widevine-partner/android
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix bugs impacting fuzzing coverage

Browse Source 
- Update ConvertDataToValidEnum to not use FuzzedDataProvider since it
  causes unexpected parsing results.
- Add OEMCryptoLicenseAPIFuzz::LoadLicenseWithGenericCryptoKeys so that
  generic crypto fuzz tests can load appropriate keys.
- Remove custom mutator from oemcrypto_generic_verify_fuzz because it
  provides minimal additional coverage.
- Refresh affected corpus files.

Merged from https://widevine-internal-review.googlesource.com/168557
Merged from https://widevine-internal-review.googlesource.com/171191
Merged from https://widevine-internal-review.googlesource.com/172170
Merged from https://widevine-internal-review.googlesource.com/172250

Change-Id: Ie676a36cbf4c12bdda9566fad3590a7b69168d9c
This commit is contained in:
Ian Benz
2023-03-21 01:45:50 +00:00
committed by Robert Shih
parent 55ef762c08
commit 57b391c8b9
300 changed files with 81 additions and 139 deletions
Download Patch File Download Diff File Expand all files Collapse all files

137
libwvdrmengine/oemcrypto/test/fuzz_tests/oemcrypto_generic_verify_fuzz.cc
View File

@@ -12,131 +12,52 @@
namespace {
// Properties deserialized from fuzzed data.
struct FuzzedProperties {
wvoec::OEMCrypto_Generic_Api_Fuzz structure;
std::vector<uint8_t> buffer;
std::vector<uint8_t> signature;
};
// Contains value only if has_value is true.
struct OptionalFuzzedProperties {
FuzzedProperties value;
bool has_value;
};
// Avoid calling non-trivial destructor.
wvoec::OEMCryptoLicenseAPIFuzz& license_api_fuzz =
*new wvoec::OEMCryptoLicenseAPIFuzz;
OptionalFuzzedProperties DeserializeFuzzedData(const uint8_t* data,
size_t size) {
OptionalFuzzedProperties fuzzed_properties;
const std::vector<wvoec::FuzzedData> inputs =
wvoec::SplitFuzzedData(data, size);
if (inputs.size() < 2 ||
inputs[0].size < sizeof(fuzzed_properties.value.structure)) {
fuzzed_properties.has_value = false;
return fuzzed_properties;
}
FuzzedDataProvider fuzzed_data(inputs[0].data, inputs[0].size);
fuzzed_data.ConsumeData(&fuzzed_properties.value.structure,
sizeof(fuzzed_properties.value.structure));
wvoec::ConvertDataToValidEnum(OEMCrypto_CipherMode_MaxValue,
&fuzzed_properties.value.structure.cipher_mode);
wvoec::ConvertDataToValidEnum(OEMCrypto_Algorithm_MaxValue,
&fuzzed_properties.value.structure.algorithm);
fuzzed_properties.value.buffer = fuzzed_data.ConsumeRemainingBytes<uint8_t>();
fuzzed_properties.value.signature.assign(inputs[1].data,
inputs[1].data + inputs[1].size);
fuzzed_properties.has_value = true;
return fuzzed_properties;
}
} // namespace
extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv) {
wvoec::RedirectStdoutToFile();
license_api_fuzz.Initialize();
license_api_fuzz.LoadLicense();
license_api_fuzz.LoadLicenseWithGenericCryptoKeys();
return 0;
}
extern "C" size_t LLVMFuzzerCustomMutator(uint8_t* data, size_t size,
size_t max_size, unsigned int seed) {
// Deserialize fuzzed data.
OptionalFuzzedProperties fuzzed_properties =
DeserializeFuzzedData(data, size);
if (!fuzzed_properties.has_value) {
return 0;
}
// Select key and perform verification.
wvoec::Session& session = license_api_fuzz.session();
std::vector<uint8_t> key_handle;
OEMCryptoResult result = wvoec::GetKeyHandleIntoVector(
session.session_id(), session.license().keys[0].key_id,
session.license().keys[0].key_id_length,
fuzzed_properties.value.structure.cipher_mode, key_handle);
if (result == OEMCrypto_SUCCESS) {
// Generate a new signature if verification fails.
result =
OEMCrypto_Generic_Verify(key_handle.data(), key_handle.size(),
fuzzed_properties.value.buffer.data(),
fuzzed_properties.value.buffer.size(),
fuzzed_properties.value.structure.algorithm,
fuzzed_properties.value.signature.data(),
fuzzed_properties.value.signature.size());
if (result != OEMCrypto_SUCCESS) {
size_t signature_length = 0;
OEMCrypto_Generic_Sign(key_handle.data(), key_handle.size(),
fuzzed_properties.value.buffer.data(),
fuzzed_properties.value.buffer.size(),
fuzzed_properties.value.structure.algorithm,
nullptr, &signature_length);
fuzzed_properties.value.signature.resize(signature_length);
OEMCrypto_Generic_Sign(key_handle.data(), key_handle.size(),
fuzzed_properties.value.buffer.data(),
fuzzed_properties.value.buffer.size(),
fuzzed_properties.value.structure.algorithm,
fuzzed_properties.value.signature.data(),
&signature_length);
const size_t signature_offset =
sizeof(fuzzed_properties.value.structure) +
fuzzed_properties.value.buffer.size() +
sizeof(wvoec::kFuzzDataSeparator);
size = signature_offset + signature_length;
if (size > max_size) {
return 0;
}
memcpy(data + signature_offset, fuzzed_properties.value.signature.data(),
signature_length);
}
}
return LLVMFuzzerMutate(data, size, max_size);
}
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
// Deserialize fuzzed data.
const OptionalFuzzedProperties fuzzed_properties =
DeserializeFuzzedData(data, size);
if (!fuzzed_properties.has_value) {
// Split data using separator.
const std::vector<wvoec::FuzzedData> inputs =
wvoec::SplitFuzzedData(data, size);
if (inputs.size() < 2) {
return 0;
}
// Select key and perform verification.
// Deserialize fuzzed data.
wvoec::OEMCrypto_Generic_Api_Fuzz fuzzed_structure;
if (inputs[0].size < sizeof(fuzzed_structure)) {
return 0;
}
FuzzedDataProvider fuzzed_data(inputs[0].data, inputs[0].size);
fuzzed_data.ConsumeData(&fuzzed_structure, sizeof(fuzzed_structure));
wvoec::ConvertDataToValidEnum(OEMCrypto_CipherMode_MaxValue,
fuzzed_structure.cipher_mode);
wvoec::ConvertDataToValidEnum(OEMCrypto_Algorithm_MaxValue,
fuzzed_structure.algorithm);
const std::vector<uint8_t> buffer =
fuzzed_data.ConsumeRemainingBytes<uint8_t>();
const std::vector<uint8_t> signature(inputs[1].data,
inputs[1].data + inputs[1].size);
// Select key and verify.
wvoec::Session& session = license_api_fuzz.session();
std::vector<uint8_t> key_handle;
wvoec::GetKeyHandleIntoVector(
session.session_id(), session.license().keys[0].key_id,
session.license().keys[0].key_id_length,
fuzzed_properties.value.structure.cipher_mode, key_handle);
OEMCrypto_Generic_Verify(key_handle.data(), key_handle.size(),
fuzzed_properties.value.buffer.data(),
fuzzed_properties.value.buffer.size(),
fuzzed_properties.value.structure.algorithm,
fuzzed_properties.value.signature.data(),
fuzzed_properties.value.signature.size());
wvoec::GetKeyHandleIntoVector(session.session_id(),
session.license().keys[3].key_id,
session.license().keys[3].key_id_length,
fuzzed_structure.cipher_mode, key_handle);
OEMCrypto_Generic_Verify(key_handle.data(), key_handle.size(), buffer.data(),
buffer.size(), fuzzed_structure.algorithm,
signature.data(), signature.size());
return 0;
}