Fix null passed to memcpy in generic verify fuzz

Merge from Widevine repo of http://go/wvgerrit/169048

Do not generate a new signature during mutation if a key handle cannot
be retrieved by OEMCrypto_GetKeyHandle().

Bug: 275264353
Test: luci tests
Change-Id: I9a804328c4b6d3e50d14c3f9c71043e71a88e3da
This commit is contained in:
Ian Benz
2023-03-27 19:40:31 -07:00
committed by Fred Gylys-Colwell
parent 322355dbbf
commit c579a79462


@@ -64,44 +64,48 @@ extern "C" size_t LLVMFuzzerCustomMutator(uint8_t* data, size_t size,
return 0; return 0;
} }
// Select key and perform verification. // Get key handle for signing and verifying.
Session* const session = license_api_fuzz.session(); Session* const session = license_api_fuzz.session();
vector<uint8_t> key_handle; vector<uint8_t> key_handle;
GetKeyHandleIntoVector( OEMCryptoResult result = GetKeyHandleIntoVector(
session->session_id(), session->license().keys[0].key_id, session->session_id(), session->license().keys[0].key_id,
session->license().keys[0].key_id_length, session->license().keys[0].key_id_length,
fuzzed_properties.value.structure.cipher_mode, key_handle); fuzzed_properties.value.structure.cipher_mode, key_handle);
if (OEMCrypto_Generic_Verify(key_handle.data(), key_handle.size(), if (result == OEMCrypto_SUCCESS) {
fuzzed_properties.value.buffer.data(), // Generate a new signature if verification fails.
fuzzed_properties.value.buffer.size(), result =
fuzzed_properties.value.structure.algorithm, OEMCrypto_Generic_Verify(key_handle.data(), key_handle.size(),
fuzzed_properties.value.signature.data(), fuzzed_properties.value.buffer.data(),
fuzzed_properties.value.signature.size()) != fuzzed_properties.value.buffer.size(),
OEMCrypto_SUCCESS) { fuzzed_properties.value.structure.algorithm,
// Generate a new signature. fuzzed_properties.value.signature.data(),
size_t signature_length = 0; fuzzed_properties.value.signature.size());
OEMCrypto_Generic_Sign(key_handle.data(), key_handle.size(), if (result != OEMCrypto_SUCCESS) {
fuzzed_properties.value.buffer.data(), size_t signature_length = 0;
fuzzed_properties.value.buffer.size(), OEMCrypto_Generic_Sign(key_handle.data(), key_handle.size(),
fuzzed_properties.value.structure.algorithm, nullptr, fuzzed_properties.value.buffer.data(),
&signature_length); fuzzed_properties.value.buffer.size(),
fuzzed_properties.value.signature.resize(signature_length); fuzzed_properties.value.structure.algorithm,
OEMCrypto_Generic_Sign(key_handle.data(), key_handle.size(), nullptr, &signature_length);
fuzzed_properties.value.buffer.data(), fuzzed_properties.value.signature.resize(signature_length);
fuzzed_properties.value.buffer.size(), OEMCrypto_Generic_Sign(key_handle.data(), key_handle.size(),
fuzzed_properties.value.structure.algorithm, fuzzed_properties.value.buffer.data(),
fuzzed_properties.value.signature.data(), fuzzed_properties.value.buffer.size(),
&signature_length); fuzzed_properties.value.structure.algorithm,
const size_t signature_offset = sizeof(fuzzed_properties.value.structure) + fuzzed_properties.value.signature.data(),
fuzzed_properties.value.buffer.size() + &signature_length);
sizeof(kFuzzDataSeparator); const size_t signature_offset =
size = signature_offset + signature_length; sizeof(fuzzed_properties.value.structure) +
if (size > max_size) { fuzzed_properties.value.buffer.size() + sizeof(kFuzzDataSeparator);
return 0; size = signature_offset + signature_length;
if (size > max_size) {
return 0;
}
memcpy(data + signature_offset, fuzzed_properties.value.signature.data(),
signature_length);
} }
memcpy(data + signature_offset, fuzzed_properties.value.signature.data(),
signature_length);
} }
return LLVMFuzzerMutate(data, size, max_size); return LLVMFuzzerMutate(data, size, max_size);
} }
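Review bot: The status returned by both `OEMCrypto_Generic_Sign` calls in the new `result != OEMCrypto_SUCCESS` branch is discarded, so if the length query or the signing call fails, `signature_length` can remain 0 and the final `memcpy` is reached with `fuzzed_properties.value.signature.data()` on an empty vector, which may be a null pointer — the same null-to-memcpy shape this commit fixes, reached by a different path (inferred from the code shape; the length-query contract of `OEMCrypto_Generic_Sign` is not visible here). Capturing the second call's status in the existing `result` and adding `if (result != OEMCrypto_SUCCESS || signature_length == 0) { return 0; }` before the `memcpy` closes that path and keeps the mutator from emitting an input whose signature region was never written. The comment `// Generate a new signature if verification fails.` sits above the verify call rather than the sign branch; moving it down to the `if (result != OEMCrypto_SUCCESS)` line would make it read correctly. `LLVMFuzzerCustomMutator` begins before this hunk, so the checks on `data`/`size` that may already exist above are not visible.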