From a7c7017454125ff370d6b76761ebf981817a0ec9 Mon Sep 17 00:00:00 2001 From: h30071384 Date: Wed, 3 Sep 2025 16:57:05 +0800 Subject: [PATCH] ufs_fuzz_part2 Signed-off-by: h30071384 --- test/fuzztest/BUILD.gn | 7 +- .../BUILD.gn | 6 +- .../corpus/init | 0 .../fileaccessextaccess_fuzzer.cpp | 117 ++++++++ .../fileaccessextaccess_fuzzer.h} | 6 +- .../project.xml | 0 .../fileaccessextconnection_fuzzer.cpp | 22 -- .../fileaccessextcopy_fuzzer/BUILD.gn | 68 +++++ .../fileaccessextcopy_fuzzer/corpus/init | 16 ++ .../fileaccessextcopy_fuzzer.cpp} | 258 +----------------- .../fileaccessextcopy_fuzzer.h | 21 ++ .../fileaccessextcopy_fuzzer/project.xml | 25 ++ .../fileaccessextcopyfile_fuzzer/BUILD.gn | 68 +++++ .../fileaccessextcopyfile_fuzzer/corpus/init | 16 ++ .../fileaccessextcopyfile_fuzzer.cpp | 120 ++++++++ .../fileaccessextcopyfile_fuzzer.h | 21 ++ .../fileaccessextcopyfile_fuzzer/project.xml | 25 ++ .../fileaccessextcreatefile_fuzzer/BUILD.gn | 68 +++++ .../corpus/init | 16 ++ .../fileaccessextcreatefile_fuzzer.cpp | 119 ++++++++ .../fileaccessextcreatefile_fuzzer.h | 21 ++ .../project.xml | 25 ++ .../fileaccessextdelete_fuzzer/BUILD.gn | 68 +++++ .../fileaccessextdelete_fuzzer/corpus/init | 16 ++ .../fileaccessextdelete_fuzzer.cpp | 116 ++++++++ .../fileaccessextdelete_fuzzer.h | 21 ++ .../fileaccessextdelete_fuzzer/project.xml | 25 ++ .../fileaccessextgetfileinfo_fuzzer/BUILD.gn | 68 +++++ .../corpus/init | 16 ++ .../fileaccessextgetfileinfo_fuzzer.cpp | 117 ++++++++ .../fileaccessextgetfileinfo_fuzzer.h | 21 ++ .../project.xml | 25 ++ 32 files changed, 1252 insertions(+), 286 deletions(-) rename test/fuzztest/{fileaccessextbaseproxy_fuzzer => fileaccessextaccess_fuzzer}/BUILD.gn (93%) rename test/fuzztest/{fileaccessextbaseproxy_fuzzer => fileaccessextaccess_fuzzer}/corpus/init (100%) create mode 100644 test/fuzztest/fileaccessextaccess_fuzzer/fileaccessextaccess_fuzzer.cpp rename test/fuzztest/{fileaccessextbaseproxy_fuzzer/fileaccessextbaseproxy_fuzzer.h => fileaccessextaccess_fuzzer/fileaccessextaccess_fuzzer.h} (81%) rename test/fuzztest/{fileaccessextbaseproxy_fuzzer => fileaccessextaccess_fuzzer}/project.xml (100%) create mode 100644 test/fuzztest/fileaccessextcopy_fuzzer/BUILD.gn create mode 100644 test/fuzztest/fileaccessextcopy_fuzzer/corpus/init rename test/fuzztest/{fileaccessextbaseproxy_fuzzer/fileaccessextbaseproxy_fuzzer.cpp => fileaccessextcopy_fuzzer/fileaccessextcopy_fuzzer.cpp} (30%) create mode 100644 test/fuzztest/fileaccessextcopy_fuzzer/fileaccessextcopy_fuzzer.h create mode 100644 test/fuzztest/fileaccessextcopy_fuzzer/project.xml create mode 100644 test/fuzztest/fileaccessextcopyfile_fuzzer/BUILD.gn create mode 100644 test/fuzztest/fileaccessextcopyfile_fuzzer/corpus/init create mode 100644 test/fuzztest/fileaccessextcopyfile_fuzzer/fileaccessextcopyfile_fuzzer.cpp create mode 100644 test/fuzztest/fileaccessextcopyfile_fuzzer/fileaccessextcopyfile_fuzzer.h create mode 100644 test/fuzztest/fileaccessextcopyfile_fuzzer/project.xml create mode 100644 test/fuzztest/fileaccessextcreatefile_fuzzer/BUILD.gn create mode 100644 test/fuzztest/fileaccessextcreatefile_fuzzer/corpus/init create mode 100644 test/fuzztest/fileaccessextcreatefile_fuzzer/fileaccessextcreatefile_fuzzer.cpp create mode 100644 test/fuzztest/fileaccessextcreatefile_fuzzer/fileaccessextcreatefile_fuzzer.h create mode 100644 test/fuzztest/fileaccessextcreatefile_fuzzer/project.xml create mode 100644 test/fuzztest/fileaccessextdelete_fuzzer/BUILD.gn create mode 100644 test/fuzztest/fileaccessextdelete_fuzzer/corpus/init create mode 100644 test/fuzztest/fileaccessextdelete_fuzzer/fileaccessextdelete_fuzzer.cpp create mode 100644 test/fuzztest/fileaccessextdelete_fuzzer/fileaccessextdelete_fuzzer.h create mode 100644 test/fuzztest/fileaccessextdelete_fuzzer/project.xml create mode 100644 test/fuzztest/fileaccessextgetfileinfo_fuzzer/BUILD.gn create mode 100644 test/fuzztest/fileaccessextgetfileinfo_fuzzer/corpus/init create mode 100644 test/fuzztest/fileaccessextgetfileinfo_fuzzer/fileaccessextgetfileinfo_fuzzer.cpp create mode 100644 test/fuzztest/fileaccessextgetfileinfo_fuzzer/fileaccessextgetfileinfo_fuzzer.h create mode 100644 test/fuzztest/fileaccessextgetfileinfo_fuzzer/project.xml diff --git a/test/fuzztest/BUILD.gn b/test/fuzztest/BUILD.gn index 9abe65a2..e74dabdd 100644 --- a/test/fuzztest/BUILD.gn +++ b/test/fuzztest/BUILD.gn @@ -28,7 +28,12 @@ group("user_file_service_fuzz_test") { "externalfileaccessopenfile_fuzzer:ExternalFileAccessOpenFileFuzzTest", "externalfileaccessrename_fuzzer:ExternalFileAccessRenameFuzzTest", "externalfileaccessscanfile_fuzzer:ExternalFileAccessScanFileFuzzTest", - "fileaccessextbaseproxy_fuzzer:FileAccessExtBaseProxyFuzzTest", + "fileaccessextcreatefile_fuzzer:FileAccessExtCreateFileFuzzTest", + "fileaccessextdelete_fuzzer:FileAccessExtDeleteFuzzTest", + "fileaccessextcopy_fuzzer:FileAccessExtCopyFuzzTest", + "fileaccessextcopyfile_fuzzer:FileAccessExtCopyFileFuzzTest", + "fileaccessextgetfileinfo_fuzzer:FileAccessExtGetFileInfoFuzzTest", + "fileaccessextaccess_fuzzer:FileAccessExtAccessFuzzTest", "fileaccessextconnection_fuzzer:FileAccessExtConnectionFuzzTest", "fileaccessservicebaseproxy_fuzzer:FileAccessServiceBaseProxyFuzzTest", "fileinfosharedmemory_fuzzer:FileInfoSharedMemoryFuzzTest", diff --git a/test/fuzztest/fileaccessextbaseproxy_fuzzer/BUILD.gn b/test/fuzztest/fileaccessextaccess_fuzzer/BUILD.gn similarity index 93% rename from test/fuzztest/fileaccessextbaseproxy_fuzzer/BUILD.gn rename to test/fuzztest/fileaccessextaccess_fuzzer/BUILD.gn index efdebe29..5560bf9a 100644 --- a/test/fuzztest/fileaccessextbaseproxy_fuzzer/BUILD.gn +++ b/test/fuzztest/fileaccessextaccess_fuzzer/BUILD.gn @@ -15,10 +15,10 @@ import("//build/config/features.gni") import("//build/test.gni") import("//foundation/filemanagement/user_file_service/filemanagement_aafwk.gni") -ohos_fuzztest("FileAccessExtBaseProxyFuzzTest") { +ohos_fuzztest("FileAccessExtAccessFuzzTest") { module_out_path = "user_file_service/user_file_service" fuzz_config_file = - "${user_file_service_path}/test/fuzztest/fileaccessextbaseproxy_fuzzer" + "${user_file_service_path}/test/fuzztest/fileaccessextaccess_fuzzer" include_dirs = [ "${user_file_service_path}/interfaces/inner_api/file_access/include", "${user_file_service_path}/test/fuzztest/privacy_comm/include", @@ -31,7 +31,7 @@ ohos_fuzztest("FileAccessExtBaseProxyFuzzTest") { "-fno-omit-frame-pointer", ] sources = [ - "fileaccessextbaseproxy_fuzzer.cpp", + "fileaccessextaccess_fuzzer.cpp", "${user_file_service_path}/test/fuzztest/privacy_comm/src/user_file_service_token_mock.cpp" ] diff --git a/test/fuzztest/fileaccessextbaseproxy_fuzzer/corpus/init b/test/fuzztest/fileaccessextaccess_fuzzer/corpus/init similarity index 100% rename from test/fuzztest/fileaccessextbaseproxy_fuzzer/corpus/init rename to test/fuzztest/fileaccessextaccess_fuzzer/corpus/init diff --git a/test/fuzztest/fileaccessextaccess_fuzzer/fileaccessextaccess_fuzzer.cpp b/test/fuzztest/fileaccessextaccess_fuzzer/fileaccessextaccess_fuzzer.cpp new file mode 100644 index 00000000..27180862 --- /dev/null +++ b/test/fuzztest/fileaccessextaccess_fuzzer/fileaccessextaccess_fuzzer.cpp @@ -0,0 +1,117 @@ +/* + * Copyright (c) 2025 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#include "fileaccessextaccess_fuzzer.h" + +#include +#include + +#include "accesstoken_kit.h" +#include "file_access_helper.h" +#include "file_access_ext_base_proxy.h" +#include "file_info_shared_memory.h" +#include "iservice_registry.h" +#include "token_setproc.h" +#include "nativetoken_kit.h" + +#include "user_file_service_token_mock.h" + +namespace OHOS { +using namespace std; +using namespace FileAccessFwk; + +const int ABILITY_ID = 5003; +shared_ptr g_fah = nullptr; +const int UID_TRANSFORM_TMP = 20000000; +const int UID_DEFAULT = 0; + +template +T TypeCast(const uint8_t *data, int *pos = nullptr) +{ + if (pos) { + *pos += sizeof(T); + } + return *(reinterpret_cast(data)); +} + +shared_ptr GetFileAccessHelper() +{ + if (g_fah != nullptr) { + return g_fah; + } + auto saManager = SystemAbilityManagerClient::GetInstance().GetSystemAbilityManager(); + if (saManager == nullptr) { + return nullptr; + } + auto remoteObj = saManager->GetSystemAbility(ABILITY_ID); + AAFwk::Want want; + vector wantVec; + setuid(UID_TRANSFORM_TMP); + int ret = FileAccessHelper::GetRegisteredFileAccessExtAbilityInfo(wantVec); + if (ret != OHOS::FileAccessFwk::ERR_OK) { + printf("GetRegisteredFileAccessExtAbilityInfo failed."); + return nullptr; + } + bool sus = false; + for (size_t i = 0; i < wantVec.size(); i++) { + auto element = wantVec[i].GetElement(); + if (element.GetBundleName() == "com.ohos.UserFile.ExternalFileManager" && + element.GetAbilityName() == "FileExtensionAbility") { + want = wantVec[i]; + sus = true; + break; + } + } + if (!sus) { + printf("not found bundleName."); + return nullptr; + } + vector wants {want}; + g_fah = FileAccessHelper::Creator(remoteObj, wants); + setuid(UID_DEFAULT); + if (g_fah == nullptr) { + printf("creator fileAccessHelper return nullptr."); + return nullptr; + } + return g_fah; +} + +bool AccessFuzzTest(sptr proxy, const uint8_t *data, size_t size) +{ + Urie uri(string(reinterpret_cast(data), size)); + bool isExist = false; + proxy->Access(uri, isExist); + return true; +} +} // namespace OHOS + +/* Fuzzer entry point */ +extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) +{ + OHOS::UserFileServiceTokenMock tokenMock; + tokenMock.SetFileManagerToken(); + auto helper = OHOS::GetFileAccessHelper(); + if (helper == nullptr) { + printf("helper is nullptr."); + return false; + } + auto proxy = helper->GetProxyByBundleName(OHOS::EXTERNAL_BNUDLE_NAME); + if (proxy == nullptr) { + printf("get proxy failed."); + return 0; + } + + OHOS::AccessFuzzTest(proxy, data, size); + return 0; +} diff --git a/test/fuzztest/fileaccessextbaseproxy_fuzzer/fileaccessextbaseproxy_fuzzer.h b/test/fuzztest/fileaccessextaccess_fuzzer/fileaccessextaccess_fuzzer.h similarity index 81% rename from test/fuzztest/fileaccessextbaseproxy_fuzzer/fileaccessextbaseproxy_fuzzer.h rename to test/fuzztest/fileaccessextaccess_fuzzer/fileaccessextaccess_fuzzer.h index 5be5cb28..741eb720 100644 --- a/test/fuzztest/fileaccessextbaseproxy_fuzzer/fileaccessextbaseproxy_fuzzer.h +++ b/test/fuzztest/fileaccessextaccess_fuzzer/fileaccessextaccess_fuzzer.h @@ -13,9 +13,9 @@ * limitations under the License. */ -#ifndef FILE_ACCESS_EXTBASEPROXY_FUZZER_H -#define FILE_ACCESS_EXTBASEPROXY_FUZZER_H +#ifndef FILE_ACCESS_EXTACCESS_FUZZER_H +#define FILE_ACCESS_EXTACCESS_FUZZER_H -#define FUZZ_PROJECT_NAME "fileaccessextbaseproxy_fuzzer" +#define FUZZ_PROJECT_NAME "fileaccessextaccesss_fuzzer" #endif \ No newline at end of file diff --git a/test/fuzztest/fileaccessextbaseproxy_fuzzer/project.xml b/test/fuzztest/fileaccessextaccess_fuzzer/project.xml similarity index 100% rename from test/fuzztest/fileaccessextbaseproxy_fuzzer/project.xml rename to test/fuzztest/fileaccessextaccess_fuzzer/project.xml diff --git a/test/fuzztest/fileaccessextconnection_fuzzer/fileaccessextconnection_fuzzer.cpp b/test/fuzztest/fileaccessextconnection_fuzzer/fileaccessextconnection_fuzzer.cpp index dd12d675..36a49852 100644 --- a/test/fuzztest/fileaccessextconnection_fuzzer/fileaccessextconnection_fuzzer.cpp +++ b/test/fuzztest/fileaccessextconnection_fuzzer/fileaccessextconnection_fuzzer.cpp @@ -43,18 +43,6 @@ bool OnAbilityDisconnectDoneFuzzTest(sptr conn, const u return true; } -bool IsExtAbilityConnectedFuzzTest(sptr conn) -{ - conn->IsExtAbilityConnected(); - return true; -} - -bool GetFileExtProxyFuzzTest(sptr conn) -{ - conn->GetFileExtProxy(); - return true; -} - bool ConnectFileExtAbility(sptr conn, const uint8_t *data, size_t size) { int len = size >> 1; @@ -65,12 +53,6 @@ bool ConnectFileExtAbility(sptr conn, const uint8_t *da conn->ConnectFileExtAbility(want, remoteObject); return true; } - -bool DisconnectFileExtAbility(sptr conn) -{ - conn->DisconnectFileExtAbility(); - return true; -} } // namespace OHOS /* Fuzzer entry point */ @@ -83,10 +65,6 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) OHOS::OnAbilityConnectDoneFuzzTest(conn, data, size); OHOS::OnAbilityDisconnectDoneFuzzTest(conn, data, size); - OHOS::IsExtAbilityConnectedFuzzTest(conn); - OHOS::GetFileExtProxyFuzzTest(conn); OHOS::ConnectFileExtAbility(conn, data, size); - OHOS::DisconnectFileExtAbility(conn); - return 0; } diff --git a/test/fuzztest/fileaccessextcopy_fuzzer/BUILD.gn b/test/fuzztest/fileaccessextcopy_fuzzer/BUILD.gn new file mode 100644 index 00000000..a40118a9 --- /dev/null +++ b/test/fuzztest/fileaccessextcopy_fuzzer/BUILD.gn @@ -0,0 +1,68 @@ +# Copyright (c) 2025 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#####################hydra-fuzz################### +import("//build/config/features.gni") +import("//build/test.gni") +import("//foundation/filemanagement/user_file_service/filemanagement_aafwk.gni") +ohos_fuzztest("FileAccessExtCopyFuzzTest") { + module_out_path = "user_file_service/user_file_service" + fuzz_config_file = + "${user_file_service_path}/test/fuzztest/fileaccessextcopy_fuzzer" + include_dirs = [ + "${user_file_service_path}/interfaces/inner_api/file_access/include", + "${user_file_service_path}/test/fuzztest/privacy_comm/include", + "${user_file_service_path}/utils", + ] + cflags = [ + "-g", + "-O0", + "-Wno-unused-variable", + "-fno-omit-frame-pointer", + ] + sources = [ + "fileaccessextcopy_fuzzer.cpp", + "${user_file_service_path}/test/fuzztest/privacy_comm/src/user_file_service_token_mock.cpp" + ] + + deps = [ + "${user_file_service_path}/interfaces/inner_api/file_access:file_access_ext_base_include", + "${user_file_service_path}/interfaces/inner_api/file_access:file_access_extension_ability_kit", + "${user_file_service_path}/services:file_access_service", + "${user_file_service_path}/services:file_access_service_base_include", + ] + + external_deps = [ + "ability_base:want", + "ability_base:zuri", + "ability_runtime:ability_context_native", + "ability_runtime:ability_manager", + "ability_runtime:app_manager", + "ability_runtime:runtime", + "ability_runtime:wantagent_innerkits", + "access_token:libaccesstoken_sdk", + "access_token:libnativetoken", + "access_token:libtoken_setproc", + "bundle_framework:appexecfwk_core", + "cJSON:cjson_static", + "c_utils:utils", + "hilog:libhilog", + "hitrace:hitrace_meter", + "ipc:ipc_core", + "safwk:system_ability_fwk", + "samgr:samgr_proxy", + "selinux_adapter:librestorecon", + ] + + defines = [ "private=public" ] +} diff --git a/test/fuzztest/fileaccessextcopy_fuzzer/corpus/init b/test/fuzztest/fileaccessextcopy_fuzzer/corpus/init new file mode 100644 index 00000000..7ade8a0f --- /dev/null +++ b/test/fuzztest/fileaccessextcopy_fuzzer/corpus/init @@ -0,0 +1,16 @@ +/* + * Copyright (c) 2025 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +FUZZ \ No newline at end of file diff --git a/test/fuzztest/fileaccessextbaseproxy_fuzzer/fileaccessextbaseproxy_fuzzer.cpp b/test/fuzztest/fileaccessextcopy_fuzzer/fileaccessextcopy_fuzzer.cpp similarity index 30% rename from test/fuzztest/fileaccessextbaseproxy_fuzzer/fileaccessextbaseproxy_fuzzer.cpp rename to test/fuzztest/fileaccessextcopy_fuzzer/fileaccessextcopy_fuzzer.cpp index 58e66d32..ab945c48 100644 --- a/test/fuzztest/fileaccessextbaseproxy_fuzzer/fileaccessextbaseproxy_fuzzer.cpp +++ b/test/fuzztest/fileaccessextcopy_fuzzer/fileaccessextcopy_fuzzer.cpp @@ -12,7 +12,7 @@ * See the License for the specific language governing permissions and * limitations under the License. */ -#include "fileaccessextbaseproxy_fuzzer.h" +#include "fileaccessextcopy_fuzzer.h" #include #include @@ -87,57 +87,6 @@ shared_ptr GetFileAccessHelper() return g_fah; } -bool OpenFileFuzzTest(sptr proxy, const uint8_t *data, size_t size) -{ - if (data == nullptr || size < sizeof(int32_t) + sizeof(int)) { - return true; - } - - int pos = 0; - int32_t flags = TypeCast(data, &pos); - int fd = TypeCast(data + pos, &pos); - Urie uri(string(reinterpret_cast(data + pos), size - sizeof(int32_t) - sizeof(int))); - proxy->OpenFile(uri, flags, fd); - return true; -} - -bool CreateFileFuzzTest(sptr proxy, const uint8_t *data, size_t size) -{ - int len = size / 3; - Urie parent(string(reinterpret_cast(data), len)); - string displayName(string(reinterpret_cast(data + len), len)); - Urie newFile(string(reinterpret_cast(data + len + len), len)); - proxy->CreateFile(parent, displayName, newFile); - return true; -} - -bool MkdirFuzzTest(sptr proxy, const uint8_t *data, size_t size) -{ - int len = size / 3; - Urie parent(string(reinterpret_cast(data), len)); - string displayName(string(reinterpret_cast(data + len), len)); - Urie newFile(string(reinterpret_cast(data + len + len), len)); - proxy->Mkdir(parent, displayName, newFile); - return true; -} - -bool DeleteFuzzTest(sptr proxy, const uint8_t *data, size_t size) -{ - Urie sourceFile(string(reinterpret_cast(data), size)); - proxy->Delete(sourceFile); - return true; -} - -bool MoveFuzzTest(sptr proxy, const uint8_t *data, size_t size) -{ - int len = size / 3; - Urie sourceFile(string(reinterpret_cast(data), len)); - string targetParent(string(reinterpret_cast(data + len), len)); - Urie newFile(string(reinterpret_cast(data + len + len), len)); - proxy->Move(sourceFile, targetParent, newFile); - return true; -} - bool CopyFuzzTest(sptr proxy, const uint8_t *data, size_t size) { if (data == nullptr || size < sizeof(bool)) { @@ -155,192 +104,6 @@ bool CopyFuzzTest(sptr proxy, const uint8_t *data, size_t si proxy->Copy(sourceUri, destUri, copyResult, retCode, force); return true; } - -bool CopyFileFuzzTest(sptr proxy, const uint8_t *data, size_t size) -{ - int len = size / 3; - Urie sourceUri(string(reinterpret_cast(data), len)); - Urie destUri(string(reinterpret_cast(data + len), len)); - string fileName(string(reinterpret_cast(data + len + len), len)); - Urie newFileUri; - proxy->CopyFile(sourceUri, destUri, fileName, newFileUri); - return true; -} - -bool RenameFuzzTest(sptr proxy, const uint8_t *data, size_t size) -{ - int len = size / 2; - Urie sourceFile(string(reinterpret_cast(data), len)); - string displayName(string(reinterpret_cast(data + len), len)); - Urie newFile; - proxy->Rename(sourceFile, displayName, newFile); - return true; -} - -bool ListFileFuzzTest(sptr proxy, const uint8_t *data, size_t size) -{ - if (data == nullptr || size < sizeof(int64_t)) { - return true; - } - - int pos = 0; - int64_t offset = TypeCast(data, &pos); - - FileInfo fileInfo; - fileInfo.uri = std::string(reinterpret_cast(data + pos), size - pos); - SharedMemoryInfo memInfo; - int result = SharedMemoryOperation::CreateSharedMemory("FileInfo List", DEFAULT_CAPACITY_200KB, memInfo); - if (result != OHOS::FileAccessFwk::ERR_OK) { - printf("CreateSharedMemory failed. ret : %d", result); - return false; - } - FileFilter filter; - proxy->ListFile(fileInfo, offset, filter, memInfo); - SharedMemoryOperation::DestroySharedMemory(memInfo); - return true; -} - -bool ScanFileFuzzTest(sptr proxy, const uint8_t *data, size_t size) -{ - if (data == nullptr || size < sizeof(int64_t) + sizeof(int64_t)) { - return true; - } - - int pos = 0; - int64_t offset = TypeCast(data, &pos); - int64_t maxCount = TypeCast(data + pos, &pos); - - FileInfo fileInfo; - fileInfo.uri = std::string(reinterpret_cast(data + pos), size - pos); - std::vector fileInfoVec; - FileFilter filter; - proxy->ScanFile(fileInfo, offset, maxCount, filter, fileInfoVec); - return true; -} - -bool QueryFuzzTest(sptr proxy, const uint8_t *data, size_t size) -{ - int len = size / 4; - Urie uri(string(reinterpret_cast(data), len)); - vector columns { - string(reinterpret_cast(data + len), len), - string(reinterpret_cast(data + len + len), len), - string(reinterpret_cast(data + len + len + len), len) - }; - vector results; - proxy->Query(uri, columns, results); - return true; -} - -bool GetFileInfoFromUriFuzzTest(sptr proxy, const uint8_t *data, size_t size) -{ - Urie selectFile(string(reinterpret_cast(data), size)); - FileInfo fileInfo; - proxy->GetFileInfoFromUri(selectFile, fileInfo); - return true; -} - -bool GetRootsFuzzTest(sptr proxy, const uint8_t *data, size_t size) -{ - (void)data; - vector rootInfoVec; - proxy->GetRoots(rootInfoVec); - return true; -} - -bool AccessFuzzTest(sptr proxy, const uint8_t *data, size_t size) -{ - Urie uri(string(reinterpret_cast(data), size)); - bool isExist = false; - proxy->Access(uri, isExist); - return true; -} - -bool StartWatcherFuzzTest(sptr proxy, const uint8_t *data, size_t size) -{ - Urie uri(string(reinterpret_cast(data), size)); - proxy->StartWatcher(uri); - return true; -} - -bool StopWatcherFuzzTest(sptr proxy, const uint8_t *data, size_t size) -{ - Urie uri(string(reinterpret_cast(data), size)); - proxy->StopWatcher(uri); - return true; -} - -bool MoveItemFuzzTest(sptr proxy, const uint8_t *data, size_t size) -{ - if (data == nullptr || size < sizeof(bool)) { - return true; - } - - vector moveResult; - int32_t retCode = 0; - int pos = 0; - bool force = TypeCast(data, &pos); - int len = (size - pos) / 2; - Urie sourceFile(string(reinterpret_cast(data + pos), len)); - Urie targetParent(string(reinterpret_cast(data + pos + len), len)); - - proxy->MoveItem(sourceFile, targetParent, moveResult, retCode, force); - return true; -} - -bool MoveFileFuzzTest(sptr proxy, const uint8_t *data, size_t size) -{ - int len = size / 3; - Urie sourceFile(string(reinterpret_cast(data), len)); - Urie targetParent(string(reinterpret_cast(data + len), len)); - string fileName(string(reinterpret_cast(data + len + len), len)); - Urie newFile; - proxy->MoveFile(sourceFile, targetParent, fileName, newFile); - return true; -} - -bool UrieFuzzTest(const uint8_t *data, size_t size) -{ - int len = size / 2; - Urie uri(string(reinterpret_cast(data), len)); - Urie other(string(reinterpret_cast(data + len), len)); - - uri.uriString_ = string(reinterpret_cast(data), len); - uri.GetScheme(); - uri.GetSchemeSpecificPart(); - uri.GetAuthority(); - uri.GetHost(); - uri.GetPort(); - uri.GetUserInfo(); - uri.GetQuery(); - uri.GetPath(); - uri.GetFragment(); - uri.IsHierarchical(); - uri.IsAbsolute(); - uri.IsRelative(); - uri.ToString(); - uri.CheckScheme(); - uri.ParseScheme(); - uri.ParseSsp(); - uri.ParseAuthority(); - uri.ParseUserInfo(); - uri.ParseHost(); - uri.ParsePort(); - uri.ParsePath(); - uri.ParsePath(NOT_FOUND); - uri.ParseQuery(); - uri.ParseFragment(); - uri.FindSchemeSeparator(); - uri.FindFragmentSeparator(); - uri.Equals(other); - uri.CompareTo(other); - vector segments; - uri.GetPathSegments(segments); - Parcel parcel; - uri.Marshalling(parcel); - uri.Unmarshalling(parcel); - return (uri == other); -} } // namespace OHOS /* Fuzzer entry point */ @@ -359,25 +122,6 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) return 0; } - OHOS::OpenFileFuzzTest(proxy, data, size); - OHOS::CreateFileFuzzTest(proxy, data, size); - OHOS::MkdirFuzzTest(proxy, data, size); - OHOS::DeleteFuzzTest(proxy, data, size); - OHOS::MoveFuzzTest(proxy, data, size); OHOS::CopyFuzzTest(proxy, data, size); - OHOS::CopyFileFuzzTest(proxy, data, size); - OHOS::RenameFuzzTest(proxy, data, size); - OHOS::ListFileFuzzTest(proxy, data, size); - OHOS::ScanFileFuzzTest(proxy, data, size); - OHOS::QueryFuzzTest(proxy, data, size); - OHOS::GetFileInfoFromUriFuzzTest(proxy, data, size); - OHOS::GetRootsFuzzTest(proxy, data, size); - OHOS::AccessFuzzTest(proxy, data, size); - OHOS::StartWatcherFuzzTest(proxy, data, size); - OHOS::StopWatcherFuzzTest(proxy, data, size); - OHOS::MoveItemFuzzTest(proxy, data, size); - OHOS::MoveFileFuzzTest(proxy, data, size); - - OHOS::UrieFuzzTest(data, size); return 0; } diff --git a/test/fuzztest/fileaccessextcopy_fuzzer/fileaccessextcopy_fuzzer.h b/test/fuzztest/fileaccessextcopy_fuzzer/fileaccessextcopy_fuzzer.h new file mode 100644 index 00000000..e22bf146 --- /dev/null +++ b/test/fuzztest/fileaccessextcopy_fuzzer/fileaccessextcopy_fuzzer.h @@ -0,0 +1,21 @@ +/* + * Copyright (c) 2025 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef FILE_ACCESS_EXTCOPY_FUZZER_H +#define FILE_ACCESS_EXTCOPY_FUZZER_H + +#define FUZZ_PROJECT_NAME "fileaccessextcopy_fuzzer" + +#endif \ No newline at end of file diff --git a/test/fuzztest/fileaccessextcopy_fuzzer/project.xml b/test/fuzztest/fileaccessextcopy_fuzzer/project.xml new file mode 100644 index 00000000..8cd95817 --- /dev/null +++ b/test/fuzztest/fileaccessextcopy_fuzzer/project.xml @@ -0,0 +1,25 @@ + + + + + + 1000 + + 300 + + 4096 + + diff --git a/test/fuzztest/fileaccessextcopyfile_fuzzer/BUILD.gn b/test/fuzztest/fileaccessextcopyfile_fuzzer/BUILD.gn new file mode 100644 index 00000000..c6d58e1a --- /dev/null +++ b/test/fuzztest/fileaccessextcopyfile_fuzzer/BUILD.gn @@ -0,0 +1,68 @@ +# Copyright (c) 2025 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#####################hydra-fuzz################### +import("//build/config/features.gni") +import("//build/test.gni") +import("//foundation/filemanagement/user_file_service/filemanagement_aafwk.gni") +ohos_fuzztest("FileAccessExtCopyFileFuzzTest") { + module_out_path = "user_file_service/user_file_service" + fuzz_config_file = + "${user_file_service_path}/test/fuzztest/fileaccessextcopyfile_fuzzer" + include_dirs = [ + "${user_file_service_path}/interfaces/inner_api/file_access/include", + "${user_file_service_path}/test/fuzztest/privacy_comm/include", + "${user_file_service_path}/utils", + ] + cflags = [ + "-g", + "-O0", + "-Wno-unused-variable", + "-fno-omit-frame-pointer", + ] + sources = [ + "fileaccessextcopyfile_fuzzer.cpp", + "${user_file_service_path}/test/fuzztest/privacy_comm/src/user_file_service_token_mock.cpp" + ] + + deps = [ + "${user_file_service_path}/interfaces/inner_api/file_access:file_access_ext_base_include", + "${user_file_service_path}/interfaces/inner_api/file_access:file_access_extension_ability_kit", + "${user_file_service_path}/services:file_access_service", + "${user_file_service_path}/services:file_access_service_base_include", + ] + + external_deps = [ + "ability_base:want", + "ability_base:zuri", + "ability_runtime:ability_context_native", + "ability_runtime:ability_manager", + "ability_runtime:app_manager", + "ability_runtime:runtime", + "ability_runtime:wantagent_innerkits", + "access_token:libaccesstoken_sdk", + "access_token:libnativetoken", + "access_token:libtoken_setproc", + "bundle_framework:appexecfwk_core", + "cJSON:cjson_static", + "c_utils:utils", + "hilog:libhilog", + "hitrace:hitrace_meter", + "ipc:ipc_core", + "safwk:system_ability_fwk", + "samgr:samgr_proxy", + "selinux_adapter:librestorecon", + ] + + defines = [ "private=public" ] +} diff --git a/test/fuzztest/fileaccessextcopyfile_fuzzer/corpus/init b/test/fuzztest/fileaccessextcopyfile_fuzzer/corpus/init new file mode 100644 index 00000000..7ade8a0f --- /dev/null +++ b/test/fuzztest/fileaccessextcopyfile_fuzzer/corpus/init @@ -0,0 +1,16 @@ +/* + * Copyright (c) 2025 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +FUZZ \ No newline at end of file diff --git a/test/fuzztest/fileaccessextcopyfile_fuzzer/fileaccessextcopyfile_fuzzer.cpp b/test/fuzztest/fileaccessextcopyfile_fuzzer/fileaccessextcopyfile_fuzzer.cpp new file mode 100644 index 00000000..59537cb6 --- /dev/null +++ b/test/fuzztest/fileaccessextcopyfile_fuzzer/fileaccessextcopyfile_fuzzer.cpp @@ -0,0 +1,120 @@ +/* + * Copyright (c) 2025 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#include "fileaccessextcopyfile_fuzzer.h" + +#include +#include + +#include "accesstoken_kit.h" +#include "file_access_helper.h" +#include "file_access_ext_base_proxy.h" +#include "file_info_shared_memory.h" +#include "iservice_registry.h" +#include "token_setproc.h" +#include "nativetoken_kit.h" + +#include "user_file_service_token_mock.h" + +namespace OHOS { +using namespace std; +using namespace FileAccessFwk; + +const int ABILITY_ID = 5003; +shared_ptr g_fah = nullptr; +const int UID_TRANSFORM_TMP = 20000000; +const int UID_DEFAULT = 0; + +template +T TypeCast(const uint8_t *data, int *pos = nullptr) +{ + if (pos) { + *pos += sizeof(T); + } + return *(reinterpret_cast(data)); +} + +shared_ptr GetFileAccessHelper() +{ + if (g_fah != nullptr) { + return g_fah; + } + auto saManager = SystemAbilityManagerClient::GetInstance().GetSystemAbilityManager(); + if (saManager == nullptr) { + return nullptr; + } + auto remoteObj = saManager->GetSystemAbility(ABILITY_ID); + AAFwk::Want want; + vector wantVec; + setuid(UID_TRANSFORM_TMP); + int ret = FileAccessHelper::GetRegisteredFileAccessExtAbilityInfo(wantVec); + if (ret != OHOS::FileAccessFwk::ERR_OK) { + printf("GetRegisteredFileAccessExtAbilityInfo failed."); + return nullptr; + } + bool sus = false; + for (size_t i = 0; i < wantVec.size(); i++) { + auto element = wantVec[i].GetElement(); + if (element.GetBundleName() == "com.ohos.UserFile.ExternalFileManager" && + element.GetAbilityName() == "FileExtensionAbility") { + want = wantVec[i]; + sus = true; + break; + } + } + if (!sus) { + printf("not found bundleName."); + return nullptr; + } + vector wants {want}; + g_fah = FileAccessHelper::Creator(remoteObj, wants); + setuid(UID_DEFAULT); + if (g_fah == nullptr) { + printf("creator fileAccessHelper return nullptr."); + return nullptr; + } + return g_fah; +} + +bool CopyFileFuzzTest(sptr proxy, const uint8_t *data, size_t size) +{ + int len = size / 3; + Urie sourceUri(string(reinterpret_cast(data), len)); + Urie destUri(string(reinterpret_cast(data + len), len)); + string fileName(string(reinterpret_cast(data + len + len), len)); + Urie newFileUri; + proxy->CopyFile(sourceUri, destUri, fileName, newFileUri); + return true; +} +} // namespace OHOS + +/* Fuzzer entry point */ +extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) +{ + OHOS::UserFileServiceTokenMock tokenMock; + tokenMock.SetFileManagerToken(); + auto helper = OHOS::GetFileAccessHelper(); + if (helper == nullptr) { + printf("helper is nullptr."); + return false; + } + auto proxy = helper->GetProxyByBundleName(OHOS::EXTERNAL_BNUDLE_NAME); + if (proxy == nullptr) { + printf("get proxy failed."); + return 0; + } + + OHOS::CopyFileFuzzTest(proxy, data, size); + return 0; +} diff --git a/test/fuzztest/fileaccessextcopyfile_fuzzer/fileaccessextcopyfile_fuzzer.h b/test/fuzztest/fileaccessextcopyfile_fuzzer/fileaccessextcopyfile_fuzzer.h new file mode 100644 index 00000000..d9743639 --- /dev/null +++ b/test/fuzztest/fileaccessextcopyfile_fuzzer/fileaccessextcopyfile_fuzzer.h @@ -0,0 +1,21 @@ +/* + * Copyright (c) 2025 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef FILE_ACCESS_EXTCOPYFILE_FUZZER_H +#define FILE_ACCESS_EXTCOPYFILE_FUZZER_H + +#define FUZZ_PROJECT_NAME "fileaccessextcopyfile_fuzzer" + +#endif \ No newline at end of file diff --git a/test/fuzztest/fileaccessextcopyfile_fuzzer/project.xml b/test/fuzztest/fileaccessextcopyfile_fuzzer/project.xml new file mode 100644 index 00000000..8cd95817 --- /dev/null +++ b/test/fuzztest/fileaccessextcopyfile_fuzzer/project.xml @@ -0,0 +1,25 @@ + + + + + + 1000 + + 300 + + 4096 + + diff --git a/test/fuzztest/fileaccessextcreatefile_fuzzer/BUILD.gn b/test/fuzztest/fileaccessextcreatefile_fuzzer/BUILD.gn new file mode 100644 index 00000000..0381bcd9 --- /dev/null +++ b/test/fuzztest/fileaccessextcreatefile_fuzzer/BUILD.gn @@ -0,0 +1,68 @@ +# Copyright (c) 2025 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#####################hydra-fuzz################### +import("//build/config/features.gni") +import("//build/test.gni") +import("//foundation/filemanagement/user_file_service/filemanagement_aafwk.gni") +ohos_fuzztest("FileAccessExtCreateFileFuzzTest") { + module_out_path = "user_file_service/user_file_service" + fuzz_config_file = + "${user_file_service_path}/test/fuzztest/fileaccessextcreatefile_fuzzer" + include_dirs = [ + "${user_file_service_path}/interfaces/inner_api/file_access/include", + "${user_file_service_path}/test/fuzztest/privacy_comm/include", + "${user_file_service_path}/utils", + ] + cflags = [ + "-g", + "-O0", + "-Wno-unused-variable", + "-fno-omit-frame-pointer", + ] + sources = [ + "fileaccessextcreatefile_fuzzer.cpp", + "${user_file_service_path}/test/fuzztest/privacy_comm/src/user_file_service_token_mock.cpp" + ] + + deps = [ + "${user_file_service_path}/interfaces/inner_api/file_access:file_access_ext_base_include", + "${user_file_service_path}/interfaces/inner_api/file_access:file_access_extension_ability_kit", + "${user_file_service_path}/services:file_access_service", + "${user_file_service_path}/services:file_access_service_base_include", + ] + + external_deps = [ + "ability_base:want", + "ability_base:zuri", + "ability_runtime:ability_context_native", + "ability_runtime:ability_manager", + "ability_runtime:app_manager", + "ability_runtime:runtime", + "ability_runtime:wantagent_innerkits", + "access_token:libaccesstoken_sdk", + "access_token:libnativetoken", + "access_token:libtoken_setproc", + "bundle_framework:appexecfwk_core", + "cJSON:cjson_static", + "c_utils:utils", + "hilog:libhilog", + "hitrace:hitrace_meter", + "ipc:ipc_core", + "safwk:system_ability_fwk", + "samgr:samgr_proxy", + "selinux_adapter:librestorecon", + ] + + defines = [ "private=public" ] +} diff --git a/test/fuzztest/fileaccessextcreatefile_fuzzer/corpus/init b/test/fuzztest/fileaccessextcreatefile_fuzzer/corpus/init new file mode 100644 index 00000000..7ade8a0f --- /dev/null +++ b/test/fuzztest/fileaccessextcreatefile_fuzzer/corpus/init @@ -0,0 +1,16 @@ +/* + * Copyright (c) 2025 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +FUZZ \ No newline at end of file diff --git a/test/fuzztest/fileaccessextcreatefile_fuzzer/fileaccessextcreatefile_fuzzer.cpp b/test/fuzztest/fileaccessextcreatefile_fuzzer/fileaccessextcreatefile_fuzzer.cpp new file mode 100644 index 00000000..f6b03ec4 --- /dev/null +++ b/test/fuzztest/fileaccessextcreatefile_fuzzer/fileaccessextcreatefile_fuzzer.cpp @@ -0,0 +1,119 @@ +/* + * Copyright (c) 2025 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#include "fileaccessextcreatefile_fuzzer.h" + +#include +#include + +#include "accesstoken_kit.h" +#include "file_access_helper.h" +#include "file_access_ext_base_proxy.h" +#include "file_info_shared_memory.h" +#include "iservice_registry.h" +#include "token_setproc.h" +#include "nativetoken_kit.h" + +#include "user_file_service_token_mock.h" + +namespace OHOS { +using namespace std; +using namespace FileAccessFwk; + +const int ABILITY_ID = 5003; +shared_ptr g_fah = nullptr; +const int UID_TRANSFORM_TMP = 20000000; +const int UID_DEFAULT = 0; + +template +T TypeCast(const uint8_t *data, int *pos = nullptr) +{ + if (pos) { + *pos += sizeof(T); + } + return *(reinterpret_cast(data)); +} + +shared_ptr GetFileAccessHelper() +{ + if (g_fah != nullptr) { + return g_fah; + } + auto saManager = SystemAbilityManagerClient::GetInstance().GetSystemAbilityManager(); + if (saManager == nullptr) { + return nullptr; + } + auto remoteObj = saManager->GetSystemAbility(ABILITY_ID); + AAFwk::Want want; + vector wantVec; + setuid(UID_TRANSFORM_TMP); + int ret = FileAccessHelper::GetRegisteredFileAccessExtAbilityInfo(wantVec); + if (ret != OHOS::FileAccessFwk::ERR_OK) { + printf("GetRegisteredFileAccessExtAbilityInfo failed."); + return nullptr; + } + bool sus = false; + for (size_t i = 0; i < wantVec.size(); i++) { + auto element = wantVec[i].GetElement(); + if (element.GetBundleName() == "com.ohos.UserFile.ExternalFileManager" && + element.GetAbilityName() == "FileExtensionAbility") { + want = wantVec[i]; + sus = true; + break; + } + } + if (!sus) { + printf("not found bundleName."); + return nullptr; + } + vector wants {want}; + g_fah = FileAccessHelper::Creator(remoteObj, wants); + setuid(UID_DEFAULT); + if (g_fah == nullptr) { + printf("creator fileAccessHelper return nullptr."); + return nullptr; + } + return g_fah; +} + +bool CreateFileFuzzTest(sptr proxy, const uint8_t *data, size_t size) +{ + int len = size / 3; + Urie parent(string(reinterpret_cast(data), len)); + string displayName(string(reinterpret_cast(data + len), len)); + Urie newFile(string(reinterpret_cast(data + len + len), len)); + proxy->CreateFile(parent, displayName, newFile); + return true; +} +} // namespace OHOS + +/* Fuzzer entry point */ +extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) +{ + OHOS::UserFileServiceTokenMock tokenMock; + tokenMock.SetFileManagerToken(); + auto helper = OHOS::GetFileAccessHelper(); + if (helper == nullptr) { + printf("helper is nullptr."); + return false; + } + auto proxy = helper->GetProxyByBundleName(OHOS::EXTERNAL_BNUDLE_NAME); + if (proxy == nullptr) { + printf("get proxy failed."); + return 0; + } + + OHOS::CreateFileFuzzTest(proxy, data, size); + return 0; +} diff --git a/test/fuzztest/fileaccessextcreatefile_fuzzer/fileaccessextcreatefile_fuzzer.h b/test/fuzztest/fileaccessextcreatefile_fuzzer/fileaccessextcreatefile_fuzzer.h new file mode 100644 index 00000000..a3c2a606 --- /dev/null +++ b/test/fuzztest/fileaccessextcreatefile_fuzzer/fileaccessextcreatefile_fuzzer.h @@ -0,0 +1,21 @@ +/* + * Copyright (c) 2025 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef FILE_ACCESS_EXTCREATEFILE_FUZZER_H +#define FILE_ACCESS_EXTCREATEFILE_FUZZER_H + +#define FUZZ_PROJECT_NAME "fileaccessextcreatefile_fuzzer" + +#endif \ No newline at end of file diff --git a/test/fuzztest/fileaccessextcreatefile_fuzzer/project.xml b/test/fuzztest/fileaccessextcreatefile_fuzzer/project.xml new file mode 100644 index 00000000..8cd95817 --- /dev/null +++ b/test/fuzztest/fileaccessextcreatefile_fuzzer/project.xml @@ -0,0 +1,25 @@ + + + + + + 1000 + + 300 + + 4096 + + diff --git a/test/fuzztest/fileaccessextdelete_fuzzer/BUILD.gn b/test/fuzztest/fileaccessextdelete_fuzzer/BUILD.gn new file mode 100644 index 00000000..7014c116 --- /dev/null +++ b/test/fuzztest/fileaccessextdelete_fuzzer/BUILD.gn @@ -0,0 +1,68 @@ +# Copyright (c) 2025 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#####################hydra-fuzz################### +import("//build/config/features.gni") +import("//build/test.gni") +import("//foundation/filemanagement/user_file_service/filemanagement_aafwk.gni") +ohos_fuzztest("FileAccessExtDeleteFuzzTest") { + module_out_path = "user_file_service/user_file_service" + fuzz_config_file = + "${user_file_service_path}/test/fuzztest/fileaccessextdelete_fuzzer" + include_dirs = [ + "${user_file_service_path}/interfaces/inner_api/file_access/include", + "${user_file_service_path}/test/fuzztest/privacy_comm/include", + "${user_file_service_path}/utils", + ] + cflags = [ + "-g", + "-O0", + "-Wno-unused-variable", + "-fno-omit-frame-pointer", + ] + sources = [ + "fileaccessextdelete_fuzzer.cpp", + "${user_file_service_path}/test/fuzztest/privacy_comm/src/user_file_service_token_mock.cpp" + ] + + deps = [ + "${user_file_service_path}/interfaces/inner_api/file_access:file_access_ext_base_include", + "${user_file_service_path}/interfaces/inner_api/file_access:file_access_extension_ability_kit", + "${user_file_service_path}/services:file_access_service", + "${user_file_service_path}/services:file_access_service_base_include", + ] + + external_deps = [ + "ability_base:want", + "ability_base:zuri", + "ability_runtime:ability_context_native", + "ability_runtime:ability_manager", + "ability_runtime:app_manager", + "ability_runtime:runtime", + "ability_runtime:wantagent_innerkits", + "access_token:libaccesstoken_sdk", + "access_token:libnativetoken", + "access_token:libtoken_setproc", + "bundle_framework:appexecfwk_core", + "cJSON:cjson_static", + "c_utils:utils", + "hilog:libhilog", + "hitrace:hitrace_meter", + "ipc:ipc_core", + "safwk:system_ability_fwk", + "samgr:samgr_proxy", + "selinux_adapter:librestorecon", + ] + + defines = [ "private=public" ] +} diff --git a/test/fuzztest/fileaccessextdelete_fuzzer/corpus/init b/test/fuzztest/fileaccessextdelete_fuzzer/corpus/init new file mode 100644 index 00000000..7ade8a0f --- /dev/null +++ b/test/fuzztest/fileaccessextdelete_fuzzer/corpus/init @@ -0,0 +1,16 @@ +/* + * Copyright (c) 2025 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +FUZZ \ No newline at end of file diff --git a/test/fuzztest/fileaccessextdelete_fuzzer/fileaccessextdelete_fuzzer.cpp b/test/fuzztest/fileaccessextdelete_fuzzer/fileaccessextdelete_fuzzer.cpp new file mode 100644 index 00000000..17caee1e --- /dev/null +++ b/test/fuzztest/fileaccessextdelete_fuzzer/fileaccessextdelete_fuzzer.cpp @@ -0,0 +1,116 @@ +/* + * Copyright (c) 2025 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#include "fileaccessextdelete_fuzzer.h" + +#include +#include + +#include "accesstoken_kit.h" +#include "file_access_helper.h" +#include "file_access_ext_base_proxy.h" +#include "file_info_shared_memory.h" +#include "iservice_registry.h" +#include "token_setproc.h" +#include "nativetoken_kit.h" + +#include "user_file_service_token_mock.h" + +namespace OHOS { +using namespace std; +using namespace FileAccessFwk; + +const int ABILITY_ID = 5003; +shared_ptr g_fah = nullptr; +const int UID_TRANSFORM_TMP = 20000000; +const int UID_DEFAULT = 0; + +template +T TypeCast(const uint8_t *data, int *pos = nullptr) +{ + if (pos) { + *pos += sizeof(T); + } + return *(reinterpret_cast(data)); +} + +shared_ptr GetFileAccessHelper() +{ + if (g_fah != nullptr) { + return g_fah; + } + auto saManager = SystemAbilityManagerClient::GetInstance().GetSystemAbilityManager(); + if (saManager == nullptr) { + return nullptr; + } + auto remoteObj = saManager->GetSystemAbility(ABILITY_ID); + AAFwk::Want want; + vector wantVec; + setuid(UID_TRANSFORM_TMP); + int ret = FileAccessHelper::GetRegisteredFileAccessExtAbilityInfo(wantVec); + if (ret != OHOS::FileAccessFwk::ERR_OK) { + printf("GetRegisteredFileAccessExtAbilityInfo failed."); + return nullptr; + } + bool sus = false; + for (size_t i = 0; i < wantVec.size(); i++) { + auto element = wantVec[i].GetElement(); + if (element.GetBundleName() == "com.ohos.UserFile.ExternalFileManager" && + element.GetAbilityName() == "FileExtensionAbility") { + want = wantVec[i]; + sus = true; + break; + } + } + if (!sus) { + printf("not found bundleName."); + return nullptr; + } + vector wants {want}; + g_fah = FileAccessHelper::Creator(remoteObj, wants); + setuid(UID_DEFAULT); + if (g_fah == nullptr) { + printf("creator fileAccessHelper return nullptr."); + return nullptr; + } + return g_fah; +} + +bool DeleteFuzzTest(sptr proxy, const uint8_t *data, size_t size) +{ + Urie sourceFile(string(reinterpret_cast(data), size)); + proxy->Delete(sourceFile); + return true; +} +} // namespace OHOS + +/* Fuzzer entry point */ +extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) +{ + OHOS::UserFileServiceTokenMock tokenMock; + tokenMock.SetFileManagerToken(); + auto helper = OHOS::GetFileAccessHelper(); + if (helper == nullptr) { + printf("helper is nullptr."); + return false; + } + auto proxy = helper->GetProxyByBundleName(OHOS::EXTERNAL_BNUDLE_NAME); + if (proxy == nullptr) { + printf("get proxy failed."); + return 0; + } + + OHOS::DeleteFuzzTest(proxy, data, size); + return 0; +} diff --git a/test/fuzztest/fileaccessextdelete_fuzzer/fileaccessextdelete_fuzzer.h b/test/fuzztest/fileaccessextdelete_fuzzer/fileaccessextdelete_fuzzer.h new file mode 100644 index 00000000..4ae8b3e8 --- /dev/null +++ b/test/fuzztest/fileaccessextdelete_fuzzer/fileaccessextdelete_fuzzer.h @@ -0,0 +1,21 @@ +/* + * Copyright (c) 2025 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef FILE_ACCESS_EXTDELETE_FUZZER_H +#define FILE_ACCESS_EXTDELETE_FUZZER_H + +#define FUZZ_PROJECT_NAME "fileaccessextdelete_fuzzer" + +#endif \ No newline at end of file diff --git a/test/fuzztest/fileaccessextdelete_fuzzer/project.xml b/test/fuzztest/fileaccessextdelete_fuzzer/project.xml new file mode 100644 index 00000000..8cd95817 --- /dev/null +++ b/test/fuzztest/fileaccessextdelete_fuzzer/project.xml @@ -0,0 +1,25 @@ + + + + + + 1000 + + 300 + + 4096 + + diff --git a/test/fuzztest/fileaccessextgetfileinfo_fuzzer/BUILD.gn b/test/fuzztest/fileaccessextgetfileinfo_fuzzer/BUILD.gn new file mode 100644 index 00000000..d6520505 --- /dev/null +++ b/test/fuzztest/fileaccessextgetfileinfo_fuzzer/BUILD.gn @@ -0,0 +1,68 @@ +# Copyright (c) 2025 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#####################hydra-fuzz################### +import("//build/config/features.gni") +import("//build/test.gni") +import("//foundation/filemanagement/user_file_service/filemanagement_aafwk.gni") +ohos_fuzztest("FileAccessExtGetFileInfoFuzzTest") { + module_out_path = "user_file_service/user_file_service" + fuzz_config_file = + "${user_file_service_path}/test/fuzztest/fileaccessextgetfileinfo_fuzzer" + include_dirs = [ + "${user_file_service_path}/interfaces/inner_api/file_access/include", + "${user_file_service_path}/test/fuzztest/privacy_comm/include", + "${user_file_service_path}/utils", + ] + cflags = [ + "-g", + "-O0", + "-Wno-unused-variable", + "-fno-omit-frame-pointer", + ] + sources = [ + "fileaccessextgetfileinfo_fuzzer.cpp", + "${user_file_service_path}/test/fuzztest/privacy_comm/src/user_file_service_token_mock.cpp" + ] + + deps = [ + "${user_file_service_path}/interfaces/inner_api/file_access:file_access_ext_base_include", + "${user_file_service_path}/interfaces/inner_api/file_access:file_access_extension_ability_kit", + "${user_file_service_path}/services:file_access_service", + "${user_file_service_path}/services:file_access_service_base_include", + ] + + external_deps = [ + "ability_base:want", + "ability_base:zuri", + "ability_runtime:ability_context_native", + "ability_runtime:ability_manager", + "ability_runtime:app_manager", + "ability_runtime:runtime", + "ability_runtime:wantagent_innerkits", + "access_token:libaccesstoken_sdk", + "access_token:libnativetoken", + "access_token:libtoken_setproc", + "bundle_framework:appexecfwk_core", + "cJSON:cjson_static", + "c_utils:utils", + "hilog:libhilog", + "hitrace:hitrace_meter", + "ipc:ipc_core", + "safwk:system_ability_fwk", + "samgr:samgr_proxy", + "selinux_adapter:librestorecon", + ] + + defines = [ "private=public" ] +} diff --git a/test/fuzztest/fileaccessextgetfileinfo_fuzzer/corpus/init b/test/fuzztest/fileaccessextgetfileinfo_fuzzer/corpus/init new file mode 100644 index 00000000..7ade8a0f --- /dev/null +++ b/test/fuzztest/fileaccessextgetfileinfo_fuzzer/corpus/init @@ -0,0 +1,16 @@ +/* + * Copyright (c) 2025 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +FUZZ \ No newline at end of file diff --git a/test/fuzztest/fileaccessextgetfileinfo_fuzzer/fileaccessextgetfileinfo_fuzzer.cpp b/test/fuzztest/fileaccessextgetfileinfo_fuzzer/fileaccessextgetfileinfo_fuzzer.cpp new file mode 100644 index 00000000..4a32fc94 --- /dev/null +++ b/test/fuzztest/fileaccessextgetfileinfo_fuzzer/fileaccessextgetfileinfo_fuzzer.cpp @@ -0,0 +1,117 @@ +/* + * Copyright (c) 2025 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#include "fileaccessextgetfileinfo_fuzzer.h" + +#include +#include + +#include "accesstoken_kit.h" +#include "file_access_helper.h" +#include "file_access_ext_base_proxy.h" +#include "file_info_shared_memory.h" +#include "iservice_registry.h" +#include "token_setproc.h" +#include "nativetoken_kit.h" + +#include "user_file_service_token_mock.h" + +namespace OHOS { +using namespace std; +using namespace FileAccessFwk; + +const int ABILITY_ID = 5003; +shared_ptr g_fah = nullptr; +const int UID_TRANSFORM_TMP = 20000000; +const int UID_DEFAULT = 0; + +template +T TypeCast(const uint8_t *data, int *pos = nullptr) +{ + if (pos) { + *pos += sizeof(T); + } + return *(reinterpret_cast(data)); +} + +shared_ptr GetFileAccessHelper() +{ + if (g_fah != nullptr) { + return g_fah; + } + auto saManager = SystemAbilityManagerClient::GetInstance().GetSystemAbilityManager(); + if (saManager == nullptr) { + return nullptr; + } + auto remoteObj = saManager->GetSystemAbility(ABILITY_ID); + AAFwk::Want want; + vector wantVec; + setuid(UID_TRANSFORM_TMP); + int ret = FileAccessHelper::GetRegisteredFileAccessExtAbilityInfo(wantVec); + if (ret != OHOS::FileAccessFwk::ERR_OK) { + printf("GetRegisteredFileAccessExtAbilityInfo failed."); + return nullptr; + } + bool sus = false; + for (size_t i = 0; i < wantVec.size(); i++) { + auto element = wantVec[i].GetElement(); + if (element.GetBundleName() == "com.ohos.UserFile.ExternalFileManager" && + element.GetAbilityName() == "FileExtensionAbility") { + want = wantVec[i]; + sus = true; + break; + } + } + if (!sus) { + printf("not found bundleName."); + return nullptr; + } + vector wants {want}; + g_fah = FileAccessHelper::Creator(remoteObj, wants); + setuid(UID_DEFAULT); + if (g_fah == nullptr) { + printf("creator fileAccessHelper return nullptr."); + return nullptr; + } + return g_fah; +} + +bool GetFileInfoFromUriFuzzTest(sptr proxy, const uint8_t *data, size_t size) +{ + Urie selectFile(string(reinterpret_cast(data), size)); + FileInfo fileInfo; + proxy->GetFileInfoFromUri(selectFile, fileInfo); + return true; +} +} // namespace OHOS + +/* Fuzzer entry point */ +extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) +{ + OHOS::UserFileServiceTokenMock tokenMock; + tokenMock.SetFileManagerToken(); + auto helper = OHOS::GetFileAccessHelper(); + if (helper == nullptr) { + printf("helper is nullptr."); + return false; + } + auto proxy = helper->GetProxyByBundleName(OHOS::EXTERNAL_BNUDLE_NAME); + if (proxy == nullptr) { + printf("get proxy failed."); + return 0; + } + + OHOS::GetFileInfoFromUriFuzzTest(proxy, data, size); + return 0; +} diff --git a/test/fuzztest/fileaccessextgetfileinfo_fuzzer/fileaccessextgetfileinfo_fuzzer.h b/test/fuzztest/fileaccessextgetfileinfo_fuzzer/fileaccessextgetfileinfo_fuzzer.h new file mode 100644 index 00000000..0b97f6d2 --- /dev/null +++ b/test/fuzztest/fileaccessextgetfileinfo_fuzzer/fileaccessextgetfileinfo_fuzzer.h @@ -0,0 +1,21 @@ +/* + * Copyright (c) 2025 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef FILE_ACCESS_EXTGETFILEINFO_FUZZER_H +#define FILE_ACCESS_EXTGETFILEINFO_FUZZER_H + +#define FUZZ_PROJECT_NAME "fileaccessextgetfileinfo_fuzzer" + +#endif \ No newline at end of file diff --git a/test/fuzztest/fileaccessextgetfileinfo_fuzzer/project.xml b/test/fuzztest/fileaccessextgetfileinfo_fuzzer/project.xml new file mode 100644 index 00000000..8cd95817 --- /dev/null +++ b/test/fuzztest/fileaccessextgetfileinfo_fuzzer/project.xml @@ -0,0 +1,25 @@ + + + + + + 1000 + + 300 + + 4096 + + -- Gitee