From a285b363d9fabb64b31d27cdba912f25de6f75f9 Mon Sep 17 00:00:00 2001 From: Edwin Wong Date: Thu, 19 May 2022 17:51:19 +0000 Subject: [PATCH] Fuzz Widevine AIDL drmFactory binder interface. [Merged from http://go/wvgerrit/152150 ] Test: build and run test Bug: 226948319 Change-Id: I717d119cbf455fe76e4bb1f818d00141f4e7fa7c --- libwvdrmengine/Android.bp | 117 ++++++++++++++++++++++ libwvdrmengine/aidl_src/fuzzer/README.md | 31 ++++++ libwvdrmengine/aidl_src/fuzzer/fuzzer.cpp | 34 +++++++ libwvdrmengine/cdm/core/src/Android.bp | 4 +- libwvdrmengine/mediacrypto/Android.bp | 46 ++++++++- libwvdrmengine/mediadrm/Android.bp | 43 ++++++++ 6 files changed, 272 insertions(+), 3 deletions(-) create mode 100644 libwvdrmengine/aidl_src/fuzzer/README.md create mode 100644 libwvdrmengine/aidl_src/fuzzer/fuzzer.cpp diff --git a/libwvdrmengine/Android.bp b/libwvdrmengine/Android.bp index 1cb3d02c..dc761610 100644 --- a/libwvdrmengine/Android.bp +++ b/libwvdrmengine/Android.bp @@ -557,3 +557,120 @@ phony { "android.hardware.drm-service-lazy.widevine", ], } + +cc_library_shared { + name: "libwvaidl_fuzz", + + srcs: [ + "src/WVCDMSingleton.cpp", + "src/WVUUID.cpp", + "aidl_src/wv_metrics.cpp", + "aidl_src/WVCreatePluginFactories.cpp", + "aidl_src/WVDrmFactory.cpp", + ], + + include_dirs: [ + "frameworks/av/include", + "frameworks/native/include", + "vendor/widevine/libwvdrmengine/cdm/core/include", + "vendor/widevine/libwvdrmengine/cdm/metrics/include", + "vendor/widevine/libwvdrmengine/cdm/util/include", + "vendor/widevine/libwvdrmengine/cdm/include", + "vendor/widevine/libwvdrmengine/aidl_include", + "vendor/widevine/libwvdrmengine/include", + "vendor/widevine/libwvdrmengine/mediacrypto/aidl_include", + "vendor/widevine/libwvdrmengine/mediadrm/aidl_include", + "vendor/widevine/libwvdrmengine/oemcrypto/include", + ], + + static_libs: [ + "android.hardware.common-V2-ndk", + "libaidlcommonsupport", + "libcdm", + "libcdm_protos", + "libcdm_utils", + "libjsmn", + "libwvdrmcryptoplugin_aidl_fuzz", + "libwvdrmdrmplugin_aidl_fuzz", + "libwvlevel3", + "libwv_odk", + ], + + shared_libs: [ + "android.hardware.drm-V1-ndk", + "libbase", + "libbinder_ndk", + "libcrypto", + "libcutils", + "libdl", + "liblog", + "libprotobuf-cpp-lite", + "libutils", + ], + + header_libs: ["libstagefright_foundation_headers"], + + owner: "widevine", + + proprietary: true, +} + +cc_defaults { + name: "common_widevine_service-multilib-defaults-aidl_fuzz", + owner: "widevine", + proprietary: true, + relative_install_path: "hw", + include_dirs: [ + "vendor/widevine/libwvdrmengine/aidl_include", + "vendor/widevine/libwvdrmengine/mediadrm/aidl_include", + "vendor/widevine/libwvdrmengine/oemcrypto/include", + ], + header_libs: ["libstagefright_foundation_headers"], + + shared_libs: [ + "android.hardware.drm-V1-ndk", + "libbase", + "libbinder_ndk", + "liblog", + "libutils", + "libwvaidl_fuzz", + ], +} + +cc_fuzz { + name: "android.hardware.drm-service.widevine.aidl_fuzzer", + defaults: [ + "common_widevine_service-multilib-first", + "common_widevine_service-multilib-defaults-aidl_fuzz", + ], + static_libs: [ + "libbase", + "libbinder_random_parcel", + "libcutils", + "libutils", + ], + target: { + android: { + shared_libs: [ + "libbinder_ndk", + "libbinder", + ], + }, + host: { + static_libs: [ + "libbinder_ndk", + "libbinder", + ], + }, + darwin: { + enabled: false, + }, + }, + srcs: ["aidl_src/fuzzer/fuzzer.cpp"], + fuzz_config: { + cc: [ + "edwinwong@google.com", + "widevine-android@google.com", + ], + }, +} diff --git a/libwvdrmengine/aidl_src/fuzzer/README.md b/libwvdrmengine/aidl_src/fuzzer/README.md new file mode 100644 index 00000000..34f06717 --- /dev/null +++ b/libwvdrmengine/aidl_src/fuzzer/README.md @@ -0,0 +1,31 @@ +# About Widevine aidl binder fuzzer + +## Build the binaries + +See [go/build-fast][1] to setup the RBE environment. + +From Android root: + +1. source build/make/rbesetup.sh +2. `SANITIZE_TARGET`=hwaddress m `android.hardware.drm-service.widevine.aidl_fuzzer` -j128 + +## Push to target for testing + +adb push $(OUT)/data/fuzz/arm64/lib/ /data/fuzz/arm64/lib/ + +## Run test + +adb shell
+cd /data/fuzz/arm64
+`LD_LIBRARY_PATH=/data/fuzz/arm65/lib /data/fuzz/arm64/android.hardware.drm-service.widevine.aidl_fuzzer/vendor/hw/android.hardware.drm-service.widevine.aidl_fuzzer` + +## Monitoring + +By using `cc_fuzz` in Android.bp, the fuzz binary and its dependency sanitized shared libraries will be installed on the device.
+Libraries are installed in `/data/fuzz//lib`, and the binary is installed in /data/fuzz/<arch>/<`binary_name`>/vendor/hw.
+ +Within 24-48 hours of merge, you can monitor the coverage data [here][2].
+Bugs will be filed automatically, and the owner of the fuzzer(the cc in the config section) will be notified.
+ +[1]: https://g3doc.corp.google.com/company/teams/android/developing/update/build-fast.md?cl=head +[2]: https://android-coverage.googleplex.com/ diff --git a/libwvdrmengine/aidl_src/fuzzer/fuzzer.cpp b/libwvdrmengine/aidl_src/fuzzer/fuzzer.cpp new file mode 100644 index 00000000..91b7346d --- /dev/null +++ b/libwvdrmengine/aidl_src/fuzzer/fuzzer.cpp @@ -0,0 +1,34 @@ +/* + * Copyright (C) 2022 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#include +#include +#include +#include + +#include "WVCreatePluginFactories.h" + +using ::wvdrm::hardware::drm::widevine::createDrmFactory; +using ::wvdrm::hardware::drm::widevine::WVDrmFactory; + +using android::fuzzService; +using ndk::SharedRefBase; + +extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { + std::shared_ptr drmFactory = createDrmFactory(); + fuzzService(drmFactory->asBinder().get(), FuzzedDataProvider(data, size)); + + return 0; +} diff --git a/libwvdrmengine/cdm/core/src/Android.bp b/libwvdrmengine/cdm/core/src/Android.bp index 5b6afc36..7d10a511 100644 --- a/libwvdrmengine/cdm/core/src/Android.bp +++ b/libwvdrmengine/cdm/core/src/Android.bp @@ -17,8 +17,8 @@ cc_library { vendor: true, srcs: [ - "license_protocol.proto", - "device_files.proto", + "license_protocol.proto", + "device_files.proto", ], cflags: [ diff --git a/libwvdrmengine/mediacrypto/Android.bp b/libwvdrmengine/mediacrypto/Android.bp index c66eb004..0255cebf 100644 --- a/libwvdrmengine/mediacrypto/Android.bp +++ b/libwvdrmengine/mediacrypto/Android.bp @@ -36,7 +36,7 @@ cc_library_static { "vendor/widevine/libwvdrmengine/cdm/include", "vendor/widevine/libwvdrmengine/cdm/metrics/include", "vendor/widevine/libwvdrmengine/cdm/util/include", - "vendor/widevine/libwvdrmengine/include", + "vendor/widevine/libwvdrmengine/include", "vendor/widevine/libwvdrmengine/include_hidl", "vendor/widevine/libwvdrmengine/mediacrypto/include_hidl", "vendor/widevine/libwvdrmengine/oemcrypto/include", @@ -109,3 +109,47 @@ cc_library_static { proprietary: true, } + +// Builds libwvdrmcryptoplugin_aidl_fuzz +// +cc_library_static { + name: "libwvdrmcryptoplugin_aidl_fuzz", + + srcs: ["aidl_src/WVCryptoPlugin.cpp"], + + include_dirs: [ + "frameworks/av/include", + "frameworks/native/include", + "vendor/widevine/libwvdrmengine/cdm/core/include", + "vendor/widevine/libwvdrmengine/cdm/include", + "vendor/widevine/libwvdrmengine/cdm/metrics/include", + "vendor/widevine/libwvdrmengine/cdm/util/include", + "vendor/widevine/libwvdrmengine/aidl_include", + "vendor/widevine/libwvdrmengine/include", + "vendor/widevine/libwvdrmengine/mediacrypto/aidl_include", + "vendor/widevine/libwvdrmengine/oemcrypto/include", + ], + + header_libs: [ + "libstagefright_headers", + "libutils_headers", + ], + + static_libs: [ + "android.hardware.common-V2-ndk", + "libaidlcommonsupport", + "libcdm_protos", + ], + + shared_libs: [ + "android.hardware.drm-V1-ndk", + "libbase", + "libcrypto", + "libhwbinder", + "liblog", + ], + + cflags: ["-Wthread-safety"], + + proprietary: true, +} diff --git a/libwvdrmengine/mediadrm/Android.bp b/libwvdrmengine/mediadrm/Android.bp index 5552dede..68c7b2d8 100644 --- a/libwvdrmengine/mediadrm/Android.bp +++ b/libwvdrmengine/mediadrm/Android.bp @@ -110,3 +110,46 @@ cc_library_static { proprietary: true, } + +// Builds libwvdrmdrmplugin_aidl_fuzz +// +cc_library_static { + name: "libwvdrmdrmplugin_aidl_fuzz", + + srcs: [ + "aidl_src/WVDrmPlugin.cpp", + "aidl_src/WVGenericCryptoInterface.cpp", + "aidl_src/wv_metrics_adapter.cpp", + ], + + include_dirs: [ + "frameworks/av/include", + "frameworks/native/include", + "vendor/widevine/libwvdrmengine/cdm/core/include", + "vendor/widevine/libwvdrmengine/cdm/include", + "vendor/widevine/libwvdrmengine/cdm/metrics/include", + "vendor/widevine/libwvdrmengine/cdm/util/include", + "vendor/widevine/libwvdrmengine/aidl_include", + "vendor/widevine/libwvdrmengine/include", + "vendor/widevine/libwvdrmengine/mediadrm/aidl_include", + "vendor/widevine/libwvdrmengine/oemcrypto/include", + ], + + header_libs: [ + "libstagefright_headers", + "libstagefright_foundation_headers", + "libutils_headers", + ], + + static_libs: ["libcdm_protos"], + + shared_libs: [ + "libbase", + "libbinder_ndk", + "libcrypto", + "liblog", + "android.hardware.drm-V1-ndk", + ], + + proprietary: true, +}