diff --git a/test/fuzztest/services/BUILD.gn b/test/fuzztest/services/BUILD.gn index 55c38be0c6f4a427087be848dd14e2f9b321687a..726f52366330cfd65b4b80d95f3b8851e479dc02 100644 --- a/test/fuzztest/services/BUILD.gn +++ b/test/fuzztest/services/BUILD.gn @@ -19,6 +19,7 @@ group("fuzztest") { testonly = true deps = [ "createdatachannelstub_fuzzer:fuzztest", + "destroyclientremoteobjectstub_fuzzer:fuzztest", "disableactiveinfocbstub_fuzzer:fuzztest", "enableactiveinfocbstub_fuzzer:fuzztest", "getactiveinfoliststub_fuzzer:fuzztest", @@ -38,6 +39,7 @@ group("fuzztest") { "service/reportonchangedata_fuzzer:fuzztest", "service/reportsensorsysevent_fuzzer:fuzztest", "service/setdevicestatusservice_fuzzer:fuzztest", + "setdevicestatusstub_fuzzer:fuzztest", "suspendsensorsstub_fuzzer:fuzztest", "transferclientremoteobjectstub_fuzzer:fuzztest", ] diff --git a/test/fuzztest/services/destroyclientremoteobjectstub_fuzzer/BUILD.gn b/test/fuzztest/services/destroyclientremoteobjectstub_fuzzer/BUILD.gn new file mode 100644 index 0000000000000000000000000000000000000000..0e29a9b44f6ad76e577bc6f54f4d6d0b3c542c11 --- /dev/null +++ b/test/fuzztest/services/destroyclientremoteobjectstub_fuzzer/BUILD.gn @@ -0,0 +1,77 @@ +# Copyright (c) 2025 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import("//build/config/features.gni") +import("//build/ohos.gni") +import("//build/test.gni") +import("./../../../../sensor.gni") + +ohos_fuzztest("DestroyClientRemoteObjectStubFuzzTest") { + module_out_path = FUZZ_MODULE_OUT_PATH + + fuzz_config_file = + "$SUBSYSTEM_DIR/test/fuzztest/services/destroyclientremoteobjectstub_fuzzer" + + include_dirs = [ + "$SUBSYSTEM_DIR/frameworks/native/include", + "$SUBSYSTEM_DIR/interfaces/inner_api", + "$SUBSYSTEM_DIR/services/hdi_connection/interface/include", + "$SUBSYSTEM_DIR/services/hdi_connection/adapter/include", + "$SUBSYSTEM_DIR/services/hdi_connection/hardware/include", + "$SUBSYSTEM_DIR/services/include", + "$SUBSYSTEM_DIR/test/fuzztest/services/destroyclientremoteobjectstub_fuzzer", + "$SUBSYSTEM_DIR/utils/common/include", + "$SUBSYSTEM_DIR/utils/ipc/include", + ] + + cflags = [ + "-g", + "-O0", + "-Wno-unused-variable", + "-fno-omit-frame-pointer", + ] + + sources = [ "destroyclientremoteobjectstub_fuzzer.cpp" ] + + defines = sensor_default_defines + + deps = [ + "$SUBSYSTEM_DIR/frameworks/native:sensor_interface_native", + "$SUBSYSTEM_DIR/frameworks/native:sensor_service_stub", + "$SUBSYSTEM_DIR/services:libsensor_service_static", + "$SUBSYSTEM_DIR/utils/common:libsensor_utils", + "$SUBSYSTEM_DIR/utils/ipc:libsensor_ipc", + ] + + external_deps = [ + "access_token:libaccesstoken_sdk", + "access_token:libnativetoken_shared", + "access_token:libtokensetproc_shared", + "c_utils:utils", + "cJSON:cjson_static", + "drivers_interface_sensor:libsensor_proxy_3.0", + "hilog:libhilog", + "ipc:ipc_single", + "safwk:system_ability_fwk", + "samgr:samgr_proxy", + "selinux_adapter:librestorecon", + ] +} + +group("fuzztest") { + testonly = true + deps = [ + # deps file + ":DestroyClientRemoteObjectStubFuzzTest", + ] +} diff --git a/test/fuzztest/services/destroyclientremoteobjectstub_fuzzer/corpus/init b/test/fuzztest/services/destroyclientremoteobjectstub_fuzzer/corpus/init new file mode 100644 index 0000000000000000000000000000000000000000..65af8ee8d11bf23407ea34d4de49f7cbb6a2b791 --- /dev/null +++ b/test/fuzztest/services/destroyclientremoteobjectstub_fuzzer/corpus/init @@ -0,0 +1,14 @@ +# Copyright (c) 2025 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +FUZZ \ No newline at end of file diff --git a/test/fuzztest/services/destroyclientremoteobjectstub_fuzzer/destroyclientremoteobjectstub_fuzzer.cpp b/test/fuzztest/services/destroyclientremoteobjectstub_fuzzer/destroyclientremoteobjectstub_fuzzer.cpp new file mode 100644 index 0000000000000000000000000000000000000000..6eecd2780577b4a52ce605c5a163a05b1518cebd --- /dev/null +++ b/test/fuzztest/services/destroyclientremoteobjectstub_fuzzer/destroyclientremoteobjectstub_fuzzer.cpp @@ -0,0 +1,112 @@ +/* + * Copyright (c) 2025 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "destroyclientremoteobjectstub_fuzzer.h" + +#include +#include + +#include "accesstoken_kit.h" +#include "message_parcel.h" +#include "nativetoken_kit.h" +#include "securec.h" +#include "token_setproc.h" + +#include "sensor.h" +#include "sensor_service.h" + +namespace OHOS { +namespace Sensors { +using namespace Security::AccessToken; +using Security::AccessToken::AccessTokenID; +namespace { +constexpr size_t U32_AT_SIZE = 4; +auto g_service = SensorDelayedSpSingleton::GetInstance(); +const std::u16string SENSOR_INTERFACE_TOKEN = u"OHOS.Sensors.ISensorService"; +static sptr g_remote = new (std::nothrow) IPCObjectStub(); +} // namespace + +void SetUpTestCase() +{ + const char **perms = new (std::nothrow) const char *[2]; + if (perms == nullptr) { + return; + } + perms[0] = "ohos.permission.ACCELEROMETER"; + perms[1] = "ohos.permission.MANAGE_SENSOR"; + TokenInfoParams infoInstance = { + .dcapsNum = 0, + .permsNum = 2, + .aclsNum = 0, + .dcaps = nullptr, + .perms = perms, + .acls = nullptr, + .processName = "CreateDataChannelStubFuzzTest", + .aplStr = "system_core", + }; + uint64_t tokenId = GetAccessTokenId(&infoInstance); + SetSelfTokenID(tokenId); + AccessTokenKit::ReloadNativeTokenInfo(); + delete[] perms; +} + +template +size_t GetObject(T &object, const uint8_t *data, size_t size) +{ + size_t objectSize = sizeof(object); + if (objectSize > size) { + return 0; + } + errno_t ret = memcpy_s(&object, objectSize, data, objectSize); + if (ret != EOK) { + return 0; + } + return objectSize; +} + +bool OnRemoteRequestFuzzTest(const uint8_t *data, size_t size) +{ + SetUpTestCase(); + if (g_remote == nullptr || g_service == nullptr) { + return false; + } + MessageParcel datas; + datas.WriteInterfaceToken(SENSOR_INTERFACE_TOKEN); + datas.WriteRemoteObject(g_remote); + datas.RewindRead(0); + MessageParcel reply; + MessageOption option; + g_service->OnRemoteRequest(static_cast(ISensorServiceIpcCode::COMMAND_DESTROY_CLIENT_REMOTE_OBJECT), + datas, reply, option); + return true; +} +} // namespace Sensors +} // namespace OHOS + +extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) +{ + /* Run your code on data */ + if (data == nullptr) { + return 0; + } + + /* Validate the length of size */ + if (size < OHOS::Sensors::U32_AT_SIZE) { + return 0; + } + + OHOS::Sensors::OnRemoteRequestFuzzTest(data, size); + return 0; +} \ No newline at end of file diff --git a/test/fuzztest/services/destroyclientremoteobjectstub_fuzzer/destroyclientremoteobjectstub_fuzzer.h b/test/fuzztest/services/destroyclientremoteobjectstub_fuzzer/destroyclientremoteobjectstub_fuzzer.h new file mode 100644 index 0000000000000000000000000000000000000000..ae44f1ceab24f47d3957287b17cf727f4b09ec8e --- /dev/null +++ b/test/fuzztest/services/destroyclientremoteobjectstub_fuzzer/destroyclientremoteobjectstub_fuzzer.h @@ -0,0 +1,21 @@ +/* + * Copyright (c) 2025 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef DESTROY_CLIENT_REMOTE_OBJECT_STUB_FUZZER_H +#define DESTROY_CLIENT_REMOTE_OBJECT_STUB_FUZZER_H + +#define FUZZ_PROJECT_NAME "destroyclientremoteobjectstub_fuzzer" + +#endif // DESTROY_CLIENT_REMOTE_OBJECT_STUB_FUZZER_H diff --git a/test/fuzztest/services/destroyclientremoteobjectstub_fuzzer/project.xml b/test/fuzztest/services/destroyclientremoteobjectstub_fuzzer/project.xml new file mode 100644 index 0000000000000000000000000000000000000000..2eb360c27f1b159e1b043e38846f10fcf37fa37c --- /dev/null +++ b/test/fuzztest/services/destroyclientremoteobjectstub_fuzzer/project.xml @@ -0,0 +1,25 @@ + + + + + + 1000 + + 120 + + 2048 + + diff --git a/test/fuzztest/services/setdevicestatusstub_fuzzer/BUILD.gn b/test/fuzztest/services/setdevicestatusstub_fuzzer/BUILD.gn new file mode 100644 index 0000000000000000000000000000000000000000..71f01582b35223b0fd0e257f2b5ad73a0bc06a00 --- /dev/null +++ b/test/fuzztest/services/setdevicestatusstub_fuzzer/BUILD.gn @@ -0,0 +1,77 @@ +# Copyright (c) 2025 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import("//build/config/features.gni") +import("//build/ohos.gni") +import("//build/test.gni") +import("./../../../../sensor.gni") + +ohos_fuzztest("SetDeviceStatusStubFuzzTest") { + module_out_path = FUZZ_MODULE_OUT_PATH + + fuzz_config_file = + "$SUBSYSTEM_DIR/test/fuzztest/services/setdevicestatusstub_fuzzer" + + include_dirs = [ + "$SUBSYSTEM_DIR/frameworks/native/include", + "$SUBSYSTEM_DIR/interfaces/inner_api", + "$SUBSYSTEM_DIR/services/hdi_connection/interface/include", + "$SUBSYSTEM_DIR/services/hdi_connection/adapter/include", + "$SUBSYSTEM_DIR/services/hdi_connection/hardware/include", + "$SUBSYSTEM_DIR/services/include", + "$SUBSYSTEM_DIR/test/fuzztest/services/setdevicestatusstub_fuzzer", + "$SUBSYSTEM_DIR/utils/common/include", + "$SUBSYSTEM_DIR/utils/ipc/include", + ] + + cflags = [ + "-g", + "-O0", + "-Wno-unused-variable", + "-fno-omit-frame-pointer", + ] + + sources = [ "setdevicestatusstub_fuzzer.cpp" ] + + defines = sensor_default_defines + + deps = [ + "$SUBSYSTEM_DIR/frameworks/native:sensor_interface_native", + "$SUBSYSTEM_DIR/frameworks/native:sensor_service_stub", + "$SUBSYSTEM_DIR/services:libsensor_service_static", + "$SUBSYSTEM_DIR/utils/common:libsensor_utils", + "$SUBSYSTEM_DIR/utils/ipc:libsensor_ipc", + ] + + external_deps = [ + "access_token:libaccesstoken_sdk", + "access_token:libnativetoken_shared", + "access_token:libtokensetproc_shared", + "c_utils:utils", + "cJSON:cjson_static", + "drivers_interface_sensor:libsensor_proxy_3.0", + "hilog:libhilog", + "ipc:ipc_single", + "safwk:system_ability_fwk", + "samgr:samgr_proxy", + "selinux_adapter:librestorecon", + ] +} + +group("fuzztest") { + testonly = true + deps = [ + # deps file + ":SetDeviceStatusStubFuzzTest", + ] +} diff --git a/test/fuzztest/services/setdevicestatusstub_fuzzer/corpus/init b/test/fuzztest/services/setdevicestatusstub_fuzzer/corpus/init new file mode 100644 index 0000000000000000000000000000000000000000..65af8ee8d11bf23407ea34d4de49f7cbb6a2b791 --- /dev/null +++ b/test/fuzztest/services/setdevicestatusstub_fuzzer/corpus/init @@ -0,0 +1,14 @@ +# Copyright (c) 2025 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +FUZZ \ No newline at end of file diff --git a/test/fuzztest/services/setdevicestatusstub_fuzzer/project.xml b/test/fuzztest/services/setdevicestatusstub_fuzzer/project.xml new file mode 100644 index 0000000000000000000000000000000000000000..2eb360c27f1b159e1b043e38846f10fcf37fa37c --- /dev/null +++ b/test/fuzztest/services/setdevicestatusstub_fuzzer/project.xml @@ -0,0 +1,25 @@ + + + + + + 1000 + + 120 + + 2048 + + diff --git a/test/fuzztest/services/setdevicestatusstub_fuzzer/setdevicestatusstub_fuzzer.cpp b/test/fuzztest/services/setdevicestatusstub_fuzzer/setdevicestatusstub_fuzzer.cpp new file mode 100644 index 0000000000000000000000000000000000000000..031dbfa7247a64d2fab818a44e2b433abda421ef --- /dev/null +++ b/test/fuzztest/services/setdevicestatusstub_fuzzer/setdevicestatusstub_fuzzer.cpp @@ -0,0 +1,113 @@ +/* + * Copyright (c) 2025 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "setdevicestatusstub_fuzzer.h" + +#include +#include + +#include "accesstoken_kit.h" +#include "message_parcel.h" +#include "nativetoken_kit.h" +#include "securec.h" +#include "token_setproc.h" + +#include "sensor.h" +#include "sensor_service.h" + +namespace OHOS { +namespace Sensors { +using namespace Security::AccessToken; +using Security::AccessToken::AccessTokenID; +namespace { +constexpr size_t U32_AT_SIZE = 4; +auto g_service = SensorDelayedSpSingleton::GetInstance(); +const std::u16string SENSOR_INTERFACE_TOKEN = u"OHOS.Sensors.ISensorService"; +} // namespace + +template +size_t GetObject(T &object, const uint8_t *data, size_t size) +{ + size_t objectSize = sizeof(object); + if (objectSize > size) { + return 0; + } + errno_t ret = memcpy_s(&object, objectSize, data, objectSize); + if (ret != EOK) { + return 0; + } + return objectSize; +} + +void SetUpTestCase() +{ + const char **perms = new (std::nothrow) const char *[2]; + if (perms == nullptr) { + return; + } + perms[0] = "ohos.permission.ACCELEROMETER"; + perms[1] = "ohos.permission.MANAGE_SENSOR"; + TokenInfoParams infoInstance = { + .dcapsNum = 0, + .permsNum = 2, + .aclsNum = 0, + .dcaps = nullptr, + .perms = perms, + .acls = nullptr, + .processName = "SetDeviceStatusServiceFuzzTest", + .aplStr = "system_core", + }; + uint64_t tokenId = GetAccessTokenId(&infoInstance); + SetSelfTokenID(tokenId); + AccessTokenKit::ReloadNativeTokenInfo(); + delete[] perms; +} + +bool SetDeviceStatusFuzzTest(const uint8_t *data, size_t size) +{ + SetUpTestCase(); + if (g_service == nullptr) { + return false; + } + MessageParcel datas; + datas.WriteInterfaceToken(SENSOR_INTERFACE_TOKEN); + int32_t deviceStatus = 0; + GetObject(deviceStatus, data, size); + datas.WriteInt32(deviceStatus); + datas.RewindRead(0); + MessageParcel reply; + MessageOption option; + g_service->OnRemoteRequest(static_cast(ISensorServiceIpcCode::COMMAND_SET_DEVICE_STATUS), + datas, reply, option); + return true; +} +} // namespace Sensors +} // namespace OHOS + +extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) +{ + /* Run your code on data */ + if (data == nullptr) { + return 0; + } + + /* Validate the length of size */ + if (size < OHOS::Sensors::U32_AT_SIZE) { + return 0; + } + + OHOS::Sensors::SetDeviceStatusFuzzTest(data, size); + return 0; +} diff --git a/test/fuzztest/services/setdevicestatusstub_fuzzer/setdevicestatusstub_fuzzer.h b/test/fuzztest/services/setdevicestatusstub_fuzzer/setdevicestatusstub_fuzzer.h new file mode 100644 index 0000000000000000000000000000000000000000..e211c8dc3dd83c03b889b257efc1fa3da923483c --- /dev/null +++ b/test/fuzztest/services/setdevicestatusstub_fuzzer/setdevicestatusstub_fuzzer.h @@ -0,0 +1,21 @@ +/* + * Copyright (c) 2025 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef SET_DEVICE_STATUS_STUB_FUZZER_H +#define SET_DEVICE_STATUS_STUB_FUZZER_H + +#define FUZZ_PROJECT_NAME "setdevicestatusstub_fuzzer" + +#endif // SET_DEVICE_STATUS_STUB_FUZZER_H