Fix keymaster message fuzzing

The previous fuzzing driver for message serialization has various
problems. The main one is that the input to `Deserialize()` was
taken from a `new uint8_t[size]`, *not* from the fuzzing input. As a
result, the fuzzing results are not going to be reliable or
reproducible, because the inputs are just whatever data is found on
the heap at the time.

Also, the attempts to fuzz the `Serialize()` entrypoint are mostly
just testing that serializing into a too-short buffer doesn't crash.
That doesn't need to be fuzzer-driven, so convert to a unit test.

Combining these changes leaves just a fuzz driver for `Deserialize()`,
and that can be simplified further by letting the external fuzzing
infrastructure handle the size of the fuzzing input, dropping the local
attempts to pick random input data sizes.

Rename the fuzzing target so that any existing corpus data doesn't
get re-used.

Finally, a couple of minor tweaks to the keymaster code:

- Add a nullptr check in the serialization code, so that
  `memcpy` never gets src=nullptr, len=0 as input.
- Limit the number of HmacSharingParams that can be requested, so that
  the client can't trigger arbitrary-sized allocations.
Test: libkeymaster_fuzz_deserialize, keymaster_test
Bug: 176789374
Bug: 203322576
Bug: 280064809
Change-Id: Ica174b418306e7cd706d19f1bf24a90b094c64b0
5 files changed
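The pattern this change describes, as an added C++ example that is not part of the keymaster change itself: a hypothetical stand-in message type (`DemoMessage`) using keymaster-style `Serialize(buf, end)` / `Deserialize(buf_ptr, end)` signatures, the guard against a null-source `memcpy`, an assumed length cap (`kMaxLen`) standing in for the HmacSharingParams limit, a libFuzzer-style driver that parses the fuzzer's own bytes rather than a fresh heap allocation, and the too-short-buffer case as a deterministic check (`SelfCheck`). All names and values are assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>
// Hypothetical stand-in for a keymaster message; kMaxLen is an assumed cap
// in the spirit of the commit's HmacSharingParams limit.
constexpr uint32_t kMaxLen = 4096;
struct DemoMessage {
    std::vector<uint8_t> payload;
    // Writes [u32 len][bytes]; on a too-short buffer nothing is written and buf
    // is returned unchanged (the case the commit turns into a plain unit test).
    uint8_t* Serialize(uint8_t* buf, const uint8_t* end) const {
        if (!buf || end < buf ||
            static_cast<size_t>(end - buf) < sizeof(uint32_t) + payload.size()) return buf;
        const uint32_t len = static_cast<uint32_t>(payload.size());
        std::memcpy(buf, &len, sizeof(len));
        buf += sizeof(len);
        // data() of an empty vector may be nullptr, and memcpy from a null source
        // is undefined even for len == 0, hence the explicit check.
        if (len != 0) std::memcpy(buf, payload.data(), len);
        return buf + len;
    }
    // Parses from *buf_ptr up to end; a length over the cap or past the bytes
    // present is rejected, so the input cannot choose the allocation size.
    bool Deserialize(const uint8_t** buf_ptr, const uint8_t* end) {
        const uint8_t* buf = *buf_ptr;
        if (end < buf || static_cast<size_t>(end - buf) < sizeof(uint32_t)) return false;
        uint32_t len;
        std::memcpy(&len, buf, sizeof(len));
        buf += sizeof(len);
        if (len > kMaxLen || static_cast<size_t>(end - buf) < len) return false;
        payload.assign(buf, buf + len);
        *buf_ptr = buf + len;
        return true;
    }
};
// libFuzzer-style driver: the parsed bytes are exactly the fuzzer's input,
// never an uninitialised heap allocation, so every finding reproduces.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    DemoMessage msg;
    const uint8_t* p = data;
    msg.Deserialize(&p, data + size);
    return 0;
}
// Deterministic checks on constructed bytes: round trip, short buffer left
// untouched, empty payload (no null-source memcpy), bogus length rejected.
bool SelfCheck() {
    DemoMessage in{{1, 2, 3}}, out, empty;
    uint8_t buf[8] = {}, tiny[4], eb[4];
    uint8_t* e = in.Serialize(buf, buf + sizeof(buf));
    const uint8_t* p = buf;
    const uint8_t bogus[] = {0xff, 0xff, 0xff, 0x7f, 1};  // claims 0x7fffffff bytes, 1 present
    const uint8_t* q = bogus;
    return e == buf + 7 && out.Deserialize(&p, e) && out.payload == in.payload && p == e &&
           in.Serialize(tiny, tiny + 4) == tiny && empty.Serialize(eb, eb + 4) == eb + 4 &&
           !out.Deserialize(&q, bogus + sizeof(bogus));
}
```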