Add a fuzzer for srtp_unprotect in libsrtp.

testing/libfuzzer/fuzzers/libsrtp_fuzzer.cc

Index: testing/libfuzzer/fuzzers/libsrtp_fuzzer.cc
diff --git a/testing/libfuzzer/fuzzers/libsrtp_fuzzer.cc b/testing/libfuzzer/fuzzers/libsrtp_fuzzer.cc
new file mode 100644
index 0000000000000000000000000000000000000000..86d684a27bdc1727f84c6593e0c0efdd9b0fa51a
--- /dev/null
+++ b/testing/libfuzzer/fuzzers/libsrtp_fuzzer.cc
@@ -0,0 +1,185 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <assert.h>
+#include <stddef.h>
+#include <stdint.h>
+
+#include <algorithm>
+#include <vector>
+
+#include "third_party/libsrtp/srtp/include/rtp.h"
+#include "third_party/libsrtp/srtp/include/rtp_priv.h"
+#include "third_party/libsrtp/srtp/include/srtp.h"
+
+#ifdef ADDRESS_SANITIZER
+#include <sanitizer/asan_interface.h>
+#endif
+
+// TODO(katrielc) Also test the authenticated path, which is what
+// WebRTC uses.  This is nontrivial because you need to bypass the MAC
+// check. Two options: add a UNSAFE_FUZZER_MODE flag to libsrtp (or
+// the chromium fork of it), or compute the HMAC of whatever gibberish
+// the fuzzer produces and write it into the packet manually.
+
+namespace LibSrtpFuzzer {
+enum CryptoPolicy {
+  NONE,
+  LIKE_WEBRTC,
+  LIKE_WEBRTC_WITHOUT_AUTH,
+  AES_GCM,
+  NUMBER_OF_POLICIES,
+};
+}
+
+void poison(void const volatile* addr, size_t size) {
+#ifdef ADDRESS_SANITIZER
+  ASAN_POISON_MEMORY_REGION(addr, size);
+#endif
+};
+
+void unpoison(void const volatile* addr, size_t size) {
+#ifdef ADDRESS_SANITIZER
+  ASAN_UNPOISON_MEMORY_REGION(addr, size);
+#endif
+};
+
+void crypto_policy_set_null_cipher_null_auth(crypto_policy_t* p) {
+  p->cipher_type = NULL_CIPHER;
+  p->cipher_key_len = 0;
+  p->auth_type = NULL_AUTH;
+  p->auth_key_len = 0;
+  p->auth_tag_len = 0;
+  p->sec_serv = sec_serv_none;
+};
+
+// The environment holds some structs and buffers so that we don't
+// need to reallocate them on every fuzzer iteration.
+struct Environment {
+  srtp_t session;
+  srtp_policy_t policy;
+  unsigned char key[SRTP_MASTER_KEY_LEN] = {0};
+  rtp_msg_t message = {};
+
+  srtp_policy_t GetCryptoPolicy(LibSrtpFuzzer::CryptoPolicy crypto_policy,
+                                const unsigned char* replacement_key) {
+    // Update some values in the global srtp_policy_t and return it.
+    switch (crypto_policy) {
+      case LibSrtpFuzzer::NUMBER_OF_POLICIES:
+      case LibSrtpFuzzer::NONE:
+        crypto_policy_set_null_cipher_null_auth(&policy.rtp);
+        crypto_policy_set_null_cipher_null_auth(&policy.rtcp);
+        break;
+      case LibSrtpFuzzer::LIKE_WEBRTC:
+        crypto_policy_set_aes_cm_128_hmac_sha1_80(&policy.rtp);
+        crypto_policy_set_aes_cm_128_hmac_sha1_80(&policy.rtcp);
+      case LibSrtpFuzzer::LIKE_WEBRTC_WITHOUT_AUTH:
+        crypto_policy_set_aes_cm_128_null_auth(&policy.rtp);
+        crypto_policy_set_aes_cm_128_null_auth(&policy.rtcp);
+        break;
+      case LibSrtpFuzzer::AES_GCM:
+        // There was a security bug in the GCM mode in libsrtp 1.5.2.
+        crypto_policy_set_aes_gcm_128_8_auth(&policy.rtp);
+        crypto_policy_set_aes_gcm_128_8_auth(&policy.rtcp);
+        break;
+    }
+
+    memcpy(key, replacement_key, SRTP_MASTER_KEY_LEN);
+    return policy;
+  };
+
+  Environment() {
+    srtp_init();
+
+    // We keep one global rtp_msg_t and copy messages into it. TO
+    // ensure that OOB reads are detected, if building with ASAN we
+    // explicitly poison the entire packet memory and then unpoison
+    // just the region we expect.
+    poison(&message.header, sizeof(srtp_hdr_t));
+    poison(&message.body, RTP_MAX_BUF_LEN);
+
+    memset(&policy, 0, sizeof(policy));
+    policy.ssrc.type = ssrc_any_inbound;
+    policy.ssrc.value = 0xdeadbeef;
+    policy.window_size = 1024;
+    policy.allow_repeat_tx = 1;
+    policy.ekt = nullptr;
+    policy.next = nullptr;
+
+    // Set some defaults in case we don't want to override them later.
+    policy.key = key;
+    crypto_policy_set_null_cipher_null_auth(&policy.rtp);
+    crypto_policy_set_null_cipher_null_auth(&policy.rtcp);
+  }
+};
+
+size_t ReadLength(const uint8_t* data, size_t size) {
+  // Read one byte of input and check that that many bytes remain.
+  if (size == 0)
+    return 0;
+  size_t n = static_cast<size_t>(data[0]);
+
+  if (n > size - 1)
+    return 0;
+  else
+    return n;
+}
+
+Environment* env = new Environment();
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  // Read one byte and use it to choose a crypto policy.
+  if (size <= 1)
+    return 0;
+  LibSrtpFuzzer::CryptoPolicy policy = static_cast<LibSrtpFuzzer::CryptoPolicy>(
+      data[0] % LibSrtpFuzzer::NUMBER_OF_POLICIES);
+  data += 1;
+  size -= 1;
+
+  // Read some more bytes to use as a key.
+  if (size <= SRTP_MASTER_KEY_LEN)
+    return 0;
+  srtp_policy_t srtp_policy = env->GetCryptoPolicy(policy, data);
+  data += SRTP_MASTER_KEY_LEN;
+  size -= SRTP_MASTER_KEY_LEN;
+
+  // Create a session with the above data.
+  srtp_t session;
+  err_status_t error = srtp_create(&session, &srtp_policy);
+  assert(error == err_status_ok);
+
+  // Read one byte as a packet length N, then feed the next N bytes
+  // into srtp_unprotect. Keep going until we run out of data.
+  size_t packet_size;
+  while ((packet_size = ReadLength(data, size)) > 0) {
+    // One byte was used by ReadLength.
+    data++;
+    size--;
+
+    size_t header_size = std::min(sizeof(srtp_hdr_t), packet_size);
+    size_t body_size = packet_size - std::min(packet_size, header_size);

[mmoroz, 2016/07/06 09:44:22]

I think we can use packet_size - header_size. It will be >= 0.

[katrielc, 2016/07/06 10:36:03]

Haha, I stared at this code for five minutes and still didn't notice that. Good
point.

+
+    unpoison(&env->message.header, header_size);

[mmoroz, 2016/07/06 09:44:22]

Manual poisoning is not the best approach, but I agree that we would like to
catch OOB to right in the message body. Though it will not be OOB actually, it
may be use-of-uninitialized value -- this is what MSan for.

Given that, my suggestion for now is:
1) declare |rtp_msg_t message| object inside the loop
2) do not initialize it with zeroes
3) copy |header_size| bytes into |message.header|
4) copy |body_size| bytes into |message.body|

That allows us:
A) have a valid object in memory
B) pass packets of different size
C) detect usage of last bytes of the message body (bytes from body_size to
RTP_MMAX_BUF_LEN) with MSan

Also this will make code a bit simpler.

[katrielc, 2016/07/06 10:36:03]

Done.

+    memcpy(&env->message.header, data, header_size);
+    if (body_size > 0) {
+      unpoison(&env->message.body, body_size);
+      memcpy(&env->message.body, data + header_size, body_size);
+    };
+
+    int out_len = static_cast<int>(packet_size);
+    std::vector<unsigned char> packet(data, data + packet_size);

[mmoroz, 2016/07/06 09:44:22]

For what do we need the same data in both env-> message and packet? Looks like
env->message is not used anywhere.

[katrielc, 2016/07/06 10:36:03]

Oops. Fixed.

+    srtp_unprotect(session, reinterpret_cast<rtp_msg_t*>(packet.data()),
+                   &out_len);
+
+    poison(&env->message.header, sizeof(srtp_hdr_t));
+    poison(&env->message.body, RTP_MAX_BUF_LEN);
+
+    // |packet_size| bytes were used above.
+    data += packet_size;
+    size -= packet_size;
+  }
+
+  srtp_dealloc(session);
+  return 0;
+}