Merge of OEMCrypto fuzz test CLs

---------------------------------------------------------------------- Fix oemcrypto_generic_verify_fuzz mutator signature offset [ Merge of http://go/wvgerrit/165899 ] Merged from https://widevine-internal-review.googlesource.com/165598 Change-Id: I85574fcd62622d2954c306688e04ecfda333c0cb ---------------------------------------------------------------------- Fix regressions in oemcrypto_decrypt_cenc_fuzz [ Merge of http://go/wvgerrit/162151 ] Fix null-dereference of subsamples vector and potential memory leak due to parsing errors. Bug: 260005865 Bug: 260013015 Merged from https://widevine-internal-review.googlesource.com/162081 Change-Id: I91bf1baa726803b2a0073ff3db94e69719d377bb ---------------------------------------------------------------------- Add custom mutator to oemcrypto_generic_verify_fuzz [ Merge of http://go/wvgerrit/161578 ] Enable fuzzing mutations beyond changing the signature length. Merged from https://widevine-internal-review.googlesource.com/159917 Change-Id: I022d752107b788bd45aafb8325e3186ef90336de ---------------------------------------------------------------------- Refactor oemcrypto_decrypt_cenc_fuzz [ Merge of http://go/wvgerrit/161546 ] Refactor to minimize the required corpus length, fuzz the sample input data, and avoid undefined behavior related to filling OEMCrypto_DestBufferDesc::buffer with fuzzed data. Merged from https://widevine-internal-review.googlesource.com/159618 Change-Id: Id9af8b1704d4619ba88ab8de3adb35d5f8bb69f6 ---------------------------------------------------------------------- Refactor oemcrypto_copy_buffer_fuzz [ Merge of http://go/wvgerrit/161307 ] Refactor to minimize the required corpus length, fuzz the output buffer length, and avoid undefined behavior related to filling OEMCrypto_DestBufferDesc::buffer with fuzzed data. Merged from https://widevine-internal-review.googlesource.com/159617 Change-Id: Ieddc6260e5eca641f8409a9b361ca4e5a40d6f52 ---------------------------------------------------------------------- Improve AddressSanitizer coverage for LoadEntitledContentKeys fuzzing [ Merge of http://go/wvgerrit/161397 ] Split fuzzed message into separate buffer so AddressSanitizer can detect out-of-bounds accesses. Merged from https://widevine-internal-review.googlesource.com/161277 ---------------------------------------------------------------------- Avoid copying fuzzed data when separator splitting [ Merge of http://go/wvgerrit/161120 ] Merged from https://widevine-internal-review.googlesource.com/159497 Change-Id: I2b13ff34eee74c8aea9a8176aa711e3e2bc57add ---------------------------------------------------------------------- Fix oemcrypto_opk_dispatcher_fuzz [ Merge of http://go/wvgerrit/161119 ] Set ODK_Message size and add timestamp field to initialization requests. Merged from https://widevine-internal-review.googlesource.com/159897 Change-Id: Ide51d1cb4119a396212d1802411cfa19f5792e9d ---------------------------------------------------------------------- Cover empty buffers in fuzz tests [ Merge of http://go/wvgerrit/161018 ] Update tests that avoid passing empty buffers to OEMCrypto API methods. Merged from https://widevine-internal-review.googlesource.com/159317 Change-Id: If0d8007e3294820654b081fe813a09485e757f1c ---------------------------------------------------------------------- Fix cherry pick of "Improve buffer size distribution in fuzz tests" [ Merge of http://go/wvgerrit/161022 ] Change-Id: I8b0440fe13b513396b5779c25e6a46ac40eaa183 ---------------------------------------------------------------------- Improve buffer size distribution in fuzz tests [ Merge of http://go/wvgerrit/160957 ] When a buffer size is fuzzed, use the modulo operation, instead of std::min, to create an even distribution. Merged from https://widevine-internal-review.googlesource.com/159157 Change-Id: I3c1168c7a7d739793005927a97af18de5df2e4c6 ---------------------------------------------------------------------- Improve AddressSanitizer coverage in fuzz tests [ Merge of http://go/wvgerrit/160464 ] Split fuzzed data into separate buffers so AddressSanitizer can detect all out-of-bounds accesses. Merged from https://widevine-internal-review.googlesource.com/158977 Change-Id: I7ca67409b7c6f96548e21ab41f6caf99f738605d
2023-02-27 16:20:51 -08:00
parent 469c6408da
commit e4cde22826
17 changed files with 505 additions and 433 deletions
--- a/libwvdrmengine/oemcrypto/test/fuzz_tests/oemcrypto_generic_verify_fuzz.cc
+++ b/libwvdrmengine/oemcrypto/test/fuzz_tests/oemcrypto_generic_verify_fuzz.cc
@@ -2,66 +2,124 @@
 // source code may only be used and distributed under the Widevine
 // License Agreement.

-#include <openssl/hmac.h>
-#include <openssl/sha.h>
-
+#include "FuzzedDataProvider.h"
 #include "OEMCryptoCENC.h"
-#include "log.h"
 #include "oemcrypto_fuzz_helper.h"
 #include "oemcrypto_fuzz_structs.h"
 #include "oemcrypto_types.h"

 namespace wvoec {
-extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
-  // Redirect printf and log statements from oemcrypto functions to a file to
-  // reduce noise
-  RedirectStdoutToFile();

-  OEMCrypto_Generic_Verify_Fuzz fuzzed_structure;
-  if (size < sizeof(fuzzed_structure)) {
-    return 0;
+// Properties deserialized from fuzzed data.
+struct FuzzedProperties {
+  OEMCrypto_Generic_Api_Fuzz structure;
+  std::vector<uint8_t> buffer;
+  std::vector<uint8_t> signature;
+};
+
+// Contains value only if has_value is true.
+struct OptionalFuzzedProperties {
+  FuzzedProperties value;
+  bool has_value;
+};
+
+OEMCryptoLicenseAPIFuzz license_api_fuzz;
+
+OptionalFuzzedProperties DeserializeFuzzedData(const uint8_t* data,
+                                               size_t size) {
+  OptionalFuzzedProperties fuzzed_properties;
+  const std::vector<FuzzedData> inputs = SplitFuzzedData(data, size);
+  if (inputs.size() < 2 ||
+      inputs[0].size < sizeof(fuzzed_properties.value.structure)) {
+    fuzzed_properties.has_value = false;
+    return fuzzed_properties;
  }
-  // Copy OEMCrypto_Generic_Verify_Fuzz from input data.
-  memcpy(&fuzzed_structure, data, sizeof(fuzzed_structure));
+  FuzzedDataProvider fuzzed_data(inputs[0].data, inputs[0].size);
+  fuzzed_data.ConsumeData(&fuzzed_properties.value.structure,
+                          sizeof(fuzzed_properties.value.structure));
  ConvertDataToValidEnum(OEMCrypto_CipherMode_MaxValue,
-                         &fuzzed_structure.cipher_mode);
+                         &fuzzed_properties.value.structure.cipher_mode);
  ConvertDataToValidEnum(OEMCrypto_Algorithm_MaxValue,
-                         &fuzzed_structure.algorithm);
+                         &fuzzed_properties.value.structure.algorithm);
+  fuzzed_properties.value.buffer = fuzzed_data.ConsumeRemainingBytes<uint8_t>();
+  fuzzed_properties.value.signature.assign(inputs[1].data,
+                                           inputs[1].data + inputs[1].size);
+  fuzzed_properties.has_value = true;
+  return fuzzed_properties;
+}

-  size_t in_buffer_size = size - sizeof(fuzzed_structure);
-  if (in_buffer_size == 0) {
-    return 0;
-  }
-  // Copy clear buffer from input data.
-  vector<uint8_t> in_buffer(in_buffer_size);
-  memcpy(in_buffer.data(), data + sizeof(fuzzed_structure), in_buffer_size);
-
-  OEMCryptoLicenseAPIFuzz license_api_fuzz;
-  Session* session = license_api_fuzz.session();
-  // Load license and call generic_verify API.
+extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv) {
+  RedirectStdoutToFile();
  license_api_fuzz.LoadLicense();
-  OEMCrypto_SelectKey(session->session_id(), session->license().keys[0].key_id,
-                      session->license().keys[0].key_id_length,
-                      OEMCrypto_CipherMode_CENC);
-  // Calculate signature for in buffer.
-  size_t signature_length = 0;
-  OEMCrypto_Generic_Sign(session->session_id(), in_buffer.data(),
-                         in_buffer.size(), fuzzed_structure.algorithm, nullptr,
-                         &signature_length);
-  vector<uint8_t> signature(signature_length);
-  OEMCrypto_Generic_Sign(session->session_id(), in_buffer.data(),
-                         in_buffer.size(), fuzzed_structure.algorithm,
-                         signature.data(), &signature_length);
-
-  OEMCrypto_SelectKey(session->session_id(), session->license().keys[0].key_id,
-                      session->license().keys[0].key_id_length,
-                      fuzzed_structure.cipher_mode);
-  signature_length =
-      std::min(MAX_FUZZ_OUTPUT_LENGTH, fuzzed_structure.signature_length);
-  signature.resize(signature_length);
-  OEMCrypto_Generic_Verify(session->session_id(), in_buffer.data(),
-                           in_buffer.size(), fuzzed_structure.algorithm,
-                           signature.data(), signature_length);
  return 0;
 }
+
+extern "C" size_t LLVMFuzzerCustomMutator(uint8_t* data, size_t size,
+                                          size_t max_size, unsigned int seed) {
+  // Deserialize fuzzed data.
+  OptionalFuzzedProperties fuzzed_properties =
+      DeserializeFuzzedData(data, size);
+  if (!fuzzed_properties.has_value) {
+    return 0;
+  }
+
+  // Select key and perform verification.
+  Session* const session = license_api_fuzz.session();
+  OEMCrypto_SelectKey(session->session_id(), session->license().keys[0].key_id,
+                      session->license().keys[0].key_id_length,
+                      fuzzed_properties.value.structure.cipher_mode);
+  if (OEMCrypto_Generic_Verify(
+          session->session_id(), fuzzed_properties.value.buffer.data(),
+          fuzzed_properties.value.buffer.size(),
+          fuzzed_properties.value.structure.algorithm,
+          fuzzed_properties.value.signature.data(),
+          fuzzed_properties.value.signature.size()) != OEMCrypto_SUCCESS) {
+    // Generate a new signature.
+    size_t signature_length = 0;
+    OEMCrypto_Generic_Sign(session->session_id(),
+                           fuzzed_properties.value.buffer.data(),
+                           fuzzed_properties.value.buffer.size(),
+                           fuzzed_properties.value.structure.algorithm, nullptr,
+                           &signature_length);
+    fuzzed_properties.value.signature.resize(signature_length);
+    OEMCrypto_Generic_Sign(
+        session->session_id(), fuzzed_properties.value.buffer.data(),
+        fuzzed_properties.value.buffer.size(),
+        fuzzed_properties.value.structure.algorithm,
+        fuzzed_properties.value.signature.data(), &signature_length);
+    const size_t signature_offset = sizeof(fuzzed_properties.value.structure) +
+                                    fuzzed_properties.value.buffer.size() +
+                                    sizeof(kFuzzDataSeparator);
+    size = signature_offset + signature_length;
+    if (size > max_size) {
+      return 0;
+    }
+    memcpy(data + signature_offset, fuzzed_properties.value.signature.data(),
+           signature_length);
+  }
+  return LLVMFuzzerMutate(data, size, max_size);
+}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  // Deserialize fuzzed data.
+  const OptionalFuzzedProperties fuzzed_properties =
+      DeserializeFuzzedData(data, size);
+  if (!fuzzed_properties.has_value) {
+    return 0;
+  }
+
+  // Select key and perform verification.
+  Session* const session = license_api_fuzz.session();
+  OEMCrypto_SelectKey(session->session_id(), session->license().keys[0].key_id,
+                      session->license().keys[0].key_id_length,
+                      fuzzed_properties.value.structure.cipher_mode);
+  OEMCrypto_Generic_Verify(session->session_id(),
+                           fuzzed_properties.value.buffer.data(),
+                           fuzzed_properties.value.buffer.size(),
+                           fuzzed_properties.value.structure.algorithm,
+                           fuzzed_properties.value.signature.data(),
+                           fuzzed_properties.value.signature.size());
+  return 0;
+}
+
 }  // namespace wvoec