widevine-partner/android
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge of OEMCrypto fuzz test CLs

Browse Source 
----------------------------------------------------------------------

Fix oemcrypto_generic_verify_fuzz mutator signature offset

[ Merge of http://go/wvgerrit/165899 ]

Merged from https://widevine-internal-review.googlesource.com/165598

Change-Id: I85574fcd62622d2954c306688e04ecfda333c0cb

----------------------------------------------------------------------

Fix regressions in oemcrypto_decrypt_cenc_fuzz

[ Merge of http://go/wvgerrit/162151 ]

Fix null-dereference of subsamples vector and potential memory leak due
to parsing errors.

Bug: 260005865
Bug: 260013015

Merged from https://widevine-internal-review.googlesource.com/162081

Change-Id: I91bf1baa726803b2a0073ff3db94e69719d377bb

----------------------------------------------------------------------

Add custom mutator to oemcrypto_generic_verify_fuzz

[ Merge of http://go/wvgerrit/161578 ]

Enable fuzzing mutations beyond changing the signature length.

Merged from https://widevine-internal-review.googlesource.com/159917

Change-Id: I022d752107b788bd45aafb8325e3186ef90336de

----------------------------------------------------------------------

Refactor oemcrypto_decrypt_cenc_fuzz

[ Merge of http://go/wvgerrit/161546 ]

Refactor to minimize the required corpus length, fuzz the sample input
data, and avoid undefined behavior related to filling
OEMCrypto_DestBufferDesc::buffer with fuzzed data.

Merged from https://widevine-internal-review.googlesource.com/159618

Change-Id: Id9af8b1704d4619ba88ab8de3adb35d5f8bb69f6

----------------------------------------------------------------------

Refactor oemcrypto_copy_buffer_fuzz

[ Merge of http://go/wvgerrit/161307 ]

Refactor to minimize the required corpus length, fuzz the output buffer
length, and avoid undefined behavior related to filling
OEMCrypto_DestBufferDesc::buffer with fuzzed data.

Merged from https://widevine-internal-review.googlesource.com/159617

Change-Id: Ieddc6260e5eca641f8409a9b361ca4e5a40d6f52

----------------------------------------------------------------------

Improve AddressSanitizer coverage for LoadEntitledContentKeys fuzzing

[ Merge of http://go/wvgerrit/161397 ]

Split fuzzed message into separate buffer so AddressSanitizer can detect
out-of-bounds accesses.

Merged from https://widevine-internal-review.googlesource.com/161277

----------------------------------------------------------------------

Avoid copying fuzzed data when separator splitting

[ Merge of http://go/wvgerrit/161120 ]

Merged from https://widevine-internal-review.googlesource.com/159497

Change-Id: I2b13ff34eee74c8aea9a8176aa711e3e2bc57add

----------------------------------------------------------------------

Fix oemcrypto_opk_dispatcher_fuzz

[ Merge of http://go/wvgerrit/161119 ]

Set ODK_Message size and add timestamp field to initialization requests.

Merged from https://widevine-internal-review.googlesource.com/159897

Change-Id: Ide51d1cb4119a396212d1802411cfa19f5792e9d

----------------------------------------------------------------------

Cover empty buffers in fuzz tests

[ Merge of http://go/wvgerrit/161018 ]

Update tests that avoid passing empty buffers to OEMCrypto API methods.

Merged from https://widevine-internal-review.googlesource.com/159317

Change-Id: If0d8007e3294820654b081fe813a09485e757f1c

----------------------------------------------------------------------

Fix cherry pick of "Improve buffer size distribution in fuzz tests"

[ Merge of http://go/wvgerrit/161022 ]

Change-Id: I8b0440fe13b513396b5779c25e6a46ac40eaa183

----------------------------------------------------------------------

Improve buffer size distribution in fuzz tests

[ Merge of http://go/wvgerrit/160957 ]

When a buffer size is fuzzed, use the modulo operation, instead of
std::min, to create an even distribution.

Merged from https://widevine-internal-review.googlesource.com/159157

Change-Id: I3c1168c7a7d739793005927a97af18de5df2e4c6

----------------------------------------------------------------------

Improve AddressSanitizer coverage in fuzz tests

[ Merge of http://go/wvgerrit/160464 ]

Split fuzzed data into separate buffers so AddressSanitizer can detect
all out-of-bounds accesses.

Merged from https://widevine-internal-review.googlesource.com/158977

Change-Id: I7ca67409b7c6f96548e21ab41f6caf99f738605d
This commit is contained in:
Rahul Frias
2023-02-27 16:20:51 -08:00
parent 469c6408da
commit e4cde22826
17 changed files with 505 additions and 433 deletions
Download Patch File Download Diff File Expand all files Collapse all files

260
libwvdrmengine/oemcrypto/test/fuzz_tests/oemcrypto_decrypt_cenc_fuzz.cc
View File

@@ -4,184 +4,166 @@
#include "FuzzedDataProvider.h"
#include "OEMCryptoCENC.h"
#include "log.h"
#include "oemcrypto_fuzz_helper.h"
#include "oemcrypto_fuzz_structs.h"
#include "oemcrypto_overflow.h"
namespace wvoec {
const size_t MAX_FUZZ_SAMPLE_SIZE = 5 * MB;
// Free dynamic memory allocated by fuzzer script.
void FreeOutputBuffers(OEMCrypto_SESSION session_id,
OEMCrypto_SampleDescription* sample_description,
size_t sample_index, int* secure_fd_array) {
for (size_t i = 0; i < sample_index; i++) {
OEMCrypto_DestBufferDesc fuzzed_output_descriptor =
sample_description[i].buffers.output_descriptor;
switch (fuzzed_output_descriptor.type) {
case OEMCrypto_BufferType_Clear: {
delete[] fuzzed_output_descriptor.buffer.clear.clear_buffer;
break;
}
case OEMCrypto_BufferType_Secure: {
OEMCrypto_FreeSecureBuffer(session_id, &fuzzed_output_descriptor,
secure_fd_array[i]);
break;
}
case OEMCrypto_BufferType_Direct: {
break;
}
}
}
}
// Function to initialize output buffer pointers by allocating memory.
// Limiting output buffer size to 5 MB as 4 MB is maximum size specified
// by resource rating tier documentation.
bool InitializeOutputBuffers(OEMCrypto_SESSION session_id,
OEMCrypto_DestBufferDesc& output_descriptor,
size_t sample_index,
vector<int>& secure_fd_array) {
switch (output_descriptor.type) {
case OEMCrypto_BufferType_Clear: {
output_descriptor.buffer.clear.clear_buffer =
new OEMCrypto_SharedMemory[std::min(
MAX_FUZZ_SAMPLE_SIZE,
output_descriptor.buffer.clear.clear_buffer_length)];
return true;
}
case OEMCrypto_BufferType_Secure: {
int* secure_fd;
OEMCryptoResult sts = OEMCrypto_AllocateSecureBuffer(
session_id,
std::min(MAX_FUZZ_SAMPLE_SIZE,
output_descriptor.buffer.secure.secure_buffer_length),
&output_descriptor, secure_fd);
if (sts == OEMCrypto_SUCCESS) secure_fd_array[sample_index] = *secure_fd;
return sts == OEMCrypto_SUCCESS;
}
case OEMCrypto_BufferType_Direct: {
return true;
}
}
}
// Limit output buffer size to 5 MB as 4 MB is maximum size specified by
// resource rating tier documentation.
const size_t MAX_FUZZ_SAMPLE_SIZE = 5 * MB;
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
// Redirect printf and log statements from oemcrypto functions to a file to
// reduce noise
RedirectStdoutToFile();
size_t samples_length;
// Split data using separator.
auto inputs = SplitInput(data, size);
if (inputs.size() < 2) {
const std::vector<FuzzedData> inputs = SplitFuzzedData(data, size);
if (inputs.size() < 3) {
return 0;
}
// Read cipher mode and pattern from fuzzed data.
OEMCrypto_Decrypt_Cenc_Fuzz fuzzed_structure;
if (inputs[0].size() < sizeof(fuzzed_structure)) {
if (inputs[0].size < sizeof(fuzzed_structure)) {
return 0;
}
// Copy OEMCrypto_Decrypt_Cenc_Fuzz from input data.
memcpy(&fuzzed_structure, data, sizeof(fuzzed_structure));
FuzzedDataProvider fuzzed_data(inputs[0].data, inputs[0].size);
fuzzed_data.ConsumeData(&fuzzed_structure, sizeof(fuzzed_structure));
ConvertDataToValidEnum(OEMCrypto_CipherMode_MaxValue,
&fuzzed_structure.cipher_mode);
size_t remaining_size_for_samples =
inputs[0].size() - sizeof(fuzzed_structure);
// Initialize FDP structures to read data using inbuilt functions.
FuzzedDataProvider fuzzed_sample_data(data + sizeof(fuzzed_structure),
remaining_size_for_samples);
FuzzedDataProvider fuzzed_subsample_data(inputs[1].data(), inputs[1].size());
// Allocate sample descriptions.
std::vector<OEMCrypto_SampleDescription> sample_descriptions(
fuzzed_data.remaining_bytes() / sizeof(OEMCrypto_SampleDescription_Fuzz));
// Read subsamples from fuzzed data.
vector<OEMCrypto_SubSampleDescription> subsamples;
while (fuzzed_subsample_data.remaining_bytes() >=
sizeof(OEMCrypto_SubSampleDescription)) {
OEMCrypto_SubSampleDescription subsample;
fuzzed_subsample_data.ConsumeData(&subsample,
sizeof(OEMCrypto_SubSampleDescription));
subsamples.push_back(subsample);
}
if (subsamples.size() == 0) {
return 0;
}
// Allocate input buffers for each sample description.
std::vector<std::vector<OEMCrypto_SharedMemory>> input_buffers(
sample_descriptions.size());
// Infer samples_length from fuzzed data.
size_t sample_description_size = sizeof(OEMCrypto_SampleDescription);
samples_length =
fuzzed_sample_data.remaining_bytes() / sample_description_size;
if (samples_length == 0) {
return 0;
}
// Allocate secure_fd values for secure buffers.
std::vector<int> secure_fd_array(sample_descriptions.size());
// Initialize sample_descriptions array.
vector<OEMCrypto_SampleDescription> sample_descriptions(samples_length);
// Create array to maintain secure_fd buffer values for secure buffers.
vector<int> secure_fd_array(samples_length);
// Allocate subsamples for each sample description.
std::vector<std::vector<OEMCrypto_SubSampleDescription>> subsamples(
sample_descriptions.size());
OEMCryptoLicenseAPIFuzz license_api_fuzz;
Session* session = license_api_fuzz.session();
// Copy samples from fuzzed data.
size_t input_subsample_index = 0;
size_t total_input_data_length = 0;
for (size_t i = 0; i < samples_length; i++) {
fuzzed_sample_data.ConsumeData(&sample_descriptions[i],
sample_description_size);
const uint32_t session_id = license_api_fuzz.session()->session_id();
// Free first given number of output buffers.
const auto FreeOutputBuffers = [&sample_descriptions, session_id,
&secure_fd_array](size_t num_buffers) {
for (size_t i = 0; i < num_buffers; i++) {
OEMCrypto_DestBufferDesc& output_descriptor =
sample_descriptions[i].buffers.output_descriptor;
switch (output_descriptor.type) {
case OEMCrypto_BufferType_Clear:
delete[] output_descriptor.buffer.clear.clear_buffer;
break;
case OEMCrypto_BufferType_Secure:
OEMCrypto_FreeSecureBuffer(session_id, &output_descriptor,
secure_fd_array[i]);
break;
case OEMCrypto_BufferType_Direct:
break;
}
}
};
// Prepare each sample description.
FuzzedDataProvider& sample_description_data = fuzzed_data;
FuzzedDataProvider input_buffer_data(inputs[1].data, inputs[1].size);
FuzzedDataProvider subsample_data(inputs[2].data, inputs[2].size);
for (size_t i = 0; i < sample_descriptions.size(); i++) {
// Read and normalize sample description fuzzed properties.
OEMCrypto_SampleDescription_Fuzz fuzzed_sample_description;
sample_description_data.ConsumeData(&fuzzed_sample_description,
sizeof(fuzzed_sample_description));
fuzzed_sample_description.buffers.input_data_length %=
MAX_FUZZ_SAMPLE_SIZE + 1;
ConvertDataToValidEnum(
OEMCrypto_BufferType_MaxValue,
&sample_descriptions[i].buffers.output_descriptor.type);
&fuzzed_sample_description.buffers.output_descriptor.type);
fuzzed_sample_description.buffers.output_descriptor.buffer_config %=
MAX_FUZZ_SAMPLE_SIZE + 1;
// Copy random data into input sample data. Cap input data length at 5 MB,
// 1 MB higher than that described by resource rating tier.
total_input_data_length += std::min(
MAX_FUZZ_SAMPLE_SIZE, sample_descriptions[i].buffers.input_data_length);
// Copy sub sample data.
sample_descriptions[i].subsamples = &subsamples[input_subsample_index];
if (OPK_AddOverflowUX(input_subsample_index,
sample_descriptions[i].subsamples_length,
&input_subsample_index)) {
// Read input data.
if (fuzzed_sample_description.buffers.input_data_length >
input_buffer_data.remaining_bytes()) {
FreeOutputBuffers(i);
return 0;
}
if (input_subsample_index > subsamples.size()) return 0;
} // Sample loop.
input_buffers[i] = input_buffer_data.ConsumeBytes<uint8_t>(
fuzzed_sample_description.buffers.input_data_length);
sample_descriptions[i].buffers.input_data = input_buffers[i].data();
sample_descriptions[i].buffers.input_data_length = input_buffers[i].size();
// Allocate input/output buffers for each sample description.
vector<OEMCrypto_SharedMemory> input_buffer(total_input_data_length);
size_t input_buffer_index = 0;
for (size_t i = 0; i < samples_length; i++) {
sample_descriptions[i].buffers.input_data =
&input_buffer[input_buffer_index];
input_buffer_index += std::min(
MAX_FUZZ_SAMPLE_SIZE, sample_descriptions[i].buffers.input_data_length);
// Set subsample data.
if (fuzzed_sample_description.subsamples_length >
subsample_data.remaining_bytes() /
sizeof(OEMCrypto_SubSampleDescription)) {
FreeOutputBuffers(i);
return 0;
}
if (fuzzed_sample_description.subsamples_length > 0) {
subsamples[i].resize(fuzzed_sample_description.subsamples_length);
subsample_data.ConsumeData(
subsamples[i].data(),
subsamples[i].size() * sizeof(OEMCrypto_SubSampleDescription));
}
sample_descriptions[i].subsamples = subsamples[i].data();
sample_descriptions[i].subsamples_length = subsamples[i].size();
// Create output buffer pointers. If secure buffer is not supported, we
// explicitly convert to clear buffer and fuzz.
if (!InitializeOutputBuffers(
session->session_id(),
sample_descriptions[i].buffers.output_descriptor, i,
secure_fd_array)) {
LOGI(
"[OEMCrypto decrypt CENC fuzz] Secure buffers are not supported. Use "
"clear buffer instead.");
sample_descriptions[i].buffers.output_descriptor.type =
OEMCrypto_BufferType_Clear;
InitializeOutputBuffers(session->session_id(),
sample_descriptions[i].buffers.output_descriptor,
i, secure_fd_array);
// Set IV data.
memcpy(sample_descriptions[i].iv, fuzzed_sample_description.iv,
sizeof(sample_descriptions[i].iv));
// Initialize output buffer.
OEMCrypto_DestBufferDesc& output_descriptor =
sample_descriptions[i].buffers.output_descriptor;
const OEMCrypto_DestBufferDesc_Fuzz& fuzzed_output_descriptor =
fuzzed_sample_description.buffers.output_descriptor;
output_descriptor.type = fuzzed_output_descriptor.type;
switch (output_descriptor.type) {
case OEMCrypto_BufferType_Clear:
output_descriptor.buffer.clear.clear_buffer =
new OEMCrypto_SharedMemory[fuzzed_output_descriptor.buffer_config];
output_descriptor.buffer.clear.clear_buffer_length =
fuzzed_output_descriptor.buffer_config;
break;
case OEMCrypto_BufferType_Secure:
if (OEMCrypto_AllocateSecureBuffer(
session_id, fuzzed_output_descriptor.buffer_config,
&output_descriptor, &secure_fd_array[i]) != OEMCrypto_SUCCESS) {
FreeOutputBuffers(i);
return 0;
}
break;
case OEMCrypto_BufferType_Direct:
output_descriptor.buffer.direct.is_video =
fuzzed_output_descriptor.buffer_config & 1;
break;
}
}
// Load license and call decrypt_cenc API.
license_api_fuzz.LoadLicense();
OEMCrypto_SelectKey(session->session_id(), session->license().keys[0].key_id,
session->license().keys[0].key_id_length,
const MessageKeyData& key = license_api_fuzz.session()->license().keys[0];
OEMCrypto_SelectKey(session_id, key.key_id, key.key_id_length,
fuzzed_structure.cipher_mode);
OEMCrypto_DecryptCENC(session->session_id(), sample_descriptions.data(),
samples_length, &fuzzed_structure.pattern);
FreeOutputBuffers(session->session_id(), sample_descriptions.data(),
samples_length, secure_fd_array.data());
OEMCrypto_DecryptCENC(session_id, sample_descriptions.data(),
sample_descriptions.size(), &fuzzed_structure.pattern);
// Free all output buffers.
FreeOutputBuffers(sample_descriptions.size());
return 0;
}
} // namespace wvoec