diff --git a/BUILD.gn b/BUILD.gn index 5b1fdd6bd7007473161cfc82c6fb05f7cd36b551..6802cea87c5146b9b0d81ad73b5f7c2556aade42 100644 --- a/BUILD.gn +++ b/BUILD.gn @@ -35,6 +35,8 @@ group("deviceauth_test_build") { if (os_level == "standard") { testonly = true deps += [ + "test/fuzztest/devauth_fuzzer:fuzztest", + "test/fuzztest/devauthcb_fuzzer:fuzztest", "test/fuzztest/group_auth/authdevice_fuzzer:fuzztest", "test/fuzztest/group_auth/cancelauthrequest_fuzzer:fuzztest", "test/fuzztest/group_auth/getpseudonymid_fuzzer:fuzztest", diff --git a/test/fuzztest/devauth_fuzzer/BUILD.gn b/test/fuzztest/devauth_fuzzer/BUILD.gn new file mode 100644 index 0000000000000000000000000000000000000000..7883585412abf5da4112c26a3e4725120abfe190 --- /dev/null +++ b/test/fuzztest/devauth_fuzzer/BUILD.gn @@ -0,0 +1,84 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import("//base/security/device_auth/deps_adapter/deviceauth_hals.gni") +import("//base/security/device_auth/services/deviceauth.gni") + +#####################hydra-fuzz################### +import("//build/config/features.gni") +import("//build/ohos.gni") +import("//build/test.gni") +module_output_path = "device_auth/fuzztest" + +##############################fuzztest########################################## +ohos_fuzztest("DevAuthFuzzTest") { + module_out_path = module_output_path + fuzz_config_file = "//base/security/device_auth/test/fuzztest/devauth_fuzzer" + include_dirs = inc_path + hals_inc_path + include_dirs += [ + ".", + "//third_party/cJSON", + "${frameworks_path}/inc/standard", + "${dev_frameworks_path}/inc/permission_adapter", + "//base/security/access_token/interfaces/innerkits/nativetoken/include", + "//base/security/access_token/interfaces/innerkits/token_setproc/include", + ] + sources = [ "devauth_fuzzer.cpp" ] + sources += deviceauth_ipc_files + sources += permission_adapter_files + sources += [ "${frameworks_path}/src/ipc_service.c" ] + defines = [ "HILOG_ENABLE" ] + defines += [ "DEV_AUTH_HIVIEW_ENABLE" ] + defines += [ "DEV_AUTH_FUZZ_TEST" ] + cflags = [ + "-g", + "-O0", + "-Wno-unused-variable", + "-fno-omit-frame-pointer", + "-DHILOG_ENABLE", + ] + cflags += build_flags + if (target_cpu == "arm") { + cflags += [ "-DBINDER_IPC_32BIT" ] + } + cflags += [ "--coverage" ] + ldflags = [ "--coverage" ] + deps = [ + "${services_path}:deviceauth", + "${deps_adapter_path}:${hal_module_name}", + "//third_party/cJSON:cjson", + "//base/security/access_token/interfaces/innerkits/nativetoken:libnativetoken", + "//base/security/access_token/interfaces/innerkits/token_setproc:libtoken_setproc", + ] + external_deps = [ + "access_token:libaccesstoken_sdk", + "c_utils:utils", + "hilog:libhilog", + "hisysevent:libhisysevent", + "hitrace:hitrace_meter", + "init:libbegetutil", + "ipc:ipc_core", + "samgr:samgr_proxy", + ] +} + +############################################################################### +group("fuzztest") { + testonly = true + deps = [] + deps += [ + # deps file + ":DevAuthFuzzTest", + ] +} +############################################################################### diff --git a/test/fuzztest/devauth_fuzzer/corpus/init b/test/fuzztest/devauth_fuzzer/corpus/init new file mode 100644 index 0000000000000000000000000000000000000000..2b595da0c26af63ffb2d5f4132c086b2e5986fce --- /dev/null +++ b/test/fuzztest/devauth_fuzzer/corpus/init @@ -0,0 +1,16 @@ +/* + * Copyright (c) 2023 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +FUZZ \ No newline at end of file diff --git a/test/fuzztest/devauth_fuzzer/devauth_fuzzer.cpp b/test/fuzztest/devauth_fuzzer/devauth_fuzzer.cpp new file mode 100644 index 0000000000000000000000000000000000000000..3fab4a90621d48b740a13c1b188edde391cedcf4 --- /dev/null +++ b/test/fuzztest/devauth_fuzzer/devauth_fuzzer.cpp @@ -0,0 +1,98 @@ +/* + * Copyright (c) 2023 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "devauth_fuzzer.h" + +#include +#include + +#include "access_token.h" +#include "accesstoken_kit.h" +#include "access_token_error.h" +#include "hc_log.h" +#include "ipc_adapt.h" +#include "ipc_callback_stub.h" +#include "ipc_dev_auth_stub.h" +#include "ipc_sdk.h" +#include "ipc_service.h" +#include "message_parcel.h" +#include "nativetoken_kit.h" +#include "securec.h" +#include "token_setproc.h" + +namespace OHOS { +const std::u16string DEV_AUTH_SERVICE_INTERFACE_TOKEN = u"deviceauth.IMethodsIpcCall"; + +static void NativeTokenSet(const char *procName) +{ + const char *acls[] = {"ACCESS_IDS"}; + const char *perms[] = { + "ohos.permission.PLACE_CALL", + "ohos.permission.ACCESS_IDS" + }; + uint64_t tokenId; + NativeTokenInfoParams infoInstance = { + .dcapsNum = 0, + .permsNum = 2, + .aclsNum = 1, + .dcaps = NULL, + .perms = perms, + .acls = acls, + .processName = procName, + .aplStr = "system_core", + }; + tokenId = GetAccessTokenId(&infoInstance); + SetSelfTokenID(tokenId); + Security::AccessToken::AccessTokenKit::ReloadNativeTokenInfo(); +} + +bool FuzzDoRegCallback(const uint8_t* data, size_t size) +{ + NativeTokenSet("device_manager"); + (void)InitDeviceAuthService(); + (void)MainRescInit(); + ServiceDevAuth *serviceObj = new(std::nothrow) ServiceDevAuth(); + if (serviceObj == nullptr) { + return false; + } + sptr sptrObj = serviceObj; + uintptr_t serviceCtx = reinterpret_cast(serviceObj); + (void)AddMethodMap(serviceCtx); + for (int32_t i = IPC_CALL_ID_REG_CB; i <= IPC_CALL_GA_CANCEL_REQUEST; i++) { + MessageParcel datas; + datas.WriteInterfaceToken(DEV_AUTH_SERVICE_INTERFACE_TOKEN); + datas.WriteInt32(i); + datas.WriteInt32(size + sizeof(int32_t)); + datas.WriteInt32(0); + datas.WriteInt32(size); + datas.WriteBuffer(data, size); + datas.RewindRead(0); + MessageParcel reply; + MessageOption option; + LOGE("fzk: %p\n", serviceObj); + (void)serviceObj->OnRemoteRequest(1, datas, reply, option); + } + return true; +} +} + +/* Fuzzer entry point */ +extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) +{ + /* Run your code on data */ + OHOS::FuzzDoRegCallback(data, size); + return 0; +} + diff --git a/test/fuzztest/devauth_fuzzer/devauth_fuzzer.h b/test/fuzztest/devauth_fuzzer/devauth_fuzzer.h new file mode 100644 index 0000000000000000000000000000000000000000..3e26402a4763d5e266e93e079b2f8aa8139f1332 --- /dev/null +++ b/test/fuzztest/devauth_fuzzer/devauth_fuzzer.h @@ -0,0 +1,24 @@ +/* + * Copyright (c) 2023 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef DEV_AUTH_FUZZER_H +#define DEV_AUTH_FUZZER_H + +#include +#include +#include + +#define FUZZ_PROJECT_NAME "devauth_fuzzer" +#endif \ No newline at end of file diff --git a/test/fuzztest/devauth_fuzzer/project.xml b/test/fuzztest/devauth_fuzzer/project.xml new file mode 100644 index 0000000000000000000000000000000000000000..8f76ede824edd110462d647a80222b062ce52144 --- /dev/null +++ b/test/fuzztest/devauth_fuzzer/project.xml @@ -0,0 +1,25 @@ + + + + + + 1000 + + 10 + + 4096 + + diff --git a/test/fuzztest/devauthcb_fuzzer/BUILD.gn b/test/fuzztest/devauthcb_fuzzer/BUILD.gn new file mode 100644 index 0000000000000000000000000000000000000000..ac4bdd8f63a39e441eaf5dca7c8322e2768002ed --- /dev/null +++ b/test/fuzztest/devauthcb_fuzzer/BUILD.gn @@ -0,0 +1,84 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import("//base/security/device_auth/deps_adapter/deviceauth_hals.gni") +import("//base/security/device_auth/services/deviceauth.gni") + +#####################hydra-fuzz################### +import("//build/config/features.gni") +import("//build/ohos.gni") +import("//build/test.gni") +module_output_path = "device_auth/fuzztest" + +##############################fuzztest########################################## +ohos_fuzztest("DevAuthCbFuzzTest") { + module_out_path = module_output_path + fuzz_config_file = "//base/security/device_auth/test/fuzztest/devauthcb_fuzzer" + include_dirs = inc_path + hals_inc_path + include_dirs += [ + ".", + "//third_party/cJSON", + "${frameworks_path}/inc/standard", + "${dev_frameworks_path}/inc/permission_adapter", + "//base/security/access_token/interfaces/innerkits/nativetoken/include", + "//base/security/access_token/interfaces/innerkits/token_setproc/include", + ] + sources = [ "devauthcb_fuzzer.cpp" ] + sources += deviceauth_ipc_files + sources += permission_adapter_files + sources += [ "${frameworks_path}/src/ipc_service.c" ] + defines = [ "HILOG_ENABLE" ] + defines += [ "DEV_AUTH_HIVIEW_ENABLE" ] + defines += [ "DEV_AUTH_FUZZ_TEST" ] + cflags = [ + "-g", + "-O0", + "-Wno-unused-variable", + "-fno-omit-frame-pointer", + "-DHILOG_ENABLE", + ] + cflags += build_flags + if (target_cpu == "arm") { + cflags += [ "-DBINDER_IPC_32BIT" ] + } + cflags += [ "--coverage" ] + ldflags = [ "--coverage" ] + deps = [ + "${services_path}:deviceauth", + "${deps_adapter_path}:${hal_module_name}", + "//third_party/cJSON:cjson", + "//base/security/access_token/interfaces/innerkits/nativetoken:libnativetoken", + "//base/security/access_token/interfaces/innerkits/token_setproc:libtoken_setproc", + ] + external_deps = [ + "access_token:libaccesstoken_sdk", + "c_utils:utils", + "hilog:libhilog", + "hisysevent:libhisysevent", + "hitrace:hitrace_meter", + "init:libbegetutil", + "ipc:ipc_core", + "samgr:samgr_proxy", + ] +} + +############################################################################### +group("fuzztest") { + testonly = true + deps = [] + deps += [ + # deps file + ":DevAuthCbFuzzTest", + ] +} +############################################################################### diff --git a/test/fuzztest/devauthcb_fuzzer/corpus/init b/test/fuzztest/devauthcb_fuzzer/corpus/init new file mode 100644 index 0000000000000000000000000000000000000000..2b595da0c26af63ffb2d5f4132c086b2e5986fce --- /dev/null +++ b/test/fuzztest/devauthcb_fuzzer/corpus/init @@ -0,0 +1,16 @@ +/* + * Copyright (c) 2023 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +FUZZ \ No newline at end of file diff --git a/test/fuzztest/devauthcb_fuzzer/devauthcb_fuzzer.cpp b/test/fuzztest/devauthcb_fuzzer/devauthcb_fuzzer.cpp new file mode 100644 index 0000000000000000000000000000000000000000..52ae359f8b9d5672bcdb30455bee0b1057563e3d --- /dev/null +++ b/test/fuzztest/devauthcb_fuzzer/devauthcb_fuzzer.cpp @@ -0,0 +1,88 @@ +/* + * Copyright (c) 2023 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "devauthcb_fuzzer.h" + +#include +#include + +#include "access_token.h" +#include "accesstoken_kit.h" +#include "access_token_error.h" +#include "hc_log.h" +#include "ipc_adapt.h" +#include "ipc_callback_stub.h" +#include "ipc_dev_auth_stub.h" +#include "ipc_sdk.h" +#include "ipc_service.h" +#include "message_parcel.h" +#include "nativetoken_kit.h" +#include "securec.h" +#include "token_setproc.h" + +namespace OHOS { +const std::u16string DEV_AUTH_CB_INTERFACE_TOKEN = u"deviceauth.ICommIpcCallback"; + +static void NativeTokenSet(const char *procName) +{ + const char *acls[] = {"ACCESS_IDS"}; + const char *perms[] = { + "ohos.permission.PLACE_CALL", + "ohos.permission.ACCESS_IDS" + }; + uint64_t tokenId; + NativeTokenInfoParams infoInstance = { + .dcapsNum = 0, + .permsNum = 2, + .aclsNum = 1, + .dcaps = NULL, + .perms = perms, + .acls = acls, + .processName = procName, + .aplStr = "system_core", + }; + tokenId = GetAccessTokenId(&infoInstance); + SetSelfTokenID(tokenId); + Security::AccessToken::AccessTokenKit::ReloadNativeTokenInfo(); +} + +bool FuzzDoCallback(const uint8_t* data, size_t size) +{ + NativeTokenSet("device_manager"); + StubDevAuthCb *remoteObj = new(std::nothrow) StubDevAuthCb(); + if (remoteObj == nullptr) { + return false; + } + sptr remoteSptr = remoteObj; + MessageParcel datas; + datas.WriteInterfaceToken(DEV_AUTH_CB_INTERFACE_TOKEN); + datas.WriteInt32(0); + datas.WritePointer(0x0); + datas.RewindRead(0); + MessageParcel reply; + MessageOption option; + (void)remoteObj->OnRemoteRequest(1, datas, reply, option); + return true; +} +} + +/* Fuzzer entry point */ +extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) +{ + /* Run your code on data */ + OHOS::FuzzDoCallback(data, size); + return 0; +} + diff --git a/test/fuzztest/devauthcb_fuzzer/devauthcb_fuzzer.h b/test/fuzztest/devauthcb_fuzzer/devauthcb_fuzzer.h new file mode 100644 index 0000000000000000000000000000000000000000..ca6452916b82375871e26fef4a5f347919471389 --- /dev/null +++ b/test/fuzztest/devauthcb_fuzzer/devauthcb_fuzzer.h @@ -0,0 +1,24 @@ +/* + * Copyright (c) 2023 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef DEV_AUTH_CALLBACK_FUZZER_H +#define DEV_AUTH_CALLBACK_FUZZER_H + +#include +#include +#include + +#define FUZZ_PROJECT_NAME "devauthcb_fuzzer" +#endif \ No newline at end of file diff --git a/test/fuzztest/devauthcb_fuzzer/project.xml b/test/fuzztest/devauthcb_fuzzer/project.xml new file mode 100644 index 0000000000000000000000000000000000000000..8f76ede824edd110462d647a80222b062ce52144 --- /dev/null +++ b/test/fuzztest/devauthcb_fuzzer/project.xml @@ -0,0 +1,25 @@ + + + + + + 1000 + + 10 + + 4096 + +