From c579a794620207f6858bfc519aa482f422d5df1d Mon Sep 17 00:00:00 2001
From: Ian Benz
Date: Mon, 27 Mar 2023 19:40:31 -0700
Subject: [PATCH] Fix null passed to memcpy in generic verify fuzz

Merge from Widevine repo of http://go/wvgerrit/169048

Do not generate a new signature during mutation if a key handle cannot be retrieved by OEMCrypto_GetKeyHandle().

Bug: 275264353
Test: luci tests
Change-Id: I9a804328c4b6d3e50d14c3f9c71043e71a88e3da
---
 .../oemcrypto_generic_verify_fuzz.cc | 66 ++++++++++---------
 1 file changed, 35 insertions(+), 31 deletions(-)

diff --git a/libwvdrmengine/oemcrypto/test/fuzz_tests/oemcrypto_generic_verify_fuzz.cc b/libwvdrmengine/oemcrypto/test/fuzz_tests/oemcrypto_generic_verify_fuzz.cc
index b4d98104..23f598d2 100644
--- a/libwvdrmengine/oemcrypto/test/fuzz_tests/oemcrypto_generic_verify_fuzz.cc
+++ b/libwvdrmengine/oemcrypto/test/fuzz_tests/oemcrypto_generic_verify_fuzz.cc
@@ -64,44 +64,48 @@ extern "C" size_t LLVMFuzzerCustomMutator(uint8_t* data, size_t size,
     return 0;
   }
-  // Select key and perform verification.
+  // Get key handle for signing and verifying.
   Session* const session = license_api_fuzz.session();
   vector key_handle;
-  GetKeyHandleIntoVector(
+  OEMCryptoResult result = GetKeyHandleIntoVector(
       session->session_id(), session->license().keys[0].key_id,
       session->license().keys[0].key_id_length,
       fuzzed_properties.value.structure.cipher_mode, key_handle);
-  if (OEMCrypto_Generic_Verify(key_handle.data(), key_handle.size(),
-                               fuzzed_properties.value.buffer.data(),
-                               fuzzed_properties.value.buffer.size(),
-                               fuzzed_properties.value.structure.algorithm,
-                               fuzzed_properties.value.signature.data(),
-                               fuzzed_properties.value.signature.size()) !=
-      OEMCrypto_SUCCESS) {
-    // Generate a new signature.
-    size_t signature_length = 0;
-    OEMCrypto_Generic_Sign(key_handle.data(), key_handle.size(),
-                           fuzzed_properties.value.buffer.data(),
-                           fuzzed_properties.value.buffer.size(),
-                           fuzzed_properties.value.structure.algorithm, nullptr,
-                           &signature_length);
-    fuzzed_properties.value.signature.resize(signature_length);
-    OEMCrypto_Generic_Sign(key_handle.data(), key_handle.size(),
-                           fuzzed_properties.value.buffer.data(),
-                           fuzzed_properties.value.buffer.size(),
-                           fuzzed_properties.value.structure.algorithm,
-                           fuzzed_properties.value.signature.data(),
-                           &signature_length);
-    const size_t signature_offset = sizeof(fuzzed_properties.value.structure) +
-                                    fuzzed_properties.value.buffer.size() +
-                                    sizeof(kFuzzDataSeparator);
-    size = signature_offset + signature_length;
-    if (size > max_size) {
-      return 0;
+  if (result == OEMCrypto_SUCCESS) {
+    // Generate a new signature if verification fails.
+    result =
+        OEMCrypto_Generic_Verify(key_handle.data(), key_handle.size(),
+                                 fuzzed_properties.value.buffer.data(),
+                                 fuzzed_properties.value.buffer.size(),
+                                 fuzzed_properties.value.structure.algorithm,
+                                 fuzzed_properties.value.signature.data(),
+                                 fuzzed_properties.value.signature.size());
+    if (result != OEMCrypto_SUCCESS) {
+      size_t signature_length = 0;
+      OEMCrypto_Generic_Sign(key_handle.data(), key_handle.size(),
+                             fuzzed_properties.value.buffer.data(),
+                             fuzzed_properties.value.buffer.size(),
+                             fuzzed_properties.value.structure.algorithm,
+                             nullptr, &signature_length);
+      fuzzed_properties.value.signature.resize(signature_length);
+      OEMCrypto_Generic_Sign(key_handle.data(), key_handle.size(),
+                             fuzzed_properties.value.buffer.data(),
+                             fuzzed_properties.value.buffer.size(),
+                             fuzzed_properties.value.structure.algorithm,
+                             fuzzed_properties.value.signature.data(),
+                             &signature_length);
+      const size_t signature_offset =
+          sizeof(fuzzed_properties.value.structure) +
+          fuzzed_properties.value.buffer.size() + sizeof(kFuzzDataSeparator);
+      size = signature_offset + signature_length;
+      if (size > max_size) {
+        return 0;
+      }
+      memcpy(data + signature_offset, fuzzed_properties.value.signature.data(),
+             signature_length);
     }
-    memcpy(data + signature_offset, fuzzed_properties.value.signature.data(),
-           signature_length);
   }
+  return LLVMFuzzerMutate(data, size, max_size);
 }
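Review bot: Both `OEMCrypto_Generic_Sign` calls inside the new `if (result != OEMCrypto_SUCCESS)` branch still discard their status, so the null-to-memcpy this commit fixes for the key-handle path survives on the signing path: if the length query leaves `signature_length` at 0, `signature.resize(0)` can make `signature.data()` null and the added `memcpy(data + signature_offset, ..., signature_length)` is reached with a null source, which the sanitizer reports even for a zero length. After the first call add `if (signature_length == 0) return 0;` (its status alone is presumably not a failure signal, since a null output buffer is expected to report the required length — confirm against the OEMCrypto header), and guard the second with `if (OEMCrypto_Generic_Sign(...) != OEMCrypto_SUCCESS || signature_length > fuzzed_properties.value.signature.size()) return 0;` so a failed or re-sized second signature is never copied past the vector. The enclosing LLVMFuzzerCustomMutator starts before this hunk, where `fuzzed_properties` and `max_size` are set up.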