e4cde22826
---------------------------------------------------------------------- Fix oemcrypto_generic_verify_fuzz mutator signature offset [ Merge of http://go/wvgerrit/165899 ] Merged from https://widevine-internal-review.googlesource.com/165598 Change-Id: I85574fcd62622d2954c306688e04ecfda333c0cb ---------------------------------------------------------------------- Fix regressions in oemcrypto_decrypt_cenc_fuzz [ Merge of http://go/wvgerrit/162151 ] Fix null-dereference of subsamples vector and potential memory leak due to parsing errors. Bug: 260005865 Bug: 260013015 Merged from https://widevine-internal-review.googlesource.com/162081 Change-Id: I91bf1baa726803b2a0073ff3db94e69719d377bb ---------------------------------------------------------------------- Add custom mutator to oemcrypto_generic_verify_fuzz [ Merge of http://go/wvgerrit/161578 ] Enable fuzzing mutations beyond changing the signature length. Merged from https://widevine-internal-review.googlesource.com/159917 Change-Id: I022d752107b788bd45aafb8325e3186ef90336de ---------------------------------------------------------------------- Refactor oemcrypto_decrypt_cenc_fuzz [ Merge of http://go/wvgerrit/161546 ] Refactor to minimize the required corpus length, fuzz the sample input data, and avoid undefined behavior related to filling OEMCrypto_DestBufferDesc::buffer with fuzzed data. Merged from https://widevine-internal-review.googlesource.com/159618 Change-Id: Id9af8b1704d4619ba88ab8de3adb35d5f8bb69f6 ---------------------------------------------------------------------- Refactor oemcrypto_copy_buffer_fuzz [ Merge of http://go/wvgerrit/161307 ] Refactor to minimize the required corpus length, fuzz the output buffer length, and avoid undefined behavior related to filling OEMCrypto_DestBufferDesc::buffer with fuzzed data. Merged from https://widevine-internal-review.googlesource.com/159617 Change-Id: Ieddc6260e5eca641f8409a9b361ca4e5a40d6f52 ---------------------------------------------------------------------- Improve AddressSanitizer coverage for LoadEntitledContentKeys fuzzing [ Merge of http://go/wvgerrit/161397 ] Split fuzzed message into separate buffer so AddressSanitizer can detect out-of-bounds accesses. Merged from https://widevine-internal-review.googlesource.com/161277 ---------------------------------------------------------------------- Avoid copying fuzzed data when separator splitting [ Merge of http://go/wvgerrit/161120 ] Merged from https://widevine-internal-review.googlesource.com/159497 Change-Id: I2b13ff34eee74c8aea9a8176aa711e3e2bc57add ---------------------------------------------------------------------- Fix oemcrypto_opk_dispatcher_fuzz [ Merge of http://go/wvgerrit/161119 ] Set ODK_Message size and add timestamp field to initialization requests. Merged from https://widevine-internal-review.googlesource.com/159897 Change-Id: Ide51d1cb4119a396212d1802411cfa19f5792e9d ---------------------------------------------------------------------- Cover empty buffers in fuzz tests [ Merge of http://go/wvgerrit/161018 ] Update tests that avoid passing empty buffers to OEMCrypto API methods. Merged from https://widevine-internal-review.googlesource.com/159317 Change-Id: If0d8007e3294820654b081fe813a09485e757f1c ---------------------------------------------------------------------- Fix cherry pick of "Improve buffer size distribution in fuzz tests" [ Merge of http://go/wvgerrit/161022 ] Change-Id: I8b0440fe13b513396b5779c25e6a46ac40eaa183 ---------------------------------------------------------------------- Improve buffer size distribution in fuzz tests [ Merge of http://go/wvgerrit/160957 ] When a buffer size is fuzzed, use the modulo operation, instead of std::min, to create an even distribution. Merged from https://widevine-internal-review.googlesource.com/159157 Change-Id: I3c1168c7a7d739793005927a97af18de5df2e4c6 ---------------------------------------------------------------------- Improve AddressSanitizer coverage in fuzz tests [ Merge of http://go/wvgerrit/160464 ] Split fuzzed data into separate buffers so AddressSanitizer can detect all out-of-bounds accesses. Merged from https://widevine-internal-review.googlesource.com/158977 Change-Id: I7ca67409b7c6f96548e21ab41f6caf99f738605d
126 lines
5.0 KiB
C++
126 lines
5.0 KiB
C++
// Copyright 2020 Google LLC. All Rights Reserved. This file and proprietary
|
|
// source code may only be used and distributed under the Widevine
|
|
// License Agreement.
|
|
|
|
#include "FuzzedDataProvider.h"
|
|
#include "OEMCryptoCENC.h"
|
|
#include "oemcrypto_fuzz_helper.h"
|
|
#include "oemcrypto_fuzz_structs.h"
|
|
#include "oemcrypto_types.h"
|
|
|
|
namespace wvoec {
|
|
|
|
// Properties deserialized from fuzzed data.
|
|
struct FuzzedProperties {
|
|
OEMCrypto_Generic_Api_Fuzz structure;
|
|
std::vector<uint8_t> buffer;
|
|
std::vector<uint8_t> signature;
|
|
};
|
|
|
|
// Contains value only if has_value is true.
|
|
struct OptionalFuzzedProperties {
|
|
FuzzedProperties value;
|
|
bool has_value;
|
|
};
|
|
|
|
OEMCryptoLicenseAPIFuzz license_api_fuzz;
|
|
|
|
OptionalFuzzedProperties DeserializeFuzzedData(const uint8_t* data,
|
|
size_t size) {
|
|
OptionalFuzzedProperties fuzzed_properties;
|
|
const std::vector<FuzzedData> inputs = SplitFuzzedData(data, size);
|
|
if (inputs.size() < 2 ||
|
|
inputs[0].size < sizeof(fuzzed_properties.value.structure)) {
|
|
fuzzed_properties.has_value = false;
|
|
return fuzzed_properties;
|
|
}
|
|
FuzzedDataProvider fuzzed_data(inputs[0].data, inputs[0].size);
|
|
fuzzed_data.ConsumeData(&fuzzed_properties.value.structure,
|
|
sizeof(fuzzed_properties.value.structure));
|
|
ConvertDataToValidEnum(OEMCrypto_CipherMode_MaxValue,
|
|
&fuzzed_properties.value.structure.cipher_mode);
|
|
ConvertDataToValidEnum(OEMCrypto_Algorithm_MaxValue,
|
|
&fuzzed_properties.value.structure.algorithm);
|
|
fuzzed_properties.value.buffer = fuzzed_data.ConsumeRemainingBytes<uint8_t>();
|
|
fuzzed_properties.value.signature.assign(inputs[1].data,
|
|
inputs[1].data + inputs[1].size);
|
|
fuzzed_properties.has_value = true;
|
|
return fuzzed_properties;
|
|
}
|
|
|
|
extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv) {
|
|
RedirectStdoutToFile();
|
|
license_api_fuzz.LoadLicense();
|
|
return 0;
|
|
}
|
|
|
|
extern "C" size_t LLVMFuzzerCustomMutator(uint8_t* data, size_t size,
|
|
size_t max_size, unsigned int seed) {
|
|
// Deserialize fuzzed data.
|
|
OptionalFuzzedProperties fuzzed_properties =
|
|
DeserializeFuzzedData(data, size);
|
|
if (!fuzzed_properties.has_value) {
|
|
return 0;
|
|
}
|
|
|
|
// Select key and perform verification.
|
|
Session* const session = license_api_fuzz.session();
|
|
OEMCrypto_SelectKey(session->session_id(), session->license().keys[0].key_id,
|
|
session->license().keys[0].key_id_length,
|
|
fuzzed_properties.value.structure.cipher_mode);
|
|
if (OEMCrypto_Generic_Verify(
|
|
session->session_id(), fuzzed_properties.value.buffer.data(),
|
|
fuzzed_properties.value.buffer.size(),
|
|
fuzzed_properties.value.structure.algorithm,
|
|
fuzzed_properties.value.signature.data(),
|
|
fuzzed_properties.value.signature.size()) != OEMCrypto_SUCCESS) {
|
|
// Generate a new signature.
|
|
size_t signature_length = 0;
|
|
OEMCrypto_Generic_Sign(session->session_id(),
|
|
fuzzed_properties.value.buffer.data(),
|
|
fuzzed_properties.value.buffer.size(),
|
|
fuzzed_properties.value.structure.algorithm, nullptr,
|
|
&signature_length);
|
|
fuzzed_properties.value.signature.resize(signature_length);
|
|
OEMCrypto_Generic_Sign(
|
|
session->session_id(), fuzzed_properties.value.buffer.data(),
|
|
fuzzed_properties.value.buffer.size(),
|
|
fuzzed_properties.value.structure.algorithm,
|
|
fuzzed_properties.value.signature.data(), &signature_length);
|
|
const size_t signature_offset = sizeof(fuzzed_properties.value.structure) +
|
|
fuzzed_properties.value.buffer.size() +
|
|
sizeof(kFuzzDataSeparator);
|
|
size = signature_offset + signature_length;
|
|
if (size > max_size) {
|
|
return 0;
|
|
}
|
|
memcpy(data + signature_offset, fuzzed_properties.value.signature.data(),
|
|
signature_length);
|
|
}
|
|
return LLVMFuzzerMutate(data, size, max_size);
|
|
}
|
|
|
|
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
|
|
// Deserialize fuzzed data.
|
|
const OptionalFuzzedProperties fuzzed_properties =
|
|
DeserializeFuzzedData(data, size);
|
|
if (!fuzzed_properties.has_value) {
|
|
return 0;
|
|
}
|
|
|
|
// Select key and perform verification.
|
|
Session* const session = license_api_fuzz.session();
|
|
OEMCrypto_SelectKey(session->session_id(), session->license().keys[0].key_id,
|
|
session->license().keys[0].key_id_length,
|
|
fuzzed_properties.value.structure.cipher_mode);
|
|
OEMCrypto_Generic_Verify(session->session_id(),
|
|
fuzzed_properties.value.buffer.data(),
|
|
fuzzed_properties.value.buffer.size(),
|
|
fuzzed_properties.value.structure.algorithm,
|
|
fuzzed_properties.value.signature.data(),
|
|
fuzzed_properties.value.signature.size());
|
|
return 0;
|
|
}
|
|
|
|
} // namespace wvoec
|