From 1e9255a4edbcb51283c3b0a8b2196e0123fbdc8d Mon Sep 17 00:00:00 2001 From: wuyunxun Date: Mon, 18 Aug 2025 19:22:40 +0800 Subject: [PATCH] =?UTF-8?q?dbinderservice=E8=A1=A5=E5=85=85fuzz?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: wuyunxun Change-Id: Iba236f198db9e930505f59c3c82ad10d4702fc17 --- .../dbinderservicemock_fuzzer.cpp | 235 ++++++++++++++++++ 1 file changed, 235 insertions(+) diff --git a/test/fuzztest/dbinder/dbinder_service/src/mock/dbinderservicemock_fuzzer/dbinderservicemock_fuzzer.cpp b/test/fuzztest/dbinder/dbinder_service/src/mock/dbinderservicemock_fuzzer/dbinderservicemock_fuzzer.cpp index 53ab3021..198ac35a 100644 --- a/test/fuzztest/dbinder/dbinder_service/src/mock/dbinderservicemock_fuzzer/dbinderservicemock_fuzzer.cpp +++ b/test/fuzztest/dbinder/dbinder_service/src/mock/dbinderservicemock_fuzzer/dbinderservicemock_fuzzer.cpp @@ -328,6 +328,229 @@ void LoadSystemAbilityCompleteTest(FuzzedDataProvider &provider) dBinderService->LoadSystemAbilityComplete(localDevID, systemAbilityId, callbackProxy); } + +void OnRemoteMessageTaskTest(FuzzedDataProvider &provider) +{ + sptr dBinderService = DBinderService::GetInstance(); + if (dBinderService == nullptr) { + return; + } + dBinderService->OnRemoteMessageTask(nullptr); + std::shared_ptr message = std::make_shared(); + if (message == nullptr) { + return; + } + message->seqNumber = provider.ConsumeIntegral(); + message->dBinderCode = DBinderCode::MESSAGE_AS_REMOTE_ERROR; + dBinderService->OnRemoteMessageTask(message); +} + +void ProcessOnSessionClosedTest(FuzzedDataProvider &provider) +{ + sptr dBinderService = DBinderService::GetInstance(); + if (dBinderService == nullptr) { + return; + } + std::string networkId = provider.ConsumeRandomLengthString(MAX_STRING_PARAM_LEN); + std::string otherNetworkId = provider.ConsumeRandomLengthString(MAX_STRING_PARAM_LEN); + uint32_t seqNumber = provider.ConsumeIntegral(); + uint32_t otherSeqNumber = provider.ConsumeIntegral(); + dBinderService->AttachThreadLockInfo(seqNumber, networkId, std::make_shared()); + dBinderService->AttachThreadLockInfo(otherSeqNumber, otherNetworkId, std::make_shared()); + + dBinderService->ProcessOnSessionClosed(networkId); + dBinderService->DetachThreadLockInfo(seqNumber); + dBinderService->DetachThreadLockInfo(otherSeqNumber); +} + +void IsInvalidStubTest(FuzzedDataProvider &provider) +{ + sptr dBinderService = DBinderService::GetInstance(); + if (dBinderService == nullptr) { + return; + } + const std::string serviceName = provider.ConsumeRandomLengthString(MAX_STRING_PARAM_LEN); + const std::u16string serviceName16 = Str8ToStr16(serviceName); + const std::string deviceID = provider.ConsumeRandomLengthString(MAX_STRING_PARAM_LEN); + binder_uintptr_t binderObject = provider.ConsumeIntegral(); + sptr stub = sptr::MakeSptr(serviceName16, deviceID, binderObject); + if (stub == nullptr) { + return; + } + binder_uintptr_t binderObjectPtr = reinterpret_cast(stub.GetRefPtr()); + binder_uintptr_t stubTag = dBinderService->stubTagNum_++; + auto result = dBinderService->mapDBinderStubRegisters_.insert({stubTag, binderObjectPtr}); + if (!result.second) { + return; + } + dBinderService->DBinderStubRegisted_.push_back(stub); + auto replyMessage = std::make_shared(); + if (replyMessage == nullptr) { + return; + } + replyMessage->stub = stubTag; + + dBinderService->IsInvalidStub(replyMessage); +} + +void IsValidSessionNameTest(FuzzedDataProvider &provider) +{ + sptr dBinderService = DBinderService::GetInstance(); + std::shared_ptr replyMessage = std::make_shared(); + if (dBinderService == nullptr || replyMessage == nullptr) { + return; + } + + replyMessage->serviceNameLength = SERVICENAME_LENGTH; + dBinderService->IsValidSessionName(replyMessage); + replyMessage->serviceNameLength = SERVICENAME_LENGTH + 1; + dBinderService->IsValidSessionName(replyMessage); +} + +void MakeSessionByReplyMessageTest(FuzzedDataProvider &provider) +{ + sptr dBinderService = DBinderService::GetInstance(); + if (dBinderService == nullptr) { + return; + } + const std::string serviceName = provider.ConsumeRandomLengthString(MAX_STRING_PARAM_LEN); + const std::u16string serviceName16 = Str8ToStr16(serviceName); + const std::string deviceID = provider.ConsumeRandomLengthString(MAX_STRING_PARAM_LEN); + binder_uintptr_t binderObject = provider.ConsumeIntegral(); + sptr stub = sptr::MakeSptr(serviceName16, deviceID, binderObject); + if (stub == nullptr) { + return; + } + binder_uintptr_t binderObjectPtr = reinterpret_cast(stub.GetRefPtr()); + binder_uintptr_t stubTag = dBinderService->stubTagNum_++; + auto result = dBinderService->mapDBinderStubRegisters_.insert({stubTag, binderObjectPtr}); + if (!result.second) { + return; + } + dBinderService->DBinderStubRegisted_.push_back(stub); + dBinderService->AttachSessionObject(std::make_shared(), binderObjectPtr); + auto replyMessage = std::make_shared(); + if (replyMessage == nullptr) { + return; + } + replyMessage->stub = stubTag; + replyMessage->serviceNameLength = strlen(replyMessage->serviceName); + replyMessage->dBinderCode = MESSAGE_AS_REPLY; + replyMessage->seqNumber = provider.ConsumeIntegral(); + replyMessage->stubIndex = provider.ConsumeIntegral(); + + dBinderService->MakeSessionByReplyMessage(replyMessage); +} + +void WakeupThreadByStubTest(FuzzedDataProvider &provider) +{ + sptr dBinderService = DBinderService::GetInstance(); + if (dBinderService == nullptr) { + return; + } + std::string networkId = provider.ConsumeRandomLengthString(MAX_STRING_PARAM_LEN); + uint32_t seqNumber = provider.ConsumeIntegral(); + dBinderService->AttachThreadLockInfo(seqNumber, networkId, std::make_shared()); + dBinderService->WakeupThreadByStub(seqNumber); + dBinderService->DetachThreadLockInfo(seqNumber); +} + +void QueryProxyObjectTest(FuzzedDataProvider &provider) +{ + sptr dBinderService = DBinderService::GetInstance(); + if (dBinderService == nullptr) { + return; + } + binder_uintptr_t binderObject = provider.ConsumeIntegral(); + dBinderService->AttachProxyObject(nullptr, binderObject); + dBinderService->QueryProxyObject(binderObject); + dBinderService->DetachProxyObject(binderObject); +} + +void AttachSessionObjectTest(FuzzedDataProvider &provider) +{ + sptr dBinderService = DBinderService::GetInstance(); + std::shared_ptr sessionInfo = std::make_shared(); + if (dBinderService == nullptr || sessionInfo == nullptr) { + return; + } + + binder_uintptr_t stub = provider.ConsumeIntegral(); + dBinderService->AttachSessionObject(sessionInfo, stub); + dBinderService->DetachSessionObject(stub); +} + +void ProcessCallbackProxyTest(FuzzedDataProvider &provider) +{ + sptr dBinderService = DBinderService::GetInstance(); + if (dBinderService == nullptr) { + return; + } + int handle = provider.ConsumeIntegral(); + std::string serviceName = provider.ConsumeRandomLengthString(MAX_STRING_PARAM_LEN); + std::u16string serviceName16 = Str8ToStr16(serviceName); + std::string deviceID = provider.ConsumeRandomLengthString(MAX_STRING_PARAM_LEN); + binder_uintptr_t binderObject = provider.ConsumeIntegral(); + sptr object = new (std::nothrow) IPCObjectProxy(handle); + sptr dBinderServiceStub = + sptr::MakeSptr(serviceName16, deviceID, binderObject); + if (object == nullptr || dBinderServiceStub == nullptr) { + return; + } + dBinderService->AttachCallbackProxy(object, dBinderServiceStub.GetRefPtr()); + std::vector> dbStubs {dBinderServiceStub}; + dBinderService->ProcessCallbackProxy(dbStubs); + dBinderService->DetachCallbackProxy(object); +} + +void NoticeServiceDieInnerTest(FuzzedDataProvider &provider) +{ + sptr dBinderService = DBinderService::GetInstance(); + if (dBinderService == nullptr) { + return; + } + std::string serviceName = provider.ConsumeRandomLengthString(MAX_STRING_PARAM_LEN); + std::u16string serviceName16 = Str8ToStr16(serviceName); + std::string deviceID = provider.ConsumeRandomLengthString(MAX_STRING_PARAM_LEN); + dBinderService->NoticeServiceDieInner(serviceName16, deviceID); +} + +void FindServicesByDeviceIDTest(FuzzedDataProvider &provider) +{ + sptr dBinderService = DBinderService::GetInstance(); + if (dBinderService == nullptr) { + return; + } + std::string serviceName = provider.ConsumeRandomLengthString(MAX_STRING_PARAM_LEN); + std::u16string serviceName16 = Str8ToStr16(serviceName); + std::string deviceID = provider.ConsumeRandomLengthString(MAX_STRING_PARAM_LEN); + binder_uintptr_t binderObject = provider.ConsumeIntegral(); + sptr dBinderServiceStub = + sptr::MakeSptr(serviceName16, deviceID, binderObject); + dBinderService->DBinderStubRegisted_.push_back(dBinderServiceStub); + dBinderService->FindServicesByDeviceID(deviceID); +} + +void NoticeDeviceDieTest(FuzzedDataProvider &provider) +{ + sptr dBinderService = DBinderService::GetInstance(); + std::shared_ptr remoteListener = std::make_shared(); + if (dBinderService == nullptr || remoteListener == nullptr) { + return; + } + + std::string serviceName = provider.ConsumeRandomLengthString(MAX_STRING_PARAM_LEN); + std::u16string serviceName16 = Str8ToStr16(serviceName); + std::string deviceID = provider.ConsumeRandomLengthString(MAX_STRING_PARAM_LEN); + int32_t socketId = provider.ConsumeIntegral(); + binder_uintptr_t binderObject = provider.ConsumeIntegral(); + sptr dBinderServiceStub = + sptr::MakeSptr(serviceName16, deviceID, binderObject); + dBinderService->DBinderStubRegisted_.push_back(dBinderServiceStub); + remoteListener->clientSocketInfos_[deviceID] = socketId; + dBinderService->remoteListener_ = remoteListener; + dBinderService->NoticeDeviceDie(deviceID); +} } // namespace OHOS /* Fuzzer entry point */ @@ -342,5 +565,17 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) OHOS::SendEntryToRemoteTest(provider); OHOS::InvokerRemoteDBinderTest001(provider); OHOS::LoadSystemAbilityCompleteTest(provider); + OHOS::OnRemoteMessageTaskTest(provider); + OHOS::ProcessOnSessionClosedTest(provider); + OHOS::IsInvalidStubTest(provider); + OHOS::IsValidSessionNameTest(provider); + OHOS::WakeupThreadByStubTest(provider); + OHOS::NoticeServiceDieInnerTest(provider); + OHOS::QueryProxyObjectTest(provider); + OHOS::AttachSessionObjectTest(provider); + OHOS::ProcessCallbackProxyTest(provider); + OHOS::FindServicesByDeviceIDTest(provider); + OHOS::NoticeDeviceDieTest(provider); + OHOS::MakeSessionByReplyMessageTest(provider); return 0; } \ No newline at end of file -- Gitee