!470 merge master into master

添加fuzzer

Created-by: RichardLiuda
Commit-by: RichardLiu
Merged-by: openharmony_ci
Description: fuzzer

See merge request: openharmony/resourceschedule_memmgr!470
openharmony_ci
2026-03-11 09:59:48 +08:00
6 changed files with 791 additions and 1 deletions
+2 -1
@@ -62,7 +62,8 @@
],
"test": [
"//foundation/resourceschedule/memmgr/test:memmgr_unittest",
"//foundation/resourceschedule/memmgr/test/fuzztest:memmgr_fuzztest"
"//foundation/resourceschedule/memmgr/test/fuzztest:memmgr_fuzztest",
"//foundation/resourceschedule/memmgr/test/fuzztest/mem_fuzzer:fuzztest"
]
},
"features": [
+64
@@ -0,0 +1,64 @@
# Copyright (c) 2026 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#####################hydra-fuzz###################
import("../../../memmgr.gni")
import("//build/config/features.gni")
import("//build/test.gni")
##############################fuzztest##########################################
ohos_fuzztest("MemFuzzTest") {
module_out_path = "memmgr/memmgr"
fuzz_config_file = "${memmgr_root_path}/test/fuzztest/mem_fuzzer"
include_dirs = [
"${memmgr_service_path}/include",
"${memgr_innerkits_path}/include",
"${memmgr_common_path}/include",
]
cflags = [
"-g",
"-O0",
"-Wno-unused-variable",
"-fno-omit-frame-pointer",
]
sources = [ "mem_fuzzer.cpp" ]
defines = []
if (memmgr_purgeable_memory) {
defines += [ "USE_PURGEABLE_MEMORY" ]
}
deps = [ "${memmgr_service_path}:memmgrservice" ]
external_deps = [
"c_utils:utils",
"hilog:libhilog",
"ipc:ipc_core",
"memmgr:memmgrclient",
"safwk:system_ability_fwk",
"samgr:samgr_proxy",
]
}
###############################################################################
group("fuzztest") {
testonly = true
deps = []
deps += [
# deps file
":MemFuzzTest",
]
}
###############################################################################
+16
@@ -0,0 +1,16 @@
/*
* Copyright (c) 2026 Huawei Device Co., Ltd.
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
FUZZ_MEMMGR_IPC_TEST_SEED_DATA
+513
@@ -0,0 +1,513 @@
/*
* Copyright (c) 2026 Huawei Device Co., Ltd.
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include "mem_fuzzer.h"
namespace OHOS {
namespace Memory {
namespace {
// String length limits for fuzzing - avoid excessive memory allocation
constexpr size_t FUZZ_MAX_NAME_LENGTH = 128;
} // namespace
/**
* @brief Write interface token to MessageParcel
* Uses IMemMgr::GetDescriptor() to avoid hardcoding
*/
static bool WriteInterfaceToken(MessageParcel& data)
{
return data.WriteInterfaceToken(IMemMgr::GetDescriptor());
}
/**
* @brief Fuzz GetBundlePriorityList IPC handler
* Tests: HandleGetBunldePriorityList in mem_mgr_stub.cpp
*/
static bool FuzzGetBundlePriorityList(FuzzDataProvider& provider)
{
MessageParcel data;
MessageParcel reply;
MessageOption option;
if (!WriteInterfaceToken(data)) {
return false;
}
// Construct BundlePriorityList parcel data
int32_t count = provider.ConsumeIntegralInRange<int32_t>(0, FUZZ_MAX_BUNDLE_COUNT);
data.WriteInt32(count);
for (int32_t i = 0; i < count && provider.HasEnoughData(sizeof(int32_t)); ++i) {
data.WriteInt32(provider.ConsumeIntegral<int32_t>()); // uid
data.WriteString(provider.ConsumeString(FUZZ_MAX_NAME_LENGTH)); // name
data.WriteInt32(provider.ConsumeIntegral<int32_t>()); // priority
data.WriteInt32(provider.ConsumeIntegral<int32_t>()); // accountId
}
uint32_t code = static_cast<uint32_t>(MemMgrInterfaceCode::MEM_MGR_GET_BUNDLE_PRIORITY_LIST);
MemMgrService::GetInstance().OnRemoteRequest(code, data, reply, option);
return true;
}
/**
* @brief Fuzz NotifyDistDevStatus IPC handler
* Tests: HandleNotifyDistDevStatus in mem_mgr_stub.cpp
*/
static bool FuzzNotifyDistDevStatus(FuzzDataProvider& provider)
{
MessageParcel data;
MessageParcel reply;
MessageOption option;
if (!WriteInterfaceToken(data)) {
return false;
}
data.WriteInt32(provider.ConsumeIntegral<int32_t>()); // pid
data.WriteInt32(provider.ConsumeIntegral<int32_t>()); // uid
data.WriteString(provider.ConsumeString(FUZZ_MAX_NAME_LENGTH)); // name
data.WriteBool(provider.ConsumeBool()); // connected
uint32_t code = static_cast<uint32_t>(MemMgrInterfaceCode::MEM_MGR_NOTIFY_DIST_DEV_STATUS);
MemMgrService::GetInstance().OnRemoteRequest(code, data, reply, option);
return true;
}
/**
* @brief Fuzz GetKillLevelOfLmkd IPC handler
* Tests: HandleGetKillLevelOfLmkd in mem_mgr_stub.cpp
*/
static bool FuzzGetKillLevelOfLmkd(FuzzDataProvider& provider)
{
MessageParcel data;
MessageParcel reply;
MessageOption option;
if (!WriteInterfaceToken(data)) {
return false;
}
uint32_t code = static_cast<uint32_t>(MemMgrInterfaceCode::MEM_MGR_GET_KILL_LEVEL_OF_LMKD);
MemMgrService::GetInstance().OnRemoteRequest(code, data, reply, option);
return true;
}
#ifdef USE_PURGEABLE_MEMORY
/**
* @brief Fuzz RegisterActiveApps IPC handler
* Tests: HandleRegisterActiveApps in mem_mgr_stub.cpp
*/
static bool FuzzRegisterActiveApps(FuzzDataProvider& provider)
{
MessageParcel data;
MessageParcel reply;
MessageOption option;
if (!WriteInterfaceToken(data)) {
return false;
}
data.WriteInt32(provider.ConsumeIntegral<int32_t>()); // pid
data.WriteInt32(provider.ConsumeIntegral<int32_t>()); // uid
uint32_t code = static_cast<uint32_t>(MemMgrInterfaceCode::MEM_MGR_REGISTER_ACTIVE_APPS);
MemMgrService::GetInstance().OnRemoteRequest(code, data, reply, option);
return true;
}
/**
* @brief Fuzz DeregisterActiveApps IPC handler
* Tests: HandleDeregisterActiveApps in mem_mgr_stub.cpp
*/
static bool FuzzDeregisterActiveApps(FuzzDataProvider& provider)
{
MessageParcel data;
MessageParcel reply;
MessageOption option;
if (!WriteInterfaceToken(data)) {
return false;
}
data.WriteInt32(provider.ConsumeIntegral<int32_t>()); // pid
data.WriteInt32(provider.ConsumeIntegral<int32_t>()); // uid
uint32_t code = static_cast<uint32_t>(MemMgrInterfaceCode::MEM_MGR_DEREGISTER_ACTIVE_APPS);
MemMgrService::GetInstance().OnRemoteRequest(code, data, reply, option);
return true;
}
/**
* @brief Fuzz GetAvailableMemory IPC handler
* Tests: HandleGetAvailableMemory in mem_mgr_stub.cpp
*/
static bool FuzzGetAvailableMemory(FuzzDataProvider& provider)
{
MessageParcel data;
MessageParcel reply;
MessageOption option;
if (!WriteInterfaceToken(data)) {
return false;
}
uint32_t code = static_cast<uint32_t>(MemMgrInterfaceCode::MEM_MGR_GET_AVAILABLE_MEMORY);
MemMgrService::GetInstance().OnRemoteRequest(code, data, reply, option);
return true;
}
/**
* @brief Fuzz GetTotalMemory IPC handler
* Tests: HandleGetTotalMemory in mem_mgr_stub.cpp
*/
static bool FuzzGetTotalMemory(FuzzDataProvider& provider)
{
MessageParcel data;
MessageParcel reply;
MessageOption option;
if (!WriteInterfaceToken(data)) {
return false;
}
uint32_t code = static_cast<uint32_t>(MemMgrInterfaceCode::MEM_MGR_GET_TOTAL_MEMORY);
MemMgrService::GetInstance().OnRemoteRequest(code, data, reply, option);
return true;
}
#endif // USE_PURGEABLE_MEMORY
/**
* @brief Fuzz OnWindowVisibilityChanged IPC handler
* Tests: HandleOnWindowVisibilityChanged in mem_mgr_stub.cpp
*/
static bool FuzzOnWindowVisibilityChanged(FuzzDataProvider& provider)
{
MessageParcel data;
MessageParcel reply;
MessageOption option;
if (!WriteInterfaceToken(data)) {
return false;
}
uint32_t count = provider.ConsumeIntegralInRange<uint32_t>(0, FUZZ_MAX_WINDOW_INFO_COUNT);
data.WriteUint32(count);
for (uint32_t i = 0; i < count && provider.HasEnoughData(sizeof(uint32_t)); ++i) {
// Write MemMgrWindowInfo parcel format: windowId, pid, uid, isVisible
data.WriteUint32(provider.ConsumeIntegral<uint32_t>()); // windowId
data.WriteInt32(provider.ConsumeIntegral<int32_t>()); // pid
data.WriteInt32(provider.ConsumeIntegral<int32_t>()); // uid
data.WriteBool(provider.ConsumeBool()); // isVisible
}
uint32_t code = static_cast<uint32_t>(MemMgrInterfaceCode::MEM_MGR_ON_WINDOW_VISIBILITY_CHANGED);
MemMgrService::GetInstance().OnRemoteRequest(code, data, reply, option);
return true;
}
/**
* @brief Fuzz GetReclaimPriorityByPid IPC handler
* Tests: HandleGetReclaimPriorityByPid in mem_mgr_stub.cpp
*/
static bool FuzzGetReclaimPriorityByPid(FuzzDataProvider& provider)
{
MessageParcel data;
MessageParcel reply;
MessageOption option;
if (!WriteInterfaceToken(data)) {
return false;
}
data.WriteInt32(provider.ConsumeIntegral<int32_t>()); // pid
uint32_t code = static_cast<uint32_t>(MemMgrInterfaceCode::MEM_MGR_GET_PRIORITY_BY_PID);
MemMgrService::GetInstance().OnRemoteRequest(code, data, reply, option);
return true;
}
/**
* @brief Fuzz NotifyProcessStateChangedSync IPC handler
* Tests: HandleNotifyProcessStateChangedSync in mem_mgr_stub.cpp
*/
static bool FuzzNotifyProcessStateChangedSync(FuzzDataProvider& provider)
{
MessageParcel data;
MessageParcel reply;
MessageOption option;
if (!WriteInterfaceToken(data)) {
return false;
}
// Write MemMgrProcessStateInfo parcel format
data.WriteInt32(provider.ConsumeIntegral<int32_t>()); // callerPid
data.WriteInt32(provider.ConsumeIntegral<int32_t>()); // callerUid
data.WriteInt32(provider.ConsumeIntegral<int32_t>()); // pid
data.WriteInt32(provider.ConsumeIntegral<int32_t>()); // uid
data.WriteUint32(provider.ConsumeIntegral<uint32_t>()); // reason
uint32_t code = static_cast<uint32_t>(MemMgrInterfaceCode::MEM_MGR_NOTIFY_PROCESS_STATE_CHANGED_SYNC);
MemMgrService::GetInstance().OnRemoteRequest(code, data, reply, option);
return true;
}
/**
* @brief Fuzz NotifyProcessStateChangedAsync IPC handler
* Tests: HandleNotifyProcessStateChangedAsync in mem_mgr_stub.cpp
*/
static bool FuzzNotifyProcessStateChangedAsync(FuzzDataProvider& provider)
{
MessageParcel data;
MessageParcel reply;
MessageOption option;
if (!WriteInterfaceToken(data)) {
return false;
}
// Write MemMgrProcessStateInfo parcel format
data.WriteInt32(provider.ConsumeIntegral<int32_t>()); // callerPid
data.WriteInt32(provider.ConsumeIntegral<int32_t>()); // callerUid
data.WriteInt32(provider.ConsumeIntegral<int32_t>()); // pid
data.WriteInt32(provider.ConsumeIntegral<int32_t>()); // uid
data.WriteUint32(provider.ConsumeIntegral<uint32_t>()); // reason
uint32_t code = static_cast<uint32_t>(MemMgrInterfaceCode::MEM_MGR_NOTIFY_PROCESS_STATE_CHANGED_ASYNC);
MemMgrService::GetInstance().OnRemoteRequest(code, data, reply, option);
return true;
}
/**
* @brief Fuzz NotifyProcessStatus IPC handler
* Tests: HandleNotifyProcessStatus in mem_mgr_stub.cpp
*/
static bool FuzzNotifyProcessStatus(FuzzDataProvider& provider)
{
MessageParcel data;
MessageParcel reply;
MessageOption option;
if (!WriteInterfaceToken(data)) {
return false;
}
data.WriteInt32(provider.ConsumeIntegral<int32_t>()); // pid
data.WriteInt32(provider.ConsumeIntegral<int32_t>()); // type
data.WriteInt32(provider.ConsumeIntegral<int32_t>()); // status
data.WriteInt32(provider.ConsumeIntegral<int32_t>()); // saId
uint32_t code = static_cast<uint32_t>(MemMgrInterfaceCode::MEM_MGR_NOTIFY_PROCESS_STATUS);
MemMgrService::GetInstance().OnRemoteRequest(code, data, reply, option);
return true;
}
/**
* @brief Fuzz SetCritical IPC handler
* Tests: HandleSetCritical in mem_mgr_stub.cpp
*/
static bool FuzzSetCritical(FuzzDataProvider& provider)
{
MessageParcel data;
MessageParcel reply;
MessageOption option;
if (!WriteInterfaceToken(data)) {
return false;
}
data.WriteInt32(provider.ConsumeIntegral<int32_t>()); // pid
data.WriteBool(provider.ConsumeBool()); // critical
data.WriteInt32(provider.ConsumeIntegral<int32_t>()); // saId
uint32_t code = static_cast<uint32_t>(MemMgrInterfaceCode::MEM_MGR_SET_CRITICAL);
MemMgrService::GetInstance().OnRemoteRequest(code, data, reply, option);
return true;
}
/**
* @brief Fuzz IPC stub with random code selection
* Routes to appropriate handler based on fuzz data
*/
bool FuzzIPCStub(FuzzDataProvider& provider)
{
if (!provider.HasEnoughData(FUZZ_THRESHOLD_FOR_IPC)) {
return false;
}
// Select IPC code from valid range using enum values
uint32_t code = provider.ConsumeIntegralInRange<uint32_t>(FUZZ_IPC_CODE_MIN, FUZZ_IPC_CODE_MAX);
switch (static_cast<MemMgrInterfaceCode>(code)) {
case MemMgrInterfaceCode::MEM_MGR_GET_BUNDLE_PRIORITY_LIST:
return FuzzGetBundlePriorityList(provider);
case MemMgrInterfaceCode::MEM_MGR_NOTIFY_DIST_DEV_STATUS:
return FuzzNotifyDistDevStatus(provider);
case MemMgrInterfaceCode::MEM_MGR_GET_KILL_LEVEL_OF_LMKD:
return FuzzGetKillLevelOfLmkd(provider);
#ifdef USE_PURGEABLE_MEMORY
case MemMgrInterfaceCode::MEM_MGR_REGISTER_ACTIVE_APPS:
return FuzzRegisterActiveApps(provider);
case MemMgrInterfaceCode::MEM_MGR_DEREGISTER_ACTIVE_APPS:
return FuzzDeregisterActiveApps(provider);
case MemMgrInterfaceCode::MEM_MGR_GET_AVAILABLE_MEMORY:
return FuzzGetAvailableMemory(provider);
case MemMgrInterfaceCode::MEM_MGR_GET_TOTAL_MEMORY:
return FuzzGetTotalMemory(provider);
#endif
case MemMgrInterfaceCode::MEM_MGR_ON_WINDOW_VISIBILITY_CHANGED:
return FuzzOnWindowVisibilityChanged(provider);
case MemMgrInterfaceCode::MEM_MGR_GET_PRIORITY_BY_PID:
return FuzzGetReclaimPriorityByPid(provider);
case MemMgrInterfaceCode::MEM_MGR_NOTIFY_PROCESS_STATE_CHANGED_SYNC:
return FuzzNotifyProcessStateChangedSync(provider);
case MemMgrInterfaceCode::MEM_MGR_NOTIFY_PROCESS_STATE_CHANGED_ASYNC:
return FuzzNotifyProcessStateChangedAsync(provider);
case MemMgrInterfaceCode::MEM_MGR_NOTIFY_PROCESS_STATUS:
return FuzzNotifyProcessStatus(provider);
case MemMgrInterfaceCode::MEM_MGR_SET_CRITICAL:
return FuzzSetCritical(provider);
default:
return false;
}
}
/**
* @brief Fuzz MemMgrWindowInfo Unmarshalling
* Tests: MemMgrWindowInfo::Unmarshalling in mem_mgr_window_info.cpp
*/
bool FuzzParcelableWindowInfo(FuzzDataProvider& provider)
{
if (!provider.HasEnoughData(FUZZ_THRESHOLD_FOR_PARCELABLE)) {
return false;
}
MessageParcel parcel;
// Write raw fuzz data in expected format
parcel.WriteUint32(provider.ConsumeIntegral<uint32_t>()); // windowId
parcel.WriteInt32(provider.ConsumeIntegral<int32_t>()); // pid
parcel.WriteInt32(provider.ConsumeIntegral<int32_t>()); // uid
parcel.WriteBool(provider.ConsumeBool()); // isVisible
// Attempt to unmarshall
MemMgrWindowInfo* info = MemMgrWindowInfo::Unmarshalling(parcel);
if (info != nullptr) {
delete info;
}
return true;
}
/**
* @brief Fuzz MemMgrProcessStateInfo Unmarshalling
* Tests: MemMgrProcessStateInfo::Unmarshalling in mem_mgr_process_state_info.cpp
*/
bool FuzzParcelableProcessStateInfo(FuzzDataProvider& provider)
{
if (!provider.HasEnoughData(FUZZ_THRESHOLD_FOR_PARCELABLE)) {
return false;
}
MessageParcel parcel;
// Write raw fuzz data in expected format
parcel.WriteInt32(provider.ConsumeIntegral<int32_t>()); // callerPid
parcel.WriteInt32(provider.ConsumeIntegral<int32_t>()); // callerUid
parcel.WriteInt32(provider.ConsumeIntegral<int32_t>()); // pid
parcel.WriteInt32(provider.ConsumeIntegral<int32_t>()); // uid
parcel.WriteUint32(provider.ConsumeIntegral<uint32_t>()); // reason
// Attempt to unmarshall
MemMgrProcessStateInfo* info = MemMgrProcessStateInfo::Unmarshalling(parcel);
if (info != nullptr) {
delete info;
}
return true;
}
/**
* @brief Fuzz BundlePriorityList Unmarshalling
* Tests: BundlePriorityList::Unmarshalling in bundle_priority_list.cpp
*/
bool FuzzParcelableBundlePriorityList(FuzzDataProvider& provider)
{
if (!provider.HasEnoughData(sizeof(int32_t))) {
return false;
}
MessageParcel parcel;
// Write count - use smaller range to avoid excessive loop iterations
int32_t count = provider.ConsumeIntegralInRange<int32_t>(0, FUZZ_MAX_BUNDLE_COUNT);
parcel.WriteInt32(count);
// Write bundle entries
for (int32_t i = 0; i < count && provider.HasEnoughData(sizeof(int32_t)); ++i) {
parcel.WriteInt32(provider.ConsumeIntegral<int32_t>()); // uid
parcel.WriteString(provider.ConsumeString(FUZZ_MAX_NAME_LENGTH)); // name
parcel.WriteInt32(provider.ConsumeIntegral<int32_t>()); // priority
parcel.WriteInt32(provider.ConsumeIntegral<int32_t>()); // accountId
}
// Attempt to unmarshall
BundlePriorityList* list = BundlePriorityList::Unmarshalling(parcel);
if (list != nullptr) {
delete list;
}
return true;
}
/**
* @brief Main fuzzer routing function
* Selects fuzz path based on input data and routes accordingly
*/
static bool DoFuzzTest(const uint8_t* data, size_t size)
{
if (data == nullptr || size < FUZZ_MIN_DATA_SIZE) {
return false;
}
FuzzDataProvider provider(data, size);
// Select fuzz path based on first byte
uint8_t pathSelector = provider.ConsumeIntegral<uint8_t>();
FuzzTestPath path = static_cast<FuzzTestPath>(
pathSelector % static_cast<uint8_t>(FuzzTestPath::FUZZ_PATH_COUNT));
switch (path) {
case FuzzTestPath::FUZZ_IPC_STUB:
return FuzzIPCStub(provider);
case FuzzTestPath::FUZZ_PARCELABLE_WINDOW_INFO:
return FuzzParcelableWindowInfo(provider);
case FuzzTestPath::FUZZ_PARCELABLE_PROCESS_STATE_INFO:
return FuzzParcelableProcessStateInfo(provider);
case FuzzTestPath::FUZZ_PARCELABLE_BUNDLE_PRIORITY_LIST:
return FuzzParcelableBundlePriorityList(provider);
default:
return FuzzIPCStub(provider);
}
}
} // namespace Memory
} // namespace OHOS
/* Fuzzer entry point */
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
{
/* Run fuzz tests */
OHOS::Memory::DoFuzzTest(data, size);
return 0;
}
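Review bot: Every request this file hands to `OnRemoteRequest` is well-formed, so the stub's rejection paths are barely exercised: each `Fuzz*` helper writes a valid interface token followed by the typed fields its comments list, and a short or mistyped parcel only arises when the provider runs dry inside the two count loops. The stub is where data from other processes enters the service, so its handling of truncated and over-long payloads is the part most worth covering. I would add a raw path that keeps the token but fills the payload from `provider.ConsumeBytes(...)` (defined in mem_fuzzer.h and not called anywhere in this file), and let one input bit in `FuzzIPCStub` choose between it and the structured helpers. Whether the handlers behind the stub also check the caller's identity is not visible here; if they do, confirm the fuzz process actually gets past that check.

```cpp
// Raw path: valid token, unstructured payload, in-range code chosen by the caller.
static bool FuzzRawRequest(FuzzDataProvider& provider, uint32_t code)
{
    MessageParcel data;
    MessageParcel reply;
    MessageOption option;
    if (!WriteInterfaceToken(data)) {
        return false;
    }
    const std::vector<uint8_t> raw = provider.ConsumeBytes(provider.RemainingBytes());
    if (!raw.empty()) {
        data.WriteBuffer(raw.data(), raw.size());
    }
    MemMgrService::GetInstance().OnRemoteRequest(code, data, reply, option);
    return true;
}

bool FuzzIPCStub(FuzzDataProvider& provider)
{
    // … unchanged: size check and code selection …
    if (provider.ConsumeBool()) {
        return FuzzRawRequest(provider, code);
    }
    // … unchanged: switch over the structured Fuzz* helpers …
```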
+171
@@ -0,0 +1,171 @@
/*
* Copyright (c) 2026 Huawei Device Co., Ltd.
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef OHOS_MEMMGR_FUZZTEST_MEM_FUZZER_H
#define OHOS_MEMMGR_FUZZTEST_MEM_FUZZER_H
#include <cstdint>
#include <cstddef>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <climits>
#include <unistd.h>
#include <fcntl.h>
#include <string>
#include <vector>
// IPC related headers
#include "message_parcel.h"
#include "message_option.h"
#include "iremote_stub.h"
// MemMgr service headers
#include "i_mem_mgr.h"
#include "mem_mgr_stub.h"
#include "mem_mgr_service.h"
#include "memmgrservice_ipc_interface_code.h"
// Parcelable types
#include "bundle_priority_list.h"
#include "bundle_priority.h"
#include "mem_mgr_window_info.h"
#include "mem_mgr_process_state_info.h"
// Security
#include "securec.h"
#define FUZZ_PROJECT_NAME "mem_fuzzer"
namespace OHOS {
namespace Memory {
// Fuzzer configuration constants - derived from project definitions
constexpr size_t FUZZ_MIN_DATA_SIZE = sizeof(uint32_t);
constexpr size_t FUZZ_THRESHOLD_FOR_IPC = sizeof(uint32_t) * 2;
constexpr size_t FUZZ_THRESHOLD_FOR_PARCELABLE = sizeof(int32_t) * 4;
// Window info fuzzer limits - derived from mem_mgr_stub.cpp MAX_PARCEL_SIZE
constexpr uint32_t FUZZ_MAX_WINDOW_INFO_COUNT = 100;
// Bundle priority list limits - derived from bundle_priority_list.cpp MAX_PARCEL_SIZE
constexpr int32_t FUZZ_MAX_BUNDLE_COUNT = 1000;
// IPC code range - derived from MemMgrInterfaceCode enum
constexpr uint32_t FUZZ_IPC_CODE_MIN = static_cast<uint32_t>(MemMgrInterfaceCode::MEM_MGR_GET_BUNDLE_PRIORITY_LIST);
constexpr uint32_t FUZZ_IPC_CODE_MAX = static_cast<uint32_t>(MemMgrInterfaceCode::MEM_MGR_SET_CRITICAL);
// Fuzz test path selectors
enum class FuzzTestPath : uint8_t {
FUZZ_IPC_STUB = 0,
FUZZ_PARCELABLE_WINDOW_INFO,
FUZZ_PARCELABLE_PROCESS_STATE_INFO,
FUZZ_PARCELABLE_BUNDLE_PRIORITY_LIST,
FUZZ_PATH_COUNT
};
/**
* @brief Data provider for structured fuzzing
* Extracts typed data from raw fuzz input bytes
*/
class FuzzDataProvider {
public:
FuzzDataProvider(const uint8_t* data, size_t size)
: data_(data), size_(size), pos_(0) {}
template<typename T>
T ConsumeIntegral()
{
T value{};
size_t typeSize = sizeof(T);
if (data_ == nullptr || pos_ + typeSize > size_) {
return value;
}
errno_t ret = memcpy_s(&value, typeSize, data_ + pos_, typeSize);
if (ret != EOK) {
return T{};
}
pos_ += typeSize;
return value;
}
template<typename T>
T ConsumeIntegralInRange(T min, T max)
{
if (min >= max) {
return min;
}
T value = ConsumeIntegral<T>();
return min + (value % (max - min + 1));
}
bool ConsumeBool()
{
return ConsumeIntegral<uint8_t>() & 1;
}
std::string ConsumeString(size_t maxLength)
{
size_t length = ConsumeIntegralInRange<size_t>(0, maxLength);
if (length > RemainingBytes()) {
length = RemainingBytes();
}
std::string result;
if (length > 0 && data_ != nullptr) {
result.assign(reinterpret_cast<const char*>(data_ + pos_), length);
pos_ += length;
}
return result;
}
std::vector<uint8_t> ConsumeBytes(size_t count)
{
if (count > RemainingBytes()) {
count = RemainingBytes();
}
std::vector<uint8_t> result;
if (count > 0 && data_ != nullptr) {
result.assign(data_ + pos_, data_ + pos_ + count);
pos_ += count;
}
return result;
}
size_t RemainingBytes() const
{
return (pos_ < size_) ? (size_ - pos_) : 0;
}
bool HasEnoughData(size_t required) const
{
return RemainingBytes() >= required;
}
private:
const uint8_t* data_;
size_t size_;
size_t pos_;
};
// Fuzzer function declarations
bool FuzzIPCStub(FuzzDataProvider& provider);
bool FuzzParcelableWindowInfo(FuzzDataProvider& provider);
bool FuzzParcelableProcessStateInfo(FuzzDataProvider& provider);
bool FuzzParcelableBundlePriorityList(FuzzDataProvider& provider);
} // namespace Memory
} // namespace OHOS
#endif // OHOS_MEMMGR_FUZZTEST_MEM_FUZZER_H
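Review bot: `ConsumeIntegralInRange` can return a value outside `[min, max]` when `T` is signed, because `value % (max - min + 1)` keeps the sign of `value` and a negative draw yields `min` plus a negative remainder. The `int32_t` calls with `(0, FUZZ_MAX_BUNDLE_COUNT)` in mem_fuzzer.cpp therefore write a negative `count` for roughly half of all inputs and skip the entry loop, so populated bundle lists reach the parser far less often than intended. `max - min + 1` also overflows for a full-width range: undefined behaviour for signed `T`, and for unsigned `T` it wraps to 0 and the `%` divides by zero. Doing the reduction in the unsigned counterpart of `T` fixes both cases; it needs `<type_traits>` and `<limits>` added to the include list.

```cpp
template<typename T>
T ConsumeIntegralInRange(T min, T max)
{
    if (min >= max) {
        return min;
    }
    // Reduce in the unsigned counterpart: no negative remainder, no overflow in the span.
    using U = std::make_unsigned_t<T>;
    const U span = static_cast<U>(max) - static_cast<U>(min);
    const U draw = static_cast<U>(ConsumeIntegral<T>());
    if (span == std::numeric_limits<U>::max()) {
        return static_cast<T>(draw); // range covers every value of T
    }
    return static_cast<T>(static_cast<U>(min) + draw % (span + 1));
}
```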
+25
@@ -0,0 +1,25 @@
<?xml version="1.0" encoding="utf-8"?>
<!-- Copyright (c) 2026 Huawei Device Co., Ltd.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<fuzz_config>
<fuzztest>
<!-- maximum length of a test input -->
<max_len>1000</max_len>
<!-- maximum total time in seconds to run the fuzzer -->
<max_total_time>300</max_total_time>
<!-- memory usage limit in Mb -->
<rss_limit_mb>4096</rss_limit_mb>
</fuzztest>
</fuzz_config>