From e027a8b3cf25478fa28dc9497ca3e72565762983 Mon Sep 17 00:00:00 2001
From: wanxiaoqing40281 <wanxiaoqing@huawei.com>
Date: Mon, 29 May 2023 11:43:26 +0800
Subject: [PATCH] =?UTF-8?q?=E6=96=B0=E5=A2=9E=E5=86=85=E6=A0=B8=E6=A8=A1?=
 =?UTF-8?q?=E5=9D=97FUZZ=E6=B5=8B=E8=AF=95=E7=94=A8=E4=BE=8B?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: wanxiaoqing40281 <wanxiaoqing@huawei.com>
---
 test/fuzztest/BUILD.gn                        |   1 +
 test/fuzztest/kernel/BUILD.gn                 |  22 +++
 test/fuzztest/kernel/authctrl_fuzzer/BUILD.gn |  44 +++++
 .../authctrl_fuzzer/authctrl_fuzzer.cpp       |  50 ++++++
 .../kernel/authctrl_fuzzer/corpus/init        |  14 ++
 .../kernel/authctrl_fuzzer/project.xml        |  25 +++
 test/fuzztest/kernel/include/qos_interface.h  | 164 ++++++++++++++++++
 test/fuzztest/kernel/qosctrl_fuzzer/BUILD.gn  |  44 +++++
 .../kernel/qosctrl_fuzzer/corpus/init         |  14 ++
 .../kernel/qosctrl_fuzzer/project.xml         |  25 +++
 .../kernel/qosctrl_fuzzer/qosctrl_fuzzer.cpp  |  73 ++++++++
 11 files changed, 476 insertions(+)
 create mode 100644 test/fuzztest/kernel/BUILD.gn
 create mode 100644 test/fuzztest/kernel/authctrl_fuzzer/BUILD.gn
 create mode 100644 test/fuzztest/kernel/authctrl_fuzzer/authctrl_fuzzer.cpp
 create mode 100644 test/fuzztest/kernel/authctrl_fuzzer/corpus/init
 create mode 100644 test/fuzztest/kernel/authctrl_fuzzer/project.xml
 create mode 100644 test/fuzztest/kernel/include/qos_interface.h
 create mode 100644 test/fuzztest/kernel/qosctrl_fuzzer/BUILD.gn
 create mode 100644 test/fuzztest/kernel/qosctrl_fuzzer/corpus/init
 create mode 100644 test/fuzztest/kernel/qosctrl_fuzzer/project.xml
 create mode 100644 test/fuzztest/kernel/qosctrl_fuzzer/qosctrl_fuzzer.cpp

diff --git a/test/fuzztest/BUILD.gn b/test/fuzztest/BUILD.gn
index f3942ad..b2e79e9 100644
--- a/test/fuzztest/BUILD.gn
+++ b/test/fuzztest/BUILD.gn
@@ -20,5 +20,6 @@ group("fuzztest") {
     "hc_node:fuzztest",
     "memory:fuzztest",
     "sched:fuzztest",
+    "kernel:fuzztest",
   ]
 }
diff --git a/test/fuzztest/kernel/BUILD.gn b/test/fuzztest/kernel/BUILD.gn
new file mode 100644
index 0000000..1e19085
--- /dev/null
+++ b/test/fuzztest/kernel/BUILD.gn
@@ -0,0 +1,22 @@
+# Copyright (c) 2022 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+group("fuzztest") {
+  testonly = true
+  deps = []
+
+  deps += [
+    "qosctrl_fuzzer:QosctrlFuzzTest",
+    "authctrl_fuzzer:AuthctrlFuzzTest",
+  ]
+}
diff --git a/test/fuzztest/kernel/authctrl_fuzzer/BUILD.gn b/test/fuzztest/kernel/authctrl_fuzzer/BUILD.gn
new file mode 100644
index 0000000..5c2b3df
--- /dev/null
+++ b/test/fuzztest/kernel/authctrl_fuzzer/BUILD.gn
@@ -0,0 +1,44 @@
+# Copyright (c) 2022 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import("//build/config/features.gni")
+import("//build/test.gni")
+
+module_output_path = "linuxkerneltest/authctrl"
+
+ohos_fuzztest("AuthctrlFuzzTest") {
+  module_out_path = module_output_path
+  fuzz_config_file =
+      "//kernel/linux/build/test/fuzztest/kernel/authctrl_fuzzer"
+
+  include_dirs = [ "../include" ]
+  deps = [ "//third_party/bounds_checking_function:libsec_static" ]
+
+  cflags = [
+    "-g",
+    "-O0",
+    "-Wno-unused-variable",
+    "-fno-omit-frame-pointer",
+    "-pthread",
+  ]
+
+  sources = [
+    "authctrl_fuzzer.cpp",
+  ]
+}
+
+group("fuzztest") {
+  testonly = true
+  deps = []
+  deps += [ ":AuthctrlFuzzTest" ]
+}
diff --git a/test/fuzztest/kernel/authctrl_fuzzer/authctrl_fuzzer.cpp b/test/fuzztest/kernel/authctrl_fuzzer/authctrl_fuzzer.cpp
new file mode 100644
index 0000000..d25ccf4
--- /dev/null
+++ b/test/fuzztest/kernel/authctrl_fuzzer/authctrl_fuzzer.cpp
@@ -0,0 +1,50 @@
+/*
+ * Copyright (c) 2022 Huawei Device Co., Ltd.
+ * SPDX-License-Identifier: GPL-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <vector>
+#include <cstddef>
+#include <cstdint>
+#include <fcntl.h>
+#include <sys/ioctl.h>
+#include "__config"
+#include "qos_interface.h"
+
+using namespace std;
+namespace OHOS {
+
+bool AuthCtlBasicOprFuzzTest(const uint8_t *data, size_t size)
+{
+    auth_ctrl_data *authData;
+    char fileName[] = "/dev/auth_ctrl";
+    int fd = open(fileName, O_RDWR);
+    if(fd < 0) {
+        return false;
+    }
+
+    if(data == nullptr) {
+        return false;
+    }
+
+    if(size < sizeof(auth_ctrl_data)) {
+        return false;
+    }
+
+    authData = reinterpret_cast<auth_ctrl_data *>(const_cast<uint8_t *>(data));
+    (void)ioctl(fd, BASIC_AUTH_CTRL_OPERATION, authData);
+    return true;
+}
+}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    OHOS::AuthCtlBasicOprFuzzTest(data, size);
+    return 0;
+}
diff --git a/test/fuzztest/kernel/authctrl_fuzzer/corpus/init b/test/fuzztest/kernel/authctrl_fuzzer/corpus/init
new file mode 100644
index 0000000..58ee85e
--- /dev/null
+++ b/test/fuzztest/kernel/authctrl_fuzzer/corpus/init
@@ -0,0 +1,14 @@
+# Copyright (c) 2020-2022 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FUZZ
\ No newline at end of file
diff --git a/test/fuzztest/kernel/authctrl_fuzzer/project.xml b/test/fuzztest/kernel/authctrl_fuzzer/project.xml
new file mode 100644
index 0000000..6e8ad2c
--- /dev/null
+++ b/test/fuzztest/kernel/authctrl_fuzzer/project.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (c) 2022 Huawei Device Co., Ltd.
+
+     Licensed under the Apache License, Version 2.0 (the "License");
+     you may not use this file except in compliance with the License.
+     You may obtain a copy of the License at
+
+          http://www.apache.org/licenses/LICENSE-2.0
+
+     Unless required by applicable law or agreed to in writing, software
+     distributed under the License is distributed on an "AS IS" BASIS,
+     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+     See the License for the specific language governing permissions and
+     limitations under the License.
+-->
+<fuzz_config>
+  <fuzztest>
+    <!-- maximum length of a test input -->
+    <max_len>1000</max_len>
+    <!-- maximum total time in seconds to run the fuzzer -->
+    <max_total_time>300</max_total_time>
+    <!-- memory usage limit in Mb -->
+    <rss_limit_mb>4096</rss_limit_mb>
+  </fuzztest>
+</fuzz_config>
diff --git a/test/fuzztest/kernel/include/qos_interface.h b/test/fuzztest/kernel/include/qos_interface.h
new file mode 100644
index 0000000..34dd3dd
--- /dev/null
+++ b/test/fuzztest/kernel/include/qos_interface.h
@@ -0,0 +1,164 @@
+#ifndef QOS_INTERFACE_H
+#define QOS_INTERFACE_H
+#include <stdbool.h>
+
+/*
+ * generic
+ */
+#define SYSTEM_UID 1000
+#define ROOT_UID 0
+
+/*
+ * auth_ctrl
+ */
+struct auth_ctrl_data {
+	unsigned int uid;
+	unsigned int type;
+	unsigned int rtg_ua_flag;
+	unsigned int qos_ua_flag;
+	unsigned int status;
+};
+
+enum auth_manipulate_type {
+	AUTH_ENABLE = 1,
+	AUTH_DELETE,
+	AUTH_GET,
+	AUTH_SWITCH,
+	AUTH_MAX_NR,
+};
+
+enum auth_status {
+	AUTH_STATUS_DISABLED = 1,
+	AUTH_STATUS_SYSTEM_SERVER = 2,
+	AUTH_STATUS_FOREGROUND = 3,
+	AUTH_STATUS_BACKGROUND = 4,
+	AUTH_STATUS_DEAD,
+};
+
+enum auth_ctrl_cmdid {
+	BASIC_AUTH_CTRL = 1,
+	AUTH_CTRL_MAX_NR
+};
+
+#define AUTH_CTRL_IPC_MAGIG	0xCD
+
+#define	BASIC_AUTH_CTRL_OPERATION \
+	_IOWR(AUTH_CTRL_IPC_MAGIG, BASIC_AUTH_CTRL, struct auth_ctrl_data)
+
+
+/*
+ * qos ctrl
+ */
+#define NR_QOS 6
+#define QOS_NUM_MAX 10
+
+#define AF_QOS_ALL		0x0003
+#define AF_QOS_DELEGATED	0x0001
+
+enum qos_manipulate_type {
+	QOS_APPLY = 1,
+	QOS_LEAVE,
+	QOS_MAX_NR,
+};
+
+struct qos_ctrl_data {
+	int pid;
+	unsigned int type;
+	unsigned int level;
+};
+
+struct qos_policy_data {
+	int nice;
+	int latency_nice;
+	int uclamp_min;
+	int uclamp_max;
+	int rt_sched_priority;
+};
+
+enum qos_policy_type {
+	QOS_POLICY_DEFAULT = 1,
+	QOS_POLICY_SYSTEM_SERVER = 2,
+	QOS_POLICY_FRONT = 3,
+	QOS_POLICY_BACK = 4,
+	QOS_POLICY_MAX_NR,
+};
+
+#define QOS_FLAG_NICE			0X01
+#define QOS_FLAG_LATENCY_NICE		0X02
+#define QOS_FLAG_UCLAMP			0x04
+#define QOS_FLAG_RT			0x08
+
+#define QOS_FLAG_ALL	(QOS_FLAG_NICE			| \
+			 QOS_FLAG_LATENCY_NICE		| \
+			 QOS_FLAG_UCLAMP		| \
+			 QOS_FLAG_RT)
+
+struct qos_policy_datas {
+	int policy_type;
+	unsigned int policy_flag;
+	struct qos_policy_data policys[NR_QOS + 1];
+};
+
+enum qos_ctrl_cmdid {
+	QOS_CTRL = 1,
+	QOS_POLICY,
+	QOS_CTRL_MAX_NR
+};
+
+#define QOS_CTRL_IPC_MAGIG	0xCC
+
+#define QOS_CTRL_BASIC_OPERATION \
+	_IOWR(QOS_CTRL_IPC_MAGIG, QOS_CTRL, struct qos_ctrl_data)
+#define QOS_CTRL_POLICY_OPERATION \
+	_IOWR(QOS_CTRL_IPC_MAGIG, QOS_POLICY, struct qos_policy_datas)
+
+/*
+ * RTG
+ */
+#define AF_RTG_ALL		0x1fff
+#define AF_RTG_DELEGATED	0x1fff
+
+struct rtg_enable_data {
+    int enable;
+    int len;
+    char *data;
+};
+
+enum rtg_sched_cmdid {
+    SET_ENABLE = 1,
+    SET_RTG,
+    SET_CONFIG,
+    SET_RTG_ATTR,
+    BEGIN_FRAME_FREQ = 5,
+    END_FRAME_FREQ,
+    END_SCENE,
+    SET_MIN_UTIL,
+    SET_MARGIN,
+    LIST_RTG = 10,
+    LIST_RTG_THREAD,
+    SEARCH_RTG,
+    GET_ENABLE,
+    RTG_CTRL_MAX_NR,
+};
+
+#define RTG_SCHED_IPC_MAGIC	0xAB
+
+#define CMD_ID_SET_ENABLE \
+    _IOWR(RTG_SCHED_IPC_MAGIC, SET_ENABLE, struct rtg_enable_data)
+
+/*
+ * interface
+ */
+int EnableRtg(bool flag);
+int AuthEnable(unsigned int uid, unsigned int ua_flag, unsigned int status);
+int AuthPause(unsigned int uid);
+int AuthDelete(unsigned int uid);
+int AuthGet(unsigned int uid, unsigned int *ua_flag, unsigned int *status);
+int AuthSwitch(unsigned int uid, unsigned int rtg_flag, unsigned int qos_flag, unsigned int status);
+int QosApply(unsigned int level);
+int QosApplyForOther(unsigned int level, int tid);
+int QosLeave();
+int QosLeaveForOther(int tid);
+int QosPolicy(struct qos_policy_datas *policy_datas);
+
+#endif /* OQS_INTERFACE_H */
diff --git a/test/fuzztest/kernel/qosctrl_fuzzer/BUILD.gn b/test/fuzztest/kernel/qosctrl_fuzzer/BUILD.gn
new file mode 100644
index 0000000..2c5f1ab
--- /dev/null
+++ b/test/fuzztest/kernel/qosctrl_fuzzer/BUILD.gn
@@ -0,0 +1,44 @@
+# Copyright (c) 2022 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import("//build/config/features.gni")
+import("//build/test.gni")
+
+module_output_path = "linuxkerneltest/qosctrl"
+
+ohos_fuzztest("QosctrlFuzzTest") {
+  module_out_path = module_output_path
+  fuzz_config_file =
+      "//kernel/linux/build/test/fuzztest/kernel/qosctrl_fuzzer"
+
+  include_dirs = [ "../include" ]
+  deps = [ "//third_party/bounds_checking_function:libsec_static" ]
+
+  cflags = [
+    "-g",
+    "-O0",
+    "-Wno-unused-variable",
+    "-fno-omit-frame-pointer",
+    "-pthread",
+  ]
+
+  sources = [
+    "qosctrl_fuzzer.cpp",
+  ]
+}
+
+group("fuzztest") {
+  testonly = true
+  deps = []
+  deps += [ ":QosctrlFuzzTest" ]
+}
diff --git a/test/fuzztest/kernel/qosctrl_fuzzer/corpus/init b/test/fuzztest/kernel/qosctrl_fuzzer/corpus/init
new file mode 100644
index 0000000..58ee85e
--- /dev/null
+++ b/test/fuzztest/kernel/qosctrl_fuzzer/corpus/init
@@ -0,0 +1,14 @@
+# Copyright (c) 2020-2022 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FUZZ
\ No newline at end of file
diff --git a/test/fuzztest/kernel/qosctrl_fuzzer/project.xml b/test/fuzztest/kernel/qosctrl_fuzzer/project.xml
new file mode 100644
index 0000000..6e8ad2c
--- /dev/null
+++ b/test/fuzztest/kernel/qosctrl_fuzzer/project.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (c) 2022 Huawei Device Co., Ltd.
+
+     Licensed under the Apache License, Version 2.0 (the "License");
+     you may not use this file except in compliance with the License.
+     You may obtain a copy of the License at
+
+          http://www.apache.org/licenses/LICENSE-2.0
+
+     Unless required by applicable law or agreed to in writing, software
+     distributed under the License is distributed on an "AS IS" BASIS,
+     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+     See the License for the specific language governing permissions and
+     limitations under the License.
+-->
+<fuzz_config>
+  <fuzztest>
+    <!-- maximum length of a test input -->
+    <max_len>1000</max_len>
+    <!-- maximum total time in seconds to run the fuzzer -->
+    <max_total_time>300</max_total_time>
+    <!-- memory usage limit in Mb -->
+    <rss_limit_mb>4096</rss_limit_mb>
+  </fuzztest>
+</fuzz_config>
diff --git a/test/fuzztest/kernel/qosctrl_fuzzer/qosctrl_fuzzer.cpp b/test/fuzztest/kernel/qosctrl_fuzzer/qosctrl_fuzzer.cpp
new file mode 100644
index 0000000..e48fbe3
--- /dev/null
+++ b/test/fuzztest/kernel/qosctrl_fuzzer/qosctrl_fuzzer.cpp
@@ -0,0 +1,73 @@
+/*
+ * Copyright (c) 2022 Huawei Device Co., Ltd.
+ * SPDX-License-Identifier: GPL-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <vector>
+#include <cstddef>
+#include <cstdint>
+#include <fcntl.h>
+#include <sys/ioctl.h>
+#include "__config"
+#include "qos_interface.h"
+
+using namespace std;
+namespace OHOS {
+
+bool QosCtlBasicOprFuzzTest(const uint8_t *data, size_t size)
+{
+    qos_ctrl_data *qosData;
+    char fileName[] = "/proc/thread-self/sched_qos_ctrl";
+    int fd = open(fileName, O_RDWR);
+    if(fd < 0) {
+        return false;
+    }
+
+    if(data == nullptr) {
+        return false;
+    }
+
+    if(size < sizeof(qos_ctrl_data)) {
+        return false;
+    }
+
+    qosData = reinterpret_cast<qos_ctrl_data *>(const_cast<uint8_t *>(data));
+    (void)ioctl(fd, QOS_CTRL_BASIC_OPERATION, qosData);
+    return true;
+}
+
+bool QosCtlPolicyOprFuzzTest(const uint8_t *data, size_t size)
+{
+    qos_policy_datas *qosData;
+    char fileName[] = "/proc/thread-self/sched_qos_ctrl";
+    int fd = open(fileName, O_RDWR);
+    if(fd < 0) {
+        return false;
+    }
+
+    if(data == nullptr) {
+        return false;
+    }
+
+    if(size < sizeof(qos_policy_datas)) {
+        return false;
+    }
+
+    qosData = reinterpret_cast<qos_policy_datas *>(const_cast<uint8_t *>(data));
+    (void)ioctl(fd, QOS_CTRL_POLICY_OPERATION, qosData);
+    return true;
+}
+}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    OHOS::QosCtlBasicOprFuzzTest(data, size);
+    OHOS::QosCtlPolicyOprFuzzTest(data, size);
+    return 0;
+}
-- 
Gitee