添加fuzzer Signed-off-by: RichardLiu <2645345468@qq.com>
Change-Id: Ice92dae7f528c9c03164665f8df4bddac81f9506
+73
-70
@@ -1,73 +1,76 @@
|
||||
{
|
||||
"name": "@ohos/memmgr",
|
||||
"version": "3.1.0",
|
||||
"description": "memory management",
|
||||
"publishAs": "source",
|
||||
"scripts": {},
|
||||
"author": {},
|
||||
"repository": "",
|
||||
"license": "Apache License 2.0",
|
||||
"segment": {
|
||||
"destPath": "foundation/resourceschedule/memmgr"
|
||||
},
|
||||
"component": {
|
||||
"name": "memmgr",
|
||||
"subsystem": "resourceschedule",
|
||||
"adapted_system_type": [ "standard" ],
|
||||
"rom": "1000KB",
|
||||
"ram": "4316KB",
|
||||
"deps": {
|
||||
"components": [
|
||||
"ipc",
|
||||
"ability_base",
|
||||
"bundle_framework",
|
||||
"safwk",
|
||||
"background_task_mgr",
|
||||
"ability_runtime",
|
||||
"os_account",
|
||||
"common_event_service",
|
||||
"eventhandler",
|
||||
"hilog",
|
||||
"c_utils",
|
||||
"samgr",
|
||||
"resource_management",
|
||||
"access_token",
|
||||
"init",
|
||||
"libxml2",
|
||||
"json"
|
||||
]
|
||||
},
|
||||
"build": {
|
||||
"sub_component": [
|
||||
"//foundation/resourceschedule/memmgr/sa_profile:memmgr_sa_profile",
|
||||
"//foundation/resourceschedule/memmgr/services/memmgrservice:memmgrservice",
|
||||
"//foundation/resourceschedule/memmgr/services/memmgrservice:memmgrservice_init",
|
||||
"//foundation/resourceschedule/memmgr/profile:memmgr_config",
|
||||
"//foundation/resourceschedule/memmgr/profile:memmgr.para",
|
||||
"//foundation/resourceschedule/memmgr/profile:memmgr.para.dac"
|
||||
],
|
||||
"inner_kits": [
|
||||
{
|
||||
"name": "//foundation/resourceschedule/memmgr/interface/innerkits:memmgrclient",
|
||||
"header": {
|
||||
"header_files": [
|
||||
"mem_mgr_client.h",
|
||||
"i_mem_mgr.h",
|
||||
"mem_mgr_proxy.h",
|
||||
"mem_mgr_constant.h"
|
||||
],
|
||||
"header_base": "//foundation/resourceschedule/memmgr/interface/innerkits/include/"
|
||||
}
|
||||
}
|
||||
],
|
||||
"test": [
|
||||
"//foundation/resourceschedule/memmgr/test:memmgr_unittest",
|
||||
"//foundation/resourceschedule/memmgr/test/fuzztest:memmgr_fuzztest"
|
||||
]
|
||||
},
|
||||
"features": [
|
||||
"memmgr_purgeable_memory",
|
||||
"memmgr_hyperhold_memory"
|
||||
"name": "@ohos/memmgr",
|
||||
"version": "3.1.0",
|
||||
"description": "memory management",
|
||||
"publishAs": "source",
|
||||
"scripts": {},
|
||||
"author": {},
|
||||
"repository": "",
|
||||
"license": "Apache License 2.0",
|
||||
"segment": {
|
||||
"destPath": "foundation/resourceschedule/memmgr"
|
||||
},
|
||||
"component": {
|
||||
"name": "memmgr",
|
||||
"subsystem": "resourceschedule",
|
||||
"adapted_system_type": [
|
||||
"standard"
|
||||
],
|
||||
"rom": "1000KB",
|
||||
"ram": "4316KB",
|
||||
"deps": {
|
||||
"components": [
|
||||
"ipc",
|
||||
"ability_base",
|
||||
"bundle_framework",
|
||||
"safwk",
|
||||
"background_task_mgr",
|
||||
"ability_runtime",
|
||||
"os_account",
|
||||
"common_event_service",
|
||||
"eventhandler",
|
||||
"hilog",
|
||||
"c_utils",
|
||||
"samgr",
|
||||
"resource_management",
|
||||
"access_token",
|
||||
"init",
|
||||
"libxml2",
|
||||
"json"
|
||||
]
|
||||
}
|
||||
},
|
||||
"build": {
|
||||
"sub_component": [
|
||||
"//foundation/resourceschedule/memmgr/sa_profile:memmgr_sa_profile",
|
||||
"//foundation/resourceschedule/memmgr/services/memmgrservice:memmgrservice",
|
||||
"//foundation/resourceschedule/memmgr/services/memmgrservice:memmgrservice_init",
|
||||
"//foundation/resourceschedule/memmgr/profile:memmgr_config",
|
||||
"//foundation/resourceschedule/memmgr/profile:memmgr.para",
|
||||
"//foundation/resourceschedule/memmgr/profile:memmgr.para.dac"
|
||||
],
|
||||
"inner_kits": [
|
||||
{
|
||||
"name": "//foundation/resourceschedule/memmgr/interface/innerkits:memmgrclient",
|
||||
"header": {
|
||||
"header_files": [
|
||||
"mem_mgr_client.h",
|
||||
"i_mem_mgr.h",
|
||||
"mem_mgr_proxy.h",
|
||||
"mem_mgr_constant.h"
|
||||
],
|
||||
"header_base": "//foundation/resourceschedule/memmgr/interface/innerkits/include/"
|
||||
}
|
||||
}
|
||||
],
|
||||
"test": [
|
||||
"//foundation/resourceschedule/memmgr/test:memmgr_unittest",
|
||||
"//foundation/resourceschedule/memmgr/test/fuzztest:memmgr_fuzztest",
|
||||
"//foundation/resourceschedule/memmgr/test/fuzztest/mem_fuzzer:fuzztest"
|
||||
]
|
||||
},
|
||||
"features": [
|
||||
"memmgr_purgeable_memory",
|
||||
"memmgr_hyperhold_memory"
|
||||
]
|
||||
}
|
||||
}
|
||||
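Review bot: As rendered on this page, the new side of the manifest does not balance: it begins at `"name": "@ohos/memmgr",` with no opening `{`, and a bare `}` follows the `components` list before the `},` that used to close `deps`. If that reflects the committed file rather than a rendering loss, `build` and `features` are no longer inside `component` and the file ends with one closing brace too many, so please confirm the file parses as JSON before merging. Separately, the new target `//foundation/resourceschedule/memmgr/test/fuzztest/mem_fuzzer:fuzztest` is listed next to the existing `test/fuzztest:memmgr_fuzztest` group; adding it to that group's `deps` would keep a single fuzz entry in the manifest. Almost all of the 70 removed and 73 added lines look identical apart from the `adapted_system_type` re-wrap, which suggests a whitespace or line-ending rewrite that is better kept out of this commit.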
@@ -0,0 +1,64 @@
|
||||
# Copyright (c) 2021 Huawei Device Co., Ltd.
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
#####################hydra-fuzz###################
|
||||
import("../../../memmgr.gni")
|
||||
import("//build/config/features.gni")
|
||||
import("//build/test.gni")
|
||||
|
||||
##############################fuzztest##########################################
|
||||
ohos_fuzztest("MemFuzzTest") {
|
||||
module_out_path = "memmgr/memmgr"
|
||||
fuzz_config_file = "${memmgr_root_path}/test/fuzztest/mem_fuzzer"
|
||||
|
||||
include_dirs = [
|
||||
"${memmgr_service_path}/include",
|
||||
"${memgr_innerkits_path}/include",
|
||||
"${memmgr_common_path}/include",
|
||||
]
|
||||
|
||||
cflags = [
|
||||
"-g",
|
||||
"-O0",
|
||||
"-Wno-unused-variable",
|
||||
"-fno-omit-frame-pointer",
|
||||
]
|
||||
|
||||
sources = [ "mem_fuzzer.cpp" ]
|
||||
|
||||
defines = []
|
||||
if (memmgr_purgeable_memory) {
|
||||
defines += [ "USE_PURGEABLE_MEMORY" ]
|
||||
}
|
||||
|
||||
deps = [ "${memmgr_service_path}:memmgrservice" ]
|
||||
|
||||
external_deps = [
|
||||
"c_utils:utils",
|
||||
"hilog:libhilog",
|
||||
"ipc:ipc_core",
|
||||
"memmgr:memmgrclient",
|
||||
"safwk:system_ability_fwk",
|
||||
"samgr:samgr_proxy",
|
||||
]
|
||||
}
|
||||
###############################################################################
|
||||
group("fuzztest") {
|
||||
testonly = true
|
||||
deps = []
|
||||
deps += [
|
||||
# deps file
|
||||
":MemFuzzTest",
|
||||
]
|
||||
}
|
||||
###############################################################################
|
||||
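Review bot: The `cflags` list carries `-Wno-unused-variable`, which hides dead locals in a harness that is new in this same commit; I would drop that flag and fix whatever it was silencing. `-O0` is also worth a one-line comment saying why the harness is built unoptimised, since the fuzzer only runs for a bounded time. The include path uses `${memgr_innerkits_path}` while the other three variables are spelled `memmgr_`; memmgr.gni is not shown on this page, so please confirm that spelling matches its declaration.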
@@ -0,0 +1,16 @@
|
||||
/*
|
||||
* Copyright (c) 2021 Huawei Device Co., Ltd.
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
FUZZ_MEMMGR_IPC_TEST_SEED_DATA
|
||||
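Review bot: The seed `FUZZ_MEMMGR_IPC_TEST_SEED_DATA` is free text that does not follow the layout the harness decodes. `DoFuzzTest` takes the first byte modulo `FUZZ_PATH_COUNT` as the path selector and `FuzzIPCStub` then reads a 32-bit interface code, so which path this seed reaches is an accident of its leading bytes (and, if the licence comment shown above it is stored in the same file, of the comment's first character). A small set of binary seeds, one per `FuzzTestPath` value and one per interface code, would give the fuzzer a starting point on every handler within the 300-second `max_total_time` budget.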
@@ -0,0 +1,513 @@
|
||||
/*
|
||||
* Copyright (c) 2021 Huawei Device Co., Ltd.
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
#include "mem_fuzzer.h"
|
||||
|
||||
namespace OHOS {
|
||||
namespace Memory {
|
||||
|
||||
namespace {
|
||||
// String length limits for fuzzing - avoid excessive memory allocation
|
||||
constexpr size_t FUZZ_MAX_NAME_LENGTH = 128;
|
||||
} // namespace
|
||||
|
||||
/**
|
||||
* @brief Write interface token to MessageParcel
|
||||
* Uses IMemMgr::GetDescriptor() to avoid hardcoding
|
||||
*/
|
||||
static bool WriteInterfaceToken(MessageParcel& data)
|
||||
{
|
||||
return data.WriteInterfaceToken(IMemMgr::GetDescriptor());
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief Fuzz GetBundlePriorityList IPC handler
|
||||
* Tests: HandleGetBunldePriorityList in mem_mgr_stub.cpp
|
||||
*/
|
||||
static bool FuzzGetBundlePriorityList(FuzzDataProvider& provider)
|
||||
{
|
||||
MessageParcel data;
|
||||
MessageParcel reply;
|
||||
MessageOption option;
|
||||
|
||||
if (!WriteInterfaceToken(data)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// Construct BundlePriorityList parcel data
|
||||
int32_t count = provider.ConsumeIntegralInRange<int32_t>(0, FUZZ_MAX_BUNDLE_COUNT);
|
||||
data.WriteInt32(count);
|
||||
|
||||
for (int32_t i = 0; i < count && provider.HasEnoughData(sizeof(int32_t)); ++i) {
|
||||
data.WriteInt32(provider.ConsumeIntegral<int32_t>()); // uid
|
||||
data.WriteString(provider.ConsumeString(FUZZ_MAX_NAME_LENGTH)); // name
|
||||
data.WriteInt32(provider.ConsumeIntegral<int32_t>()); // priority
|
||||
data.WriteInt32(provider.ConsumeIntegral<int32_t>()); // accountId
|
||||
}
|
||||
|
||||
uint32_t code = static_cast<uint32_t>(MemMgrInterfaceCode::MEM_MGR_GET_BUNDLE_PRIORITY_LIST);
|
||||
MemMgrService::GetInstance().OnRemoteRequest(code, data, reply, option);
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief Fuzz NotifyDistDevStatus IPC handler
|
||||
* Tests: HandleNotifyDistDevStatus in mem_mgr_stub.cpp
|
||||
*/
|
||||
static bool FuzzNotifyDistDevStatus(FuzzDataProvider& provider)
|
||||
{
|
||||
MessageParcel data;
|
||||
MessageParcel reply;
|
||||
MessageOption option;
|
||||
|
||||
if (!WriteInterfaceToken(data)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
data.WriteInt32(provider.ConsumeIntegral<int32_t>()); // pid
|
||||
data.WriteInt32(provider.ConsumeIntegral<int32_t>()); // uid
|
||||
data.WriteString(provider.ConsumeString(FUZZ_MAX_NAME_LENGTH)); // name
|
||||
data.WriteBool(provider.ConsumeBool()); // connected
|
||||
|
||||
uint32_t code = static_cast<uint32_t>(MemMgrInterfaceCode::MEM_MGR_NOTIFY_DIST_DEV_STATUS);
|
||||
MemMgrService::GetInstance().OnRemoteRequest(code, data, reply, option);
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief Fuzz GetKillLevelOfLmkd IPC handler
|
||||
* Tests: HandleGetKillLevelOfLmkd in mem_mgr_stub.cpp
|
||||
*/
|
||||
static bool FuzzGetKillLevelOfLmkd(FuzzDataProvider& provider)
|
||||
{
|
||||
MessageParcel data;
|
||||
MessageParcel reply;
|
||||
MessageOption option;
|
||||
|
||||
if (!WriteInterfaceToken(data)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
uint32_t code = static_cast<uint32_t>(MemMgrInterfaceCode::MEM_MGR_GET_KILL_LEVEL_OF_LMKD);
|
||||
MemMgrService::GetInstance().OnRemoteRequest(code, data, reply, option);
|
||||
return true;
|
||||
}
|
||||
|
||||
#ifdef USE_PURGEABLE_MEMORY
|
||||
/**
|
||||
* @brief Fuzz RegisterActiveApps IPC handler
|
||||
* Tests: HandleRegisterActiveApps in mem_mgr_stub.cpp
|
||||
*/
|
||||
static bool FuzzRegisterActiveApps(FuzzDataProvider& provider)
|
||||
{
|
||||
MessageParcel data;
|
||||
MessageParcel reply;
|
||||
MessageOption option;
|
||||
|
||||
if (!WriteInterfaceToken(data)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
data.WriteInt32(provider.ConsumeIntegral<int32_t>()); // pid
|
||||
data.WriteInt32(provider.ConsumeIntegral<int32_t>()); // uid
|
||||
|
||||
uint32_t code = static_cast<uint32_t>(MemMgrInterfaceCode::MEM_MGR_REGISTER_ACTIVE_APPS);
|
||||
MemMgrService::GetInstance().OnRemoteRequest(code, data, reply, option);
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief Fuzz DeregisterActiveApps IPC handler
|
||||
* Tests: HandleDeregisterActiveApps in mem_mgr_stub.cpp
|
||||
*/
|
||||
static bool FuzzDeregisterActiveApps(FuzzDataProvider& provider)
|
||||
{
|
||||
MessageParcel data;
|
||||
MessageParcel reply;
|
||||
MessageOption option;
|
||||
|
||||
if (!WriteInterfaceToken(data)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
data.WriteInt32(provider.ConsumeIntegral<int32_t>()); // pid
|
||||
data.WriteInt32(provider.ConsumeIntegral<int32_t>()); // uid
|
||||
|
||||
uint32_t code = static_cast<uint32_t>(MemMgrInterfaceCode::MEM_MGR_DEREGISTER_ACTIVE_APPS);
|
||||
MemMgrService::GetInstance().OnRemoteRequest(code, data, reply, option);
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief Fuzz GetAvailableMemory IPC handler
|
||||
* Tests: HandleGetAvailableMemory in mem_mgr_stub.cpp
|
||||
*/
|
||||
static bool FuzzGetAvailableMemory(FuzzDataProvider& provider)
|
||||
{
|
||||
MessageParcel data;
|
||||
MessageParcel reply;
|
||||
MessageOption option;
|
||||
|
||||
if (!WriteInterfaceToken(data)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
uint32_t code = static_cast<uint32_t>(MemMgrInterfaceCode::MEM_MGR_GET_AVAILABLE_MEMORY);
|
||||
MemMgrService::GetInstance().OnRemoteRequest(code, data, reply, option);
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief Fuzz GetTotalMemory IPC handler
|
||||
* Tests: HandleGetTotalMemory in mem_mgr_stub.cpp
|
||||
*/
|
||||
static bool FuzzGetTotalMemory(FuzzDataProvider& provider)
|
||||
{
|
||||
MessageParcel data;
|
||||
MessageParcel reply;
|
||||
MessageOption option;
|
||||
|
||||
if (!WriteInterfaceToken(data)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
uint32_t code = static_cast<uint32_t>(MemMgrInterfaceCode::MEM_MGR_GET_TOTAL_MEMORY);
|
||||
MemMgrService::GetInstance().OnRemoteRequest(code, data, reply, option);
|
||||
return true;
|
||||
}
|
||||
#endif // USE_PURGEABLE_MEMORY
|
||||
|
||||
/**
|
||||
* @brief Fuzz OnWindowVisibilityChanged IPC handler
|
||||
* Tests: HandleOnWindowVisibilityChanged in mem_mgr_stub.cpp
|
||||
*/
|
||||
static bool FuzzOnWindowVisibilityChanged(FuzzDataProvider& provider)
|
||||
{
|
||||
MessageParcel data;
|
||||
MessageParcel reply;
|
||||
MessageOption option;
|
||||
|
||||
if (!WriteInterfaceToken(data)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
uint32_t count = provider.ConsumeIntegralInRange<uint32_t>(0, FUZZ_MAX_WINDOW_INFO_COUNT);
|
||||
data.WriteUint32(count);
|
||||
|
||||
for (uint32_t i = 0; i < count && provider.HasEnoughData(sizeof(uint32_t)); ++i) {
|
||||
// Write MemMgrWindowInfo parcel format: windowId, pid, uid, isVisible
|
||||
data.WriteUint32(provider.ConsumeIntegral<uint32_t>()); // windowId
|
||||
data.WriteInt32(provider.ConsumeIntegral<int32_t>()); // pid
|
||||
data.WriteInt32(provider.ConsumeIntegral<int32_t>()); // uid
|
||||
data.WriteBool(provider.ConsumeBool()); // isVisible
|
||||
}
|
||||
|
||||
uint32_t code = static_cast<uint32_t>(MemMgrInterfaceCode::MEM_MGR_ON_WINDOW_VISIBILITY_CHANGED);
|
||||
MemMgrService::GetInstance().OnRemoteRequest(code, data, reply, option);
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief Fuzz GetReclaimPriorityByPid IPC handler
|
||||
* Tests: HandleGetReclaimPriorityByPid in mem_mgr_stub.cpp
|
||||
*/
|
||||
static bool FuzzGetReclaimPriorityByPid(FuzzDataProvider& provider)
|
||||
{
|
||||
MessageParcel data;
|
||||
MessageParcel reply;
|
||||
MessageOption option;
|
||||
|
||||
if (!WriteInterfaceToken(data)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
data.WriteInt32(provider.ConsumeIntegral<int32_t>()); // pid
|
||||
|
||||
uint32_t code = static_cast<uint32_t>(MemMgrInterfaceCode::MEM_MGR_GET_PRIORITY_BY_PID);
|
||||
MemMgrService::GetInstance().OnRemoteRequest(code, data, reply, option);
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief Fuzz NotifyProcessStateChangedSync IPC handler
|
||||
* Tests: HandleNotifyProcessStateChangedSync in mem_mgr_stub.cpp
|
||||
*/
|
||||
static bool FuzzNotifyProcessStateChangedSync(FuzzDataProvider& provider)
|
||||
{
|
||||
MessageParcel data;
|
||||
MessageParcel reply;
|
||||
MessageOption option;
|
||||
|
||||
if (!WriteInterfaceToken(data)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// Write MemMgrProcessStateInfo parcel format
|
||||
data.WriteInt32(provider.ConsumeIntegral<int32_t>()); // callerPid
|
||||
data.WriteInt32(provider.ConsumeIntegral<int32_t>()); // callerUid
|
||||
data.WriteInt32(provider.ConsumeIntegral<int32_t>()); // pid
|
||||
data.WriteInt32(provider.ConsumeIntegral<int32_t>()); // uid
|
||||
data.WriteUint32(provider.ConsumeIntegral<uint32_t>()); // reason
|
||||
|
||||
uint32_t code = static_cast<uint32_t>(MemMgrInterfaceCode::MEM_MGR_NOTIFY_PROCESS_STATE_CHANGED_SYNC);
|
||||
MemMgrService::GetInstance().OnRemoteRequest(code, data, reply, option);
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief Fuzz NotifyProcessStateChangedAsync IPC handler
|
||||
* Tests: HandleNotifyProcessStateChangedAsync in mem_mgr_stub.cpp
|
||||
*/
|
||||
static bool FuzzNotifyProcessStateChangedAsync(FuzzDataProvider& provider)
|
||||
{
|
||||
MessageParcel data;
|
||||
MessageParcel reply;
|
||||
MessageOption option;
|
||||
|
||||
if (!WriteInterfaceToken(data)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// Write MemMgrProcessStateInfo parcel format
|
||||
data.WriteInt32(provider.ConsumeIntegral<int32_t>()); // callerPid
|
||||
data.WriteInt32(provider.ConsumeIntegral<int32_t>()); // callerUid
|
||||
data.WriteInt32(provider.ConsumeIntegral<int32_t>()); // pid
|
||||
data.WriteInt32(provider.ConsumeIntegral<int32_t>()); // uid
|
||||
data.WriteUint32(provider.ConsumeIntegral<uint32_t>()); // reason
|
||||
|
||||
uint32_t code = static_cast<uint32_t>(MemMgrInterfaceCode::MEM_MGR_NOTIFY_PROCESS_STATE_CHANGED_ASYNC);
|
||||
MemMgrService::GetInstance().OnRemoteRequest(code, data, reply, option);
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief Fuzz NotifyProcessStatus IPC handler
|
||||
* Tests: HandleNotifyProcessStatus in mem_mgr_stub.cpp
|
||||
*/
|
||||
static bool FuzzNotifyProcessStatus(FuzzDataProvider& provider)
|
||||
{
|
||||
MessageParcel data;
|
||||
MessageParcel reply;
|
||||
MessageOption option;
|
||||
|
||||
if (!WriteInterfaceToken(data)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
data.WriteInt32(provider.ConsumeIntegral<int32_t>()); // pid
|
||||
data.WriteInt32(provider.ConsumeIntegral<int32_t>()); // type
|
||||
data.WriteInt32(provider.ConsumeIntegral<int32_t>()); // status
|
||||
data.WriteInt32(provider.ConsumeIntegral<int32_t>()); // saId
|
||||
|
||||
uint32_t code = static_cast<uint32_t>(MemMgrInterfaceCode::MEM_MGR_NOTIFY_PROCESS_STATUS);
|
||||
MemMgrService::GetInstance().OnRemoteRequest(code, data, reply, option);
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief Fuzz SetCritical IPC handler
|
||||
* Tests: HandleSetCritical in mem_mgr_stub.cpp
|
||||
*/
|
||||
static bool FuzzSetCritical(FuzzDataProvider& provider)
|
||||
{
|
||||
MessageParcel data;
|
||||
MessageParcel reply;
|
||||
MessageOption option;
|
||||
|
||||
if (!WriteInterfaceToken(data)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
data.WriteInt32(provider.ConsumeIntegral<int32_t>()); // pid
|
||||
data.WriteBool(provider.ConsumeBool()); // critical
|
||||
data.WriteInt32(provider.ConsumeIntegral<int32_t>()); // saId
|
||||
|
||||
uint32_t code = static_cast<uint32_t>(MemMgrInterfaceCode::MEM_MGR_SET_CRITICAL);
|
||||
MemMgrService::GetInstance().OnRemoteRequest(code, data, reply, option);
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief Fuzz IPC stub with random code selection
|
||||
* Routes to appropriate handler based on fuzz data
|
||||
*/
|
||||
bool FuzzIPCStub(FuzzDataProvider& provider)
|
||||
{
|
||||
if (!provider.HasEnoughData(FUZZ_THRESHOLD_FOR_IPC)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// Select IPC code from valid range using enum values
|
||||
uint32_t code = provider.ConsumeIntegralInRange<uint32_t>(FUZZ_IPC_CODE_MIN, FUZZ_IPC_CODE_MAX);
|
||||
|
||||
switch (static_cast<MemMgrInterfaceCode>(code)) {
|
||||
case MemMgrInterfaceCode::MEM_MGR_GET_BUNDLE_PRIORITY_LIST:
|
||||
return FuzzGetBundlePriorityList(provider);
|
||||
case MemMgrInterfaceCode::MEM_MGR_NOTIFY_DIST_DEV_STATUS:
|
||||
return FuzzNotifyDistDevStatus(provider);
|
||||
case MemMgrInterfaceCode::MEM_MGR_GET_KILL_LEVEL_OF_LMKD:
|
||||
return FuzzGetKillLevelOfLmkd(provider);
|
||||
#ifdef USE_PURGEABLE_MEMORY
|
||||
case MemMgrInterfaceCode::MEM_MGR_REGISTER_ACTIVE_APPS:
|
||||
return FuzzRegisterActiveApps(provider);
|
||||
case MemMgrInterfaceCode::MEM_MGR_DEREGISTER_ACTIVE_APPS:
|
||||
return FuzzDeregisterActiveApps(provider);
|
||||
case MemMgrInterfaceCode::MEM_MGR_GET_AVAILABLE_MEMORY:
|
||||
return FuzzGetAvailableMemory(provider);
|
||||
case MemMgrInterfaceCode::MEM_MGR_GET_TOTAL_MEMORY:
|
||||
return FuzzGetTotalMemory(provider);
|
||||
#endif
|
||||
case MemMgrInterfaceCode::MEM_MGR_ON_WINDOW_VISIBILITY_CHANGED:
|
||||
return FuzzOnWindowVisibilityChanged(provider);
|
||||
case MemMgrInterfaceCode::MEM_MGR_GET_PRIORITY_BY_PID:
|
||||
return FuzzGetReclaimPriorityByPid(provider);
|
||||
case MemMgrInterfaceCode::MEM_MGR_NOTIFY_PROCESS_STATE_CHANGED_SYNC:
|
||||
return FuzzNotifyProcessStateChangedSync(provider);
|
||||
case MemMgrInterfaceCode::MEM_MGR_NOTIFY_PROCESS_STATE_CHANGED_ASYNC:
|
||||
return FuzzNotifyProcessStateChangedAsync(provider);
|
||||
case MemMgrInterfaceCode::MEM_MGR_NOTIFY_PROCESS_STATUS:
|
||||
return FuzzNotifyProcessStatus(provider);
|
||||
case MemMgrInterfaceCode::MEM_MGR_SET_CRITICAL:
|
||||
return FuzzSetCritical(provider);
|
||||
default:
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief Fuzz MemMgrWindowInfo Unmarshalling
|
||||
* Tests: MemMgrWindowInfo::Unmarshalling in mem_mgr_window_info.cpp
|
||||
*/
|
||||
bool FuzzParcelableWindowInfo(FuzzDataProvider& provider)
|
||||
{
|
||||
if (!provider.HasEnoughData(FUZZ_THRESHOLD_FOR_PARCELABLE)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
MessageParcel parcel;
|
||||
// Write raw fuzz data in expected format
|
||||
parcel.WriteUint32(provider.ConsumeIntegral<uint32_t>()); // windowId
|
||||
parcel.WriteInt32(provider.ConsumeIntegral<int32_t>()); // pid
|
||||
parcel.WriteInt32(provider.ConsumeIntegral<int32_t>()); // uid
|
||||
parcel.WriteBool(provider.ConsumeBool()); // isVisible
|
||||
|
||||
// Attempt to unmarshall
|
||||
MemMgrWindowInfo* info = MemMgrWindowInfo::Unmarshalling(parcel);
|
||||
if (info != nullptr) {
|
||||
delete info;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief Fuzz MemMgrProcessStateInfo Unmarshalling
|
||||
* Tests: MemMgrProcessStateInfo::Unmarshalling in mem_mgr_process_state_info.cpp
|
||||
*/
|
||||
bool FuzzParcelableProcessStateInfo(FuzzDataProvider& provider)
|
||||
{
|
||||
if (!provider.HasEnoughData(FUZZ_THRESHOLD_FOR_PARCELABLE)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
MessageParcel parcel;
|
||||
// Write raw fuzz data in expected format
|
||||
parcel.WriteInt32(provider.ConsumeIntegral<int32_t>()); // callerPid
|
||||
parcel.WriteInt32(provider.ConsumeIntegral<int32_t>()); // callerUid
|
||||
parcel.WriteInt32(provider.ConsumeIntegral<int32_t>()); // pid
|
||||
parcel.WriteInt32(provider.ConsumeIntegral<int32_t>()); // uid
|
||||
parcel.WriteUint32(provider.ConsumeIntegral<uint32_t>()); // reason
|
||||
|
||||
// Attempt to unmarshall
|
||||
MemMgrProcessStateInfo* info = MemMgrProcessStateInfo::Unmarshalling(parcel);
|
||||
if (info != nullptr) {
|
||||
delete info;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief Fuzz BundlePriorityList Unmarshalling
|
||||
* Tests: BundlePriorityList::Unmarshalling in bundle_priority_list.cpp
|
||||
*/
|
||||
bool FuzzParcelableBundlePriorityList(FuzzDataProvider& provider)
|
||||
{
|
||||
if (!provider.HasEnoughData(sizeof(int32_t))) {
|
||||
return false;
|
||||
}
|
||||
|
||||
MessageParcel parcel;
|
||||
|
||||
// Write count - use smaller range to avoid excessive loop iterations
|
||||
int32_t count = provider.ConsumeIntegralInRange<int32_t>(0, FUZZ_MAX_BUNDLE_COUNT);
|
||||
parcel.WriteInt32(count);
|
||||
|
||||
// Write bundle entries
|
||||
for (int32_t i = 0; i < count && provider.HasEnoughData(sizeof(int32_t)); ++i) {
|
||||
parcel.WriteInt32(provider.ConsumeIntegral<int32_t>()); // uid
|
||||
parcel.WriteString(provider.ConsumeString(FUZZ_MAX_NAME_LENGTH)); // name
|
||||
parcel.WriteInt32(provider.ConsumeIntegral<int32_t>()); // priority
|
||||
parcel.WriteInt32(provider.ConsumeIntegral<int32_t>()); // accountId
|
||||
}
|
||||
|
||||
// Attempt to unmarshall
|
||||
BundlePriorityList* list = BundlePriorityList::Unmarshalling(parcel);
|
||||
if (list != nullptr) {
|
||||
delete list;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief Main fuzzer routing function
|
||||
* Selects fuzz path based on input data and routes accordingly
|
||||
*/
|
||||
static bool DoFuzzTest(const uint8_t* data, size_t size)
|
||||
{
|
||||
if (data == nullptr || size < FUZZ_MIN_DATA_SIZE) {
|
||||
return false;
|
||||
}
|
||||
|
||||
FuzzDataProvider provider(data, size);
|
||||
|
||||
// Select fuzz path based on first byte
|
||||
uint8_t pathSelector = provider.ConsumeIntegral<uint8_t>();
|
||||
FuzzTestPath path = static_cast<FuzzTestPath>(
|
||||
pathSelector % static_cast<uint8_t>(FuzzTestPath::FUZZ_PATH_COUNT));
|
||||
|
||||
switch (path) {
|
||||
case FuzzTestPath::FUZZ_IPC_STUB:
|
||||
return FuzzIPCStub(provider);
|
||||
case FuzzTestPath::FUZZ_PARCELABLE_WINDOW_INFO:
|
||||
return FuzzParcelableWindowInfo(provider);
|
||||
case FuzzTestPath::FUZZ_PARCELABLE_PROCESS_STATE_INFO:
|
||||
return FuzzParcelableProcessStateInfo(provider);
|
||||
case FuzzTestPath::FUZZ_PARCELABLE_BUNDLE_PRIORITY_LIST:
|
||||
return FuzzParcelableBundlePriorityList(provider);
|
||||
default:
|
||||
return FuzzIPCStub(provider);
|
||||
}
|
||||
}
|
||||
|
||||
} // namespace Memory
|
||||
} // namespace OHOS
|
||||
|
||||
/* Fuzzer entry point */
|
||||
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
|
||||
{
|
||||
/* Run fuzz tests */
|
||||
OHOS::Memory::DoFuzzTest(data, size);
|
||||
return 0;
|
||||
}
|
||||
|
||||
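Review bot: Each `Fuzz*` helper in this file writes the correct interface token followed by exactly the field sequence the matching handler reads, so `OnRemoteRequest` only ever sees well-formed parcels (at worst a list shorter than its `count`). The parsing errors a hostile IPC caller could provoke, such as wrong field types or short and oversized payloads, are never exercised. `FuzzGetKillLevelOfLmkd`, `FuzzGetAvailableMemory` and `FuzzGetTotalMemory` do not read `provider` at all, so those paths are input-independent and repeat the same call on every run. I would add a raw path that keeps the token but forwards the remaining input unstructured, e.g. `auto raw = provider.ConsumeBytes(provider.RemainingBytes());` followed by `data.WriteBuffer(raw.data(), raw.size());`, which also gives the otherwise unused `ConsumeBytes` a caller. Whether the stub handlers gate on the caller's identity is not visible from this page; if they do, the harness has to satisfy that check or most inputs will stop there.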
@@ -0,0 +1,171 @@
|
||||
/*
|
||||
* Copyright (c) 2021 Huawei Device Co., Ltd.
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
#ifndef OHOS_MEMMGR_FUZZTEST_MEM_FUZZER_H
|
||||
#define OHOS_MEMMGR_FUZZTEST_MEM_FUZZER_H
|
||||
|
||||
#include <cstdint>
|
||||
#include <cstddef>
|
||||
#include <cstdio>
|
||||
#include <cstdlib>
|
||||
#include <cstring>
|
||||
#include <climits>
|
||||
#include <unistd.h>
|
||||
#include <fcntl.h>
|
||||
#include <string>
|
||||
#include <vector>
|
||||
|
||||
// IPC related headers
|
||||
#include "message_parcel.h"
|
||||
#include "message_option.h"
|
||||
#include "iremote_stub.h"
|
||||
|
||||
// MemMgr service headers
|
||||
#include "i_mem_mgr.h"
|
||||
#include "mem_mgr_stub.h"
|
||||
#include "mem_mgr_service.h"
|
||||
#include "memmgrservice_ipc_interface_code.h"
|
||||
|
||||
// Parcelable types
|
||||
#include "bundle_priority_list.h"
|
||||
#include "bundle_priority.h"
|
||||
#include "mem_mgr_window_info.h"
|
||||
#include "mem_mgr_process_state_info.h"
|
||||
|
||||
// Security
|
||||
#include "securec.h"
|
||||
|
||||
#define FUZZ_PROJECT_NAME "mem_fuzzer"
|
||||
|
||||
namespace OHOS {
|
||||
namespace Memory {
|
||||
|
||||
// Fuzzer configuration constants - derived from project definitions
|
||||
constexpr size_t FUZZ_MIN_DATA_SIZE = sizeof(uint32_t);
|
||||
constexpr size_t FUZZ_THRESHOLD_FOR_IPC = sizeof(uint32_t) * 2;
|
||||
constexpr size_t FUZZ_THRESHOLD_FOR_PARCELABLE = sizeof(int32_t) * 4;
|
||||
|
||||
// Window info fuzzer limits - derived from mem_mgr_stub.cpp MAX_PARCEL_SIZE
|
||||
constexpr uint32_t FUZZ_MAX_WINDOW_INFO_COUNT = 100;
|
||||
|
||||
// Bundle priority list limits - derived from bundle_priority_list.cpp MAX_PARCEL_SIZE
|
||||
constexpr int32_t FUZZ_MAX_BUNDLE_COUNT = 1000;
|
||||
|
||||
// IPC code range - derived from MemMgrInterfaceCode enum
|
||||
constexpr uint32_t FUZZ_IPC_CODE_MIN = static_cast<uint32_t>(MemMgrInterfaceCode::MEM_MGR_GET_BUNDLE_PRIORITY_LIST);
|
||||
constexpr uint32_t FUZZ_IPC_CODE_MAX = static_cast<uint32_t>(MemMgrInterfaceCode::MEM_MGR_SET_CRITICAL);
|
||||
|
||||
// Fuzz test path selectors
|
||||
enum class FuzzTestPath : uint8_t {
|
||||
FUZZ_IPC_STUB = 0,
|
||||
FUZZ_PARCELABLE_WINDOW_INFO,
|
||||
FUZZ_PARCELABLE_PROCESS_STATE_INFO,
|
||||
FUZZ_PARCELABLE_BUNDLE_PRIORITY_LIST,
|
||||
FUZZ_PATH_COUNT
|
||||
};
|
||||
|
||||
/**
|
||||
* @brief Data provider for structured fuzzing
|
||||
* Extracts typed data from raw fuzz input bytes
|
||||
*/
|
||||
class FuzzDataProvider {
|
||||
public:
|
||||
FuzzDataProvider(const uint8_t* data, size_t size)
|
||||
: data_(data), size_(size), pos_(0) {}
|
||||
|
||||
template<typename T>
|
||||
T ConsumeIntegral()
|
||||
{
|
||||
T value{};
|
||||
size_t typeSize = sizeof(T);
|
||||
if (data_ == nullptr || pos_ + typeSize > size_) {
|
||||
return value;
|
||||
}
|
||||
errno_t ret = memcpy_s(&value, typeSize, data_ + pos_, typeSize);
|
||||
if (ret != EOK) {
|
||||
return T{};
|
||||
}
|
||||
pos_ += typeSize;
|
||||
return value;
|
||||
}
|
||||
|
||||
template<typename T>
|
||||
T ConsumeIntegralInRange(T min, T max)
|
||||
{
|
||||
if (min >= max) {
|
||||
return min;
|
||||
}
|
||||
T value = ConsumeIntegral<T>();
|
||||
return min + (value % (max - min + 1));
|
||||
}
|
||||
|
||||
bool ConsumeBool()
|
||||
{
|
||||
return ConsumeIntegral<uint8_t>() & 1;
|
||||
}
|
||||
|
||||
std::string ConsumeString(size_t maxLength)
|
||||
{
|
||||
size_t length = ConsumeIntegralInRange<size_t>(0, maxLength);
|
||||
if (length > RemainingBytes()) {
|
||||
length = RemainingBytes();
|
||||
}
|
||||
std::string result;
|
||||
if (length > 0 && data_ != nullptr) {
|
||||
result.assign(reinterpret_cast<const char*>(data_ + pos_), length);
|
||||
pos_ += length;
|
||||
}
|
||||
return result;
|
||||
}
|
||||
|
||||
std::vector<uint8_t> ConsumeBytes(size_t count)
|
||||
{
|
||||
if (count > RemainingBytes()) {
|
||||
count = RemainingBytes();
|
||||
}
|
||||
std::vector<uint8_t> result;
|
||||
if (count > 0 && data_ != nullptr) {
|
||||
result.assign(data_ + pos_, data_ + pos_ + count);
|
||||
pos_ += count;
|
||||
}
|
||||
return result;
|
||||
}
|
||||
|
||||
size_t RemainingBytes() const
|
||||
{
|
||||
return (pos_ < size_) ? (size_ - pos_) : 0;
|
||||
}
|
||||
|
||||
bool HasEnoughData(size_t required) const
|
||||
{
|
||||
return RemainingBytes() >= required;
|
||||
}
|
||||
|
||||
private:
|
||||
const uint8_t* data_;
|
||||
size_t size_;
|
||||
size_t pos_;
|
||||
};
|
||||
|
||||
// Fuzzer function declarations
|
||||
bool FuzzIPCStub(FuzzDataProvider& provider);
|
||||
bool FuzzParcelableWindowInfo(FuzzDataProvider& provider);
|
||||
bool FuzzParcelableProcessStateInfo(FuzzDataProvider& provider);
|
||||
bool FuzzParcelableBundlePriorityList(FuzzDataProvider& provider);
|
||||
|
||||
} // namespace Memory
|
||||
} // namespace OHOS
|
||||
|
||||
#endif // OHOS_MEMMGR_FUZZTEST_MEM_FUZZER_H
|
||||
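Review bot: `ConsumeIntegralInRange` can return a value outside [min, max] when `T` is signed, because `value % (max - min + 1)` keeps the sign of `value`. The call `ConsumeIntegralInRange<int32_t>(0, FUZZ_MAX_BUNDLE_COUNT)` in mem_fuzzer.cpp can therefore yield a negative `count`, which is written to the parcel while the entry loop is skipped. `max - min + 1` also overflows for a full-width range (a modulo by zero for unsigned `T`). Doing the arithmetic in the unsigned counterpart of `T` fixes both; the version below needs `<type_traits>` and `<limits>` added to the header's includes. If negative counts are wanted as test input, they deserve an explicit, documented path instead of falling out of this helper.

```cpp
template<typename T>
T ConsumeIntegralInRange(T min, T max)
{
    if (min >= max) {
        return min;
    }
    // Work in the unsigned counterpart of T so a negative draw cannot give a
    // negative remainder and max - min cannot overflow.
    using U = typename std::make_unsigned<T>::type;
    const U span = static_cast<U>(max) - static_cast<U>(min);
    const U draw = static_cast<U>(ConsumeIntegral<T>());
    if (span == std::numeric_limits<U>::max()) {
        return static_cast<T>(draw); // full range: every value is in bounds
    }
    return static_cast<T>(static_cast<U>(min) + draw % (span + 1));
}
```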
@@ -0,0 +1,25 @@
|
||||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<!-- Copyright (c) 2021 Huawei Device Co., Ltd.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
-->
|
||||
<fuzz_config>
|
||||
<fuzztest>
|
||||
<!-- maximum length of a test input -->
|
||||
<max_len>1000</max_len>
|
||||
<!-- maximum total time in seconds to run the fuzzer -->
|
||||
<max_total_time>300</max_total_time>
|
||||
<!-- memory usage limit in Mb -->
|
||||
<rss_limit_mb>4096</rss_limit_mb>
|
||||
</fuzztest>
|
||||
</fuzz_config>
|
||||