widevine-partner/android
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Pick widevine oemcrypto-v18 change

Browse Source 
No-Typo-Check: From a third party header file
Bug: 260918793
Test: unit tests
Test: atp v2/widevine-eng/drm_compliance
Change-Id: I36effd6a10a99bdb2399ab1f4a0fad026d607c70
This commit is contained in:
Kyle Zhang
2022-12-16 03:21:08 +00:00
parent 4586522c07
commit 11255b7426
105 changed files with 324641 additions and 299787 deletions
Download Patch File Download Diff File Expand all files Collapse all files

266
libwvdrmengine/oemcrypto/test/fuzz_tests/oemcrypto_decrypt_cenc_fuzz.cc
View File

@@ -4,187 +4,169 @@
#include "FuzzedDataProvider.h"
#include "OEMCryptoCENC.h"
#include "log.h"
#include "oec_session_util.h"
#include "oemcrypto_fuzz_helper.h"
#include "oemcrypto_fuzz_structs.h"
#include "oemcrypto_overflow.h"
namespace wvoec {
const size_t MAX_FUZZ_SAMPLE_SIZE = 5 * MB;
// Free dynamic memory allocated by fuzzer script.
void FreeOutputBuffers(OEMCrypto_SESSION session_id,
OEMCrypto_SampleDescription* sample_description,
size_t sample_index, int* secure_fd_array) {
for (size_t i = 0; i < sample_index; i++) {
OEMCrypto_DestBufferDesc fuzzed_output_descriptor =
sample_description[i].buffers.output_descriptor;
switch (fuzzed_output_descriptor.type) {
case OEMCrypto_BufferType_Clear: {
delete[] fuzzed_output_descriptor.buffer.clear.clear_buffer;
break;
}
case OEMCrypto_BufferType_Secure: {
OEMCrypto_FreeSecureBuffer(session_id, &fuzzed_output_descriptor,
secure_fd_array[i]);
break;
}
case OEMCrypto_BufferType_Direct: {
break;
}
}
}
}
// Function to initialize output buffer pointers by allocating memory.
// Limiting output buffer size to 5 MB as 4 MB is maximum size specified
// by resource rating tier documentation.
bool InitializeOutputBuffers(OEMCrypto_SESSION session_id,
OEMCrypto_DestBufferDesc& output_descriptor,
size_t sample_index,
vector<int>& secure_fd_array) {
switch (output_descriptor.type) {
case OEMCrypto_BufferType_Clear: {
output_descriptor.buffer.clear.clear_buffer =
new OEMCrypto_SharedMemory[std::min(
MAX_FUZZ_SAMPLE_SIZE,
output_descriptor.buffer.clear.clear_buffer_length)];
return true;
}
case OEMCrypto_BufferType_Secure: {
int* secure_fd;
OEMCryptoResult sts = OEMCrypto_AllocateSecureBuffer(
session_id,
std::min(MAX_FUZZ_SAMPLE_SIZE,
output_descriptor.buffer.secure.secure_buffer_length),
&output_descriptor, secure_fd);
if (sts == OEMCrypto_SUCCESS) secure_fd_array[sample_index] = *secure_fd;
return sts == OEMCrypto_SUCCESS;
}
case OEMCrypto_BufferType_Direct: {
return true;
}
}
}
// Limit output buffer size to 5 MB as 4 MB is maximum size specified by
// resource rating tier documentation.
const size_t MAX_FUZZ_SAMPLE_SIZE = 5 * MB;
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
// Redirect printf and log statements from oemcrypto functions to a file to
// reduce noise
RedirectStdoutToFile();
size_t samples_length;
// Split data using separator.
auto inputs = SplitInput(data, size);
if (inputs.size() < 2) {
const std::vector<FuzzedData> inputs = SplitFuzzedData(data, size);
if (inputs.size() < 3) {
return 0;
}
// Read cipher mode and pattern from fuzzed data.
OEMCrypto_Decrypt_Cenc_Fuzz fuzzed_structure;
if (inputs[0].size() < sizeof(fuzzed_structure)) {
if (inputs[0].size < sizeof(fuzzed_structure)) {
return 0;
}
// Copy OEMCrypto_Decrypt_Cenc_Fuzz from input data.
memcpy(&fuzzed_structure, data, sizeof(fuzzed_structure));
FuzzedDataProvider fuzzed_data(inputs[0].data, inputs[0].size);
fuzzed_data.ConsumeData(&fuzzed_structure, sizeof(fuzzed_structure));
ConvertDataToValidEnum(OEMCrypto_CipherMode_MaxValue,
&fuzzed_structure.cipher_mode);
size_t remaining_size_for_samples =
inputs[0].size() - sizeof(fuzzed_structure);
// Initialize FDP structures to read data using inbuilt functions.
FuzzedDataProvider fuzzed_sample_data(data + sizeof(fuzzed_structure),
remaining_size_for_samples);
FuzzedDataProvider fuzzed_subsample_data(inputs[1].data(), inputs[1].size());
// Allocate sample descriptions.
std::vector<OEMCrypto_SampleDescription> sample_descriptions(
fuzzed_data.remaining_bytes() / sizeof(OEMCrypto_SampleDescription_Fuzz));
// Read subsamples from fuzzed data.
vector<OEMCrypto_SubSampleDescription> subsamples;
while (fuzzed_subsample_data.remaining_bytes() >=
sizeof(OEMCrypto_SubSampleDescription)) {
OEMCrypto_SubSampleDescription subsample;
fuzzed_subsample_data.ConsumeData(&subsample,
sizeof(OEMCrypto_SubSampleDescription));
subsamples.push_back(subsample);
}
if (subsamples.size() == 0) {
return 0;
}
// Allocate input buffers for each sample description.
std::vector<std::vector<OEMCrypto_SharedMemory>> input_buffers(
sample_descriptions.size());
// Infer samples_length from fuzzed data.
size_t sample_description_size = sizeof(OEMCrypto_SampleDescription);
samples_length =
fuzzed_sample_data.remaining_bytes() / sample_description_size;
if (samples_length == 0) {
return 0;
}
// Allocate secure_fd values for secure buffers.
std::vector<int> secure_fd_array(sample_descriptions.size());
// Initialize sample_descriptions array.
vector<OEMCrypto_SampleDescription> sample_descriptions(samples_length);
// Create array to maintain secure_fd buffer values for secure buffers.
vector<int> secure_fd_array(samples_length);
// Allocate subsamples for each sample description.
std::vector<std::vector<OEMCrypto_SubSampleDescription>> subsamples(
sample_descriptions.size());
OEMCryptoLicenseAPIFuzz license_api_fuzz;
Session* session = license_api_fuzz.session();
// Copy samples from fuzzed data.
size_t input_subsample_index = 0;
size_t total_input_data_length = 0;
for (size_t i = 0; i < samples_length; i++) {
fuzzed_sample_data.ConsumeData(&sample_descriptions[i],
sample_description_size);
const uint32_t session_id = license_api_fuzz.session()->session_id();
// Free first given number of output buffers.
const auto FreeOutputBuffers = [&sample_descriptions, session_id,
&secure_fd_array](size_t num_buffers) {
for (size_t i = 0; i < num_buffers; i++) {
OEMCrypto_DestBufferDesc& output_descriptor =
sample_descriptions[i].buffers.output_descriptor;
switch (output_descriptor.type) {
case OEMCrypto_BufferType_Clear:
delete[] output_descriptor.buffer.clear.clear_buffer;
break;
case OEMCrypto_BufferType_Secure:
OEMCrypto_FreeSecureBuffer(session_id, &output_descriptor,
secure_fd_array[i]);
break;
case OEMCrypto_BufferType_Direct:
break;
}
}
};
// Prepare each sample description.
FuzzedDataProvider& sample_description_data = fuzzed_data;
FuzzedDataProvider input_buffer_data(inputs[1].data, inputs[1].size);
FuzzedDataProvider subsample_data(inputs[2].data, inputs[2].size);
for (size_t i = 0; i < sample_descriptions.size(); i++) {
// Read and normalize sample description fuzzed properties.
OEMCrypto_SampleDescription_Fuzz fuzzed_sample_description;
sample_description_data.ConsumeData(&fuzzed_sample_description,
sizeof(fuzzed_sample_description));
fuzzed_sample_description.buffers.input_data_length %=
MAX_FUZZ_SAMPLE_SIZE + 1;
ConvertDataToValidEnum(
OEMCrypto_BufferType_MaxValue,
&sample_descriptions[i].buffers.output_descriptor.type);
&fuzzed_sample_description.buffers.output_descriptor.type);
fuzzed_sample_description.buffers.output_descriptor.buffer_config %=
MAX_FUZZ_SAMPLE_SIZE + 1;
// Copy random data into input sample data. Cap input data length at 5 MB,
// 1 MB higher than that described by resource rating tier.
total_input_data_length += std::min(
MAX_FUZZ_SAMPLE_SIZE, sample_descriptions[i].buffers.input_data_length);
// Copy sub sample data.
sample_descriptions[i].subsamples = &subsamples[input_subsample_index];
if (OPK_AddOverflowUX(input_subsample_index,
sample_descriptions[i].subsamples_length,
&input_subsample_index)) {
// Read input data.
if (fuzzed_sample_description.buffers.input_data_length >
input_buffer_data.remaining_bytes()) {
FreeOutputBuffers(i);
return 0;
}
if (input_subsample_index > subsamples.size()) return 0;
} // Sample loop.
input_buffers[i] = input_buffer_data.ConsumeBytes<uint8_t>(
fuzzed_sample_description.buffers.input_data_length);
sample_descriptions[i].buffers.input_data = input_buffers[i].data();
sample_descriptions[i].buffers.input_data_length = input_buffers[i].size();
// Allocate input/output buffers for each sample description.
vector<OEMCrypto_SharedMemory> input_buffer(total_input_data_length);
size_t input_buffer_index = 0;
for (size_t i = 0; i < samples_length; i++) {
if (total_input_data_length > 0) {
sample_descriptions[i].buffers.input_data =
&input_buffer[input_buffer_index];
// Set subsample data.
if (fuzzed_sample_description.subsamples_length >
subsample_data.remaining_bytes() /
sizeof(OEMCrypto_SubSampleDescription)) {
FreeOutputBuffers(i);
return 0;
}
input_buffer_index += std::min(
MAX_FUZZ_SAMPLE_SIZE, sample_descriptions[i].buffers.input_data_length);
if (fuzzed_sample_description.subsamples_length > 0) {
subsamples[i].resize(fuzzed_sample_description.subsamples_length);
subsample_data.ConsumeData(
subsamples[i].data(),
subsamples[i].size() * sizeof(OEMCrypto_SubSampleDescription));
}
sample_descriptions[i].subsamples = subsamples[i].data();
sample_descriptions[i].subsamples_length = subsamples[i].size();
// Create output buffer pointers. If secure buffer is not supported, we
// explicitly convert to clear buffer and fuzz.
if (!InitializeOutputBuffers(
session->session_id(),
sample_descriptions[i].buffers.output_descriptor, i,
secure_fd_array)) {
LOGI(
"[OEMCrypto decrypt CENC fuzz] Secure buffers are not supported. "
"Use "
"clear buffer instead.");
sample_descriptions[i].buffers.output_descriptor.type =
OEMCrypto_BufferType_Clear;
InitializeOutputBuffers(session->session_id(),
sample_descriptions[i].buffers.output_descriptor,
i, secure_fd_array);
// Set IV data.
memcpy(sample_descriptions[i].iv, fuzzed_sample_description.iv,
sizeof(sample_descriptions[i].iv));
// Initialize output buffer.
OEMCrypto_DestBufferDesc& output_descriptor =
sample_descriptions[i].buffers.output_descriptor;
const OEMCrypto_DestBufferDesc_Fuzz& fuzzed_output_descriptor =
fuzzed_sample_description.buffers.output_descriptor;
output_descriptor.type = fuzzed_output_descriptor.type;
switch (output_descriptor.type) {
case OEMCrypto_BufferType_Clear:
output_descriptor.buffer.clear.clear_buffer =
new OEMCrypto_SharedMemory[fuzzed_output_descriptor.buffer_config];
output_descriptor.buffer.clear.clear_buffer_length =
fuzzed_output_descriptor.buffer_config;
break;
case OEMCrypto_BufferType_Secure:
if (OEMCrypto_AllocateSecureBuffer(
session_id, fuzzed_output_descriptor.buffer_config,
&output_descriptor, &secure_fd_array[i]) != OEMCrypto_SUCCESS) {
FreeOutputBuffers(i);
return 0;
}
break;
case OEMCrypto_BufferType_Direct:
output_descriptor.buffer.direct.is_video =
fuzzed_output_descriptor.buffer_config & 1;
break;
}
}
// Load license and call decrypt_cenc API.
license_api_fuzz.LoadLicense();
OEMCrypto_SelectKey(session->session_id(), session->license().keys[0].key_id,
session->license().keys[0].key_id_length,
fuzzed_structure.cipher_mode);
OEMCrypto_DecryptCENC(session->session_id(), sample_descriptions.data(),
samples_length, &fuzzed_structure.pattern);
FreeOutputBuffers(session->session_id(), sample_descriptions.data(),
samples_length, secure_fd_array.data());
const MessageKeyData& key = license_api_fuzz.session()->license().keys[0];
vector<uint8_t> key_handle;
GetKeyHandleIntoVector(session_id, key.key_id, key.key_id_length,
fuzzed_structure.cipher_mode, key_handle);
OEMCrypto_DecryptCENC(key_handle.data(), key_handle.size(),
sample_descriptions.data(), sample_descriptions.size(),
&fuzzed_structure.pattern);
// Free all output buffers.
FreeOutputBuffers(sample_descriptions.size());
return 0;
}
} // namespace wvoec