widevine-partner/android
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d9ef97dfbc7c17290c7691967758d5e11a0b411c
android/libwvdrmengine/oemcrypto/test/fuzz_tests/oemcrypto_decrypt_cenc_fuzz.cc
Rahul Frias e4cde22826 Merge of OEMCrypto fuzz test CLs 
----------------------------------------------------------------------

Fix oemcrypto_generic_verify_fuzz mutator signature offset

[ Merge of http://go/wvgerrit/165899 ]

Merged from https://widevine-internal-review.googlesource.com/165598

Change-Id: I85574fcd62622d2954c306688e04ecfda333c0cb

----------------------------------------------------------------------

Fix regressions in oemcrypto_decrypt_cenc_fuzz

[ Merge of http://go/wvgerrit/162151 ]

Fix null-dereference of subsamples vector and potential memory leak due
to parsing errors.

Bug: 260005865
Bug: 260013015

Merged from https://widevine-internal-review.googlesource.com/162081

Change-Id: I91bf1baa726803b2a0073ff3db94e69719d377bb

----------------------------------------------------------------------

Add custom mutator to oemcrypto_generic_verify_fuzz

[ Merge of http://go/wvgerrit/161578 ]

Enable fuzzing mutations beyond changing the signature length.

Merged from https://widevine-internal-review.googlesource.com/159917

Change-Id: I022d752107b788bd45aafb8325e3186ef90336de

----------------------------------------------------------------------

Refactor oemcrypto_decrypt_cenc_fuzz

[ Merge of http://go/wvgerrit/161546 ]

Refactor to minimize the required corpus length, fuzz the sample input
data, and avoid undefined behavior related to filling
OEMCrypto_DestBufferDesc::buffer with fuzzed data.

Merged from https://widevine-internal-review.googlesource.com/159618

Change-Id: Id9af8b1704d4619ba88ab8de3adb35d5f8bb69f6

----------------------------------------------------------------------

Refactor oemcrypto_copy_buffer_fuzz

[ Merge of http://go/wvgerrit/161307 ]

Refactor to minimize the required corpus length, fuzz the output buffer
length, and avoid undefined behavior related to filling
OEMCrypto_DestBufferDesc::buffer with fuzzed data.

Merged from https://widevine-internal-review.googlesource.com/159617

Change-Id: Ieddc6260e5eca641f8409a9b361ca4e5a40d6f52

----------------------------------------------------------------------

Improve AddressSanitizer coverage for LoadEntitledContentKeys fuzzing

[ Merge of http://go/wvgerrit/161397 ]

Split fuzzed message into separate buffer so AddressSanitizer can detect
out-of-bounds accesses.

Merged from https://widevine-internal-review.googlesource.com/161277

----------------------------------------------------------------------

Avoid copying fuzzed data when separator splitting

[ Merge of http://go/wvgerrit/161120 ]

Merged from https://widevine-internal-review.googlesource.com/159497

Change-Id: I2b13ff34eee74c8aea9a8176aa711e3e2bc57add

----------------------------------------------------------------------

Fix oemcrypto_opk_dispatcher_fuzz

[ Merge of http://go/wvgerrit/161119 ]

Set ODK_Message size and add timestamp field to initialization requests.

Merged from https://widevine-internal-review.googlesource.com/159897

Change-Id: Ide51d1cb4119a396212d1802411cfa19f5792e9d

----------------------------------------------------------------------

Cover empty buffers in fuzz tests

[ Merge of http://go/wvgerrit/161018 ]

Update tests that avoid passing empty buffers to OEMCrypto API methods.

Merged from https://widevine-internal-review.googlesource.com/159317

Change-Id: If0d8007e3294820654b081fe813a09485e757f1c

----------------------------------------------------------------------

Fix cherry pick of "Improve buffer size distribution in fuzz tests"

[ Merge of http://go/wvgerrit/161022 ]

Change-Id: I8b0440fe13b513396b5779c25e6a46ac40eaa183

----------------------------------------------------------------------

Improve buffer size distribution in fuzz tests

[ Merge of http://go/wvgerrit/160957 ]

When a buffer size is fuzzed, use the modulo operation, instead of
std::min, to create an even distribution.

Merged from https://widevine-internal-review.googlesource.com/159157

Change-Id: I3c1168c7a7d739793005927a97af18de5df2e4c6

----------------------------------------------------------------------

Improve AddressSanitizer coverage in fuzz tests

[ Merge of http://go/wvgerrit/160464 ]

Split fuzzed data into separate buffers so AddressSanitizer can detect
all out-of-bounds accesses.

Merged from https://widevine-internal-review.googlesource.com/158977

Change-Id: I7ca67409b7c6f96548e21ab41f6caf99f738605d
2023-02-28 00:40:35 +00:00

170 lines
6.4 KiB
C++
Raw Blame History

// Copyright 2020 Google LLC. All Rights Reserved. This file and proprietary
// source code may only be used and distributed under the Widevine
// License Agreement.
#include "FuzzedDataProvider.h"
#include "OEMCryptoCENC.h"
#include "oemcrypto_fuzz_helper.h"
#include "oemcrypto_fuzz_structs.h"
namespace wvoec {
// Limit output buffer size to 5 MB as 4 MB is maximum size specified by
// resource rating tier documentation.
const size_t MAX_FUZZ_SAMPLE_SIZE = 5 * MB;
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
// Redirect printf and log statements from oemcrypto functions to a file to
// reduce noise
RedirectStdoutToFile();
// Split data using separator.
const std::vector<FuzzedData> inputs = SplitFuzzedData(data, size);
if (inputs.size() < 3) {
return 0;
}
// Read cipher mode and pattern from fuzzed data.
OEMCrypto_Decrypt_Cenc_Fuzz fuzzed_structure;
if (inputs[0].size < sizeof(fuzzed_structure)) {
return 0;
}
FuzzedDataProvider fuzzed_data(inputs[0].data, inputs[0].size);
fuzzed_data.ConsumeData(&fuzzed_structure, sizeof(fuzzed_structure));
ConvertDataToValidEnum(OEMCrypto_CipherMode_MaxValue,
&fuzzed_structure.cipher_mode);
// Allocate sample descriptions.
std::vector<OEMCrypto_SampleDescription> sample_descriptions(
fuzzed_data.remaining_bytes() / sizeof(OEMCrypto_SampleDescription_Fuzz));
// Allocate input buffers for each sample description.
std::vector<std::vector<OEMCrypto_SharedMemory>> input_buffers(
sample_descriptions.size());
// Allocate secure_fd values for secure buffers.
std::vector<int> secure_fd_array(sample_descriptions.size());
// Allocate subsamples for each sample description.
std::vector<std::vector<OEMCrypto_SubSampleDescription>> subsamples(
sample_descriptions.size());
OEMCryptoLicenseAPIFuzz license_api_fuzz;
const uint32_t session_id = license_api_fuzz.session()->session_id();
// Free first given number of output buffers.
const auto FreeOutputBuffers = [&sample_descriptions, session_id,
&secure_fd_array](size_t num_buffers) {
for (size_t i = 0; i < num_buffers; i++) {
OEMCrypto_DestBufferDesc& output_descriptor =
sample_descriptions[i].buffers.output_descriptor;
switch (output_descriptor.type) {
case OEMCrypto_BufferType_Clear:
delete[] output_descriptor.buffer.clear.clear_buffer;
break;
case OEMCrypto_BufferType_Secure:
OEMCrypto_FreeSecureBuffer(session_id, &output_descriptor,
secure_fd_array[i]);
break;
case OEMCrypto_BufferType_Direct:
break;
}
}
};
// Prepare each sample description.
FuzzedDataProvider& sample_description_data = fuzzed_data;
FuzzedDataProvider input_buffer_data(inputs[1].data, inputs[1].size);
FuzzedDataProvider subsample_data(inputs[2].data, inputs[2].size);
for (size_t i = 0; i < sample_descriptions.size(); i++) {
// Read and normalize sample description fuzzed properties.
OEMCrypto_SampleDescription_Fuzz fuzzed_sample_description;
sample_description_data.ConsumeData(&fuzzed_sample_description,
sizeof(fuzzed_sample_description));
fuzzed_sample_description.buffers.input_data_length %=
MAX_FUZZ_SAMPLE_SIZE + 1;
ConvertDataToValidEnum(
OEMCrypto_BufferType_MaxValue,
&fuzzed_sample_description.buffers.output_descriptor.type);
fuzzed_sample_description.buffers.output_descriptor.buffer_config %=
MAX_FUZZ_SAMPLE_SIZE + 1;
// Read input data.
if (fuzzed_sample_description.buffers.input_data_length >
input_buffer_data.remaining_bytes()) {
FreeOutputBuffers(i);
return 0;
}
input_buffers[i] = input_buffer_data.ConsumeBytes<uint8_t>(
fuzzed_sample_description.buffers.input_data_length);
sample_descriptions[i].buffers.input_data = input_buffers[i].data();
sample_descriptions[i].buffers.input_data_length = input_buffers[i].size();
// Set subsample data.
if (fuzzed_sample_description.subsamples_length >
subsample_data.remaining_bytes() /
sizeof(OEMCrypto_SubSampleDescription)) {
FreeOutputBuffers(i);
return 0;
}
if (fuzzed_sample_description.subsamples_length > 0) {
subsamples[i].resize(fuzzed_sample_description.subsamples_length);
subsample_data.ConsumeData(
subsamples[i].data(),
subsamples[i].size() * sizeof(OEMCrypto_SubSampleDescription));
}
sample_descriptions[i].subsamples = subsamples[i].data();
sample_descriptions[i].subsamples_length = subsamples[i].size();
// Set IV data.
memcpy(sample_descriptions[i].iv, fuzzed_sample_description.iv,
sizeof(sample_descriptions[i].iv));
// Initialize output buffer.
OEMCrypto_DestBufferDesc& output_descriptor =
sample_descriptions[i].buffers.output_descriptor;
const OEMCrypto_DestBufferDesc_Fuzz& fuzzed_output_descriptor =
fuzzed_sample_description.buffers.output_descriptor;
output_descriptor.type = fuzzed_output_descriptor.type;
switch (output_descriptor.type) {
case OEMCrypto_BufferType_Clear:
output_descriptor.buffer.clear.clear_buffer =
new OEMCrypto_SharedMemory[fuzzed_output_descriptor.buffer_config];
output_descriptor.buffer.clear.clear_buffer_length =
fuzzed_output_descriptor.buffer_config;
break;
case OEMCrypto_BufferType_Secure:
if (OEMCrypto_AllocateSecureBuffer(
session_id, fuzzed_output_descriptor.buffer_config,
&output_descriptor, &secure_fd_array[i]) != OEMCrypto_SUCCESS) {
FreeOutputBuffers(i);
return 0;
}
break;
case OEMCrypto_BufferType_Direct:
output_descriptor.buffer.direct.is_video =
fuzzed_output_descriptor.buffer_config & 1;
break;
}
}
// Load license and call decrypt_cenc API.
license_api_fuzz.LoadLicense();
const MessageKeyData& key = license_api_fuzz.session()->license().keys[0];
OEMCrypto_SelectKey(session_id, key.key_id, key.key_id_length,
fuzzed_structure.cipher_mode);
OEMCrypto_DecryptCENC(session_id, sample_descriptions.data(),
sample_descriptions.size(), &fuzzed_structure.pattern);
// Free all output buffers.
FreeOutputBuffers(sample_descriptions.size());
return 0;
}
} // namespace wvoec
Reference in New Issue View Git Blame Copy Permalink