!1371 Add fuzz test for daemon usb read

Merge pull request !1371 from zhaolihui/daemonusbread_fuzz

src/daemon/daemon.cpp

@@ -856,7 +856,9 @@ void HdcDaemon::InitSessionAuthInfo(uint32_t sessionid, string token)
 {
     HdcDaemonAuthInfo info = {
         AUTH_NONE,
-        token
+        token,
+        "",
+        ""
     };
     mapAuthStatusMutex.lock();
     mapAuthStatus[sessionid] = info;

src/daemon/daemon_usb.cpp

@@ -619,6 +619,10 @@ int HdcDaemonUSB::LoopUSBRead(HUSB hUSB, int readMaxWanted)
     StartTraceScope("HdcDaemonUSB::LoopUSBRead");
     int ret = ERR_GENERIC;
     HdcDaemon *daemon = reinterpret_cast<HdcDaemon *>(clsMainBase);
+    if (daemon == nullptr) {
+        WRITE_LOG(LOG_FATAL, "daemon is nullptr in LoopUSBRead");
+        return ret;
+    }
     uv_buf_t iov;
     ctxRecv.data = hUSB;
     ctxRecv.bufSize = readMaxWanted;

test/BUILD.gn

@@ -361,9 +361,30 @@ ohos_fuzztest("JdwpReadStreamFuzzTest") {
   ]
 }
 
+ohos_fuzztest("DaemonUsbReadFuzzTest") {
+  module_out_path = FUZZ_OUTPUT_PATH
+  fuzz_config_file = "${hdc_path}/test/fuzztest/daemonusbread_fuzzer"
+  configs = [ ":hdc_test_config" ]
+  cflags = fuzz_cflags
+  deps = [ "//third_party/libuv:uv" ]
+  sources = [
+    "${hdc_path}/src/daemon/daemon_usb.cpp",
+    "${hdc_path}/src/daemon/system_depend.cpp",
+    "fuzztest/daemonusbread_fuzzer/DaemonUsbRead_fuzzer.cpp",
+  ]
+  deps += [ ":hdc_common" ]
+  external_deps = [
+    "init:libbeget_proxy",
+    "init:libbegetutil",
+  ]
+}
+
 group("hdc_fuzztest") {
   testonly = true
-  deps = [ ":JdwpReadStreamFuzzTest" ]
+  deps = [
+    ":DaemonUsbReadFuzzTest",
+    ":JdwpReadStreamFuzzTest",
+  ]
 }
 
 ohos_unittest("hdc_register_unittest") {

test/fuzztest/daemonusbread_fuzzer/DaemonUsbRead_fuzzer.cpp

@@ -0,0 +1,59 @@
+/*
+ * Copyright (c) 2024 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "DaemonUsbRead_fuzzer.h"
+#include "daemon_usb.h"
+#include <uv.h>
+
+namespace Hdc {
+class HdcDaemonUsbFuzzer : public HdcDaemonUSB {
+public:
+    explicit HdcDaemonUsbFuzzer(void *ptrbase) : HdcDaemonUSB(false, ptrbase) {}
+
+    static std::unique_ptr<HdcDaemonUsbFuzzer> Instance(void *ptrbase)
+    {
+        std::unique_ptr<HdcDaemonUsbFuzzer> daemonusb = std::make_unique<HdcDaemonUsbFuzzer>(ptrbase);
+        return daemonusb;
+    }
+};
+
+bool FuzzDaemonUsbRead(const uint8_t *data, size_t size)
+{
+    auto daemonusb = HdcDaemonUsbFuzzer::Instance(nullptr);
+    if (daemonusb == nullptr) {
+        WRITE_LOG(LOG_FATAL, "FuzzDaemonUsbRead daemonusb is null");
+        return false;
+    }
+    HdcUSB hUSB = {};
+    hUSB.wMaxPacketSizeSend = MAX_PACKET_SIZE_HISPEED;
+    HdcDaemonUSB::CtxUvFileCommonIo ctxRecv = {};
+    ctxRecv.thisClass = &daemonusb;
+    ctxRecv.data = &hUSB;
+    ctxRecv.bufSizeMax = Base::GetUsbffsBulkSize();
+    ctxRecv.buf = const_cast<uint8_t *>(data);
+    ctxRecv.req = {};
+    uv_fs_t *req = &ctxRecv.req;
+    req->result = size;
+    req->data = &ctxRecv;
+    daemonusb->OnUSBRead(req);
+    return true;
+}
+} // namespace Hdc
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    Hdc::FuzzDaemonUsbRead(data, size);
+    return 0;
+}

test/fuzztest/daemonusbread_fuzzer/DaemonUsbRead_fuzzer.h

@@ -0,0 +1,25 @@
+/*
+ * Copyright (c) 2024 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef DAEMONUSBREAD_FUZZER_H
+#define DAEMONUSBREAD_FUZZER_H
+
+#include <cstdio>
+
+#define FUZZ_PROJECT_NAME "DaemonUsbRead_fuzzer"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+#endif // DAEMONUSBREAD_FUZZER_H

test/fuzztest/daemonusbread_fuzzer/corpus/init

@@ -0,0 +1,16 @@
+/*
+ * Copyright (c) 2024 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+ 
+FUZZ

test/fuzztest/daemonusbread_fuzzer/project.xml

@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (c) 2024 Huawei Device Co., Ltd.
+
+     Licensed under the Apache License, Version 2.0 (the "License");
+     you may not use this file except in compliance with the License.
+     You may obtain a copy of the License at
+
+          http://www.apache.org/licenses/LICENSE-2.0
+
+     Unless required by applicable law or agreed to in writing, software
+     distributed under the License is distributed on an "AS IS" BASIS,
+     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+     See the License for the specific language governing permissions and
+     limitations under the License.
+-->
+<fuzz_config>
+  <fuzztest>
+    <!-- maximum length of a test input -->
+    <max_len>1000</max_len>
+    <!-- maximum total time in seconds to run the fuzzer -->
+    <max_total_time>10</max_total_time>
+    <!-- memory usage limit in Mb -->
+    <rss_limit_mb>4096</rss_limit_mb>
+  </fuzztest>
+</fuzz_config>