widevine-partner/android
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a878e7b98d233ba3552b3c0ba8434e81160a837b
android/libwvdrmengine/oemcrypto/test/fuzz_tests/oemcrypto_fuzz_helper.h
Rahul Frias e4cde22826 Merge of OEMCrypto fuzz test CLs 
----------------------------------------------------------------------

Fix oemcrypto_generic_verify_fuzz mutator signature offset

[ Merge of http://go/wvgerrit/165899 ]

Merged from https://widevine-internal-review.googlesource.com/165598

Change-Id: I85574fcd62622d2954c306688e04ecfda333c0cb

----------------------------------------------------------------------

Fix regressions in oemcrypto_decrypt_cenc_fuzz

[ Merge of http://go/wvgerrit/162151 ]

Fix null-dereference of subsamples vector and potential memory leak due
to parsing errors.

Bug: 260005865
Bug: 260013015

Merged from https://widevine-internal-review.googlesource.com/162081

Change-Id: I91bf1baa726803b2a0073ff3db94e69719d377bb

----------------------------------------------------------------------

Add custom mutator to oemcrypto_generic_verify_fuzz

[ Merge of http://go/wvgerrit/161578 ]

Enable fuzzing mutations beyond changing the signature length.

Merged from https://widevine-internal-review.googlesource.com/159917

Change-Id: I022d752107b788bd45aafb8325e3186ef90336de

----------------------------------------------------------------------

Refactor oemcrypto_decrypt_cenc_fuzz

[ Merge of http://go/wvgerrit/161546 ]

Refactor to minimize the required corpus length, fuzz the sample input
data, and avoid undefined behavior related to filling
OEMCrypto_DestBufferDesc::buffer with fuzzed data.

Merged from https://widevine-internal-review.googlesource.com/159618

Change-Id: Id9af8b1704d4619ba88ab8de3adb35d5f8bb69f6

----------------------------------------------------------------------

Refactor oemcrypto_copy_buffer_fuzz

[ Merge of http://go/wvgerrit/161307 ]

Refactor to minimize the required corpus length, fuzz the output buffer
length, and avoid undefined behavior related to filling
OEMCrypto_DestBufferDesc::buffer with fuzzed data.

Merged from https://widevine-internal-review.googlesource.com/159617

Change-Id: Ieddc6260e5eca641f8409a9b361ca4e5a40d6f52

----------------------------------------------------------------------

Improve AddressSanitizer coverage for LoadEntitledContentKeys fuzzing

[ Merge of http://go/wvgerrit/161397 ]

Split fuzzed message into separate buffer so AddressSanitizer can detect
out-of-bounds accesses.

Merged from https://widevine-internal-review.googlesource.com/161277

----------------------------------------------------------------------

Avoid copying fuzzed data when separator splitting

[ Merge of http://go/wvgerrit/161120 ]

Merged from https://widevine-internal-review.googlesource.com/159497

Change-Id: I2b13ff34eee74c8aea9a8176aa711e3e2bc57add

----------------------------------------------------------------------

Fix oemcrypto_opk_dispatcher_fuzz

[ Merge of http://go/wvgerrit/161119 ]

Set ODK_Message size and add timestamp field to initialization requests.

Merged from https://widevine-internal-review.googlesource.com/159897

Change-Id: Ide51d1cb4119a396212d1802411cfa19f5792e9d

----------------------------------------------------------------------

Cover empty buffers in fuzz tests

[ Merge of http://go/wvgerrit/161018 ]

Update tests that avoid passing empty buffers to OEMCrypto API methods.

Merged from https://widevine-internal-review.googlesource.com/159317

Change-Id: If0d8007e3294820654b081fe813a09485e757f1c

----------------------------------------------------------------------

Fix cherry pick of "Improve buffer size distribution in fuzz tests"

[ Merge of http://go/wvgerrit/161022 ]

Change-Id: I8b0440fe13b513396b5779c25e6a46ac40eaa183

----------------------------------------------------------------------

Improve buffer size distribution in fuzz tests

[ Merge of http://go/wvgerrit/160957 ]

When a buffer size is fuzzed, use the modulo operation, instead of
std::min, to create an even distribution.

Merged from https://widevine-internal-review.googlesource.com/159157

Change-Id: I3c1168c7a7d739793005927a97af18de5df2e4c6

----------------------------------------------------------------------

Improve AddressSanitizer coverage in fuzz tests

[ Merge of http://go/wvgerrit/160464 ]

Split fuzzed data into separate buffers so AddressSanitizer can detect
all out-of-bounds accesses.

Merged from https://widevine-internal-review.googlesource.com/158977

Change-Id: I7ca67409b7c6f96548e21ab41f6caf99f738605d
2023-02-28 00:40:35 +00:00

143 lines
4.2 KiB
C++
Raw Blame History

// Copyright 2020 Google LLC. All Rights Reserved. This file and proprietary
// source code may only be used and distributed under the Widevine
// License Agreement.
#ifndef OEMCRYPTO_FUZZ_HELPER_H_
#define OEMCRYPTO_FUZZ_HELPER_H_
#include <vector>
#include "FuzzedDataProvider.h"
#include "OEMCryptoCENC.h"
#include "oec_device_features.h"
#include "oemcrypto_corpus_generator_helper.h"
#include "oemcrypto_session_tests_helper.h"
namespace wvoec {
// Forward-declare the libFuzzer's mutator callback. Mark it weak so that
// the program links successfully even outside of --config=asan-fuzzer
// (apparently the only config in which LLVM uses our custom mutator).
extern "C" size_t LLVMFuzzerMutate(uint8_t* Data, size_t Size, size_t MaxSize)
__attribute__((weak));
const size_t KB = 1024;
// Default maximum length of fuzzing output parameters.
const size_t MAX_FUZZ_OUTPUT_LENGTH = 5 * KB;
// Fuzzed data region.
struct FuzzedData {
const uint8_t* data;
size_t size;
};
// Initial setup to create a valid OEMCrypto state such as initializing crypto
// firmware/hardware, installing golden key box etc. in order to fuzz
// OEMCrypto APIs.
class InitializeFuzz : public SessionUtil {
public:
InitializeFuzz() {
wvoec::global_features.Initialize();
OEMCrypto_SetSandbox(kTestSandbox, sizeof(kTestSandbox));
OEMCrypto_Initialize();
EnsureTestKeys();
}
~InitializeFuzz() { OEMCrypto_Terminate(); }
};
class OEMCryptoLicenseAPIFuzz : public InitializeFuzz {
public:
OEMCryptoLicenseAPIFuzz() : license_messages_(&session_) {
session_.open();
InstallTestRSAKey(&session_);
session_.GenerateNonce();
}
~OEMCryptoLicenseAPIFuzz() { session_.close(); }
LicenseRoundTrip& license_messages() { return license_messages_; }
Session* session() { return &session_; }
void LoadLicense();
private:
Session session_;
LicenseRoundTrip license_messages_;
};
class OEMCryptoProvisioningAPIFuzz : public InitializeFuzz {
public:
OEMCryptoProvisioningAPIFuzz()
: provisioning_messages_(&session_, encoded_rsa_key_) {
// Opens a session and Generates Nonce.
provisioning_messages_.PrepareSession(keybox_);
}
~OEMCryptoProvisioningAPIFuzz() { session_.close(); }
void LoadProvisioning();
ProvisioningRoundTrip& provisioning_messages() {
return provisioning_messages_;
}
Session* session() { return &session_; }
private:
Session session_;
ProvisioningRoundTrip provisioning_messages_;
};
// Initial setup to create a valid state such as creating session, installing
// golden key box etc. in order to fuzz Load Renewal API.
class OEMCryptoRenewalAPIFuzz : public OEMCryptoLicenseAPIFuzz {
public:
OEMCryptoRenewalAPIFuzz() : renewal_messages_(&license_messages()) {}
RenewalRoundTrip& renewal_messages() { return renewal_messages_; }
private:
RenewalRoundTrip renewal_messages_;
};
class LicenseWithUsageEntryFuzz : public InitializeFuzz {
public:
LicenseWithUsageEntryFuzz() : license_messages_(&session_) {
license_messages_.set_pst("my_pst");
}
void CreateUsageTableHeader();
LicenseRoundTrip& license_messages() { return license_messages_; }
const vector<uint8_t>& encrypted_usage_header() {
return encrypted_usage_header_;
}
void LoadLicense();
private:
vector<uint8_t> encrypted_usage_header_;
LicenseRoundTrip license_messages_;
Session session_;
};
// Convert data to valid enum value.
template <typename T>
void ConvertDataToValidEnum(T max_enum_value, T* t) {
FuzzedDataProvider fuzzed_enum_data(reinterpret_cast<uint8_t*>(t), sizeof(T));
*t = static_cast<T>(fuzzed_enum_data.ConsumeIntegralInRange<uint32_t>(
0, static_cast<uint32_t>(max_enum_value)));
}
// Redirect printf and log statements from oemcrypto functions to a file to
// reduce noise
void RedirectStdoutToFile();
// Split fuzzed data using delimiter "-_^_".
std::vector<FuzzedData> SplitFuzzedData(const uint8_t* data, size_t size);
// Check the status and exit fuzzer if arguments do not match. This is usually
// called to check status of APIs which are called to setup state for fuzzers.
void CheckStatusAndExitFuzzerOnFailure(OEMCryptoResult result,
OEMCryptoResult expected_status);
} // namespace wvoec
#endif // OEMCRYPTO_FUZZ_HELPER_H_
Reference in New Issue View Git Blame Copy Permalink