diff --git a/test/fuzztest/BUILD.gn b/test/fuzztest/BUILD.gn index 8468e7fbd79380495fd33d6aeaf10d4b3e107884..fd52f2bcf2b311d31d4b7d2f68de6f88a8c414ea 100644 --- a/test/fuzztest/BUILD.gn +++ b/test/fuzztest/BUILD.gn @@ -69,6 +69,7 @@ group("fuzztest") { "ipc/native/src/mock/dbinderservicestubmock:DBinderServiceStubMockFuzzTest", "ipc/native/src/mock/dbinderremotelistenermock_fuzzer:DBinderRemoteListenerMockFuzzTest", "ipc/native/src/mock/dbinderservicemock:dbinderservicemockfuzz", + "ipc/native/src/mock/binderinvokermock:binderinvokermockfuzz", "ipc/native/src/mock/dbinderdatabusinvokermock:dbinderdatabusinvokermockfuzz", "ipc/native/src/mock/ipcobjectproxymock:ipcobjectproxymockfuzz", "ipc/native/src/mock/dbindercallbackstubmock:dbindercallbackstubmockfuzz", diff --git a/test/fuzztest/ipc/native/src/mock/binderinvokermock/BUILD.gn b/test/fuzztest/ipc/native/src/mock/binderinvokermock/BUILD.gn new file mode 100644 index 0000000000000000000000000000000000000000..b3a62fbf4b75afb7ea4ebe7e5c4454a349a248c5 --- /dev/null +++ b/test/fuzztest/ipc/native/src/mock/binderinvokermock/BUILD.gn @@ -0,0 +1,21 @@ +# Copyright (c) 2025 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +##############################fuzztest########################################## +group("binderinvokermockfuzz") { + testonly = true + deps = [ + "binderinvokermock001_fuzzer:BinderInvokerMock001FuzzTest", + "binderinvokermock002_fuzzer:BinderInvokerMock002FuzzTest", + ] +} \ No newline at end of file diff --git a/test/fuzztest/ipc/native/src/mock/binderinvokermock/binderinvokermock001_fuzzer/BUILD.gn b/test/fuzztest/ipc/native/src/mock/binderinvokermock/binderinvokermock001_fuzzer/BUILD.gn new file mode 100644 index 0000000000000000000000000000000000000000..5cfb5bcb19668749b5fecc39d1ebc472c95a6e04 --- /dev/null +++ b/test/fuzztest/ipc/native/src/mock/binderinvokermock/binderinvokermock001_fuzzer/BUILD.gn @@ -0,0 +1,44 @@ +# Copyright (c) 2025 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#####################hydra-fuzz################### +import("//build/config/features.gni") +import("//build/test.gni") +import("../../../../../../../../config.gni") + +##############################fuzztest########################################## +ohos_fuzztest("BinderInvokerMock001FuzzTest") { + module_out_path = "ipc/ipc" + fuzz_config_file = "../binderinvokermock001_fuzzer" + defines = [ + "private = public", + "protected = public", + ] + include_dirs = [ + "../include", + "$IPC_ROOT_PATH/utils/include", + ] + sources = [ "binderinvokermock001_fuzzer.cpp" ] + deps = [ + "$IPC_ROOT_PATH/interfaces/innerkits/ipc_single:ipc_single_test", + "$IPC_ROOT_PATH/ipc/native/src/core:ipc_common", + ] + external_deps = [ + "c_utils:utils", + "hilog:libhilog", + "googletest:gmock", + "googletest:gtest", + "hitrace:libhitracechain", + ] + resource_config_file = "$IPC_ROOT_PATH/test/resource/ipc/ohos_test.xml" +} \ No newline at end of file diff --git a/test/fuzztest/ipc/native/src/mock/binderinvokermock/binderinvokermock001_fuzzer/binderinvokermock001_fuzzer.cpp b/test/fuzztest/ipc/native/src/mock/binderinvokermock/binderinvokermock001_fuzzer/binderinvokermock001_fuzzer.cpp new file mode 100644 index 0000000000000000000000000000000000000000..e55dffd5476c16ce4602977884f9182d410d4e6e --- /dev/null +++ b/test/fuzztest/ipc/native/src/mock/binderinvokermock/binderinvokermock001_fuzzer/binderinvokermock001_fuzzer.cpp @@ -0,0 +1,217 @@ +/* + * Copyright (c) 2025 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "binderinvokermock_fuzzer.h" + +using namespace testing; +using namespace testing::ext; + +namespace OHOS { +class BinderInvokerInterface { +public: + BinderInvokerInterface() {}; + virtual ~BinderInvokerInterface() {}; + + virtual bool WriteUint32(uint32_t value) = 0; + virtual bool WriteInt32(int32_t value) = 0; + virtual bool RewindWrite(size_t newPosition) = 0; + virtual bool WritePointer(uintptr_t value) = 0; + virtual int FlushCommands(IRemoteObject *object) = 0; +}; + +class BinderInvokerInterfaceMock : public BinderInvokerInterface { +public: + BinderInvokerInterfaceMock(); + ~BinderInvokerInterfaceMock() override; + + MOCK_METHOD(bool, WriteUint32, (uint32_t value), (override)); + MOCK_METHOD(bool, WriteInt32, (int32_t value), (override)); + MOCK_METHOD(bool, RewindWrite, (size_t newPosition), (override)); + MOCK_METHOD(bool, WritePointer, (uintptr_t value), (override)); + MOCK_METHOD(int, FlushCommands, (IRemoteObject * object), (override)); +}; + +static void *g_interface = nullptr; + +BinderInvokerInterfaceMock::BinderInvokerInterfaceMock() +{ + g_interface = reinterpret_cast(this); +} + +BinderInvokerInterfaceMock::~BinderInvokerInterfaceMock() +{ + g_interface = nullptr; +} + +static BinderInvokerInterfaceMock *GetBinderInvokerInterfaceMock() +{ + return reinterpret_cast(g_interface); +} + +extern "C" { +bool Parcel::WriteUint32(uint32_t value) +{ + if (g_interface == nullptr) { + return false; + } + return GetBinderInvokerInterfaceMock()->WriteUint32(value); +} + +bool Parcel::WriteInt32(int32_t value) +{ + if (g_interface == nullptr) { + return false; + } + return GetBinderInvokerInterfaceMock()->WriteInt32(value); +} + +bool Parcel::RewindWrite(size_t newPosition) +{ + if (g_interface == nullptr) { + return false; + } + return GetBinderInvokerInterfaceMock()->RewindWrite(newPosition); +} + +bool Parcel::WritePointer(uintptr_t value) +{ + if (g_interface == nullptr) { + return false; + } + return GetBinderInvokerInterfaceMock()->WritePointer(value); +} + +int BinderInvoker::FlushCommands(IRemoteObject *object) +{ + if (g_interface == nullptr) { + return false; + } + return GetBinderInvokerInterfaceMock()->FlushCommands(object); +} +} + +static void AcquireHandleFuzzTest(FuzzedDataProvider &provider) +{ + int32_t handle = provider.ConsumeIntegral(); + BinderInvoker invoker; + NiceMock mock; + EXPECT_CALL(mock, WriteUint32(BC_ACQUIRE)).WillOnce(Return(false)); + invoker.AcquireHandle(handle); + + EXPECT_CALL(mock, WriteUint32(BC_ACQUIRE)).WillOnce(Return(true)); + EXPECT_CALL(mock, WriteInt32(handle)).WillOnce(Return(false)); + EXPECT_CALL(mock, RewindWrite(_)).WillOnce(Return(false)); + invoker.AcquireHandle(handle); +} + +static void ReleaseHandleFuzzTest(FuzzedDataProvider &provider) +{ + int32_t handle = provider.ConsumeIntegral(); + BinderInvoker invoker; + NiceMock mock; + EXPECT_CALL(mock, WriteUint32(BC_RELEASE)).WillOnce(Return(false)); + invoker.ReleaseHandle(handle); + + EXPECT_CALL(mock, WriteUint32(BC_RELEASE)).WillOnce(Return(true)); + EXPECT_CALL(mock, WriteInt32(handle)).WillOnce(Return(false)); + EXPECT_CALL(mock, RewindWrite(_)).WillOnce(Return(false)); + invoker.ReleaseHandle(handle); +} + +static void AddDeathRecipientFuzzTest(FuzzedDataProvider &provider) +{ + int32_t handle = provider.ConsumeIntegral(); + BinderInvoker invoker; + NiceMock mock; + EXPECT_CALL(mock, WriteInt32(BC_REQUEST_DEATH_NOTIFICATION)).WillOnce(Return(false)); + invoker.AddDeathRecipient(handle, nullptr); + + EXPECT_CALL(mock, WriteInt32(BC_REQUEST_DEATH_NOTIFICATION)).WillOnce(Return(true)); + EXPECT_CALL(mock, WriteInt32(handle)).WillOnce(Return(false)); + EXPECT_CALL(mock, RewindWrite(_)).WillOnce(Return(false)); + invoker.AddDeathRecipient(handle, nullptr); + + EXPECT_CALL(mock, WriteInt32(BC_REQUEST_DEATH_NOTIFICATION)).WillOnce(Return(true)); + EXPECT_CALL(mock, WriteInt32(handle)).WillOnce(Return(true)); + EXPECT_CALL(mock, WritePointer(_)).WillOnce(Return(false)); + EXPECT_CALL(mock, RewindWrite(_)).WillOnce(Return(false)); + invoker.AddDeathRecipient(handle, nullptr); +} + +static void RemoveDeathRecipientFuzzTest(FuzzedDataProvider &provider) +{ + int32_t handle = provider.ConsumeIntegral(); + BinderInvoker invoker; + NiceMock mock; + EXPECT_CALL(mock, WriteInt32(BC_CLEAR_DEATH_NOTIFICATION)).WillOnce(Return(false)); + invoker.RemoveDeathRecipient(handle, nullptr); + + EXPECT_CALL(mock, WriteInt32(BC_CLEAR_DEATH_NOTIFICATION)).WillOnce(Return(true)); + EXPECT_CALL(mock, WriteInt32(handle)).WillOnce(Return(false)); + EXPECT_CALL(mock, RewindWrite(_)).WillOnce(Return(false)); + invoker.RemoveDeathRecipient(handle, nullptr); + + EXPECT_CALL(mock, WriteInt32(BC_CLEAR_DEATH_NOTIFICATION)).WillOnce(Return(true)); + EXPECT_CALL(mock, WriteInt32(handle)).WillOnce(Return(true)); + EXPECT_CALL(mock, WritePointer(_)).WillOnce(Return(false)); + EXPECT_CALL(mock, RewindWrite(_)).WillOnce(Return(false)); + invoker.RemoveDeathRecipient(handle, nullptr); + + EXPECT_CALL(mock, WriteInt32(BC_CLEAR_DEATH_NOTIFICATION)).WillOnce(Return(true)); + EXPECT_CALL(mock, WriteInt32(handle)).WillOnce(Return(true)); + EXPECT_CALL(mock, WritePointer(_)).WillOnce(Return(true)); + EXPECT_CALL(mock, FlushCommands(_)).WillOnce(Return(-1)); + invoker.RemoveDeathRecipient(handle, nullptr); +} + +static void WriteTransactionFuzzTest(FuzzedDataProvider &provider) +{ + MessageParcel dataParcel; + size_t bytesSize = provider.ConsumeIntegralInRange(MIN_BYTE_SIZE, MAX_BYTE_SIZE); + std::vector bytes = provider.ConsumeBytes(bytesSize); + dataParcel.WriteBuffer(bytes.data(), bytes.size()); + int cmd = provider.ConsumeIntegral(); + uint32_t flags = provider.ConsumeIntegral(); + int32_t handle = provider.ConsumeIntegral(); + uint32_t code = provider.ConsumeIntegral(); + size_t statusSize = provider.ConsumeIntegralInRange(MIN_BYTE_SIZE, MAX_BYTE_SIZE); + std::vector statusBytes = provider.ConsumeBytes(statusSize); + int32_t *status = reinterpret_cast(statusBytes.data()); + size_t totalDBinderBufSize = provider.ConsumeIntegralInRange(MIN_BYTE_SIZE, MAX_BYTE_SIZE); + + NiceMock mock; + EXPECT_CALL(mock, WriteInt32).WillOnce(Return(false)); + BinderInvoker invoker; + invoker.WriteTransaction(cmd, flags, handle, code, dataParcel, status, totalDBinderBufSize); + + EXPECT_CALL(mock, WriteInt32).WillRepeatedly(testing::Return(true)); + invoker.WriteTransaction(cmd, flags, handle, code, dataParcel, status, totalDBinderBufSize); + // Overwrite the special branch and call it twice. + invoker.WriteTransaction(cmd, flags, handle, code, dataParcel, status, totalDBinderBufSize); +} +} // namespace OHOS + +/* Fuzzer entry point */ +extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) +{ + /* Run your code on data */ + FuzzedDataProvider provider(data, size); + OHOS::AcquireHandleFuzzTest(provider); + OHOS::ReleaseHandleFuzzTest(provider); + OHOS::AddDeathRecipientFuzzTest(provider); + OHOS::RemoveDeathRecipientFuzzTest(provider); + OHOS::WriteTransactionFuzzTest(provider); + return 0; +} \ No newline at end of file diff --git a/test/fuzztest/ipc/native/src/mock/binderinvokermock/binderinvokermock001_fuzzer/corpus/init b/test/fuzztest/ipc/native/src/mock/binderinvokermock/binderinvokermock001_fuzzer/corpus/init new file mode 100644 index 0000000000000000000000000000000000000000..7ade8a0faafeaedba7241e7d4a97b8e1f9691932 --- /dev/null +++ b/test/fuzztest/ipc/native/src/mock/binderinvokermock/binderinvokermock001_fuzzer/corpus/init @@ -0,0 +1,16 @@ +/* + * Copyright (c) 2025 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +FUZZ \ No newline at end of file diff --git a/test/fuzztest/ipc/native/src/mock/binderinvokermock/binderinvokermock001_fuzzer/project.xml b/test/fuzztest/ipc/native/src/mock/binderinvokermock/binderinvokermock001_fuzzer/project.xml new file mode 100644 index 0000000000000000000000000000000000000000..226522bd2ad3eaf2db4f710f1924d82d2912c235 --- /dev/null +++ b/test/fuzztest/ipc/native/src/mock/binderinvokermock/binderinvokermock001_fuzzer/project.xml @@ -0,0 +1,25 @@ + + + + + + 10000 + + 300 + + 4096 + + diff --git a/test/fuzztest/ipc/native/src/mock/binderinvokermock/binderinvokermock002_fuzzer/BUILD.gn b/test/fuzztest/ipc/native/src/mock/binderinvokermock/binderinvokermock002_fuzzer/BUILD.gn new file mode 100644 index 0000000000000000000000000000000000000000..51b5e6e9b126ff5440f584f6420fbebdd3da396a --- /dev/null +++ b/test/fuzztest/ipc/native/src/mock/binderinvokermock/binderinvokermock002_fuzzer/BUILD.gn @@ -0,0 +1,44 @@ +# Copyright (c) 2025 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#####################hydra-fuzz################### +import("//build/config/features.gni") +import("//build/test.gni") +import("../../../../../../../../config.gni") + +##############################fuzztest########################################## +ohos_fuzztest("BinderInvokerMock002FuzzTest") { + module_out_path = "ipc/ipc" + fuzz_config_file = "../binderinvokermock002_fuzzer" + defines = [ + "private = public", + "protected = public", + ] + include_dirs = [ + "../include", + "$IPC_ROOT_PATH/utils/include", + ] + sources = [ "binderinvokermock002_fuzzer.cpp" ] + deps = [ + "$IPC_ROOT_PATH/interfaces/innerkits/ipc_single:ipc_single_test", + "$IPC_ROOT_PATH/ipc/native/src/core:ipc_common", + ] + external_deps = [ + "c_utils:utils", + "hilog:libhilog", + "googletest:gmock", + "googletest:gtest", + "hitrace:libhitracechain", + ] + resource_config_file = "$IPC_ROOT_PATH/test/resource/ipc/ohos_test.xml" +} \ No newline at end of file diff --git a/test/fuzztest/ipc/native/src/mock/binderinvokermock/binderinvokermock002_fuzzer/binderinvokermock002_fuzzer.cpp b/test/fuzztest/ipc/native/src/mock/binderinvokermock/binderinvokermock002_fuzzer/binderinvokermock002_fuzzer.cpp new file mode 100644 index 0000000000000000000000000000000000000000..edd4ab24cb91da44cba6cf65c67bb677c70c657d --- /dev/null +++ b/test/fuzztest/ipc/native/src/mock/binderinvokermock/binderinvokermock002_fuzzer/binderinvokermock002_fuzzer.cpp @@ -0,0 +1,186 @@ +/* + * Copyright (c) 2025 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "binderinvokermock_fuzzer.h" + +using namespace testing; +using namespace testing::ext; + +namespace OHOS { +class BinderInvokerInterface { +public: + BinderInvokerInterface() {}; + virtual ~BinderInvokerInterface() {}; + + virtual bool WriteUint32(uint32_t value) = 0; + virtual bool RewindWrite(size_t newPosition) = 0; + virtual bool WritePointer(uintptr_t value) = 0; + virtual int FlushCommands(IRemoteObject *object) = 0; + virtual int SendRequest(int handle, uint32_t code, MessageParcel &data, MessageParcel &reply, + MessageOption &option) = 0; + virtual bool SetAllocator(Allocator *allocator) = 0; +}; + +class BinderInvokerInterfaceMock : public BinderInvokerInterface { +public: + BinderInvokerInterfaceMock(); + ~BinderInvokerInterfaceMock() override; + + MOCK_METHOD(bool, WriteUint32, (uint32_t value), (override)); + MOCK_METHOD(bool, RewindWrite, (size_t newPosition), (override)); + MOCK_METHOD(bool, WritePointer, (uintptr_t value), (override)); + MOCK_METHOD(int, FlushCommands, (IRemoteObject * object), (override)); + MOCK_METHOD(int, SendRequest, (int handle, uint32_t code, MessageParcel &data, MessageParcel &reply, + MessageOption &option), (override)); + MOCK_METHOD(bool, SetAllocator, (Allocator * allocator), (override)); +}; + +static void *g_interface = nullptr; + +BinderInvokerInterfaceMock::BinderInvokerInterfaceMock() +{ + g_interface = reinterpret_cast(this); +} + +BinderInvokerInterfaceMock::~BinderInvokerInterfaceMock() +{ + g_interface = nullptr; +} + +static BinderInvokerInterfaceMock *GetBinderInvokerInterfaceMock() +{ + return reinterpret_cast(g_interface); +} + +extern "C" { +bool Parcel::WriteUint32(uint32_t value) +{ + if (g_interface == nullptr) { + return false; + } + return GetBinderInvokerInterfaceMock()->WriteUint32(value); +} + +bool Parcel::RewindWrite(size_t newPosition) +{ + if (g_interface == nullptr) { + return false; + } + return GetBinderInvokerInterfaceMock()->RewindWrite(newPosition); +} + +bool Parcel::WritePointer(uintptr_t value) +{ + if (g_interface == nullptr) { + return false; + } + return GetBinderInvokerInterfaceMock()->WritePointer(value); +} + +int BinderInvoker::FlushCommands(IRemoteObject *object) +{ + if (g_interface == nullptr) { + return false; + } + return GetBinderInvokerInterfaceMock()->FlushCommands(object); +} + +int BinderInvoker::SendRequest(int handle, uint32_t code, MessageParcel &data, MessageParcel &reply, + MessageOption &option) +{ + if (g_interface == nullptr) { + return false; + } + return GetBinderInvokerInterfaceMock()->SendRequest(handle, code, data, reply, option); +} + +bool Parcel::SetAllocator(Allocator *allocator) +{ + if (g_interface == nullptr) { + return true; + } + return GetBinderInvokerInterfaceMock()->SetAllocator(allocator); +} +} + +static void FreeBufferFuzzTest(FuzzedDataProvider &provider) +{ + std::string data = provider.ConsumeRandomLengthString(MAX_STR_LEN); + NiceMock mock; + EXPECT_CALL(mock, WriteUint32).WillOnce(Return(false)); + BinderInvoker invoker; + invoker.FreeBuffer(const_cast(data.c_str())); + + EXPECT_CALL(mock, WriteUint32).WillOnce(Return(true)); + EXPECT_CALL(mock, WritePointer).WillOnce(Return(false)); + EXPECT_CALL(mock, RewindWrite).WillOnce(Return(false)); + invoker.FreeBuffer(const_cast(data.c_str())); + + EXPECT_CALL(mock, WriteUint32).WillOnce(Return(true)); + EXPECT_CALL(mock, WritePointer).WillOnce(Return(true)); + EXPECT_CALL(mock, FlushCommands(_)).WillRepeatedly(testing::Return(-1)); + invoker.FreeBuffer(const_cast(data.c_str())); +} + +static void AddCommAuthFuzzTest(FuzzedDataProvider &provider) +{ + int32_t handle = 0; + flat_binder_object flat; + BinderInvoker invoker; + NiceMock mock; + EXPECT_CALL(mock, SendRequest(handle, GET_PID_UID, _, _, _)).WillRepeatedly(Return(ERR_NONE)); + invoker.AddCommAuth(handle, &flat); + + IPCProcessSkeleton *current = IPCProcessSkeleton::GetCurrent(); + if (current == nullptr) { + return; + } + std::string serviceName = provider.ConsumeRandomLengthString(MAX_STR_LEN); + std::string serverDeviceId = provider.ConsumeRandomLengthString(MAX_STR_LEN); + uint64_t stubIndex = provider.ConsumeIntegral(); + uint32_t tokenId = provider.ConsumeIntegral(); + std::shared_ptr session = + std::make_shared(serviceName, serverDeviceId, stubIndex, nullptr, tokenId); + flat.handle = handle; + current->ProxyAttachDBinderSession(handle, session); + invoker.AddCommAuth(handle, &flat); +} + +static void HandleReplyFuzzTest(FuzzedDataProvider &provider) +{ + MessageParcel reply; + bool isStubRet = provider.ConsumeBool(); + BinderInvoker invoker; + binder_transaction_data data; + invoker.input_.WriteBuffer(&data, sizeof(data)); + invoker.HandleReply(nullptr, isStubRet); + + invoker.input_.WriteBuffer(&data, sizeof(data)); + NiceMock mock; + EXPECT_CALL(mock, SetAllocator(_)).WillOnce(Return(false)); + invoker.HandleReply(&reply, isStubRet); +} +} // namespace OHOS + +/* Fuzzer entry point */ +extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) +{ + /* Run your code on data */ + FuzzedDataProvider provider(data, size); + OHOS::FreeBufferFuzzTest(provider); + OHOS::AddCommAuthFuzzTest(provider); + OHOS::HandleReplyFuzzTest(provider); + return 0; +} \ No newline at end of file diff --git a/test/fuzztest/ipc/native/src/mock/binderinvokermock/binderinvokermock002_fuzzer/corpus/init b/test/fuzztest/ipc/native/src/mock/binderinvokermock/binderinvokermock002_fuzzer/corpus/init new file mode 100644 index 0000000000000000000000000000000000000000..7ade8a0faafeaedba7241e7d4a97b8e1f9691932 --- /dev/null +++ b/test/fuzztest/ipc/native/src/mock/binderinvokermock/binderinvokermock002_fuzzer/corpus/init @@ -0,0 +1,16 @@ +/* + * Copyright (c) 2025 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +FUZZ \ No newline at end of file diff --git a/test/fuzztest/ipc/native/src/mock/binderinvokermock/binderinvokermock002_fuzzer/project.xml b/test/fuzztest/ipc/native/src/mock/binderinvokermock/binderinvokermock002_fuzzer/project.xml new file mode 100644 index 0000000000000000000000000000000000000000..226522bd2ad3eaf2db4f710f1924d82d2912c235 --- /dev/null +++ b/test/fuzztest/ipc/native/src/mock/binderinvokermock/binderinvokermock002_fuzzer/project.xml @@ -0,0 +1,25 @@ + + + + + + 10000 + + 300 + + 4096 + + diff --git a/test/fuzztest/ipc/native/src/mock/binderinvokermock/include/binderinvokermock_fuzzer.h b/test/fuzztest/ipc/native/src/mock/binderinvokermock/include/binderinvokermock_fuzzer.h new file mode 100644 index 0000000000000000000000000000000000000000..dd049cf3900315913145bacc9a0faefca2dff741 --- /dev/null +++ b/test/fuzztest/ipc/native/src/mock/binderinvokermock/include/binderinvokermock_fuzzer.h @@ -0,0 +1,37 @@ +/* + * Copyright (c) 2025 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#ifndef BINDERINVOKERMOCK_FUZZER_H +#define BINDERINVOKERMOCK_FUZZER_H + +#include +#include +#include + +#include "binder_connector.h" +#include "binder_invoker.h" +#include "ipc_object_stub.h" +#include "ipc_process_skeleton.h" +#include "message_parcel.h" +#include "string_ex.h" + +namespace OHOS { +static const size_t MAX_STR_LEN = 100; +static const size_t MIN_BYTE_SIZE = 1; +static const size_t MAX_BYTE_SIZE = 50; +} // namespace OHOS + +#define FUZZ_PROJECT_NAME "binderinvokermock_fuzzer" + +#endif \ No newline at end of file diff --git a/test/resource/ipc/ohos_test.xml b/test/resource/ipc/ohos_test.xml index 28748bb2270c12b2077fe583f16cc4fa3e731cf3..57242401f1638f2f61f163ed24b91520eb471526 100644 --- a/test/resource/ipc/ohos_test.xml +++ b/test/resource/ipc/ohos_test.xml @@ -311,6 +311,18 @@