From da1eea6051078c391c93e56689e040f394d234b1 Mon Sep 17 00:00:00 2001
From: liuyuxiu
Date: Fri, 19 Apr 2024 14:13:10 +0800
Subject: [PATCH 1/4] qos_manager high risk module add fuzz
Signed-off-by: liuyuxiu
---
 .../concurrent_fuzzer/concurrent_fuzzer.cpp | 272 ++++++++++++++++++
 1 file changed, 272 insertions(+)
diff --git a/test/fuzztest/concurrent_fuzzer/concurrent_fuzzer.cpp b/test/fuzztest/concurrent_fuzzer/concurrent_fuzzer.cpp
index f04e160..fa024bd 100644
--- a/test/fuzztest/concurrent_fuzzer/concurrent_fuzzer.cpp
+++ b/test/fuzztest/concurrent_fuzzer/concurrent_fuzzer.cpp
@@ -17,6 +17,7 @@
 #define private public
 #include "concurrent_task_client.h"
 #include "concurrent_task_service_ability.h"
+#include "concurrent_task_controller.h"
 #undef private
 #include "concurrent_task_service_proxy.h"
 #include "concurrent_task_service.h"
@@ -702,6 +703,260 @@ bool FuzzConcurrentTaskServiceProxyRequestAuth(const uint8_t* data, size_t size)
 }
 return true;
 }
+
+bool FuzzTaskControllerQueryRenderService(const uint8_t* data, size_t size)
+{
+ g_baseFuzzData = data;
+ g_baseFuzzSize = size;
+ g_baseFuzzPos = 0;
+ if (size > sizeof(int) + sizeof(int) + sizeof(int) + sizeof(int)) {
+ int uid = GetData();
+ IntervalReply queryRs;
+ queryRs.tid = GetData();
+ queryRs.rtgId = GetData();
+ queryRs.paramA = 1;
+ queryRs.paramB = 1;
+ TaskController::GetInstance().renderServiceGrpId_ = GetData();
+ TaskController::GetInstance().QueryRenderService(uid, queryRs);
+ }
+ return true;
+}
+
+bool FuzzTaskControllerQueryExecutorStart(const uint8_t* data, size_t size)
+{
+ g_baseFuzzData = data;
+ g_baseFuzzSize = size;
+ g_baseFuzzPos = 0;
+ if (size > sizeof(int) + sizeof(int) + sizeof(int) + sizeof(int)) {
+ int uid = GetData();
+ IntervalReply queryRs;
+ queryRs.tid = GetData();
+ queryRs.rtgId = GetData();
+ queryRs.paramA = 1;
+ queryRs.paramB = 1;
+ TaskController::GetInstance().renderServiceGrpId_ = GetData();
+ TaskController::GetInstance().QueryRenderService(uid, queryRs);
+ }
+ return true;
+}
+
+bool FuzzTaskControllerGetRequestType(const uint8_t* data, size_t size)
+{
+ g_baseFuzzData = data;
+ g_baseFuzzSize = size;
+ g_baseFuzzPos = 0;
+ if (size > sizeof(int)) {
+ std::string msgType = std::to_string(GetData());
+ TaskController::GetInstance().GetRequestType(msgType);
+ }
+ return true;
+}
+
+bool FuzzTaskControllerDealSystemRequest(const uint8_t* data, size_t size)
+{
+ g_baseFuzzData = data;
+ g_baseFuzzSize = size;
+ g_baseFuzzPos = 0;
+ if (size > sizeof(int) + sizeof(int) + sizeof(int)) {
+ Json::Value payload;
+ payload["pid"] = GetData();
+ payload["uid"] = GetData();
+ int requestType = GetData();
+ TaskController::GetInstance().DealSystemRequest(requestType, payload);
+ }
+ return true;
+}
+
+bool FuzzTaskControllerNewForeground(const uint8_t* data, size_t size)
+{
+ g_baseFuzzData = data;
+ g_baseFuzzSize = size;
+ g_baseFuzzPos = 0;
+ if (size > sizeof(int) + sizeof(int)) {
+ int uid = GetData();
+ int pid = GetData();
+ TaskController::GetInstance().NewForeground(uid, pid);
+ }
+ return true;
+}
+
+bool FuzzTaskControllerNewForegroundAppRecord(const uint8_t* data, size_t size)
+{
+ g_baseFuzzData = data;
+ g_baseFuzzSize = size;
+ g_baseFuzzPos = 0;
+ if (size > sizeof(int) + sizeof(int) + sizeof(int)) {
+ int pid = GetData();
+ int uiPid = GetData();
+ bool ddlEnable = GetData();
+ TaskController::GetInstance().NewForegroundAppRecord(pid, uiPid, ddlEnable);
+ }
+ return true;
+}
+
+bool FuzzTaskControllerNewBackground(const uint8_t* data, size_t size)
+{
+ g_baseFuzzData = data;
+ g_baseFuzzSize = size;
+ g_baseFuzzPos = 0;
+ if (size > sizeof(int) + sizeof(int)) {
+ int pid = GetData();
+ int uid = GetData();
+ TaskController::GetInstance().NewBackground(uid, pid);
+ }
+ return true;
+}
+
+bool FuzzTaskControllerNewAppStart(const uint8_t* data, size_t size)
+{
+ g_baseFuzzData = data;
+ g_baseFuzzSize = size;
+ g_baseFuzzPos = 0;
+ if (size > sizeof(int) + sizeof(int)) {
+ int pid = GetData();
+ int uid = GetData();
+ TaskController::GetInstance().NewAppStart(uid, pid);
+ }
+ return true;
+}
+
+bool FuzzTaskControllerAppKilled(const uint8_t* data, size_t size)
+{
+ g_baseFuzzData = data;
+ g_baseFuzzSize = size;
+ g_baseFuzzPos = 0;
+ if (size > sizeof(int) + sizeof(int)) {
+ int pid = GetData();
+ int uid = GetData();
+ TaskController::GetInstance().AppKilled(uid, pid);
+ }
+ return true;
+}
+
+bool FuzzTaskControllerAuthSystemProcess(const uint8_t* data, size_t size)
+{
+ g_baseFuzzData = data;
+ g_baseFuzzSize = size;
+ g_baseFuzzPos = 0;
+ if (size > sizeof(int)) {
+ int pid = GetData();
+ TaskController::GetInstance().AuthSystemProcess(pid);
+ }
+ return true;
+}
+
+bool FuzzTaskControllerContinuousTaskProcess(const uint8_t* data, size_t size)
+{
+ g_baseFuzzData = data;
+ g_baseFuzzSize = size;
+ g_baseFuzzPos = 0;
+ if (size > sizeof(int) + sizeof(int) + sizeof(int)) {
+ int pid = GetData();
+ int uid = GetData();
+ int status = GetData();
+ TaskController::GetInstance().ContinuousTaskProcess(uid, pid, status);
+ }
+ return true;
+}
+
+bool FuzzTaskControllerFocusStatusProcess(const uint8_t* data, size_t size)
+{
+ g_baseFuzzData = data;
+ g_baseFuzzSize = size;
+ g_baseFuzzPos = 0;
+ if (size > sizeof(int) + sizeof(int) + sizeof(int)) {
+ int pid = GetData();
+ int uid = GetData();
+ int status = GetData();
+ TaskController::GetInstance().FocusStatusProcess(uid, pid, status);
+ }
+ return true;
+}
+
+bool FuzzTaskControllerModifyGameState(const uint8_t* data, size_t size)
+{
+ g_baseFuzzData = data;
+ g_baseFuzzSize = size;
+ g_baseFuzzPos = 0;
+ if (size > sizeof(int) + sizeof(int)) {
+ const char* str1;
+ str1 = reinterpret_cast(data + g_baseFuzzPos);
+ size_t size1 = (size - g_baseFuzzPos) > LEN ? LEN : (size - g_baseFuzzPos);
+ std::string gameMsg(str1, size1);
+ Json::Value payload;
+ payload["gameMsg"] = gameMsg.c_str();
+ TaskController::GetInstance().ModifyGameState(payload);
+ } else {
+ Json::Value payload;
+ payload["gameMsg"] = "gameScene\":\"1";
+ TaskController::GetInstance().ModifyGameState(payload);
+ }
+ return true;
+}
+
+bool FuzzTaskControllerModifySystemRate(const uint8_t* data, size_t size)
+{
+ g_baseFuzzData = data;
+ g_baseFuzzSize = size;
+ g_baseFuzzPos = 0;
+ if (size > sizeof(int) + sizeof(int)) {
+ const char* str1;
+ str1 = reinterpret_cast(data + g_baseFuzzPos);
+ size_t size1 = (size - g_baseFuzzPos) > LEN ? LEN : (size - g_baseFuzzPos);
+ std::string gameMsg(str1, size1);
+ Json::Value payload;
+ payload["gameMsg"] = gameMsg.c_str();
+ TaskController::GetInstance().ModifyGameState(payload);
+ } else {
+ Json::Value payload;
+ payload["gameMsg"] = "gameScene\":\"1";
+ TaskController::GetInstance().ModifyGameState(payload);
+ }
+ return true;
+}
+
+bool FuzzTaskControllerSetAppRate(const uint8_t* data, size_t size)
+{
+ g_baseFuzzData = data;
+ g_baseFuzzSize = size;
+ g_baseFuzzPos = 0;
+ if (size > sizeof(int) + sizeof(int) + sizeof(int)) {
+ Json::Value payload;
+ payload[std::to_string(GetData()).c_str()] = std::to_string(GetData()).c_str();
+ TaskController::GetInstance().SetAppRate(payload);
+ } else {
+ Json::Value payload;
+ payload["-1"] = std::to_string(GetData()).c_str();
+ TaskController::GetInstance().SetAppRate(payload);
+ }
+ return true;
+}
+
+bool FuzzTaskControllerSetRenderServiceRate(const uint8_t* data, size_t size)
+{
+ g_baseFuzzData = data;
+ g_baseFuzzSize = size;
+ g_baseFuzzPos = 0;
+ if (size > sizeof(int) + sizeof(int) + sizeof(int)) {
+ Json::Value payload;
+ payload[std::to_string(GetData()).c_str()] = std::to_string(GetData()).c_str();
+ TaskController::GetInstance().SetRenderServiceRate(payload);
+ }
+ return true;
+}
+
+bool FuzzTaskControllerCheckJsonValid(const uint8_t* data, size_t size)
+{
+ g_baseFuzzData = data;
+ g_baseFuzzSize = size;
+ g_baseFuzzPos = 0;
+ if (size > sizeof(int) + sizeof(int)) {
+ Json::Value payload;
+ payload[std::to_string(GetData()).c_str()] = std::to_string(GetData()).c_str();
+ TaskController::GetInstance().CheckJsonValid(payload);
+ }
+ return true;
+}
 } // namespace OHOS
 
 /* Fuzzer entry point */
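Review bot: Two of the new harnesses never reach the function they are named after: `FuzzTaskControllerQueryExecutorStart` is a copy of the QueryRenderService harness and still calls `QueryRenderService(uid, queryRs)`, and `FuzzTaskControllerModifySystemRate` calls `ModifyGameState(payload)` in both of its branches. As written, QueryExecutorStart and ModifySystemRate get no fuzz coverage from this suite even though the harness list suggests they do; the calls should presumably become `TaskController::GetInstance().QueryExecutorStart(uid, queryRs);` and `TaskController::GetInstance().ModifySystemRate(payload);`, with the argument lists confirmed against concurrent_task_controller.h since the signatures are not visible in this patch. Separately, the `else` branch of `FuzzTaskControllerSetAppRate` calls `GetData()` exactly when the input was too short for the guarded path. Unless `GetData` bounds-checks against `g_baseFuzzSize` (its body is outside this hunk), that is a read past the fuzz buffer inside the harness itself, so a fixed value such as `payload["-1"] = "0";` is safer there.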
@@ -746,5 +1001,22 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 OHOS::FuzzConcurrentTaskServiceProxyQueryInterval(data, size);
 OHOS::FuzzConcurrentTaskServiceProxyQueryDeadline(data, size);
 OHOS::FuzzConcurrentTaskServiceProxyRequestAuth(data, size);
+ OHOS::FuzzTaskControllerQueryRenderService(data, size);
+ OHOS::FuzzTaskControllerQueryExecutorStart(data, size);
+ OHOS::FuzzTaskControllerGetRequestType(data, size);
+ OHOS::FuzzTaskControllerDealSystemRequest(data, size);
+ OHOS::FuzzTaskControllerNewForeground(data, size);
+ OHOS::FuzzTaskControllerNewForegroundAppRecord(data, size);
+ OHOS::FuzzTaskControllerNewBackground(data, size);
+ OHOS::FuzzTaskControllerNewAppStart(data, size);
+ OHOS::FuzzTaskControllerAppKilled(data, size);
+ OHOS::FuzzTaskControllerAuthSystemProcess(data, size);
+ OHOS::FuzzTaskControllerContinuousTaskProcess(data, size);
+ OHOS::FuzzTaskControllerFocusStatusProcess(data, size);
+ OHOS::FuzzTaskControllerModifyGameState(data, size);
+ OHOS::FuzzTaskControllerSetAppRate(data, size);
+ OHOS::FuzzTaskControllerModifySystemRate(data, size);
+ OHOS::FuzzTaskControllerSetRenderServiceRate(data, size);
+ OHOS::FuzzTaskControllerCheckJsonValid(data, size);
 return 0;
 }
-- Gitee
From 957e2d59f07e35cb94beeced301b70a75234e303 Mon Sep 17 00:00:00 2001
From: liuyuxiu
Date: Fri, 19 Apr 2024 16:10:58 +0800
Subject: [PATCH 2/4] qos_manager high risk module add fuzz
Signed-off-by: liuyuxiu
---
 .../concurrent_fuzzer/concurrent_fuzzer.cpp | 44 ++++++++++---------
 1 file changed, 23 insertions(+), 21 deletions(-)
diff --git a/test/fuzztest/concurrent_fuzzer/concurrent_fuzzer.cpp b/test/fuzztest/concurrent_fuzzer/concurrent_fuzzer.cpp
index fa024bd..aa91567 100644
--- a/test/fuzztest/concurrent_fuzzer/concurrent_fuzzer.cpp
+++ b/test/fuzztest/concurrent_fuzzer/concurrent_fuzzer.cpp
@@ -879,8 +879,7 @@ bool FuzzTaskControllerModifyGameState(const uint8_t* data, size_t size)
 g_baseFuzzSize = size;
 g_baseFuzzPos = 0;
 if (size > sizeof(int) + sizeof(int)) {
- const char* str1;
- str1 = reinterpret_cast(data + g_baseFuzzPos);
+ const char* str1 = reinterpret_cast(data + g_baseFuzzPos);
 size_t size1 = (size - g_baseFuzzPos) > LEN ? LEN : (size - g_baseFuzzPos);
 std::string gameMsg(str1, size1);
 Json::Value payload;
@@ -900,8 +899,7 @@ bool FuzzTaskControllerModifySystemRate(const uint8_t* data, size_t size)
 g_baseFuzzSize = size;
 g_baseFuzzPos = 0;
 if (size > sizeof(int) + sizeof(int)) {
- const char* str1;
- str1 = reinterpret_cast(data + g_baseFuzzPos);
+ const char* str1 = reinterpret_cast(data + g_baseFuzzPos);
 size_t size1 = (size - g_baseFuzzPos) > LEN ? LEN : (size - g_baseFuzzPos);
 std::string gameMsg(str1, size1);
 Json::Value payload;
@@ -959,6 +957,26 @@ bool FuzzTaskControllerCheckJsonValid(const uint8_t* data, size_t size)
 }
 } // namespace OHOS
 
+void TaskControllerFuzzTestSuit(const uint8_t *data, size_t size) {
+ OHOS::FuzzTaskControllerQueryRenderService(data, size);
+ OHOS::FuzzTaskControllerQueryExecutorStart(data, size);
+ OHOS::FuzzTaskControllerGetRequestType(data, size);
+ OHOS::FuzzTaskControllerDealSystemRequest(data, size);
+ OHOS::FuzzTaskControllerNewForeground(data, size);
+ OHOS::FuzzTaskControllerNewForegroundAppRecord(data, size);
+ OHOS::FuzzTaskControllerNewBackground(data, size);
+ OHOS::FuzzTaskControllerNewAppStart(data, size);
+ OHOS::FuzzTaskControllerAppKilled(data, size);
+ OHOS::FuzzTaskControllerAuthSystemProcess(data, size);
+ OHOS::FuzzTaskControllerContinuousTaskProcess(data, size);
+ OHOS::FuzzTaskControllerFocusStatusProcess(data, size);
+ OHOS::FuzzTaskControllerModifyGameState(data, size);
+ OHOS::FuzzTaskControllerSetAppRate(data, size);
+ OHOS::FuzzTaskControllerModifySystemRate(data, size);
+ OHOS::FuzzTaskControllerSetRenderServiceRate(data, size);
+ OHOS::FuzzTaskControllerCheckJsonValid(data, size);
+}
+
 /* Fuzzer entry point */
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 {
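Review bot: `TaskControllerFuzzTestSuit` is defined at global scope with external linkage and no prior declaration, although its only caller in this patch is `LLVMFuzzerTestOneInput` in the same file; declaring it `static void TaskControllerFuzzTestSuit(const uint8_t *data, size_t size)` keeps the helper file-local. It also deserves a comment recording that all seventeen harnesses run on every input against the same `TaskController::GetInstance()` singleton, for example `// Harnesses share the TaskController singleton; state written by one input (e.g. renderServiceGrpId_) persists into later inputs.` That carried-over state can make a crash depend on earlier inputs, which matters when a saved reproducer does not trigger on its own.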
@@ -1001,22 +1019,6 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 OHOS::FuzzConcurrentTaskServiceProxyQueryInterval(data, size);
 OHOS::FuzzConcurrentTaskServiceProxyQueryDeadline(data, size);
 OHOS::FuzzConcurrentTaskServiceProxyRequestAuth(data, size);
- OHOS::FuzzTaskControllerQueryRenderService(data, size);
- OHOS::FuzzTaskControllerQueryExecutorStart(data, size);
- OHOS::FuzzTaskControllerGetRequestType(data, size);
- OHOS::FuzzTaskControllerDealSystemRequest(data, size);
- OHOS::FuzzTaskControllerNewForeground(data, size);
- OHOS::FuzzTaskControllerNewForegroundAppRecord(data, size);
- OHOS::FuzzTaskControllerNewBackground(data, size);
- OHOS::FuzzTaskControllerNewAppStart(data, size);
- OHOS::FuzzTaskControllerAppKilled(data, size);
- OHOS::FuzzTaskControllerAuthSystemProcess(data, size);
- OHOS::FuzzTaskControllerContinuousTaskProcess(data, size);
- OHOS::FuzzTaskControllerFocusStatusProcess(data, size);
- OHOS::FuzzTaskControllerModifyGameState(data, size);
- OHOS::FuzzTaskControllerSetAppRate(data, size);
- OHOS::FuzzTaskControllerModifySystemRate(data, size);
- OHOS::FuzzTaskControllerSetRenderServiceRate(data, size);
- OHOS::FuzzTaskControllerCheckJsonValid(data, size);
+ TaskControllerFuzzTestSuit(data, size);
 return 0;
 }
-- Gitee
From 89f1ef1b1de289cb43156297c90fa5fae8196005 Mon Sep 17 00:00:00 2001
From: liuyuxiu
Date: Fri, 19 Apr 2024 16:15:29 +0800
Subject: [PATCH 3/4] qos_manager high risk module add fuzz
Signed-off-by: liuyuxiu
---
 test/fuzztest/concurrent_fuzzer/concurrent_fuzzer.cpp | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/test/fuzztest/concurrent_fuzzer/concurrent_fuzzer.cpp b/test/fuzztest/concurrent_fuzzer/concurrent_fuzzer.cpp
index aa91567..76e1abc 100644
--- a/test/fuzztest/concurrent_fuzzer/concurrent_fuzzer.cpp
+++ b/test/fuzztest/concurrent_fuzzer/concurrent_fuzzer.cpp
@@ -812,10 +812,11 @@ bool FuzzTaskControllerNewAppStart(const uint8_t* data, size_t size)
 g_baseFuzzData = data;
 g_baseFuzzSize = size;
 g_baseFuzzPos = 0;
- if (size > sizeof(int) + sizeof(int)) {
+ if (size > sizeof(int) + sizeof(int) + sizeof(int)) {
 int pid = GetData();
 int uid = GetData();
- TaskController::GetInstance().NewAppStart(uid, pid);
+ std::string bundleName = std::to_string(GetData());
+ TaskController::GetInstance().NewAppStart(uid, pid, bundleName);
 }
 return true;
 }
-- Gitee
From 71e03aeefa1e3e6972f22f92ebfc8c59abcfdec4 Mon Sep 17 00:00:00 2001
From: liuyuxiu
Date: Fri, 19 Apr 2024 17:00:05 +0800
Subject: [PATCH 4/4] qos_manager high risk module add fuzz
Signed-off-by: liuyuxiu
---
 test/fuzztest/concurrent_fuzzer/concurrent_fuzzer.cpp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/test/fuzztest/concurrent_fuzzer/concurrent_fuzzer.cpp b/test/fuzztest/concurrent_fuzzer/concurrent_fuzzer.cpp
index 76e1abc..44b5b79 100644
--- a/test/fuzztest/concurrent_fuzzer/concurrent_fuzzer.cpp
+++ b/test/fuzztest/concurrent_fuzzer/concurrent_fuzzer.cpp
@@ -958,7 +958,8 @@ bool FuzzTaskControllerCheckJsonValid(const uint8_t* data, size_t size)
 }
 } // namespace OHOS
 
-void TaskControllerFuzzTestSuit(const uint8_t *data, size_t size) {
+void TaskControllerFuzzTestSuit(const uint8_t *data, size_t size)
+{
 OHOS::FuzzTaskControllerQueryRenderService(data, size);
 OHOS::FuzzTaskControllerQueryExecutorStart(data, size);
 OHOS::FuzzTaskControllerGetRequestType(data, size);
-- Gitee
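Review bot: In the `FuzzTaskControllerNewAppStart` hunk, `bundleName` is built with `std::to_string(GetData())`, so `NewAppStart` only ever receives a short decimal-integer string and its handling of long, empty or non-numeric bundle names is never exercised. Building the string from the remaining input bytes, the way the ModifyGameState harness in this file builds `gameMsg`, gives the fuzzer control over both content and length: `size_t nameLen = (size - g_baseFuzzPos) > LEN ? LEN : (size - g_baseFuzzPos);` followed by `std::string bundleName(reinterpret_cast<const char*>(data + g_baseFuzzPos), nameLen);`. This assumes `GetData` advances `g_baseFuzzPos` past the two integers already consumed, which is not visible in this hunk. The same `std::to_string` pattern limits the `msgType` argument in `FuzzTaskControllerGetRequestType` from the first patch.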