widevine-partner/android
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix null passed to memcpy in generic verify fuzz

Browse Source 
Merge from Widevine repo of http://go/wvgerrit/169048

Do not generate a new signature during mutation if a key handle cannot
be retrieved by OEMCrypto_GetKeyHandle().

Bug: 275264353
Test: luci tests
Change-Id: I9a804328c4b6d3e50d14c3f9c71043e71a88e3da
This commit is contained in:
Ian Benz
2023-03-27 19:40:31 -07:00
committed by Fred Gylys-Colwell
parent 322355dbbf
commit c579a79462
1 changed files with 35 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

66
libwvdrmengine/oemcrypto/test/fuzz_tests/oemcrypto_generic_verify_fuzz.cc
View File

@@ -64,44 +64,48 @@ extern "C" size_t LLVMFuzzerCustomMutator(uint8_t* data, size_t size,
return 0;
}
// Select key and perform verification.
// Get key handle for signing and verifying.
Session* const session = license_api_fuzz.session();
vector<uint8_t> key_handle;
GetKeyHandleIntoVector(
OEMCryptoResult result = GetKeyHandleIntoVector(
session->session_id(), session->license().keys[0].key_id,
session->license().keys[0].key_id_length,
fuzzed_properties.value.structure.cipher_mode, key_handle);
if (OEMCrypto_Generic_Verify(key_handle.data(), key_handle.size(),
fuzzed_properties.value.buffer.data(),
fuzzed_properties.value.buffer.size(),
fuzzed_properties.value.structure.algorithm,
fuzzed_properties.value.signature.data(),
fuzzed_properties.value.signature.size()) !=
OEMCrypto_SUCCESS) {
// Generate a new signature.
size_t signature_length = 0;
OEMCrypto_Generic_Sign(key_handle.data(), key_handle.size(),
fuzzed_properties.value.buffer.data(),
fuzzed_properties.value.buffer.size(),
fuzzed_properties.value.structure.algorithm, nullptr,
&signature_length);
fuzzed_properties.value.signature.resize(signature_length);
OEMCrypto_Generic_Sign(key_handle.data(), key_handle.size(),
fuzzed_properties.value.buffer.data(),
fuzzed_properties.value.buffer.size(),
fuzzed_properties.value.structure.algorithm,
fuzzed_properties.value.signature.data(),
&signature_length);
const size_t signature_offset = sizeof(fuzzed_properties.value.structure) +
fuzzed_properties.value.buffer.size() +
sizeof(kFuzzDataSeparator);
size = signature_offset + signature_length;
if (size > max_size) {
return 0;
if (result == OEMCrypto_SUCCESS) {
// Generate a new signature if verification fails.
result =
OEMCrypto_Generic_Verify(key_handle.data(), key_handle.size(),
fuzzed_properties.value.buffer.data(),
fuzzed_properties.value.buffer.size(),
fuzzed_properties.value.structure.algorithm,
fuzzed_properties.value.signature.data(),
fuzzed_properties.value.signature.size());
if (result != OEMCrypto_SUCCESS) {
size_t signature_length = 0;
OEMCrypto_Generic_Sign(key_handle.data(), key_handle.size(),
fuzzed_properties.value.buffer.data(),
fuzzed_properties.value.buffer.size(),
fuzzed_properties.value.structure.algorithm,
nullptr, &signature_length);
fuzzed_properties.value.signature.resize(signature_length);
OEMCrypto_Generic_Sign(key_handle.data(), key_handle.size(),
fuzzed_properties.value.buffer.data(),
fuzzed_properties.value.buffer.size(),
fuzzed_properties.value.structure.algorithm,
fuzzed_properties.value.signature.data(),
&signature_length);
const size_t signature_offset =
sizeof(fuzzed_properties.value.structure) +
fuzzed_properties.value.buffer.size() + sizeof(kFuzzDataSeparator);
size = signature_offset + signature_length;
if (size > max_size) {
return 0;
}
memcpy(data + signature_offset, fuzzed_properties.value.signature.data(),
signature_length);
}
memcpy(data + signature_offset, fuzzed_properties.value.signature.data(),
signature_length);
}
return LLVMFuzzerMutate(data, size, max_size);
}