From 7782edc064d30af342db738e65e73dbc40e1908c Mon Sep 17 00:00:00 2001
From: wu-liushuan <wuliushuan.30044128@h-partners.com>
Date: Fri, 18 Jul 2025 15:15:30 +0800
Subject: [PATCH] =?UTF-8?q?fuzz=E8=A6=86=E7=9B=96=E7=8E=87=E6=8F=90?=
 =?UTF-8?q?=E5=8D=8720250718?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: wu-liushuan <wuliushuan.30044128@h-partners.com>
Change-Id: I4b2b464c261a2d980cca910f4735dab832ba82b6
---
 .../src/app_status_change_callback.cpp        |  3 +-
 test/fuzztest/innerkits/accesstoken/BUILD.gn  |  2 +-
 .../dumptokeninfo_fuzzer.cpp                  | 46 ++++++-----
 .../registertokensynccallback_fuzzer.cpp      |  3 +-
 test/fuzztest/services/accesstoken/BUILD.gn   |  1 +
 .../istoastshownneededstub_fuzzer/BUILD.gn    |  4 +
 .../BUILD.gn                                  | 50 ++++++++++++
 .../corpus/init                               | 14 ++++
 .../project.xml                               | 25 ++++++
 ...tpermissionstatuswithpolicystub_fuzzer.cpp | 81 +++++++++++++++++++
 ...setpermissionstatuswithpolicystub_fuzzer.h | 21 +++++
 11 files changed, 227 insertions(+), 23 deletions(-)
 create mode 100644 test/fuzztest/services/accesstoken/setpermissionstatuswithpolicystub_fuzzer/BUILD.gn
 create mode 100644 test/fuzztest/services/accesstoken/setpermissionstatuswithpolicystub_fuzzer/corpus/init
 create mode 100644 test/fuzztest/services/accesstoken/setpermissionstatuswithpolicystub_fuzzer/project.xml
 create mode 100644 test/fuzztest/services/accesstoken/setpermissionstatuswithpolicystub_fuzzer/setpermissionstatuswithpolicystub_fuzzer.cpp
 create mode 100644 test/fuzztest/services/accesstoken/setpermissionstatuswithpolicystub_fuzzer/setpermissionstatuswithpolicystub_fuzzer.h

diff --git a/services/common/app_manager/src/app_status_change_callback.cpp b/services/common/app_manager/src/app_status_change_callback.cpp
index a87ced615..564aacf52 100644
--- a/services/common/app_manager/src/app_status_change_callback.cpp
+++ b/services/common/app_manager/src/app_status_change_callback.cpp
@@ -70,8 +70,7 @@ int32_t ApplicationStateObserverStub::OnRemoteRequest(
         case IApplicationStateObserver::Message::TRANSACT_ON_PAGE_HIDE:
         case IApplicationStateObserver::Message::TRANSACT_ON_WINDOW_SHOW:
         case IApplicationStateObserver::Message::TRANSACT_ON_WINDOW_HIDDEN:
-        case IApplicationStateObserver::Message::TRANSACT_ON_PROCESS_BINDINGRELATION_CHANGED:
-        {
+        case IApplicationStateObserver::Message::TRANSACT_ON_PROCESS_BINDINGRELATION_CHANGED: {
             return NO_ERROR;
         }
         default: {
diff --git a/test/fuzztest/innerkits/accesstoken/BUILD.gn b/test/fuzztest/innerkits/accesstoken/BUILD.gn
index 4f799c5aa..af0cdfed9 100644
--- a/test/fuzztest/innerkits/accesstoken/BUILD.gn
+++ b/test/fuzztest/innerkits/accesstoken/BUILD.gn
@@ -56,13 +56,13 @@ group("fuzztest") {
     "revokeusergrantedpermission_fuzzer:RevokeUserGrantedPermissionFuzzTest",
     "setpermdialogcap_fuzzer:SetPermDialogCapFuzzTest",
     "setpermissionrequesttogglestatus_fuzzer:SetPermissionRequestToggleStatusFuzzTest",
+    "setpermissionstatuswithpolicy_fuzzer:SetPermissionStatusWithPolicyFuzzTest",
     "setremotehaptokeninfo_fuzzer:SetRemoteHapTokenInfoFuzzTest",
     "unregisterpermstatechangecallback_fuzzer:UnRegisterPermStateChangeCallbackFuzzTest",
     "updatehaptoken_fuzzer:UpdateHapTokenFuzzTest",
     "verifyaccesstoken001_fuzzer:VerifyAccessToken001FuzzTest",
     "verifyaccesstoken_fuzzer:VerifyAccessTokenFuzzTest",
     "verifyaccesstokenwithlist_fuzzer:VerifyAccessTokenWithListFuzzTest",
-    "setpermissionstatuswithpolicy_fuzzer:SetPermissionStatusWithPolicyFuzzTest",
   ]
   if (security_component_enhance_enable) {
     deps += [
diff --git a/test/fuzztest/innerkits/accesstoken/dumptokeninfo_fuzzer/dumptokeninfo_fuzzer.cpp b/test/fuzztest/innerkits/accesstoken/dumptokeninfo_fuzzer/dumptokeninfo_fuzzer.cpp
index 9087de6ad..a98394fd4 100644
--- a/test/fuzztest/innerkits/accesstoken/dumptokeninfo_fuzzer/dumptokeninfo_fuzzer.cpp
+++ b/test/fuzztest/innerkits/accesstoken/dumptokeninfo_fuzzer/dumptokeninfo_fuzzer.cpp
@@ -15,35 +15,45 @@
 
 #include "dumptokeninfo_fuzzer.h"
 
-#include <iostream>
-#include <thread>
 #include <string>
 #include <vector>
 
-#undef private
+#include "access_token.h"
 #include "accesstoken_kit.h"
 #include "fuzzer/FuzzedDataProvider.h"
 
 using namespace std;
 using namespace OHOS::Security::AccessToken;
+static const vector<OptType> TYPE_LIST = {
+    DEFAULT_OPER,
+    DUMP_TOKEN,
+    DUMP_RECORD,
+    DUMP_TYPE,
+    DUMP_PERM,
+    PERM_GRANT,
+    PERM_REVOKE
+};
 
 namespace OHOS {
-    bool DumpTokenInfoFuzzTest(const uint8_t* data, size_t size)
-    {
-        if ((data == nullptr) || (size == 0)) {
-            return false;
-        }
-
-        FuzzedDataProvider provider(data, size);
-        AtmToolsParamInfo info = {
-            .tokenId = provider.ConsumeIntegral<AccessTokenID>(),
-        };
-
-        std::string dumpInfo;
-        AccessTokenKit::DumpTokenInfo(info, dumpInfo);
- 
-        return true;
+bool DumpTokenInfoFuzzTest(const uint8_t* data, size_t size)
+{
+    if ((data == nullptr) || (size == 0)) {
+        return false;
     }
+
+    FuzzedDataProvider provider(data, size);
+    uint32_t typeIndex = provider.ConsumeIntegral<uint32_t>() % static_cast<uint32_t>(TYPE_LIST.size());
+    OptType type = TYPE_LIST[typeIndex];
+    AtmToolsParamInfo info = {
+        .type = type,
+        .tokenId = provider.ConsumeIntegral<AccessTokenID>(),
+    };
+
+    std::string dumpInfo;
+    AccessTokenKit::DumpTokenInfo(info, dumpInfo);
+
+    return true;
+}
 }
 
 /* Fuzzer entry point */
diff --git a/test/fuzztest/innerkits/accesstoken/registertokensynccallback_fuzzer/registertokensynccallback_fuzzer.cpp b/test/fuzztest/innerkits/accesstoken/registertokensynccallback_fuzzer/registertokensynccallback_fuzzer.cpp
index c6c53cccc..b60b38c74 100644
--- a/test/fuzztest/innerkits/accesstoken/registertokensynccallback_fuzzer/registertokensynccallback_fuzzer.cpp
+++ b/test/fuzztest/innerkits/accesstoken/registertokensynccallback_fuzzer/registertokensynccallback_fuzzer.cpp
@@ -24,8 +24,7 @@ using namespace std;
 using namespace OHOS::Security::AccessToken;
 #ifdef TOKEN_SYNC_ENABLE
 static constexpr int32_t NUMBER_TWO = 2;
-#endif // TOKEN_SYNC_ENABLE
-
+#endif
 namespace {
 class TokenSyncCallback : public TokenSyncKitInterface {
 public:
diff --git a/test/fuzztest/services/accesstoken/BUILD.gn b/test/fuzztest/services/accesstoken/BUILD.gn
index e8f7fef4c..c396cac27 100644
--- a/test/fuzztest/services/accesstoken/BUILD.gn
+++ b/test/fuzztest/services/accesstoken/BUILD.gn
@@ -54,6 +54,7 @@ group("fuzztest") {
     "revokepermissionstub_fuzzer:RevokePermissionStubFuzzTest",
     "setpermdialogcap_fuzzer:SetPermDialogCapFuzzTest",
     "setpermissionrequesttogglestatusstub_fuzzer:SetPermissionRequestToggleStatusStubFuzzTest",
+    "setpermissionstatuswithpolicystub_fuzzer:SetPermissionStatusWithPolicyStubFuzzTest",
     "setremotehaptokeninfostub_fuzzer:SetRemoteHapTokenInfoStubFuzzTest",
     "updatehaptokenstub_fuzzer:UpdateHapTokenStubFuzzTest",
     "updateuserpolicystub_fuzzer:UpdateUserPolicyStubFuzzTest",
diff --git a/test/fuzztest/services/accesstoken/istoastshownneededstub_fuzzer/BUILD.gn b/test/fuzztest/services/accesstoken/istoastshownneededstub_fuzzer/BUILD.gn
index c35d0c5a6..f8d411f31 100644
--- a/test/fuzztest/services/accesstoken/istoastshownneededstub_fuzzer/BUILD.gn
+++ b/test/fuzztest/services/accesstoken/istoastshownneededstub_fuzzer/BUILD.gn
@@ -42,4 +42,8 @@ ohos_fuzztest("IsToastShownNeededStubFuzzTest") {
   cflags_cc = access_token_cflags_cc
 
   sources += access_token_sources
+  if (security_component_enhance_enable == true) {
+    cflags_cc += [ "-DSECURITY_COMPONENT_ENHANCE_ENABLE" ]
+    sources += [ "${access_token_path}/services/accesstokenmanager/main/cpp/src/seccomp/sec_comp_enhance_agent.cpp" ]
+  }
 }
diff --git a/test/fuzztest/services/accesstoken/setpermissionstatuswithpolicystub_fuzzer/BUILD.gn b/test/fuzztest/services/accesstoken/setpermissionstatuswithpolicystub_fuzzer/BUILD.gn
new file mode 100644
index 000000000..19d9919e8
--- /dev/null
+++ b/test/fuzztest/services/accesstoken/setpermissionstatuswithpolicystub_fuzzer/BUILD.gn
@@ -0,0 +1,50 @@
+# Copyright (c) 2025 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import("//build/config/features.gni")
+import("//build/test.gni")
+import("../../../../../access_token.gni")
+import("../access_token_service_fuzz.gni")
+
+ohos_fuzztest("SetPermissionStatusWithPolicyStubFuzzTest") {
+  module_out_path = module_output_path_service_access_token
+  fuzz_config_file = "."
+
+  sources = [ "setpermissionstatuswithpolicystub_fuzzer.cpp" ]
+
+  cflags = [
+    "-g",
+    "-O0",
+    "-Wno-unused-variable",
+    "-fno-omit-frame-pointer",
+  ]
+
+  include_dirs = access_token_include_dirs
+
+  deps = access_token_deps
+
+  configs = [
+    "${access_token_path}/config:coverage_flags",
+    "${access_token_path}/services/accesstokenmanager/idl:access_token_manager_gen_config",
+  ]
+
+  external_deps = access_token_external_deps
+
+  cflags_cc = access_token_cflags_cc
+
+  sources += access_token_sources
+  if (security_component_enhance_enable == true) {
+    cflags_cc += [ "-DSECURITY_COMPONENT_ENHANCE_ENABLE" ]
+    sources += [ "${access_token_path}/services/accesstokenmanager/main/cpp/src/seccomp/sec_comp_enhance_agent.cpp" ]
+  }
+}
diff --git a/test/fuzztest/services/accesstoken/setpermissionstatuswithpolicystub_fuzzer/corpus/init b/test/fuzztest/services/accesstoken/setpermissionstatuswithpolicystub_fuzzer/corpus/init
new file mode 100644
index 000000000..65af8ee8d
--- /dev/null
+++ b/test/fuzztest/services/accesstoken/setpermissionstatuswithpolicystub_fuzzer/corpus/init
@@ -0,0 +1,14 @@
+# Copyright (c) 2025 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FUZZ
\ No newline at end of file
diff --git a/test/fuzztest/services/accesstoken/setpermissionstatuswithpolicystub_fuzzer/project.xml b/test/fuzztest/services/accesstoken/setpermissionstatuswithpolicystub_fuzzer/project.xml
new file mode 100644
index 000000000..66e1dcac4
--- /dev/null
+++ b/test/fuzztest/services/accesstoken/setpermissionstatuswithpolicystub_fuzzer/project.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (c) 2025 Huawei Device Co., Ltd.
+
+     Licensed under the Apache License, Version 2.0 (the "License");
+     you may not use this file except in compliance with the License.
+     You may obtain a copy of the License at
+
+          http://www.apache.org/licenses/LICENSE-2.0
+
+     Unless required by applicable law or agreed to in writing, software
+     distributed under the License is distributed on an "AS IS" BASIS,
+     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+     See the License for the specific language governing permissions and
+     limitations under the License.
+-->
+<fuzz_config>
+  <fuzztest>
+    <!-- maximum length of a test input -->
+    <max_len>1000</max_len>
+    <!-- maximum total time in seconds to run the fuzzer -->
+    <max_total_time>300</max_total_time>
+    <!-- memory usage limit in Mb -->
+    <rss_limit_mb>4096</rss_limit_mb>
+  </fuzztest>
+</fuzz_config>
diff --git a/test/fuzztest/services/accesstoken/setpermissionstatuswithpolicystub_fuzzer/setpermissionstatuswithpolicystub_fuzzer.cpp b/test/fuzztest/services/accesstoken/setpermissionstatuswithpolicystub_fuzzer/setpermissionstatuswithpolicystub_fuzzer.cpp
new file mode 100644
index 000000000..abab4357a
--- /dev/null
+++ b/test/fuzztest/services/accesstoken/setpermissionstatuswithpolicystub_fuzzer/setpermissionstatuswithpolicystub_fuzzer.cpp
@@ -0,0 +1,81 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "setpermissionstatuswithpolicystub_fuzzer.h"
+
+#include <vector>
+
+#include "access_token.h"
+#include "accesstoken_manager_service.h"
+#include "fuzzer/FuzzedDataProvider.h"
+#include "iaccess_token_manager.h"
+
+using namespace std;
+using namespace OHOS::Security::AccessToken;
+
+const int CONSTANTS_NUMBER_ONE = 1;
+const int CONSTANTS_NUMBER_TEN = 10;
+const uint32_t MAX_PERMISSION_LIST_SIZE = 1024;
+static const int32_t ROOT_UID = 0;
+
+namespace OHOS {
+bool SetPermissionStatusWithPolicyStubFuzzTest(const uint8_t* data, size_t size)
+{
+    if ((data == nullptr) || (size == 0)) {
+        return false;
+    }
+
+    FuzzedDataProvider provider(data, size);
+    AccessTokenID tokenId = provider.ConsumeIntegral<AccessTokenID>();
+    uint32_t permListSize =
+        provider.ConsumeIntegralInRange<uint32_t>(CONSTANTS_NUMBER_ONE, MAX_PERMISSION_LIST_SIZE);
+    std::vector<std::string> permissionList;
+    for (size_t i = 0; i < permListSize; i++) {
+        std::string permission = provider.ConsumeRandomLengthString();
+        if (!permission.empty()) {
+            permissionList.push_back(permission);
+        }
+    }
+    uint32_t flag = static_cast<uint32_t>(TypePermissionFlag::PERMISSION_FIXED_BY_ADMIN_POLICY);
+    int32_t status = TypePermissionState::PERMISSION_DENIED;
+    MessageParcel datas;
+    if (!datas.WriteInterfaceToken(IAccessTokenManager::GetDescriptor())) {
+        return false;
+    }
+    if (!datas.WriteUint32(tokenId) || !datas.WriteStringVector(permissionList) ||
+        !datas.WriteUint32(status) || !datas.WriteInt32(flag)) {
+        return false;
+    }
+
+    uint32_t code = static_cast<uint32_t>(IAccessTokenManagerIpcCode::COMMAND_SET_PERMISSION_STATUS_WITH_POLICY);
+
+    MessageParcel reply;
+    MessageOption option;
+    if (((provider.ConsumeIntegral<int32_t>() % CONSTANTS_NUMBER_TEN) == 0)) {
+        setuid(CONSTANTS_NUMBER_TEN);
+    }
+    DelayedSingleton<AccessTokenManagerService>::GetInstance()->OnRemoteRequest(code, datas, reply, option);
+    setuid(ROOT_UID);
+    return true;
+}
+} // namespace OHOS
+
+/* Fuzzer entry point */
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
+{
+    /* Run your code on data */
+    OHOS::SetPermissionStatusWithPolicyStubFuzzTest(data, size);
+    return 0;
+}
diff --git a/test/fuzztest/services/accesstoken/setpermissionstatuswithpolicystub_fuzzer/setpermissionstatuswithpolicystub_fuzzer.h b/test/fuzztest/services/accesstoken/setpermissionstatuswithpolicystub_fuzzer/setpermissionstatuswithpolicystub_fuzzer.h
new file mode 100644
index 000000000..100e7a292
--- /dev/null
+++ b/test/fuzztest/services/accesstoken/setpermissionstatuswithpolicystub_fuzzer/setpermissionstatuswithpolicystub_fuzzer.h
@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef TEST_FUZZTEST_SETPERMISSIONSTATUSWITHPOLICYSTUB_FUZZER_H
+#define TEST_FUZZTEST_SETPERMISSIONSTATUSWITHPOLICYSTUB_FUZZER_H
+
+#define FUZZ_PROJECT_NAME "setpermissionstatuswithpolicystub_fuzzer"
+
+#endif // TEST_FUZZTEST_SETPERMISSIONSTATUSWITHPOLICYSTUB_FUZZER_H
-- 
Gitee