#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <memory>
#include <span>
#include <string>
#include <string_view>
#include <vector>

#include "driver.h"
#include <bitcoinfuzz/basemodule.h>
#ifdef BITCOIN_CORE
#include <modules/bitcoin/module.h>
#endif
#ifdef RUST_BITCOIN
#include <modules/rustbitcoin/module.h>
#endif
#ifdef RUST_MINISCRIPT
#include <modules/rustminiscript/module.h>
#endif
#ifdef BTCD
#include <modules/btcd/module.h>
#endif
#ifdef LND
#include <modules/lnd/module.h>
#endif
#ifdef LDK
#include <modules/ldk/module.h>
#endif
#ifdef NLIGHTNING
#include <modules/nlightning/module.h>
#endif
#ifdef EMBIT
#include <modules/embit/module.h>
#endif
#ifdef CLIGHTNING
#include <modules/clightning/module.h>
#endif
#ifdef CUSTOM_MUTATOR_BOLT11
#include <modules/bolt11mutator/bech32.h>
#endif
// Process-wide driver handle. It starts out null and is (re)assigned on every
// call to LLVMFuzzerTestOneInput below.
std::shared_ptr<bitcoinfuzz::Driver> driver{};
#ifdef CUSTOM_MUTATOR_BOLT11
// We use a custom mutator to produce an input corpus that consists entirely of
// correctly encoded bech32 strings. This enables us to efficiently fuzz the
// bolt11 decoding logic without the fuzzer getting stuck on fuzzing the bech32
// decoding/encoding logic. This custom mutator is originally from core-lightning:
// https://github.com/ElementsProject/lightning/blob/3a7a1fad4eb56522b6ab590e53c695e2fb08e7e2/tests/fuzz/fuzz-bolt11.c#L59
//
// This custom mutator does the following things:
// 1. Attempt to bech32 decode the given input (returns the encoded dummy
// invoice on failure).
// 2. Mutate either the human readable or data part of the invoice using
// libFuzzer's default mutator `LLVMFuzzerMutate`.
// 3. Attempt to bech32 encode the mutated hrp and data (returns the encoded
// dummy on failure).
// 4. Write the encoded result to `fuzz_data` if its size does not exceed
// `max_size`, otherwise return the encoded dummy invoice.
// libFuzzer's built-in mutator (provided by the libFuzzer runtime); used below
// on the hrp or data part of a decoded invoice.
extern "C" size_t LLVMFuzzerMutate(uint8_t *Data, size_t Size, size_t MaxSize);
// Custom mutation and cross-over hooks that libFuzzer picks up by symbol name;
// both are defined further down in this file.
extern "C" size_t LLVMFuzzerCustomMutator(uint8_t *fuzz_data, size_t size, size_t max_size,
                                          unsigned int seed);
extern "C" size_t LLVMFuzzerCustomCrossOver(const uint8_t *in1, size_t in1_size, const uint8_t *in2,
                                            size_t in2_size, uint8_t *out, size_t max_out_size,
                                            unsigned seed);
// Encodes a dummy bolt11 invoice into `fuzz_data` and returns the size of the
// encoded string.
// Writes the fixed dummy bolt11 invoice into `fuzz_data`, truncated to
// `max_size` bytes, and returns the number of bytes written.
static size_t initial_input(uint8_t *fuzz_data, size_t max_size)
{
    constexpr std::string_view dummy =
        "lnbc16lta047pp5h6lta047h6lta047h6lta047h6lta047h6lta047h6lta047"
        "h6lqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq"
        "qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqxnht6w";
    // string_view::copy clamps the count to the view's length, so exactly
    // min(max_size, dummy.size()) bytes are written and that count returned.
    return dummy.copy(reinterpret_cast<char*>(fuzz_data), max_size);
}
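// libFuzzer mutation hook for bolt11 inputs (see the comment block above).
// Decodes `fuzz_data` as bech32, mutates either the hrp or the 5-bit data part
// with LLVMFuzzerMutate, re-encodes and writes the result back into
// `fuzz_data`. Whenever the input cannot be decoded, the mutated hrp is not
// acceptable, or the result would not fit in `max_size`, the fixed dummy
// invoice is written instead. Returns the number of bytes now in `fuzz_data`.
size_t LLVMFuzzerCustomMutator(uint8_t *fuzz_data, size_t size, size_t max_size,
                               unsigned int seed)
{
    // A minimum size of 9 prevents hrp_maxlen <= 0 and data_maxlen <= 0.
    if (size < 9)
        return initial_input(fuzz_data, max_size);

    // Interpret fuzz input as string
    std::string input(reinterpret_cast<char*>(fuzz_data), size);
    const size_t data_maxlen = input.size() - 8;
    const size_t hrp_maxlen = input.size() - 6;

    // Attempt to bech32 decode the input
    bech32::DecodeResult decoded = bech32::Decode(input, bech32::CharLimit::CUSTOM_MUTATOR);
    if (decoded.encoding != bech32::Encoding::BECH32) {
        // Decoding failed, this should only happen when starting from
        // an empty corpus.
        return initial_input(fuzz_data, max_size);
    }
    std::vector<uint8_t> data = decoded.data;
    std::string hrp = decoded.hrp;

    // Mutate either the hrp or data
    std::srand(seed);
    switch (std::rand() % 2) {
    case 0: { // Mutate hrp
        // Buffer large enough for the maximum mutation size. (Presumably
        // hrp.size() < hrp_maxlen, since the separator and checksum were
        // decoded out of the same `size` bytes -- verify against bech32::Decode.)
        std::vector<uint8_t> hrp_buffer(hrp.begin(), hrp.end());
        hrp_buffer.resize(hrp_maxlen);
        const size_t new_len = LLVMFuzzerMutate(hrp_buffer.data(), hrp.size(), hrp_maxlen);
        // Convert back to string with the new length
        hrp.assign(reinterpret_cast<char*>(hrp_buffer.data()), new_len);
        // Sanitize hrp: printable ASCII (33-126) only, and never uppercase.
        // Work on the unsigned byte value: with a signed `char`, bytes >= 0x80
        // are negative and `c % 26` would yield a non-letter (possibly an
        // uppercase one), which the safety net below would then reject.
        for (char& c : hrp) {
            const unsigned char byte = static_cast<unsigned char>(c);
            if (byte < 33 || byte > 126) {
                c = static_cast<char>('a' + byte % 26); // Replace with a lowercase letter
            } else if (byte >= 'A' && byte <= 'Z') {
                c = static_cast<char>(byte - 'A' + 'a'); // Convert uppercase to lowercase
            }
        }
        break;
    }
    case 1: { // Mutate data
        const size_t original_data_size = data.size();
        // Buffer large enough for the maximum mutation size
        data.resize(std::max(data.size(), data_maxlen));
        const size_t new_len = LLVMFuzzerMutate(data.data(), original_data_size, data_maxlen);
        // Keep only what the mutator produced; without this the zero padding
        // added by the resize above is encoded as part of the data.
        data.resize(new_len);
        // Ensure all values remain valid 5-bit values
        for (auto& val : data) {
            val &= 0x1F;
        }
        break;
    }
    }

    // Safety net: an uppercase hrp must never reach Encode.
    for (const char c : hrp) {
        if (c >= 'A' && c <= 'Z') {
            return initial_input(fuzz_data, max_size);
        }
    }

    std::string output = bech32::Encode(bech32::Encoding::BECH32, hrp, data);
    if (output.length() > max_size) {
        return initial_input(fuzz_data, max_size);
    }
    std::memcpy(fuzz_data, output.data(), output.length());
    return output.length();
}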
// Builds a new buffer by splicing a random slice of `in2` into `in1` at a
// random position. Returns an empty vector when no insertion is possible:
// `in1` already fills `max_out_size`, or either input is empty.
// Consumes three values from std::rand(); callers seed via std::srand.
static std::vector<uint8_t> insert_part(std::span<const uint8_t> in1,
                                        std::span<const uint8_t> in2,
                                        size_t max_out_size)
{
    std::vector<uint8_t> result;
    const size_t base_len = in1.size();
    const size_t donor_len = in2.size();

    const bool no_room = base_len >= max_out_size;
    const bool nothing_to_splice = base_len == 0 || donor_len == 0;
    if (no_room || nothing_to_splice) {
        return result;
    }

    // Largest slice that still fits the budget, never longer than the donor.
    const size_t slice_cap = std::min(max_out_size - base_len, donor_len);

    const size_t split_at = std::rand() % base_len;
    const size_t slice_len = std::rand() % slice_cap + 1;
    const size_t slice_from = std::rand() % (donor_len - slice_len + 1);

    result.reserve(base_len + slice_len);
    const auto base_split = in1.begin() + static_cast<std::ptrdiff_t>(split_at);
    const auto slice_begin = in2.begin() + static_cast<std::ptrdiff_t>(slice_from);
    const auto slice_end = slice_begin + static_cast<std::ptrdiff_t>(slice_len);
    result.assign(in1.begin(), base_split);
    result.insert(result.end(), slice_begin, slice_end);
    result.insert(result.end(), base_split, in1.end());
    return result;
}
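// Copies `in1` (truncated to `max_out_size`) and overwrites a random run of it
// with a random slice of `in2`. Returns an empty vector when either input is
// empty or the output budget is zero.
// Consumes two or three values from std::rand(); callers seed via std::srand.
static std::vector<uint8_t> overwrite_part(std::span<const uint8_t> in1,
                                           std::span<const uint8_t> in2,
                                           size_t max_out_size)
{
    std::vector<uint8_t> out;
    if (in1.empty() || in2.empty()) {
        return out;
    }

    // Copy in1 to out first (limited by max_out_size). Only the bytes that are
    // actually copied are reserved: reserving max_out_size up front throws
    // std::length_error when a caller passes an oversized budget.
    const size_t in1_bytes = std::min(in1.size(), max_out_size);
    out.reserve(in1_bytes);
    out.insert(out.end(), in1.begin(), in1.begin() + in1_bytes);
    if (out.empty()) return out;

    // Pick where to overwrite and how much; the run must fit both the tail of
    // `out` from `pos` and the whole of `in2`.
    const size_t pos = std::rand() % out.size();
    const size_t max_possible = std::min(in2.size(), out.size() - pos);
    const size_t overwrite_length = (std::rand() % max_possible) + 1;
    size_t in2_start = 0;
    if (in2.size() > overwrite_length) {
        in2_start = std::rand() % (in2.size() - overwrite_length + 1);
    }

    // Overwrite portion of out with the chosen substring of in2
    std::copy_n(in2.begin() + in2_start, overwrite_length, out.begin() + pos);
    return out;
}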
// Seeds the C PRNG with `seed` and then applies one of the two cross-over
// strategies to `in1`/`in2`, chosen by the first std::rand() value.
// The result is bounded by `max_out_size` as each strategy defines it.
static std::vector<uint8_t> cross_over(std::span<const uint8_t> in1,
                                       std::span<const uint8_t> in2,
                                       size_t max_out_size,
                                       unsigned seed)
{
    std::srand(seed);
    const bool use_insert = (std::rand() % 2) != 0;
    return use_insert ? insert_part(in1, in2, max_out_size)
                      : overwrite_part(in1, in2, max_out_size);
}
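// libFuzzer cross-over hook: splices either the hrp or the data part of two
// bech32-decoded inputs, re-encodes, and writes the result to `out`.
// Returns the number of bytes written, or 0 when no cross-over was produced
// (an input too short or not bech32, the size budget for the spliced part
// would be negative, or the encoded result does not fit in `max_out_size`).
size_t LLVMFuzzerCustomCrossOver(const uint8_t *in1, size_t in1_size, const uint8_t *in2,
                                 size_t in2_size, uint8_t *out, size_t max_out_size,
                                 unsigned seed)
{
    // Same lower bound as the mutator; shorter strings cannot be bech32.
    if (in1_size < 9 || in2_size < 9)
        return 0;

    // Interpret fuzz inputs as strings
    std::string input1(reinterpret_cast<const char*>(in1), in1_size);
    std::string input2(reinterpret_cast<const char*>(in2), in2_size);

    // Attempt to bech32 decode the inputs
    bech32::DecodeResult result1 = bech32::Decode(input1, bech32::CharLimit::CUSTOM_MUTATOR);
    if (result1.encoding != bech32::Encoding::BECH32) {
        return 0;
    }
    bech32::DecodeResult result2 = bech32::Decode(input2, bech32::CharLimit::CUSTOM_MUTATOR);
    if (result2.encoding != bech32::Encoding::BECH32) {
        return 0;
    }

    const std::string& hrp1 = result1.hrp;
    const std::string& hrp2 = result2.hrp;
    const std::vector<uint8_t>& data1 = result1.data;
    const std::vector<uint8_t>& data2 = result2.data;

    // Bytes reserved for the separator and checksum when sizing the spliced
    // part; kept at the original value of 8.
    constexpr size_t kFixedOverhead = 8;

    std::srand(seed);
    std::string out_hrp;
    std::vector<uint8_t> out_data;
    if (std::rand() % 2) {
        // Cross-over the HRP, keep data1 as-is.
        // Guard the subtraction: an unsigned wrap here would hand an enormous
        // budget to cross_over and be caught only by the final size check (and
        // in overwrite_part not even that -- its reserve() would throw).
        if (max_out_size < data1.size() + kFixedOverhead) {
            return 0;
        }
        const size_t hrp_budget = max_out_size - data1.size() - kFixedOverhead;
        std::span<const uint8_t> hrp1_span(reinterpret_cast<const uint8_t*>(hrp1.data()), hrp1.size());
        std::span<const uint8_t> hrp2_span(reinterpret_cast<const uint8_t*>(hrp2.data()), hrp2.size());
        const std::vector<uint8_t> out_hrp_vec = cross_over(
            hrp1_span,
            hrp2_span,
            hrp_budget,
            static_cast<unsigned>(std::rand()));
        // NOTE(review): cross_over may return an empty buffer, in which case an
        // empty hrp is handed to Encode (unchanged from the previous behaviour).
        out_hrp.assign(out_hrp_vec.begin(), out_hrp_vec.end());
        out_data = data1;
    } else {
        // Cross-over the data part, keep hrp1 as-is.
        if (max_out_size < hrp1.size() + kFixedOverhead) {
            return 0;
        }
        const size_t data_budget = max_out_size - hrp1.size() - kFixedOverhead;
        out_hrp = hrp1;
        out_data = cross_over(
            data1,
            data2,
            data_budget,
            static_cast<unsigned>(std::rand()));
    }

    // Encode the output; reject anything that does not fit the out buffer.
    std::string encoded = bech32::Encode(bech32::Encoding::BECH32, out_hrp, out_data);
    if (encoded.size() > max_out_size) {
        return 0;
    }
    // Copy the result to out buffer
    std::memcpy(out, encoded.data(), encoded.size());
    return encoded.size();
}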
#endif
// libFuzzer entry point. Builds a fresh Driver with every compiled-in module
// loaded and runs it on `Data`/`Size` against the target named by the FUZZ
// environment variable. Always returns 0, as libFuzzer expects.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
{
    // May be null when FUZZ is unset; how Driver::Run treats that is not
    // visible here.
    const char* const target = std::getenv("FUZZ");

    // A new driver and new module instances are created on every input; the
    // global keeps the instance alive after this call returns.
    auto harness = std::make_shared<bitcoinfuzz::Driver>();
    driver = harness;
#ifdef BITCOIN_CORE
    harness->LoadModule(std::make_shared<bitcoinfuzz::module::Bitcoin>());
#endif
#ifdef RUST_BITCOIN
    harness->LoadModule(std::make_shared<bitcoinfuzz::module::Rustbitcoin>());
#endif
#ifdef RUST_MINISCRIPT
    harness->LoadModule(std::make_shared<bitcoinfuzz::module::Rustminiscript>());
#endif
#ifdef BTCD
    harness->LoadModule(std::make_shared<bitcoinfuzz::module::Btcd>());
#endif
#ifdef LND
    harness->LoadModule(std::make_shared<bitcoinfuzz::module::Lnd>());
#endif
#ifdef LDK
    harness->LoadModule(std::make_shared<bitcoinfuzz::module::Ldk>());
#endif
#ifdef NLIGHTNING
    harness->LoadModule(std::make_shared<bitcoinfuzz::module::NLightning>());
#endif
#ifdef EMBIT
    harness->LoadModule(std::make_shared<bitcoinfuzz::module::Embit>());
#endif
#ifdef CLIGHTNING
    harness->LoadModule(std::make_shared<bitcoinfuzz::module::CLightning>());
#endif
    harness->Run(Data, Size, target);
    return 0;
}