widevine-partner/android
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Optimize OEMCrypto_ShrinkUsageTableHeader fuzzing

Browse Source 
Merge from Widevine repo of http://go/wvgerrit/159057

Increase fuzzing efficiency by generating the header_buffer_length
parameter from the input data and pre-creating a usage table header.

Test: tested with http://go/ag/20420224

Change-Id: Idab4c3d0ae879854202e5ffd24bf031b946aeb6a
This commit is contained in:
Ian Benz
2022-11-08 13:53:09 -08:00
committed by Fred Gylys-Colwell
parent 2e9cbaf30f
commit e88bcf51c8
4 changed files with 14 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
libwvdrmengine/oemcrypto/test/fuzz_tests/oemcrypto_fuzz_helper.h
View File

@@ -20,9 +20,10 @@ extern "C" size_t LLVMFuzzerMutate(uint8_t* Data, size_t Size, size_t MaxSize)
__attribute__((weak));
const size_t KB = 1024;
// Maximum signature length. If fuzzed signature length is greater that this,
// this value will be used for signature length.
const size_t MAX_FUZZ_SIGNATURE_LENGTH = 5 * KB;
// Default maximum length of fuzzing output parameters.
const size_t MAX_FUZZ_OUTPUT_LENGTH = 5 * KB;
// Initial setup to create a valid OEMCrypto state such as initializing crypto
// firmware/hardware, installing golden key box etc. in order to fuzz
// OEMCrypto APIs.

2
libwvdrmengine/oemcrypto/test/fuzz_tests/oemcrypto_generate_rsa_signature_fuzz.cc
View File

@@ -23,7 +23,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
// We cannot allocate buffers of random huge lengths in memory.
// This also slows down the fuzzer.
size_t signature_length =
std::min(MAX_FUZZ_SIGNATURE_LENGTH, fuzzed_structure.signature_length);
std::min(MAX_FUZZ_OUTPUT_LENGTH, fuzzed_structure.signature_length);
vector<uint8_t> signature(signature_length);
OEMCrypto_GenerateRSASignature(
license_api_fuzz.session()->session_id(), data + sizeof(fuzzed_structure),

2
libwvdrmengine/oemcrypto/test/fuzz_tests/oemcrypto_generic_verify_fuzz.cc
View File

@@ -57,7 +57,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
session->license().keys[0].key_id_length,
fuzzed_structure.cipher_mode);
signature_length =
std::min(MAX_FUZZ_SIGNATURE_LENGTH, fuzzed_structure.signature_length);
std::min(MAX_FUZZ_OUTPUT_LENGTH, fuzzed_structure.signature_length);
signature.resize(signature_length);
OEMCrypto_Generic_Verify(session->session_id(), in_buffer.data(),
in_buffer.size(), fuzzed_structure.algorithm,

13
libwvdrmengine/oemcrypto/test/fuzz_tests/oemcrypto_shrink_usage_table_header_fuzz.cc
View File

@@ -2,6 +2,7 @@
// source code may only be used and distributed under the Widevine
// License Agreement.
#include "FuzzedDataProvider.h"
#include "OEMCryptoCENC.h"
#include "oemcrypto_fuzz_helper.h"
@@ -11,15 +12,17 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
// reduce noise
RedirectStdoutToFile();
if (size < sizeof(uint32_t)) {
if (size < sizeof(uint32_t) + sizeof(size_t)) {
return 0;
}
LicenseWithUsageEntryFuzz entry;
uint32_t new_entry_count = 0;
memcpy(&new_entry_count, data, sizeof(uint32_t));
std::vector<uint8_t> header_buffer(size - sizeof(uint32_t));
size_t header_buffer_length = header_buffer.size();
entry.CreateUsageTableHeader();
FuzzedDataProvider fuzzed_data(data, size);
const uint32_t new_entry_count = fuzzed_data.ConsumeIntegral<uint32_t>();
size_t header_buffer_length =
fuzzed_data.ConsumeIntegralInRange<size_t>(0, MAX_FUZZ_OUTPUT_LENGTH);
std::vector<uint8_t> header_buffer(header_buffer_length);
OEMCrypto_ShrinkUsageTableHeader(new_entry_count, header_buffer.data(),
&header_buffer_length);