzzer"
+
+ defines = [ "__USER__" ]
+ include_dirs = [
+ "$hdf_framework_path/core/manager/include",
+ "$hdf_framework_path/core/common/include/manager/",
+ "$hdf_framework_path/core/host/include",
+ "$hdf_framework_path/core/shared/include",
+ "$hdf_framework_path/utils/include",
+ "$hdf_uhdf_path/include/host",
+ "$hdf_uhdf_path/shared/include",
+ "$hdf_uhdf_path/manager/include",
+ "$hdf_uhdf_path/host/include",
+ "$hdf_uhdf_path/security/include",
+ "$hdf_uhdf_path/utils/include",
+ "$hdf_interfaces_path/inner_api/core",
+ "$hdf_interfaces_path/inner_api/hdi",
+ "$hdf_interfaces_path/inner_api/host/shared",
+ "$hdf_interfaces_path/inner_api/host/uhdf",
+ ]
+
+ sources = [
+ "$hdf_framework_path/core/common/src/hdf_attribute.c",
+ "$hdf_framework_path/core/manager/src/devhost_service_clnt.c",
+ "$hdf_framework_path/core/manager/src/device_token_clnt.c",
+ "$hdf_framework_path/core/manager/src/devmgr_service.c",
+ "$hdf_framework_path/core/manager/src/devsvc_manager.c",
+ "$hdf_framework_path/core/manager/src/hdf_driver_installer.c",
+ "$hdf_framework_path/core/manager/src/hdf_host_info.c",
+ "$hdf_framework_path/core/shared/src/hdf_device_info.c",
+ "$hdf_framework_path/core/shared/src/hdf_object_manager.c",
+ "$hdf_framework_path/core/shared/src/hdf_service_record.c",
+ "$hdf_manager_src_path/devhost_service_proxy.c",
+ "$hdf_manager_src_path/device_token_proxy.c",
+ "$hdf_manager_src_path/devmgr_dump.c",
+ "$hdf_manager_src_path/devmgr_object_config.c",
+ "$hdf_manager_src_path/devmgr_query_device.c",
+ "$hdf_manager_src_path/devmgr_service_full.c",
+ "$hdf_manager_src_path/devmgr_service_stub.c",
+ "$hdf_manager_src_path/devmgr_uevent.c",
+ "$hdf_manager_src_path/devsvc_manager_stub.c",
+ "$hdf_manager_src_path/driver_installer_full.c",
+ "$hdf_manager_src_path/servstat_listener_holder.c",
+ "$hdf_uhdf_path/shared/src/dev_attribute_serialize.c",
+ "$hdf_uhdf_path/shared/src/hcb_config_entry.c",
+ "service_fuzzer.cpp",
+ ]
+ deps = [
+ "../../../../adapter/uhdf2/ipc:libhdf_ipc_adapter",
+ "../../../../adapter/uhdf2/utils:libhdf_utils",
+ ]
+
+ external_deps = [
+ "c_utils:utils",
+ "hilog:libhilog",
+ "init:libbegetutil",
+ ]
+
+ if (build_selinux) {
+ external_deps += [ "selinux_adapter:libservice_checker" ]
+ cflags = [ "-DWITH_SELINUX" ]
+ }
+
+ cflags_cc = [ "-gdwarf-2" ]
+}
+
+group("fuzztest") {
+ testonly = true
+ deps = [ ":ServiceFuzzTest" ]
+}
diff --git a/framework/test/fuzztest/devmgr_service_fuzzer/corpus/init b/framework/test/fuzztest/devmgr_service_fuzzer/corpus/init
new file mode 100644
index 000000000..f707fb4e4
--- /dev/null
+++ b/framework/test/fuzztest/devmgr_service_fuzzer/corpus/init
@@ -0,0 +1,7 @@
+# Copyright (c) 2024 Huawei Device Co., Ltd.
+#
+# HDF is dual licensed: you can use it either under the terms of
+# the GPL, or the BSD license, at your option.
+# See the LICENSE file in the root of this repository for complete details.
+
+FUZZ
\ No newline at end of file
diff --git a/framework/test/fuzztest/devmgr_service_fuzzer/project.xml b/framework/test/fuzztest/devmgr_service_fuzzer/project.xml
new file mode 100644
index 000000000..d46b7fa02
--- /dev/null
+++ b/framework/test/fuzztest/devmgr_service_fuzzer/project.xml
@@ -0,0 +1,17 @@ + + + + + + 0 + + 10 + + 128 + +
diff --git a/framework/test/fuzztest/devmgr_service_fuzzer/service_fuzzer.cpp b/framework/test/fuzztest/devmgr_service_fuzzer/service_fuzzer.cpp
new file mode 100644
index 000000000..83851488b
--- /dev/null
+++ b/framework/test/fuzztest/devmgr_service_fuzzer/service_fuzzer.cpp
@@ -0,0 +1,55 @@
+/*
+ * Copyright (c) 2024 Huawei Device Co., Ltd.
+ *
+ * HDF is dual licensed: you can use it either under the terms of
+ * the GPL, or the BSD license, at your option.
+ * See the LICENSE file in the root of this repository for complete details.
+ */
+
+#include "service_fuzzer.h"
+
+#include "hdf_base.h"
+#include "hdf_log.h"
+#ifdef __cplusplus
+extern "C" {
+#endif
+#include "devmgr_service.h"
+#ifdef __cplusplus
+} // extern "C"
+#endif
+#include "parcel.h"
+#include
+#include
+
+
+#define HDF_LOG_TAG devicemanagerstart_fuzzer
+
+namespace OHOS {
+constexpr size_t THRESHOLD = 10;
+
+void ServiceFuzzTest(const uint8_t *data, size_t size)
+{
+ if (data == nullptr) {
+ HDF_LOGE("%{public}s: data is nullptr!", __func__);
+ }
+
+ Parcel parcel;
+ parcel.WriteBuffer(data, size);
+ struct HdfObject *object = DevmgrServiceCreate();
+ struct IDevmgrService *service = DevmgrServiceGetInstance();
+ struct DevmgrService *dmService = reinterpret_cast(service);
+ DevmgrServiceLoadLeftDriver(dmService);
+ service->PowerStateChange(service, POWER_STATE_SUSPEND);
+ DevmgrServiceRelease(object);
+}
+}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+ if (size < OHOS::THRESHOLD) {
+ return HDF_SUCCESS;
+ }
+
+ OHOS::ServiceFuzzTest(data, size);
+ return HDF_SUCCESS;
+}
\ No newline at end of file
diff --git a/framework/test/fuzztest/devmgr_service_fuzzer/service_fuzzer.h b/framework/test/fuzztest/devmgr_service_fuzzer/service_fuzzer.h
new file mode 100644
index 000000000..22598fae9
--- /dev/null
+++ b/framework/test/fuzztest/devmgr_service_fuzzer/service_fuzzer.h
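Review bot: `ServiceFuzzTest` never passes the fuzz input to the code under test: `data` is copied into `parcel` and then ignored, while `DevmgrServiceLoadLeftDriver(dmService)` and `service->PowerStateChange(service, POWER_STATE_SUSPEND)` run with fixed arguments, so every iteration takes the same path and the corpus cannot add coverage. Derive at least the power-state argument from `parcel` (for example with its `ReadUint32()`), or drop the parcel. The `data == nullptr` branch only logs and falls through to `parcel.WriteBuffer(data, size)`; add `return;` after the `HDF_LOGE` call. `service` is also dereferenced without a null check, so a failed `DevmgrServiceGetInstance()` would crash the harness instead of reporting a finding.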
@@ -0,0 +1,14 @@
+/*
+ * Copyright (c) 2024 Huawei Device Co., Ltd.
+ *
+ * HDF is dual licensed: you can use it either under the terms of
+ * the GPL, or the BSD license, at your option.
+ * See the LICENSE file in the root of this repository for complete details.
+ */
+
+#ifndef DEVICE_MANAGER_START_FUZZER_H
+#define DEVICE_MANAGER_START_FUZZER_H
+
+#define FUZZ_PROJECT_NAME "devicemanagerstart_fuzzer"
+
+#endif // DEVICE_MANAGER_START_FUZZER_H
\ No newline at end of file
diff --git a/framework/test/fuzztest/devsvcmanagerstub_fuzzer/devsvcmanagerstub_fuzzer.cpp b/framework/test/fuzztest/devsvcmanagerstub_fuzzer/devsvcmanagerstub_fuzzer.cpp
index 2dc432b82..f11260ebe 100644
--- a/framework/test/fuzztest/devsvcmanagerstub_fuzzer/devsvcmanagerstub_fuzzer.cpp
+++ b/framework/test/fuzztest/devsvcmanagerstub_fuzzer/devsvcmanagerstub_fuzzer.cpp
@@ -102,6 +102,13 @@ static bool DevsvcManagerFuzzTest(int32_t code, const uint8_t *data, size_t size
 HdfSbufRecycle(dataBuf);
 HdfSbufRecycle(replyBuf);
+ struct DevSvcManagerStub *stub = reinterpret_cast(instance->remote->target);
+ struct IDevSvcManager *super = reinterpret_cast(stub->super);
+ ReleaseServiceObject(instance, reinterpret_cast(data));
+ CheckServiceObjectValidNoLock(instance, reinterpret_cast(data));
+ CheckRemoteObjectValidNoLock(instance,instance->remote);
+ struct HdfDeathRecipient *recipient = reinterpret_cast(data);
+ DevSvcManagerOnServiceDied(recipient, instance->remote);
 return true;
 }
diff --git a/framework/test/fuzztest/framework_utils_fuzzer/utils_fuzzer/BUILD.gn b/framework/test/fuzztest/framework_utils_fuzzer/utils_fuzzer/BUILD.gn
new file mode 100644
index 000000000..29415f3dd
--- /dev/null
+++ b/framework/test/fuzztest/framework_utils_fuzzer/utils_fuzzer/BUILD.gn
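Review bot: The include guard `DEVICE_MANAGER_START_FUZZER_H` and `FUZZ_PROJECT_NAME "devicemanagerstart_fuzzer"` do not match this fuzzer's directory (devmgr_service_fuzzer) or its target (ServiceFuzzTest) and look copied from another harness. utils_fuzzer.h in this patch has the same problem with `HDI_COLLECTION_FUZZER_H` and `"collector_fuzzer"`, a name that another fuzzer directory in this tree appears to use already, which would make crash reports hard to attribute. Suggested: `#define FUZZ_PROJECT_NAME "devmgr_service_fuzzer"` with a matching guard here, and `"utils_fuzzer"` in the other header.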
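Review bot: The added calls pass the raw fuzz buffer off as live objects: `data` is `reinterpret_cast` to a struct pointer for `ReleaseServiceObject` and `CheckServiceObjectValidNoLock`, and to `struct HdfDeathRecipient *recipient` for `DevSvcManagerOnServiceDied`. Nothing here compares `size` with the size of those structs, and any pointer member read from them is fuzz-chosen, so the reports this produces will be out-of-bounds reads and wild dereferences caused by the harness, not defects in the stub. Build these arguments with the stub's own constructors and take only scalar fields from the input; `stub` and `super` are also assigned and never used. The syscall_fuzzer.cpp hunk of this patch does the same with `para`, `thread` and `group`, and the PATCH 03/11 and 07/11 hunks on this file keep the casts. DevsvcManagerFuzzTest begins outside the hunk, so checks made earlier in it are not visible.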
@@ -0,0 +1,53 @@
+# Copyright (c) 2024 Huawei Device Co., Ltd.
+#
+# HDF is dual licensed: you can use it either under the terms of
+# the GPL, or the BSD license, at your option.
+# See the LICENSE file in the root of this repository for complete details.
+
+import("//build/config/features.gni")
+import("//build/ohos.gni")
+import("//build/test.gni")
+
+module_output_path = "hdf_core/hdf_core/framework_utils_fuzzer"
+
+hdf_framework_path = "../../../../../framework"
+hdf_uhdf_path = "../../../../../adapter/uhdf2"
+hdf_interfaces_path = "../../../../interfaces"
+
+ohos_fuzztest("HdfUtilsFuzzTest") {
+ module_out_path = module_output_path
+
+ fuzz_config_file =
+ "$hdf_framework_path/test/fuzztest/framework_utils_fuzzer/utils_fuzzer"
+
+ include_dirs = [
+ "$hdf_uhdf_path/utils/include",
+ "$hdf_uhdf_path/hdi/include",
+ "$hdf_framework_path/include",
+ "$hdf_framework_path/utils/include",
+ "$hdf_interfaces_path/inner_api/hdi",
+ "$hdf_interfaces_path/inner_api/utils",
+ ]
+
+ sources = [
+ "$hdf_framework_path/utils/src/hdf_sbuf.c",
+ "$hdf_framework_path/utils/src/hdf_sbuf_impl_raw.c",
+ "utils_fuzzer.cpp",
+ ]
+
+ deps = [
+ "../../../../../adapter/uhdf2/hdi:libhdi",
+ "../../../../../adapter/uhdf2/utils:libhdf_utils",
+ ]
+
+ external_deps = [
+ "c_utils:utils",
+ "hilog:libhilog",
+ "ipc:ipc_single",
+ ]
+}
+
+group("fuzztest") {
+ testonly = true
+ deps = [ ":HdfUtilsFuzzTest" ]
+}
diff --git a/framework/test/fuzztest/framework_utils_fuzzer/utils_fuzzer/corpus/init b/framework/test/fuzztest/framework_utils_fuzzer/utils_fuzzer/corpus/init
new file mode 100644
index 000000000..f707fb4e4
--- /dev/null
+++ b/framework/test/fuzztest/framework_utils_fuzzer/utils_fuzzer/corpus/init
@@ -0,0 +1,7 @@
+# Copyright (c) 2024 Huawei Device Co., Ltd.
+#
+# HDF is dual licensed: you can use it either under the terms of
+# the GPL, or the BSD license, at your option.
+# See the LICENSE file in the root of this repository for complete details.
+
+FUZZ
\ No newline at end of file
diff --git a/framework/test/fuzztest/framework_utils_fuzzer/utils_fuzzer/project.xml b/framework/test/fuzztest/framework_utils_fuzzer/utils_fuzzer/project.xml
new file mode 100644
index 000000000..e47b18640
--- /dev/null
+++ b/framework/test/fuzztest/framework_utils_fuzzer/utils_fuzzer/project.xml
@@ -0,0 +1,17 @@ + + + + + + 1000 + + 120 + + 2048 + +
diff --git a/framework/test/fuzztest/framework_utils_fuzzer/utils_fuzzer/utils_fuzzer.cpp b/framework/test/fuzztest/framework_utils_fuzzer/utils_fuzzer/utils_fuzzer.cpp
new file mode 100644
index 000000000..052984081
--- /dev/null
+++ b/framework/test/fuzztest/framework_utils_fuzzer/utils_fuzzer/utils_fuzzer.cpp
@@ -0,0 +1,129 @@
+/*
+ * Copyright (c) 2024 Huawei Device Co., Ltd.
+ *
+ * HDF is dual licensed: you can use it either under the terms of
+ * the GPL, or the BSD license, at your option.
+ * See the LICENSE file in the root of this repository for complete details.
+ */
+#include "utils_fuzzer.h"
+#include "hdf_base.h"
+#include "hdf_log.h"
+#include "parcel.h"
+#include
+#include "osal_mem.h"
+#include "hdi_support.h"
+#include
+#include "hdf_map.h"
+#include "hdf_sbuf.h"
+#include "hdf_sbuf_impl.h"
+
+namespace OHOS {
+ const int num = 23;
+ const static char *g_hdfSecStrArray[num] = {
+ "i2c",
+ "spi",
+ "gpio",
+ "pinctl",
+ "clock",
+ "regulator",
+ "mipi",
+ "uart",
+ "sdio",
+ "mdio",
+ "apb",
+ "pcie",
+ "pcm",
+ "i2s",
+ "pwm",
+ "dma",
+ "efuse",
+ "flash",
+ "emmc",
+ "rtc",
+ "adc",
+ "wdt",
+ "i3c",
+ };
+static void HdfUtilsFuzzTest(const uint8_t *data, size_t size)
+{
+ if (data == nullptr) {
+ HDF_LOGE("%{public}s: data is nullptr!", __func__);
+ }
+ Parcel parcel;
+ parcel.WriteBuffer(data, size);
+ const std::u16string INTERFACE_NAME = OHOS::Str8ToStr16(parcel.ReadString());
+ Map testMap;
+ Map testMap1;
+ MapInit(&testMap);
+ MapDelete(&testMap);
+ for (int i = 0; i < num; ++i) {
+ MapSet(&testMap1, g_hdfSecStrArray[i], &i, sizeof(int *));
+ }
+ const char *name = "i2c";
+ MapGet(&testMap1, "");
+ MapGet(&testMap1, name);
+ MapErase(&testMap1, "");
+ MapErase(&testMap1, name);
+ MapDelete(&testMap1);
+
+ const uint64_t value = 1;
+ const uint32_t value1 = 2;
+ const uint16_t value2 = 3;
+ const uint8_t value3 = 4;
+ uint64_t value4 = 1;
+ uint32_t value5 = 1;
+ uint16_t value6 = 1;
+ uint8_t value7 = 1;
+ struct HdfSBuf *sbuf = HdfSbufObtainDefaultSize();
+ struct HdfSBuf *copy = HdfSbufCopy(sbuf);
+ struct HdfSBufImpl *impl = HdfSbufGetImpl(sbuf);
+ struct HdfSBufImpl *impl1 = HdfSbufGetImpl(copy);
+ HdfSbufTypedObtainInplace(value1, impl1);
+ HdfSbufSetDataSize(copy, size);
+ HdfSbufGetDataSize(copy);
+ HdfSbufReadUnpadBuffer(copy, size);
+ HdfSbufWriteUint64(copy, value);
+ HdfSbufWriteUint32(copy, value1);
+ HdfSbufWriteUint16(copy, value2);
+ HdfSbufWriteUint8(copy, value3);
+ HdfSbufReadUint64(copy, &value4);
+ HdfSbufReadUint32(copy, &value5);
+ HdfSbufReadUint16(copy, &value6);
+ HdfSbufReadUint8(copy, &value7);
+
+ HdfSbufGetData(sbuf);
+ HdfSbufFlush(sbuf);
+ HdfSbufGetCapacity(sbuf);
+ impl->writeBuffer(impl, data, value1);
+ impl->writeUnpadBuffer(impl, data, value1);
+ impl->writeUint64(impl, value);
+ impl->writeUint32(impl, value1);
+ impl->writeUint16(impl, value2);
+ impl->writeUint8(impl, value3);
+ impl->readUnpadBuffer(impl, size);
+ impl->readUint64(impl, &value4);
+ impl->readUint32(impl, &value5);
+ impl->readUint16(impl, &value6);
+ impl->readUint8(impl, &value7);
+ struct HdfSBufImpl *implCopy =impl->copy(impl);
+ impl->setDataSize(implCopy, size);
+ impl->getDataSize(implCopy);
+ impl->getCapacity(implCopy);
+ impl->transDataOwnership(implCopy);
+ impl->move(implCopy);
+ impl->recycle(implCopy);
+ impl->recycle(impl);
+ HdfSbufMove(copy);
+ HdfSbufTransDataOwnership(copy);
+ HdfSbufRecycle(sbuf);
+ HdfSbufRecycle(copy);
+}
+}
+
+/* Fuzzer entry point */
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+ /* Run your code on data */
+ OHOS::HdfUtilsFuzzTest(data, size);
+ return HDF_SUCCESS;
+}
\ No newline at end of file
diff --git a/framework/test/fuzztest/framework_utils_fuzzer/utils_fuzzer/utils_fuzzer.h b/framework/test/fuzztest/framework_utils_fuzzer/utils_fuzzer/utils_fuzzer.h
new file mode 100644
index 000000000..9b26247a8
--- /dev/null
+++ b/framework/test/fuzztest/framework_utils_fuzzer/utils_fuzzer/utils_fuzzer.h
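Review bot: `testMap1` is passed to `MapSet` without `MapInit`, so the map code works on an uninitialised stack struct; only `testMap` is initialised, and it is deleted right away. The same call copies `sizeof(int *)` bytes from `&i`, which is an `int`, so on a 64-bit build it reads past the variable; use `MapInit(&testMap1);` before the loop and `MapSet(&testMap1, g_hdfSecStrArray[i], &i, sizeof(i));`. This harness has no minimum-size guard, yet `impl->writeBuffer(impl, data, value1)` and `writeUnpadBuffer` read `value1` (2) bytes from `data`, which overruns a 0- or 1-byte input; pass a length bounded by `size` or return early when `size < value1`. `impl` and `copy` are used without null checks, and `impl->recycle(impl)` followed by `HdfSbufRecycle(sbuf)` looks like a double release if `sbuf` owns `impl`, which is worth confirming against hdf_sbuf.c.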
@@ -0,0 +1,14 @@
+/*
+ * Copyright (c) 2024 Huawei Device Co., Ltd.
+ *
+ * HDF is dual licensed: you can use it either under the terms of
+ * the GPL, or the BSD license, at your option.
+ * See the LICENSE file in the root of this repository for complete details.
+ */
+
+#ifndef HDI_COLLECTION_FUZZER_H
+#define HDI_COLLECTION_FUZZER_H
+
+#define FUZZ_PROJECT_NAME "collector_fuzzer"
+
+#endif // HDI_COLLECTION_FUZZER_H
\ No newline at end of file
diff --git a/framework/test/fuzztest/syscall_fuzzer/syscall_fuzzer/syscall_fuzzer.cpp b/framework/test/fuzztest/syscall_fuzzer/syscall_fuzzer/syscall_fuzzer.cpp
index 5f09ecbfc..c4e8fddcc 100644
--- a/framework/test/fuzztest/syscall_fuzzer/syscall_fuzzer/syscall_fuzzer.cpp
+++ b/framework/test/fuzztest/syscall_fuzzer/syscall_fuzzer/syscall_fuzzer.cpp
@@ -44,6 +44,17 @@ static void SyscallFuzzTest(const uint8_t *data, size_t size)
 }
 OsalMemFree(listener);
 HdfIoServiceRecycle(serv);
+ void *para = static_cast(data);
+ HdfDevEventListenTask(para);
+ struct HdfDevListenerThread *thread = reinterpret_cast(data);
+ HdfDevEventReadAndDispatch(thread);
+ GetListenerCount(thread);
+ HdfAdapterStopListenIoctl(0);
+ HdfAdapterExitListenIoctl(0);
+ struct HdfSyscallAdapterGroup *group = reinterpret_cast(data);
+ HdfIoServiceGroupThreadStart(group, 0);
+ HdfIoserviceGroupGetListenerCount(group);
+ HdfIoserviceGroupGetServiceCount(group);
 }
 }
-- Gitee
From 279ecbb2c14cd89c1ab1bde70974d1df462149b9 Mon Sep 17 00:00:00 2001 From: huyx Date: Fri, 19 Jul 2024 00:37:26 +0800 Subject: [PATCH 02/11] =?UTF-8?q?fuzz=E5=A2=9E=E5=8A=A0=E7=94=A8=E4=BE=8B?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: huyx --- framework/test/fuzztest/BUILD.gn | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/framework/test/fuzztest/BUILD.gn b/framework/test/fuzztest/BUILD.gn
index 01528bbfe..b630b113c 100644
--- a/framework/test/fuzztest/BUILD.gn
+++ b/framework/test/fuzztest/BUILD.gn
@@ -12,9 +12,11 @@ group("hdf_framework_fuzztest") {
 "devmgr_c_fuzzer/unloaddevice_fuzzer:UnloadDeviceFuzzTest",
 "devmgr_cpp_fuzzer/loaddevice_fuzzer:LoadDeviceFuzzTest",
 "devmgr_cpp_fuzzer/unloaddevice_fuzzer:UnloadDeviceFuzzTest",
+ "devmgr_service_fuzzer:ServiceFuzzTest",
 "devmgrservicestub_fuzzer:DevmgrServiceStubFuzzTest",
 "devsvcmanagerstub_fuzzer:DevSvcManagerStubFuzzTest",
 "framework_fuzzer/hcs_fuzzer:HdfHcsFuzzTest",
+ "framework_utils_fuzzer/utils_fuzzer:HdfUtilsFuzzTest",
 "ioservice_fuzzer/ioserviceadapterobtain_fuzzer:IoserviceAdapterObtainFuzzTest",
 "ioservice_fuzzer/ioservicebind_fuzzer:IoserviceBindFuzzTest",
 "ioservice_fuzzer/ioservicegrouplisten_fuzzer:IoserviceGroupListenFuzzTest",
@@ -32,7 +34,5 @@ group("hdf_framework_fuzztest") {
 "uhdf2_shared_fuzzer/shared_fuzzer:SharedFuzzTest",
 "uhdf2_utils_fuzzer/hdfxcollie_fuzzer:HdfXCollieFuzzTest",
 "uhdf2_utils_fuzzer/inner_api_utils_fuzzer:HdfInnerApiUtilsFuzzTest",
- "devmgr_service_fuzzer:ServiceFuzzTest",
- "framework_utils_fuzzer/utils_fuzzer:HdfUtilsFuzzTest",
 ]
 }
-- Gitee
From 160c08c45c2b272cb4d984bc6ea0e6f74ae03a92 Mon Sep 17 00:00:00 2001 From: huyx Date: Fri, 19 Jul 2024 00:54:25 +0800 Subject: [PATCH 03/11] =?UTF-8?q?fuzz=E5=A2=9E=E5=8A=A0=E7=94=A8=E4=BE=8B?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: huyx --- framework/test/fuzztest/devmgr_service_fuzzer/BUILD.gn | 2 +- .../devsvcmanagerstub_fuzzer/devsvcmanagerstub_fuzzer.cpp | 2 +- .../framework_utils_fuzzer/utils_fuzzer/utils_fuzzer.cpp | 8 ++++---- 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/framework/test/fuzztest/devmgr_service_fuzzer/BUILD.gn b/framework/test/fuzztest/devmgr_service_fuzzer/BUILD.gn
index 598b479e4..32d197fde 100644
--- a/framework/test/fuzztest/devmgr_service_fuzzer/BUILD.gn
+++ b/framework/test/fuzztest/devmgr_service_fuzzer/BUILD.gn
@@ -10,7 +10,7 @@ import("//build/test.gni")
 module_output_path = "hdf_core/hdf_core"
-hdf_framework_path = "../../../"
+hdf_framework_path = "../../../../framework"
 hdf_interfaces_path = "../../../../interfaces"
 hdf_manager_src_path = "../../../../adapter/uhdf2/manager/src"
 hdf_uhdf_path = "../../../../adapter/uhdf2"
diff --git a/framework/test/fuzztest/devsvcmanagerstub_fuzzer/devsvcmanagerstub_fuzzer.cpp b/framework/test/fuzztest/devsvcmanagerstub_fuzzer/devsvcmanagerstub_fuzzer.cpp
index f11260ebe..b3bfd9c48 100644
--- a/framework/test/fuzztest/devsvcmanagerstub_fuzzer/devsvcmanagerstub_fuzzer.cpp
+++ b/framework/test/fuzztest/devsvcmanagerstub_fuzzer/devsvcmanagerstub_fuzzer.cpp
@@ -106,7 +106,7 @@ static bool DevsvcManagerFuzzTest(int32_t code, const uint8_t *data, size_t size
 struct IDevSvcManager *super = reinterpret_cast(stub->super);
 ReleaseServiceObject(instance, reinterpret_cast(data));
 CheckServiceObjectValidNoLock(instance, reinterpret_cast(data));
- CheckRemoteObjectValidNoLock(instance,instance->remote);
+ CheckRemoteObjectValidNoLock(instance, instance->remote);
 struct HdfDeathRecipient *recipient = reinterpret_cast(data);
 DevSvcManagerOnServiceDied(recipient, instance->remote);
 return true;
diff --git a/framework/test/fuzztest/framework_utils_fuzzer/utils_fuzzer/utils_fuzzer.cpp b/framework/test/fuzztest/framework_utils_fuzzer/utils_fuzzer/utils_fuzzer.cpp
index 052984081..26a16b718 100644
--- a/framework/test/fuzztest/framework_utils_fuzzer/utils_fuzzer/utils_fuzzer.cpp
+++ b/framework/test/fuzztest/framework_utils_fuzzer/utils_fuzzer/utils_fuzzer.cpp
@@ -18,8 +18,8 @@
 #include "hdf_sbuf_impl.h"
 namespace OHOS {
- const int num = 23;
- const static char *g_hdfSecStrArray[num] = {
+ const int NUM = 23;
+ const static char *g_hdfSecStrArray[NUM] = {
 "i2c",
 "spi",
 "gpio",
@@ -56,7 +56,7 @@ static void HdfUtilsFuzzTest(const uint8_t *data, size_t size)
 Map testMap1;
 MapInit(&testMap);
 MapDelete(&testMap);
- for (int i = 0; i < num; ++i) {
+ for (int i = 0; i < NUM; ++i) {
 MapSet(&testMap1, g_hdfSecStrArray[i], &i, sizeof(int *));
 }
 const char *name = "i2c";
@@ -105,7 +105,7 @@ static void HdfUtilsFuzzTest(const uint8_t *data, size_t size)
 impl->readUint32(impl, &value5);
 impl->readUint16(impl, &value6);
 impl->readUint8(impl, &value7);
- struct HdfSBufImpl *implCopy =impl->copy(impl);
+ struct HdfSBufImpl *implCopy = impl->copy(impl);
 impl->setDataSize(implCopy, size);
 impl->getDataSize(implCopy);
 impl->getCapacity(implCopy);
-- Gitee
From 016319854410f934dc6de9b695685a7602219daa Mon Sep 17 00:00:00 2001 From: huyx Date: Fri, 19 Jul 2024 01:16:53 +0800 Subject: [PATCH 04/11] =?UTF-8?q?fuzz=E5=A2=9E=E5=8A=A0=E7=94=A8=E4=BE=8B?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: huyx --- .../syscall_fuzzer/syscall_fuzzer.cpp | 18 +++++++----------- 1 file changed, 7 insertions(+), 11 deletions(-)
diff --git a/framework/test/fuzztest/syscall_fuzzer/syscall_fuzzer/syscall_fuzzer.cpp b/framework/test/fuzztest/syscall_fuzzer/syscall_fuzzer/syscall_fuzzer.cpp
index c4e8fddcc..680e4388b 100644
--- a/framework/test/fuzztest/syscall_fuzzer/syscall_fuzzer/syscall_fuzzer.cpp
+++ b/framework/test/fuzztest/syscall_fuzzer/syscall_fuzzer/syscall_fuzzer.cpp
@@ -42,19 +42,15 @@ static void SyscallFuzzTest(const uint8_t *data, size_t size)
 HdfIoServiceRecycle(serv);
 }
 }
- OsalMemFree(listener);
- HdfIoServiceRecycle(serv);
- void *para = static_cast(data);
- HdfDevEventListenTask(para);
- struct HdfDevListenerThread *thread = reinterpret_cast(data);
- HdfDevEventReadAndDispatch(thread);
- GetListenerCount(thread);
- HdfAdapterStopListenIoctl(0);
- HdfAdapterExitListenIoctl(0);
- struct HdfSyscallAdapterGroup *group = reinterpret_cast(data);
- HdfIoServiceGroupThreadStart(group, 0);
+ HdfIoserviceGetListenerCount(serv);
+ struct HdfIoServiceGroup *group = HdfIoServiceGroupObtain();
+ HdfIoServiceGroupAddService(group, serv);
 HdfIoserviceGroupGetListenerCount(group);
 HdfIoserviceGroupGetServiceCount(group);
+ HdfIoServiceGroupRemoveService(group, serv);
+ HdfIoServiceGroupRecycle(group);
+ OsalMemFree(listener);
+ HdfIoServiceRecycle(serv);
 }
 }
-- Gitee
From 9d418bbe77bbe30084234fe428d9c80f6ce05867 Mon Sep 17 00:00:00 2001 From: huyx Date: Fri, 19 Jul 2024 01:26:01 +0800 Subject: [PATCH 05/11] =?UTF-8?q?fuzz=E5=A2=9E=E5=8A=A0=E7=94=A8=E4=BE=8B?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: huyx --- framework/test/fuzztest/devmgr_service_fuzzer/BUILD.gn | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/framework/test/fuzztest/devmgr_service_fuzzer/BUILD.gn b/framework/test/fuzztest/devmgr_service_fuzzer/BUILD.gn
index 32d197fde..98c99becb 100644
--- a/framework/test/fuzztest/devmgr_service_fuzzer/BUILD.gn
+++ b/framework/test/fuzztest/devmgr_service_fuzzer/BUILD.gn
@@ -17,8 +17,7 @@ hdf_uhdf_path = "../../../../adapter/uhdf2"
 ohos_fuzztest("ServiceFuzzTest") {
 module_out_path = module_output_path
- fuzz_config_file =
- "$hdf_framework_path/test/fuzztest/devmgr_service_fuzzer"
+ fuzz_config_file = "$hdf_framework_path/test/fuzztest/devmgr_service_fuzzer"
 defines = [ "__USER__" ]
 include_dirs = [
-- Gitee
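Review bot: `group` returned by `HdfIoServiceGroupObtain()` goes straight into `HdfIoServiceGroupAddService` and the calls after it with no null check; add `if (group == nullptr) { OsalMemFree(listener); HdfIoServiceRecycle(serv); return; }` before the first use. The context lines above the added code show `HdfIoServiceRecycle(serv);` inside a nested block, and the new code then reads `serv` and recycles it again at the end; if that block does not return, this is a use after free followed by a double recycle. SyscallFuzzTest begins outside the hunk, so that path cannot be confirmed from here. The result of `HdfIoServiceGroupAddService` is ignored, so a failed add is not distinguished from a successful one before `HdfIoServiceGroupRemoveService` runs.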
From 17d14f187a8b3b8849c4446178c19f4c7f126615 Mon Sep 17 00:00:00 2001 From: huyx Date: Fri, 19 Jul 2024 01:38:39 +0800 Subject: [PATCH 06/11] =?UTF-8?q?fuzz=E5=A2=9E=E5=8A=A0=E7=94=A8=E4=BE=8B?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: huyx --- .../test/fuzztest/framework_utils_fuzzer/utils_fuzzer/BUILD.gn | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/framework/test/fuzztest/framework_utils_fuzzer/utils_fuzzer/BUILD.gn b/framework/test/fuzztest/framework_utils_fuzzer/utils_fuzzer/BUILD.gn
index 29415f3dd..7acda433f 100644
--- a/framework/test/fuzztest/framework_utils_fuzzer/utils_fuzzer/BUILD.gn
+++ b/framework/test/fuzztest/framework_utils_fuzzer/utils_fuzzer/BUILD.gn
@@ -32,7 +32,7 @@ ohos_fuzztest("HdfUtilsFuzzTest") {
 sources = [
 "$hdf_framework_path/utils/src/hdf_sbuf.c",
 "$hdf_framework_path/utils/src/hdf_sbuf_impl_raw.c",
- "utils_fuzzer.cpp",
+ "utils_fuzzer.cpp",
 ]
 deps = [
-- Gitee
From f22b0ce5087d102cdc827c80c688d0de8f7b6c96 Mon Sep 17 00:00:00 2001 From: huyx Date: Fri, 19 Jul 2024 01:45:15 +0800 Subject: [PATCH 07/11] =?UTF-8?q?fuzz=E5=A2=9E=E5=8A=A0=E7=94=A8=E4=BE=8B?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: huyx --- .../devsvcmanagerstub_fuzzer/devsvcmanagerstub_fuzzer.cpp | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/framework/test/fuzztest/devsvcmanagerstub_fuzzer/devsvcmanagerstub_fuzzer.cpp b/framework/test/fuzztest/devsvcmanagerstub_fuzzer/devsvcmanagerstub_fuzzer.cpp
index b3bfd9c48..63c87986f 100644
--- a/framework/test/fuzztest/devsvcmanagerstub_fuzzer/devsvcmanagerstub_fuzzer.cpp
+++ b/framework/test/fuzztest/devsvcmanagerstub_fuzzer/devsvcmanagerstub_fuzzer.cpp
@@ -102,12 +102,10 @@ static bool DevsvcManagerFuzzTest(int32_t code, const uint8_t *data, size_t size
 HdfSbufRecycle(dataBuf);
 HdfSbufRecycle(replyBuf);
- struct DevSvcManagerStub *stub = reinterpret_cast(instance->remote->target);
- struct IDevSvcManager *super = reinterpret_cast(stub->super);
- ReleaseServiceObject(instance, reinterpret_cast(data));
- CheckServiceObjectValidNoLock(instance, reinterpret_cast(data));
+ ReleaseServiceObject(instance, reinterpret_cast(const_cast(data)));
+ CheckServiceObjectValidNoLock(instance, reinterpret_cast(const_cast(data)));
 CheckRemoteObjectValidNoLock(instance, instance->remote);
- struct HdfDeathRecipient *recipient = reinterpret_cast(data);
+ struct HdfDeathRecipient *recipient = reinterpret_cast(const_cast(data));
 DevSvcManagerOnServiceDied(recipient, instance->remote);
 return true;
 }
-- Gitee
From ecf919f76f051b1a59cfdcbbe5460a7cda480ef6 Mon Sep 17 00:00:00 2001 From: huyx Date: Fri, 19 Jul 2024 13:33:31 +0800 Subject: [PATCH 08/11] =?UTF-8?q?fuzz=E5=A2=9E=E5=8A=A0=E7=94=A8=E4=BE=8B?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: huyx --- .../devsvcmanagerstub_fuzzer/devsvcmanagerstub_fuzzer.cpp | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/framework/test/fuzztest/devsvcmanagerstub_fuzzer/devsvcmanagerstub_fuzzer.cpp b/framework/test/fuzztest/devsvcmanagerstub_fuzzer/devsvcmanagerstub_fuzzer.cpp
index 63c87986f..2c4699816 100644
--- a/framework/test/fuzztest/devsvcmanagerstub_fuzzer/devsvcmanagerstub_fuzzer.cpp
+++ b/framework/test/fuzztest/devsvcmanagerstub_fuzzer/devsvcmanagerstub_fuzzer.cpp
@@ -102,11 +102,8 @@ static bool DevsvcManagerFuzzTest(int32_t code, const uint8_t *data, size_t size
 HdfSbufRecycle(dataBuf);
 HdfSbufRecycle(replyBuf);
- ReleaseServiceObject(instance, reinterpret_cast(const_cast(data)));
- CheckServiceObjectValidNoLock(instance, reinterpret_cast(const_cast(data)));
- CheckRemoteObjectValidNoLock(instance, instance->remote);
- struct HdfDeathRecipient *recipient = reinterpret_cast(const_cast(data));
- DevSvcManagerOnServiceDied(recipient, instance->remote);
+ HdfObject *object = DevSvcManagerStubCreate();
+ DevSvcManagerStubRelease(object);
 return true;
 }
-- Gitee
From 3cbe5e8f4a2b0bdd0914455ac9823443f6ef9fbb Mon Sep 17 00:00:00 2001 From: huyx Date: Fri, 19 Jul 2024 23:52:28 +0800 Subject: [PATCH 09/11] fuzz
Signed-off-by: huyx --- framework/test/fuzztest/BUILD.gn | 3 +- .../hcs_fuzzer/hcs_fuzzer.cpp | 2 +- .../support/posix_fuzzer}/BUILD.gn | 27 +-- .../support/posix_fuzzer}/corpus/init | 0 .../support/posix_fuzzer/posix_fuzzer.cpp | 184 ++++++++++++++++++ .../support/posix_fuzzer/posix_fuzzer.h} | 28 +-- .../support/posix_fuzzer}/project.xml | 6 +- .../utils_fuzzer/BUILD.gn | 3 +- .../utils_fuzzer/utils_fuzzer.cpp | 61 ++---- .../collector_fuzzer/collector_fuzzer.cpp | 42 ---- .../collector_fuzzer/collector_fuzzer.h | 14 -- .../collector_fuzzer/project.xml | 17 -- .../shared_fuzzer/BUILD.gn | 52 ----- .../shared_fuzzer/corpus/init | 7 - .../shared_fuzzer/shared_fuzzer.cpp | 35 ---- 15 files changed, 232 insertions(+), 249 deletions(-) rename framework/test/fuzztest/{uhdf2_hdi_fuzzer/collector_fuzzer => framework_fuzzer/support/posix_fuzzer}/BUILD.gn (43%) rename framework/test/fuzztest/{uhdf2_hdi_fuzzer/collector_fuzzer => framework_fuzzer/support/posix_fuzzer}/corpus/init (100%) create mode 100644 framework/test/fuzztest/framework_fuzzer/support/posix_fuzzer/posix_fuzzer.cpp rename framework/test/fuzztest/{uhdf2_shared_fuzzer/shared_fuzzer/shared_fuzzer.h => framework_fuzzer/support/posix_fuzzer/posix_fuzzer.h} (62%) rename framework/test/fuzztest/{uhdf2_shared_fuzzer/shared_fuzzer => framework_fuzzer/support/posix_fuzzer}/project.xml (82%) delete mode 100644 framework/test/fuzztest/uhdf2_hdi_fuzzer/collector_fuzzer/collector_fuzzer.cpp delete mode 100644 framework/test/fuzztest/uhdf2_hdi_fuzzer/collector_fuzzer/collector_fuzzer.h delete mode 100644 framework/test/fuzztest/uhdf2_hdi_fuzzer/collector_fuzzer/project.xml delete mode 100644 framework/test/fuzztest/uhdf2_shared_fuzzer/shared_fuzzer/BUILD.gn delete mode 100644 framework/test/fuzztest/uhdf2_shared_fuzzer/shared_fuzzer/corpus/init delete mode 100644 framework/test/fuzztest/uhdf2_shared_fuzzer/shared_fuzzer/shared_fuzzer.cpp 
diff --git a/framework/test/fuzztest/BUILD.gn b/framework/test/fuzztest/BUILD.gn
index b630b113c..00a9ab9fa 100644
--- a/framework/test/fuzztest/BUILD.gn
+++ b/framework/test/fuzztest/BUILD.gn
@@ -16,6 +16,7 @@ group("hdf_framework_fuzztest") {
 "devmgrservicestub_fuzzer:DevmgrServiceStubFuzzTest",
 "devsvcmanagerstub_fuzzer:DevSvcManagerStubFuzzTest",
 "framework_fuzzer/hcs_fuzzer:HdfHcsFuzzTest",
+ "framework_fuzzer/support/posix_fuzzer:HdfPosixFuzzTest",
 "framework_utils_fuzzer/utils_fuzzer:HdfUtilsFuzzTest",
 "ioservice_fuzzer/ioserviceadapterobtain_fuzzer:IoserviceAdapterObtainFuzzTest",
 "ioservice_fuzzer/ioservicebind_fuzzer:IoserviceBindFuzzTest",
@@ -29,9 +30,7 @@ group("hdf_framework_fuzztest") {
 "servmgr_cpp_fuzzer/servstatlistenerstub_fuzzer:ServStatListenerStubFuzzTest",
 "servmgr_cpp_fuzzer/unregisterservicestatuslistener_fuzzer:UnregisterServiceStatusListenerFuzzTest",
 "syscall_fuzzer/syscall_fuzzer:SyscallFuzzTest",
- "uhdf2_hdi_fuzzer/collector_fuzzer:CollectionFuzzTest",
 "uhdf2_ipc_fuzzer/ipc_fuzzer:HdfIpcFuzzTest",
- "uhdf2_shared_fuzzer/shared_fuzzer:SharedFuzzTest",
 "uhdf2_utils_fuzzer/hdfxcollie_fuzzer:HdfXCollieFuzzTest",
 "uhdf2_utils_fuzzer/inner_api_utils_fuzzer:HdfInnerApiUtilsFuzzTest",
 ]
diff --git a/framework/test/fuzztest/framework_fuzzer/hcs_fuzzer/hcs_fuzzer.cpp b/framework/test/fuzztest/framework_fuzzer/hcs_fuzzer/hcs_fuzzer.cpp
index d4a209296..5ab927b27 100644
--- a/framework/test/fuzztest/framework_fuzzer/hcs_fuzzer/hcs_fuzzer.cpp
+++ b/framework/test/fuzztest/framework_fuzzer/hcs_fuzzer/hcs_fuzzer.cpp
@@ -43,7 +43,7 @@ void FuncHcsGetBool(const uint8_t *data, size_t size)
 }
 struct DeviceResourceNode *node = (struct DeviceResourceNode *)data;
- char *attrName = (char *)(data + sizeof(struct DeviceResourceNode));
+ const char *attrName = "nothing";
 HcsGetBool(node, attrName);
 return;
 }
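Review bot: With `attrName` now the constant `"nothing"`, the only fuzz-derived argument left for `HcsGetBool` is `node`, and the context line above still creates it by casting the raw input with `(struct DeviceResourceNode *)data`. Any pointer member of that struct is then fuzz-chosen bytes, so a crash here would come from the harness rather than from the parser, and the lookup name no longer varies with the input. Consider building a valid `DeviceResourceNode` in the harness and drawing the attribute name from the input as a length-checked, NUL-terminated copy. FuncHcsGetBool starts outside the hunk, so the size guard before the cast is not visible.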
diff --git a/framework/test/fuzztest/uhdf2_hdi_fuzzer/collector_fuzzer/BUILD.gn b/framework/test/fuzztest/framework_fuzzer/support/posix_fuzzer/BUILD.gn similarity index 43% rename from framework/test/fuzztest/uhdf2_hdi_fuzzer/collector_fuzzer/BUILD.gn rename to framework/test/fuzztest/framework_fuzzer/support/posix_fuzzer/BUILD.gn index 787cd8bbe..15803fc85 100644 --- a/framework/test/fuzztest/uhdf2_hdi_fuzzer/collector_fuzzer/BUILD.gn +++ b/framework/test/fuzztest/framework_fuzzer/support/posix_fuzzer/BUILD.gn @@ -8,40 +8,33 @@ import("//build/config/features.gni") import("//build/ohos.gni") import("//build/test.gni") -module_output_path = "hdf_core/hdf_core/uhdf2_hdi_fuzzer" +module_output_path = "hdf_core/hdf_core/framework_fuzzer" -hdf_framework_path = "../../../../../framework" -hdf_uhdf_path = "../../../../../adapter/uhdf2" -hdf_interfaces_path = "../../../../interfaces" +hdf_framework_path = "../../../../../../framework" +hdf_uhdf_path = "../../../../../../adapter/uhdf2" -ohos_fuzztest("CollectionFuzzTest") { +ohos_fuzztest("HdfPosixFuzzTest") { module_out_path = module_output_path fuzz_config_file = - "$hdf_framework_path/test/fuzztest/uhdf2_hdi_fuzzer/collector_fuzzer" + "$hdf_framework_path/test/fuzztest/framework_fuzzer/support/posix_fuzzer" - include_dirs = [ - "$hdf_uhdf_path/utils/include", - "$hdf_uhdf_path/hdi/include", - "$hdf_framework_path/include", - "$hdf_interfaces_path/inner_api/hdi", - ] + include_dirs = [ "$hdf_uhdf_path/utils/include" ] - sources = [ "collector_fuzzer.cpp" ] + sources = [ "posix_fuzzer.cpp" ] deps = [ - "../../../../../adapter/uhdf2/hdi:libhdi", - "../../../../../adapter/uhdf2/utils:libhdf_utils", + "$hdf_uhdf_path/pub_utils:libpub_utils", + "$hdf_uhdf_path/utils:libhdf_utils", ] external_deps = [ "c_utils:utils", "hilog:libhilog", - "ipc:ipc_single", ] } group("fuzztest") { testonly = true - deps = [ ":CollectionFuzzTest" ] + deps = [ ":HdfPosixFuzzTest" ] } 
diff --git a/framework/test/fuzztest/uhdf2_hdi_fuzzer/collector_fuzzer/corpus/init b/framework/test/fuzztest/framework_fuzzer/support/posix_fuzzer/corpus/init similarity index 100% rename from framework/test/fuzztest/uhdf2_hdi_fuzzer/collector_fuzzer/corpus/init rename to framework/test/fuzztest/framework_fuzzer/support/posix_fuzzer/corpus/init diff --git a/framework/test/fuzztest/framework_fuzzer/support/posix_fuzzer/posix_fuzzer.cpp b/framework/test/fuzztest/framework_fuzzer/support/posix_fuzzer/posix_fuzzer.cpp new file mode 100644 index 000000000..6649d3c64 --- /dev/null +++ b/framework/test/fuzztest/framework_fuzzer/support/posix_fuzzer/posix_fuzzer.cpp 
@@ -0,0 +1,184 @@ +/* + * Copyright (c) 2024 Huawei Device Co., Ltd. + * + * HDF is dual licensed: you can use it either under the terms of + * the GPL, or the BSD license, at your option. + * See the LICENSE file in the root of this repository for complete details. + */ + +#include "hdf_base.h" +#include "hdf_log.h" +#include "osal_mem.h" +#include "osal_sem.h" +#include "osal_time.h" +#include "osal_spinlock.h" +#include "posix_fuzzer.h" +#include + +namespace OHOS { +constexpr size_t THRESHOLD = 10; +#define HDF_LOG_TAG posix_fuzzer + +enum FuncId { + POSIX_OSALMEMALLOC, + POSIX_OSALMEMCALLOC, + POSIX_OSALMEMALLOCALIGN, + POSIX_OSALSEMWAIT, + POSIX_OSALSEMPOST, + POSIX_OSALSPINLOCK, + POSIX_OSALTIME, + HCS_END +}; + +void FuncOsalMemAlloc(const uint8_t *data, size_t size) +{ + if (size < sizeof(size_t)) { + return; + } + + size_t sz = *(size_t *)data; + uint8_t *mem = (uint8_t *)OsalMemAlloc(sz); + if (mem != nullptr) { + OsalMemFree(mem); + } + return; +} + +void FuncOsalMemCalloc(const uint8_t *data, size_t size) +{ + if (size < sizeof(size_t)) { + return; + } + + size_t sz = *(size_t *)data; + uint8_t *mem = (uint8_t *)OsalMemCalloc(sz); + if (mem != nullptr) { + OsalMemFree(mem); + } + return; +} + +void FuncOsalMemAllocAlign(const uint8_t *data, size_t size) +{ + if (size < sizeof(size_t)) { + return; + } + size_t alignment = 8; + size_t sz = 0; + + uint8_t *mem = (uint8_t *)OsalMemAllocAlign(alignment, sz); + if (mem != nullptr) { + OsalMemFree(mem); + } + + sz = 4; + mem = (uint8_t *)OsalMemAllocAlign(alignment, sz); + if (mem != nullptr) { + OsalMemFree(mem); + } + return; +} + +void FuncOsalSemWait(const uint8_t *data, size_t size) +{ + OsalSemWait(NULL, 0); + + struct OsalSem sem; + OsalSemInit(&sem, 1); + OsalSemWait(&sem, ~HDF_WAIT_FOREVER); + OsalSemDestroy(&sem); + return; +} + +void FuncOsalSemPost(const uint8_t *data, size_t size) +{ + struct OsalSem sem; + OsalSemInit(&sem, 1); + OsalSemPost(&sem); + OsalSemDestroy(&sem); + return; +} + +void 
FuncOsalSpinLock(const uint8_t *data, size_t size) +{ + OsalSpinInit(NULL); + OsalSpinlock spinlock; + OsalSpinInit(&spinlock); + std::thread thrd([&spinlock] { + OsalMSleep(2000); + OsalSpinUnlock(&spinlock); + }); + OsalSpinLock(&spinlock); + OsalSpinDestroy(&spinlock); + thrd.join(); + return; +} + +void FuncOsalTime(const uint8_t *data, size_t size) +{ + OsalGetTime(NULL); + OsalTimespec start, end, diff; + OsalGetTime(&start); + OsalGetTime(&end); + OsalDiffTime(&start, &end, &diff); + OsalUSleep(1); + OsalUDelay(1); + OsalMDelay(1); + uint64_t st = OsalGetSysTimeMs(); + (void)st; + return; +} + +void FuncSwitch(uint32_t cmd, const uint8_t *data, size_t size) +{ + switch (cmd) { + case POSIX_OSALMEMALLOC: { + FuncOsalMemAlloc(data, size); + break; + } + case POSIX_OSALMEMCALLOC: { + FuncOsalMemCalloc(data, size); + break; + } + case POSIX_OSALMEMALLOCALIGN: { + FuncOsalMemAllocAlign(data, size); + break; + } + case POSIX_OSALSEMWAIT: { + FuncOsalSemWait(data, size); + break; + } + case POSIX_OSALSEMPOST: { + FuncOsalSemPost(data, size); + break; + } + case POSIX_OSALSPINLOCK: { + FuncOsalSpinLock(data, size); + break; + } + case POSIX_OSALTIME: { + FuncOsalTime(data, size); + break; + } + default: + return; + } +} + +void TraverseAllFunc(const uint8_t *data, size_t size) +{ + for (uint32_t cmd = 0; cmd < HCS_END; cmd++) { + FuncSwitch(cmd, data, size); + } +} +} + +extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) +{ + if (size < OHOS::THRESHOLD) { + return HDF_SUCCESS; + } + + OHOS::TraverseAllFunc(data, size); + return HDF_SUCCESS; +} diff --git a/framework/test/fuzztest/uhdf2_shared_fuzzer/shared_fuzzer/shared_fuzzer.h b/framework/test/fuzztest/framework_fuzzer/support/posix_fuzzer/posix_fuzzer.h similarity index 62% rename from framework/test/fuzztest/uhdf2_shared_fuzzer/shared_fuzzer/shared_fuzzer.h rename to framework/test/fuzztest/framework_fuzzer/support/posix_fuzzer/posix_fuzzer.h index f3ed9b94f..c30667a39 100644 
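Review bot: In FuncOsalMemAlloc and FuncOsalMemCalloc, `size_t sz = *(size_t *)data;` loads a size_t through a byte pointer with no alignment guarantee and then requests that many bytes, so nearly every input asks for an arbitrary and usually enormous allocation. Unless OsalMemAlloc and OsalMemCalloc cap the size themselves (not visible here), a sanitizer or fuzzer allocation limit is likely to abort on the request, and that gets recorded as a finding although the target did nothing wrong. I would read the value with `size_t sz = 0; (void)memcpy(&sz, data, sizeof(sz));` and bound it, e.g. `sz %= MAX_ALLOC_SIZE;` with a named constant chosen for this harness. The remaining Func* cases never read `data`, so each input runs the same fixed path through them; a one-line comment saying that is intentional would help the next reader.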
--- a/framework/test/fuzztest/uhdf2_shared_fuzzer/shared_fuzzer/shared_fuzzer.h +++ b/framework/test/fuzztest/framework_fuzzer/support/posix_fuzzer/posix_fuzzer.h @@ -1,14 +1,14 @@ -/* - * Copyright (c) 2024 Huawei Device Co., Ltd. - * - * HDF is dual licensed: you can use it either under the terms of - * the GPL, or the BSD license, at your option. - * See the LICENSE file in the root of this repository for complete details. - */ - -#ifndef HDI_COLLECTION_FUZZER_H -#define HDI_COLLECTION_FUZZER_H - -#define FUZZ_PROJECT_NAME "shared_fuzzer" - -#endif // HDI_COLLECTION_FUZZER_H \ No newline at end of file +/* + * Copyright (c) 2024 Huawei Device Co., Ltd. + * + * HDF is dual licensed: you can use it either under the terms of + * the GPL, or the BSD license, at your option. + * See the LICENSE file in the root of this repository for complete details. + */ + +#ifndef HDF_POSIX_H +#define HDF_POSIX_H + +#define FUZZ_PROJECT_NAME "posix_fuzzer" + +#endif // HDF_POSIX_H \ No newline at end of file diff --git a/framework/test/fuzztest/uhdf2_shared_fuzzer/shared_fuzzer/project.xml b/framework/test/fuzztest/framework_fuzzer/support/posix_fuzzer/project.xml similarity index 82% rename from framework/test/fuzztest/uhdf2_shared_fuzzer/shared_fuzzer/project.xml rename to framework/test/fuzztest/framework_fuzzer/support/posix_fuzzer/project.xml index e47b18640..c39057510 100644 --- a/framework/test/fuzztest/uhdf2_shared_fuzzer/shared_fuzzer/project.xml +++ b/framework/test/fuzztest/framework_fuzzer/support/posix_fuzzer/project.xml @@ -8,10 +8,10 @@ - 1000 + 0 - 120 + 10 - 2048 + 128 diff --git a/framework/test/fuzztest/framework_utils_fuzzer/utils_fuzzer/BUILD.gn b/framework/test/fuzztest/framework_utils_fuzzer/utils_fuzzer/BUILD.gn index 7acda433f..1760762dd 100644 --- a/framework/test/fuzztest/framework_utils_fuzzer/utils_fuzzer/BUILD.gn +++ b/framework/test/fuzztest/framework_utils_fuzzer/utils_fuzzer/BUILD.gn 
@@ -32,7 +32,8 @@ ohos_fuzztest("HdfUtilsFuzzTest") { sources = [ "$hdf_framework_path/utils/src/hdf_sbuf.c", "$hdf_framework_path/utils/src/hdf_sbuf_impl_raw.c", - "utils_fuzzer.cpp", + "$hdf_framework_path/utils/src/hdf_cstring.c", + "utils_fuzzer.cpp", ] deps = [ diff --git a/framework/test/fuzztest/framework_utils_fuzzer/utils_fuzzer/utils_fuzzer.cpp b/framework/test/fuzztest/framework_utils_fuzzer/utils_fuzzer/utils_fuzzer.cpp index 26a16b718..0221cb016 100644 --- a/framework/test/fuzztest/framework_utils_fuzzer/utils_fuzzer/utils_fuzzer.cpp +++ b/framework/test/fuzztest/framework_utils_fuzzer/utils_fuzzer/utils_fuzzer.cpp @@ -16,6 +16,8 @@ #include "hdf_map.h" #include "hdf_sbuf.h" #include "hdf_sbuf_impl.h" +#include "hdf_cstring.h" +#include "hdf_thread_ex.h" namespace OHOS { const int NUM = 23; 
@@ -66,55 +68,26 @@ static void HdfUtilsFuzzTest(const uint8_t *data, size_t size) MapErase(&testMap1, name); MapDelete(&testMap1); - const uint64_t value = 1; - const uint32_t value1 = 2; - const uint16_t value2 = 3; - const uint8_t value3 = 4; - uint64_t value4 = 1; - uint32_t value5 = 1; - uint16_t value6 = 1; - uint8_t value7 = 1; + const char *str = "123"; + struct HdfCString *cstr = HdfCStringObtain(str); + HdfCStringRecycle(cstr); + struct HdfThread *thread = HdfThreadNewInstance(); + HdfThreadFreeInstance(thread); + struct HdfSBuf *sbuf = HdfSbufObtainDefaultSize(); struct HdfSBuf *copy = HdfSbufCopy(sbuf); - struct HdfSBufImpl *impl = HdfSbufGetImpl(sbuf); - struct HdfSBufImpl *impl1 = HdfSbufGetImpl(copy); - HdfSbufTypedObtainInplace(value1, impl1); HdfSbufSetDataSize(copy, size); HdfSbufGetDataSize(copy); - HdfSbufReadUnpadBuffer(copy, size); - HdfSbufWriteUint64(copy, value); - HdfSbufWriteUint32(copy, value1); - HdfSbufWriteUint16(copy, value2); - HdfSbufWriteUint8(copy, value3); - HdfSbufReadUint64(copy, &value4); - HdfSbufReadUint32(copy, &value5); - HdfSbufReadUint16(copy, &value6); - HdfSbufReadUint8(copy, &value7); - - HdfSbufGetData(sbuf); - HdfSbufFlush(sbuf); - HdfSbufGetCapacity(sbuf); - impl->writeBuffer(impl, data, value1); - impl->writeUnpadBuffer(impl, data, value1); - impl->writeUint64(impl, value); - impl->writeUint32(impl, value1); - impl->writeUint16(impl, value2); - impl->writeUint8(impl, value3); - impl->readUnpadBuffer(impl, size); - impl->readUint64(impl, &value4); - impl->readUint32(impl, &value5); - impl->readUint16(impl, &value6); - impl->readUint8(impl, &value7); - struct HdfSBufImpl *implCopy = impl->copy(impl); - impl->setDataSize(implCopy, size); - impl->getDataSize(implCopy); - impl->getCapacity(implCopy); - impl->transDataOwnership(implCopy); - impl->move(implCopy); - impl->recycle(implCopy); - impl->recycle(impl); + HdfSbufGetData(copy); + struct HdfSBufImpl *impl = HdfSbufGetImpl(copy); + if (impl == nullptr) { + impl = 
(struct HdfSBufImpl *)OsalMemCalloc(sizeof(struct HdfSBufImpl)); + } HdfSbufMove(copy); - HdfSbufTransDataOwnership(copy); + HdfSbufTransDataOwnership(copy); + HdfSbufTypedObtainInplace(static_cast(size), impl); + HdfSbufFlush(copy); + HdfSbufGetCapacity(copy); HdfSbufRecycle(sbuf); HdfSbufRecycle(copy); } diff --git a/framework/test/fuzztest/uhdf2_hdi_fuzzer/collector_fuzzer/collector_fuzzer.cpp b/framework/test/fuzztest/uhdf2_hdi_fuzzer/collector_fuzzer/collector_fuzzer.cpp deleted file mode 100644 index 6bb211804..000000000 --- a/framework/test/fuzztest/uhdf2_hdi_fuzzer/collector_fuzzer/collector_fuzzer.cpp +++ /dev/null @@ -1,42 +0,0 @@ -/* - * Copyright (c) 2024 Huawei Device Co., Ltd. - * - * HDF is dual licensed: you can use it either under the terms of - * the GPL, or the BSD license, at your option. - * See the LICENSE file in the root of this repository for complete details. - */ -#include "collector_fuzzer.h" -#include "object_collector.h" -#include "hdf_base.h" -#include "hdf_log.h" -#include "parcel.h" -#include -#include "osal_mem.h" -#include "hdi_support.h" -#include - -namespace OHOS { -static void CollectionFuzzTest(const uint8_t *data, size_t size) -{ - if (data == nullptr) { - HDF_LOGE("%{public}s: data is nullptr!", __func__); - } - - Parcel parcel; - parcel.WriteBuffer(data, size); - const std::u16string INTERFACE_NAME = OHOS::Str8ToStr16(parcel.ReadString()); - HDI::HdiBase *service = (HDI::HdiBase *)OsalMemCalloc(sizeof(HDI::HdiBase)); - HDI::ObjectCollector::GetInstance().NewObject(service, INTERFACE_NAME); - HDI::ObjectCollector::GetInstance().GetOrNewObject(service, INTERFACE_NAME); - HDI::ObjectCollector::GetInstance().RemoveObject(service); - OsalMemFree(service); -} -} - -/* Fuzzer entry point */ -extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) -{ - /* Run your code on data */ - OHOS::CollectionFuzzTest(data, size); - return HDF_SUCCESS; -} \ No newline at end of file 
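Review bot: The results of `HdfSbufMove(copy);` and of the HdfSbufTypedObtainInplace call are discarded, and the `OsalMemCalloc` fallback for `impl` is never freed in the visible lines; only `sbuf` and `copy` are recycled before the function ends. If those calls return a newly obtained sbuf the way `HdfSbufCopy` does, every input leaks, and a leak-checking fuzz run will report that instead of anything in the sbuf code. Keeping the moved buffer and releasing it, e.g. `struct HdfSBuf *moved = HdfSbufMove(copy);` followed later by `HdfSbufRecycle(moved);`, covers the first case; for the in-place wrapper, which appears to share `impl` with `copy`, ownership has to be decided explicitly so that `impl` is released exactly once. The rewrite also removes every call that passed `data` into the sbuf, so only `size` reaches the target now. HdfUtilsFuzzTest begins outside the hunk.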
diff --git a/framework/test/fuzztest/uhdf2_hdi_fuzzer/collector_fuzzer/collector_fuzzer.h b/framework/test/fuzztest/uhdf2_hdi_fuzzer/collector_fuzzer/collector_fuzzer.h deleted file mode 100644 index 9b26247a8..000000000 --- a/framework/test/fuzztest/uhdf2_hdi_fuzzer/collector_fuzzer/collector_fuzzer.h +++ /dev/null @@ -1,14 +0,0 @@ -/* - * Copyright (c) 2024 Huawei Device Co., Ltd. - * - * HDF is dual licensed: you can use it either under the terms of - * the GPL, or the BSD license, at your option. - * See the LICENSE file in the root of this repository for complete details. - */ - -#ifndef HDI_COLLECTION_FUZZER_H -#define HDI_COLLECTION_FUZZER_H - -#define FUZZ_PROJECT_NAME "collector_fuzzer" - -#endif // HDI_COLLECTION_FUZZER_H \ No newline at end of file diff --git a/framework/test/fuzztest/uhdf2_hdi_fuzzer/collector_fuzzer/project.xml b/framework/test/fuzztest/uhdf2_hdi_fuzzer/collector_fuzzer/project.xml deleted file mode 100644 index e47b18640..000000000 --- a/framework/test/fuzztest/uhdf2_hdi_fuzzer/collector_fuzzer/project.xml +++ /dev/null @@ -1,17 +0,0 @@ - - - - - - 1000 - - 120 - - 2048 - - diff --git a/framework/test/fuzztest/uhdf2_shared_fuzzer/shared_fuzzer/BUILD.gn b/framework/test/fuzztest/uhdf2_shared_fuzzer/shared_fuzzer/BUILD.gn deleted file mode 100644 index 7a2d731f4..000000000 --- a/framework/test/fuzztest/uhdf2_shared_fuzzer/shared_fuzzer/BUILD.gn +++ /dev/null 
@@ -1,52 +0,0 @@ -# Copyright (c) 2024 Huawei Device Co., Ltd. -# -# HDF is dual licensed: you can use it either under the terms of -# the GPL, or the BSD license, at your option. -# See the LICENSE file in the root of this repository for complete details. - -import("//build/config/features.gni") -import("//build/ohos.gni") -import("//build/test.gni") - -module_output_path = "hdf_core/hdf_core/uhdf2_shared_fuzzer" - -hdf_framework_path = "../../../../../framework" -hdf_uhdf_path = "../../../../../adapter/uhdf2" - -ohos_fuzztest("SharedFuzzTest") { - module_out_path = module_output_path - - fuzz_config_file = - "$hdf_framework_path/test/fuzztest/uhdf2_shared_fuzzer/shared_fuzzer" - - include_dirs = [ - "$hdf_uhdf_path/shared/include", - "$hdf_uhdf_path/utils/include", - "$hdf_uhdf_path/ipc/include", - "$hdf_framework_path/include", - "$hdf_framework_path/include", - "$hdf_framework_path/core/manager/include", - "$hdf_framework_path/core/common/include/manager/", - "$hdf_framework_path/core/host/include", - "$hdf_framework_path/core/shared/include", - "$hdf_framework_path/utils/include", - ] - - sources = [ "shared_fuzzer.cpp" ] - deps = [ - "../../../../../adapter/uhdf2/host:libhdf_host", - "../../../../../adapter/uhdf2/utils:libhdf_utils", - ] - - external_deps = [ - "c_utils:utils", - "hilog:libhilog", - "init:libbegetutil", - "ipc:ipc_single", - ] -} - -group("fuzztest") { - testonly = true - deps = [ ":SharedFuzzTest" ] -} diff --git a/framework/test/fuzztest/uhdf2_shared_fuzzer/shared_fuzzer/corpus/init b/framework/test/fuzztest/uhdf2_shared_fuzzer/shared_fuzzer/corpus/init deleted file mode 100644 index f707fb4e4..000000000 --- a/framework/test/fuzztest/uhdf2_shared_fuzzer/shared_fuzzer/corpus/init +++ /dev/null 
@@ -1,7 +0,0 @@ -# Copyright (c) 2024 Huawei Device Co., Ltd. -# -# HDF is dual licensed: you can use it either under the terms of -# the GPL, or the BSD license, at your option. -# See the LICENSE file in the root of this repository for complete details. - -FUZZ \ No newline at end of file diff --git a/framework/test/fuzztest/uhdf2_shared_fuzzer/shared_fuzzer/shared_fuzzer.cpp b/framework/test/fuzztest/uhdf2_shared_fuzzer/shared_fuzzer/shared_fuzzer.cpp deleted file mode 100644 index 0bc30ce59..000000000 --- a/framework/test/fuzztest/uhdf2_shared_fuzzer/shared_fuzzer/shared_fuzzer.cpp +++ /dev/null @@ -1,35 +0,0 @@ -/* - * Copyright (c) 2024 Huawei Device Co., Ltd. - * - * HDF is dual licensed: you can use it either under the terms of - * the GPL, or the BSD license, at your option. - * See the LICENSE file in the root of this repository for complete details. - */ -#include "shared_fuzzer.h" -#include "dev_attribute_serialize.h" -#include "hdf_base.h" -#include "hdf_log.h" -#include - -namespace OHOS { -static void SharedFuzzTest(const uint8_t *data, size_t size) -{ - if (data == nullptr) { - HDF_LOGE("%{public}s: data is nullptr!", __func__); - } - - struct HdfDeviceInfo *attribute = (struct HdfDeviceInfo *)data; - struct HdfSBuf *sbuf = (struct HdfSBuf *)data; - DeviceAttributeSerialize(attribute, sbuf); - DeviceAttributeDeserialize(sbuf); - DeviceSerializedAttributeRelease(attribute); -} -} - -/* Fuzzer entry point */ -extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) -{ - /* Run your code on data */ - OHOS::SharedFuzzTest(data, size); - return HDF_SUCCESS; -} \ No newline at end of file -- Gitee From 2b192cef6abe8974ae764ca42259bf04a35cae3e Mon Sep 17 00:00:00 2001 From: huyx Date: Sat, 20 Jul 2024 00:04:25 +0800 Subject: [PATCH 10/11] fuzz Signed-off-by: huyx --- .../framework_utils_fuzzer/utils_fuzzer/utils_fuzzer.cpp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/framework/test/fuzztest/framework_utils_fuzzer/utils_fuzzer/utils_fuzzer.cpp b/framework/test/fuzztest/framework_utils_fuzzer/utils_fuzzer/utils_fuzzer.cpp index 0221cb016..0e03315ca 100644 --- a/framework/test/fuzztest/framework_utils_fuzzer/utils_fuzzer/utils_fuzzer.cpp +++ b/framework/test/fuzztest/framework_utils_fuzzer/utils_fuzzer/utils_fuzzer.cpp @@ -81,10 +81,10 @@ static void HdfUtilsFuzzTest(const uint8_t *data, size_t size) HdfSbufGetData(copy); struct HdfSBufImpl *impl = HdfSbufGetImpl(copy); if (impl == nullptr) { - impl = (struct HdfSBufImpl *)OsalMemCalloc(sizeof(struct HdfSBufImpl)); - } + impl = (struct HdfSBufImpl *)OsalMemCalloc(sizeof(struct HdfSBufImpl)); + } HdfSbufMove(copy); - HdfSbufTransDataOwnership(copy); + HdfSbufTransDataOwnership(copy); HdfSbufTypedObtainInplace(static_cast(size), impl); HdfSbufFlush(copy); HdfSbufGetCapacity(copy); -- Gitee From d196361fb3ad33ab7362569f0588bd2d534e19f7 Mon Sep 17 00:00:00 2001 From: huyx Date: Sat, 20 Jul 2024 12:58:50 +0800 Subject: [PATCH 11/11] fuzz Signed-off-by: huyx --- .../framework_fuzzer/support/posix_fuzzer/posix_fuzzer.cpp | 7 ++++--- .../framework_utils_fuzzer/utils_fuzzer/utils_fuzzer.cpp | 4 ++++ .../syscall_fuzzer/syscall_fuzzer/syscall_fuzzer.cpp | 1 + 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/framework/test/fuzztest/framework_fuzzer/support/posix_fuzzer/posix_fuzzer.cpp b/framework/test/fuzztest/framework_fuzzer/support/posix_fuzzer/posix_fuzzer.cpp index 6649d3c64..91baa98c3 100644 --- a/framework/test/fuzztest/framework_fuzzer/support/posix_fuzzer/posix_fuzzer.cpp +++ b/framework/test/fuzztest/framework_fuzzer/support/posix_fuzzer/posix_fuzzer.cpp @@ -70,8 +70,8 @@ void FuncOsalMemAllocAlign(const uint8_t *data, size_t size) if (mem != nullptr) { OsalMemFree(mem); } - - sz = 4; + const size_t NUM = 4; + sz = NUM; mem = (uint8_t *)OsalMemAllocAlign(alignment, sz); if (mem != nullptr) { OsalMemFree(mem); 
@@ -104,8 +104,9 @@ void FuncOsalSpinLock(const uint8_t *data, size_t size) OsalSpinInit(NULL); OsalSpinlock spinlock; OsalSpinInit(&spinlock); + const uint32_t SLEEPTIME = 2000; std::thread thrd([&spinlock] { - OsalMSleep(2000); + OsalMSleep(SLEEPTIME); OsalSpinUnlock(&spinlock); }); OsalSpinLock(&spinlock); diff --git a/framework/test/fuzztest/framework_utils_fuzzer/utils_fuzzer/utils_fuzzer.cpp b/framework/test/fuzztest/framework_utils_fuzzer/utils_fuzzer/utils_fuzzer.cpp index 0e03315ca..8570964ec 100644 --- a/framework/test/fuzztest/framework_utils_fuzzer/utils_fuzzer/utils_fuzzer.cpp +++ b/framework/test/fuzztest/framework_utils_fuzzer/utils_fuzzer/utils_fuzzer.cpp @@ -18,6 +18,7 @@ #include "hdf_sbuf_impl.h" #include "hdf_cstring.h" #include "hdf_thread_ex.h" +#include "osal_message.h" namespace OHOS { const int NUM = 23; @@ -68,6 +69,9 @@ static void HdfUtilsFuzzTest(const uint8_t *data, size_t size) MapErase(&testMap1, name); MapDelete(&testMap1); + struct HdfMessage *message = HdfMessageObtain(size); + HdfMessageDelete(reinterpret_cast(message)); + const char *str = "123"; struct HdfCString *cstr = HdfCStringObtain(str); HdfCStringRecycle(cstr); diff --git a/framework/test/fuzztest/syscall_fuzzer/syscall_fuzzer/syscall_fuzzer.cpp b/framework/test/fuzztest/syscall_fuzzer/syscall_fuzzer/syscall_fuzzer.cpp index 680e4388b..b8b81e218 100644 --- a/framework/test/fuzztest/syscall_fuzzer/syscall_fuzzer/syscall_fuzzer.cpp +++ b/framework/test/fuzztest/syscall_fuzzer/syscall_fuzzer/syscall_fuzzer.cpp @@ -44,6 +44,7 @@ static void SyscallFuzzTest(const uint8_t *data, size_t size) } HdfIoserviceGetListenerCount(serv); struct HdfIoServiceGroup *group = HdfIoServiceGroupObtain(); + HdfIoServiceGroupAddService(nullptr, nullptr); HdfIoServiceGroupAddService(group, serv); HdfIoserviceGroupGetListenerCount(group); HdfIoserviceGroupGetServiceCount(group); -- Gitee
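Review bot: Naming the constant leaves the ordering in FuncOsalSpinLock as it was: the lines after this hunk, as added earlier in the series, call `OsalSpinDestroy(&spinlock);` before `thrd.join();`, while the helper thread sleeps `SLEEPTIME` ms and only then calls `OsalSpinUnlock(&spinlock)`. Since the lock is taken right after init with no other holder visible, the main thread most likely reaches the destroy at once, so the unlock lands on an already destroyed lock about two seconds later. Swapping the last two calls to `thrd.join();` then `OsalSpinDestroy(&spinlock);` fixes the lifetime. The sleep also costs every fuzz input two seconds, so I would drop it or cut it to a few milliseconds.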