[server-fuzzer] Add a fuzzer that uses the fake creds library to hit some security codepaths (#37395)

Also fix some buffer overruns/underruns in our fake creds implementation.

@jboeuf

Closes #37395

COPYBARA_INTEGRATE_REVIEW=https://github.com/grpc/grpc/pull/37395 from ctiller:renegade-chicken fd835bcd38
PiperOrigin-RevId: 659600701

BUILD

@@ -4035,6 +4035,7 @@ grpc_cc_library(
     deps = [
         "gpr",
         "tsi_base",
+        "//src/core:dump_args",
         "//src/core:slice",
         "//src/core:useful",
     ],

src/core/tsi/fake_transport_security.cc

@@ -18,20 +18,19 @@
 
 #include "src/core/tsi/fake_transport_security.h"
 
-#include <stdlib.h>
-#include <string.h>
-
-#include "absl/log/check.h"
-#include "absl/log/log.h"
-
 #include <grpc/support/alloc.h>
 #include <grpc/support/port_platform.h>
+#include <stdlib.h>
+#include <string.h>
 
 #include "src/core/lib/gprpp/crash.h"
+#include "src/core/lib/gprpp/dump_args.h"
 #include "src/core/lib/gprpp/memory.h"
 #include "src/core/lib/slice/slice_internal.h"
 #include "src/core/tsi/transport_security_grpc.h"
 #include "src/core/tsi/transport_security_interface.h"
+#include "absl/log/check.h"
+#include "absl/log/log.h"
 
 // --- Constants. ---
 #define TSI_FAKE_FRAME_HEADER_SIZE 4
@@ -210,6 +209,9 @@ static tsi_result tsi_fake_frame_decode(const unsigned char* incoming_bytes,
     frame->offset += to_read_size;
     available_size -= to_read_size;
     frame->size = load32_little_endian(frame->data);
+    LOG(INFO) << "frame->size: " << frame->size;
+    if (frame->size < 4) return TSI_DATA_CORRUPTED;
+    if (frame->size > 16 * 1024 * 1024) return TSI_DATA_CORRUPTED;
     tsi_fake_frame_ensure_size(frame);
   }
 

test/core/end2end/fuzzers/BUILD

@@ -168,6 +168,25 @@ grpc_proto_fuzzer(
     ],
 )
 
+grpc_proto_fuzzer(
+    name = "server_fuzzer_chttp2_fake_creds",
+    srcs = ["server_fuzzer_chttp2_fake_creds.cc"],
+    corpus = "server_fuzzer_chttp2_fake_creds_corpus",
+    end2end_fuzzer = True,
+    language = "C++",
+    proto = None,
+    tags = [
+        "no_mac",
+        "no_windows",
+    ],
+    uses_event_engine = False,
+    uses_polling = False,
+    deps = [
+        ":server_fuzzer",
+        "//:grpc",
+    ],
+)
+
 grpc_proto_fuzzer(
     name = "server_fuzzer_chaotic_good",
     srcs = ["server_fuzzer_chaotic_good.cc"],

test/core/end2end/fuzzers/server_fuzzer_chttp2_fake_creds.cc

@@ -0,0 +1,30 @@
+// Copyright 2024 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include <grpc/credentials.h>
+#include <grpc/grpc_security.h>
+
+#include "src/core/lib/security/credentials/fake/fake_credentials.h"
+#include "src/libfuzzer/libfuzzer_macro.h"
+#include "test/core/end2end/fuzzers/server_fuzzer.h"
+
+DEFINE_PROTO_FUZZER(const fuzzer_input::Msg& msg) {
+  grpc_core::RunServerFuzzer(msg, [](grpc_server* server, int port_num,
+                                     const grpc_core::ChannelArgs&) {
+    auto* creds = grpc_fake_transport_security_server_credentials_create();
+    grpc_server_add_http2_port(
+        server, absl::StrCat("0.0.0.0:", port_num).c_str(), creds);
+    grpc_server_credentials_release(creds);
+  });
+}

test/core/end2end/fuzzers/server_fuzzer_chttp2_fake_creds_corpus/empty

@@ -0,0 +1 @@
+