Side by Side Diff: testing/libfuzzer/fuzzers/libsrtp_fuzzer.cc

Issue 2123553002: Add a fuzzer for srtp_unprotect in libsrtp. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: MODULAR IS ALWAYS BETTER Created 4 years, 5 months ago
1 // Copyright 2016 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include <stddef.h>
6 #include <stdint.h>
7
8 #include "third_party/libsrtp/srtp/include/rtp.h"
9 #include "third_party/libsrtp/srtp/include/rtp_priv.h"
10 #include "third_party/libsrtp/srtp/include/srtp.h"
11
12 // TODO(katrielc) Also test the authenticated path, which is what
13 // WebRTC uses. This is nontrivial because you need to bypass the MAC
14 // check. Two options: add a UNSAFE_FUZZER_MODE flag to libsrtp (or
15 // the chromium fork of it), or compute the HMAC of whatever gibberish
16 // the fuzzer produces and write it into the packet manually.
17
18 enum LibSrtpFuzzerCryptoPolicy {
19 kLibSrtpFuzzerNone,
mmoroz 2016/07/05 14:20:19 Chromium coding style says to use MACRO_STYLE nami
katrielc 2016/07/05 15:04:39 Done.
20 kLibSrtpFuzzerLikeWebRTC,
21 kLibSrtpFuzzerLikeWebRTCWithoutAuth,
22 kLibSrtpFuzzerAESGCM,
23 kLibSrtpFuzzerNumberOfPolicies,
24 };
25
26 void crypto_policy_set_null_cipher_null_auth(crypto_policy_t* p) {
27 p->cipher_type = NULL_CIPHER;
28 p->cipher_key_len = 0;
29 p->auth_type = NULL_AUTH;
30 p->auth_key_len = 0;
31 p->auth_tag_len = 0;
32 p->sec_serv = sec_serv_none;
33 };
34
35 struct Environment {
36 srtp_t session;
37 srtp_policy_t policy;
38
39 void setCryptoPolicy(LibSrtpFuzzerCryptoPolicy crypto_policy) {
mmoroz 2016/07/05 14:20:19 setCryptoPolicy -> SetCryptoPolicy
katrielc 2016/07/05 15:04:39 Done.
40 switch (crypto_policy) {
41 case kLibSrtpFuzzerNumberOfPolicies:
42 case kLibSrtpFuzzerNone:
43 crypto_policy_set_null_cipher_null_auth(&policy.rtp);
44 crypto_policy_set_null_cipher_null_auth(&policy.rtcp);
45 break;
46 case kLibSrtpFuzzerLikeWebRTC:
47 crypto_policy_set_aes_cm_128_hmac_sha1_80(&policy.rtp);
48 crypto_policy_set_aes_cm_128_hmac_sha1_80(&policy.rtcp);
49 case kLibSrtpFuzzerLikeWebRTCWithoutAuth:
50 crypto_policy_set_aes_cm_128_null_auth(&policy.rtp);
51 crypto_policy_set_aes_cm_128_null_auth(&policy.rtcp);
52 break;
53 case kLibSrtpFuzzerAESGCM:
54 // There was a security bug in the GCM mode in libsrtp 1.5.2.
55 crypto_policy_set_aes_gcm_128_8_auth(&policy.rtp);
56 crypto_policy_set_aes_gcm_128_8_auth(&policy.rtcp);
57 break;
58 }
mmoroz 2016/07/05 14:20:19 Missing 'default' case: https://google.github.io/s
katrielc 2016/07/05 15:04:40 Style guide says "if not conditional on an enumera
mmoroz 2016/07/05 16:06:21 Good point! I misread that, sorry.
59 };
60
61 Environment() {
62 srtp_init();
63
64 memset(&policy, 0, sizeof(policy));
65 policy.key = (unsigned char*) "ABCDEFGHIJKLMNOPQRSTUVWXYZ1234";
mmoroz 2016/07/05 14:20:18 Please prefer C++ type casting (i.e. static_cast<u
katrielc 2016/07/05 15:04:40 Done.
66 policy.ssrc.type = ssrc_any_inbound;
67 policy.ssrc.value = 0xdeadbeef;
68 policy.window_size = 1024;
69 policy.allow_repeat_tx = 1;
70 policy.ekt = nullptr;
71 policy.next = nullptr;
72
73 crypto_policy_set_null_cipher_null_auth(&policy.rtp);
74 crypto_policy_set_null_cipher_null_auth(&policy.rtcp);
75 }
76 };
77
78 size_t ReadLength(const uint8_t* data, size_t size) {
79 // Read one byte of input and check that that many bytes remain.
80 if (size == 0)
81 return 0;
82 size_t n = static_cast<size_t>(data[0]);
83
84 if (n > size - 1)
85 return 0;
86 else
87 return n;
88 }
89
90 Environment* env = new Environment();
mmoroz 2016/07/05 14:20:18 Add an empty line to separate this from the functi
katrielc 2016/07/05 15:04:40 Done.
91 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
92 // Read one byte and use it to choose a crypto policy.
93 if (size <= 1)
94 return 0;
95 LibSrtpFuzzerCryptoPolicy policy = static_cast<LibSrtpFuzzerCryptoPolicy>(
96 data[0] % kLibSrtpFuzzerNumberOfPolicies);
97 data += 1;
98 size -= 1;
99
100 // Read some more bytes and use them to choose a key.
101 if (size <= SRTP_MASTER_KEY_LEN)
102 return 0;
103 env->policy.key = const_cast<unsigned char*>(data);
mmoroz 2016/07/05 14:20:19 I think it's worth to create another object (vecto
katrielc 2016/07/05 15:04:39 Yes, you're right -- I didn't think about OOB read
104 data += SRTP_MASTER_KEY_LEN;
105 size -= SRTP_MASTER_KEY_LEN;
106
107 // Create a session with our chosen key and policy.
108 srtp_t session;
109 env->setCryptoPolicy(policy);
110 srtp_create(&session, &env->policy);
mmoroz 2016/07/05 14:20:19 Don't we need to check the result here?
katrielc 2016/07/05 15:04:40 Done.
111
112 // Read one byte as a packet length N, then feed the next N bytes
113 // into srtp_unprotect. Keep going until we run out of data.
114 size_t packet_size;
115 while ((packet_size = ReadLength(data, size)) > 0) {
116 size -= packet_size + 1;
117
118 // This guard is necessary because libsrtp assumes it.
119 if (packet_size < sizeof(srtp_hdr_t))
120 continue;
121
122 int out_len = static_cast<int>(packet_size);
123 rtp_msg_t* message = (rtp_msg_t*)(data + 1);
mmoroz 2016/07/05 14:20:19 C++ type cast please. + the same thing as for lin
katrielc 2016/07/05 15:04:39 Done.
124 srtp_unprotect(session, &message->header, &out_len);
125
126 data += packet_size + 1;
127 }
128
129 srtp_dealloc(session);
130 return 0;
131 }
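Review bot: The `kLibSrtpFuzzerLikeWebRTC` case at lines 47–48 has no `break`, so it falls into the `WithoutAuth` case and the `aes_cm_128_hmac_sha1_80` policy is immediately overwritten by `aes_cm_128_null_auth` — that enum value is never actually exercised even though the policy selector suggests it is. If the skip is deliberate pending the MAC-bypass TODO at the top of the file, say so where the fallthrough happens, `// Fall through: authenticated path not yet fuzzable, see TODO above.`; otherwise add `break;` after line 48. Separately, the `continue` at line 120 skips the `data += packet_size + 1;` advance at line 126 while `size` has already been decremented at line 116, so after one undersized packet the loop re-reads the same length byte until `ReadLength` rejects it and the rest of the input is never fed to `srtp_unprotect`; advancing `data` before the guard (or in the loop header) keeps the remaining packets reachable. `memset` at line 64 also relies on a transitive include; add `#include <string.h>` to the header list.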