Commit Graph

45 Commits

Author SHA1 Message Date
Matt Morehouse
8d9f033954 fuzz: initial handshake target seeds
Corpora generated for fuzz-connectd-handshake-act{1,2,3} from 300+ CPU
hours of fuzzing and then minimized.
2023-06-22 13:40:45 +09:30
Matt Morehouse
0e2173f1fd fuzz: add handshake act 3 target
The fuzz target uses static keys with a fuzzer-generated Act 3 packet.
2023-06-22 13:40:45 +09:30
Matt Morehouse
a203db00ca fuzz: add handshake act 2 target
The fuzz target uses static keys with a fuzzer-generated Act 2 packet.
2023-06-22 13:40:45 +09:30
Matt Morehouse
4bb216a611 fuzz: add handshake act 1 target
The fuzz target uses static keys with a fuzzer-generated Act 1 packet.
2023-06-22 13:40:45 +09:30
Matt Morehouse
2b629b2509 fuzz: add connectd_handshake.h
This header will be used by multiple fuzz targets to fuzz Acts 1, 2, and
3 of the BOLT 8 handshake.

We could make this header into a full library, but considering its
narrow use let's try not to over-engineer things.
2023-06-22 13:40:45 +09:30
Rusty Russell
edbaa944da lightningd: switch parsing to common/configvar
Now we wire in the code which gathers configvars and parses from there;
lightningd keeps the array of configuration variables for future use.

Note that lightning-cli also needs to read the config, but it has its
own options (including short ones!) and doesn't want to use this
configvar mechanism, so we have a different API for that now.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2023-06-03 10:50:29 +09:30
Matt Morehouse
34d104b809 fuzz: new fuzz-bech32 seeds
Add new seeds generated after improving the fuzz-bech32 target.
2023-05-27 15:06:31 +09:30
Matt Morehouse
ecdbab5813 fuzz: simplify fuzz-bech32.c
Use a short loop to eliminate redundant code.
2023-05-27 15:06:31 +09:30
Matt Morehouse
7db1e06fb5 fuzz: check decoded values
Decoded values should match the original values before encoding.
2023-05-27 15:06:31 +09:30
Matt Morehouse
255413377b fuzz: allow bech32_encode to succeed
We were passing a max_output_len that was too small, so every call to
bech32_encode was failing. Now we set max_output_len to the full size of
bech32_str.
2023-05-27 15:06:31 +09:30
Rusty Russell
4deb552fe9 build: don't generate experimental variants of wire files.
We no longer have any experimental-only wire definitions.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2023-05-23 09:34:08 +09:30
Matt Morehouse
f7602ea335 fuzz: new fuzz-bip32 seeds
Add new seeds generated after improving the fuzz-bip32 target.
2023-05-21 12:46:27 +02:00
Matt Morehouse
8265a94858 fuzz: correct buffer length for bip32_key_version
8 bytes are expected, not 4.

Because we were passing the wrong number of bytes, parsing was failing
every single time.
2023-05-21 12:46:27 +02:00
Matt Morehouse
7d662b6b68 fuzz: check key validity before serializing
We need to check that the key is valid for two reasons:
  1) towire_ext_key() aborts if the key is invalid
  2) fromwire_ext_key() doesn't check the parsed key for validity

Since bip32_key_get_fingerprint() fails if the key is invalid, we can
call it first to guarantee the key is valid before serializing.
2023-05-21 12:46:27 +02:00
Matt Morehouse
fa988d2942 fuzz: add check-fuzz.sh
The script runs each fuzz target on its seed corpus and prints any
failures.
2023-04-09 12:41:27 +09:30
Matt Morehouse
a1a1373090 fuzz: improve corpus merging
The following arguments were copied from Bitcoin Core's corpus merging
script https://github.com/bitcoin/bitcoin/blob/master/test/fuzz/test_runner.py:

-shuffle=0
-prefer_small=1
-use_value_profile=1
2023-04-09 12:41:27 +09:30
Matt Morehouse
9384692e2a fuzz: add initial seed corpora
These corpora were generated with default libFuzzer flags with 30+ hours
of CPU time, and then minimized with:
  ./fuzz-TARGET -merge=1 -shuffle=0 -prefer_small=1 -use_value_profile=1 corpora/fuzz-TARGET UNMINIMIZED_CORPUS
2023-04-09 12:41:27 +09:30
Rusty Russell
5787e18e69 fuzz: fix check-src/includes when fuzzing enabled.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2023-04-05 06:12:24 +09:30
Matt Morehouse
5ea1fade60 fuzz: fix invalid pubkey error
pubkey_from_hexstr() was failing, which we didn't notice because we
weren't checking the return value. The problem was that we were passing
it a strlen that was half the actual length.

Relevant error:

  [libsecp256k1] illegal argument: !secp256k1_fe_is_zero(&ge->x)

  ==417723== ERROR: libFuzzer: deadly signal
    #7 0x7f5deaacc7fb in abort
    #8 0x51b0b0 in secp256k1_default_illegal_callback_fn secp256k1.c
    #9 0x51bd8e in secp256k1_ec_pubkey_serialize
    #10 0x4e235b in pubkey_to_der bitcoin/pubkey.c:29:7
    #11 0x4e2941 in pubkey_cmp bitcoin/pubkey.c:89:2
    #12 0x4e333d in bitcoin_redeem_2of2 bitcoin/script.c:144:6
    #13 0x4f1396 in run tests/fuzz/fuzz-close_tx.c:78:19
2023-04-03 16:12:29 +09:30
Matt Morehouse
3192be5c23 fuzz: fix UBSan nullability error
The issue is that common_setup() wasn't called by the fuzz target,
leaving secp256k1_ctx as NULL.

UBSan error:

$ UBSAN_OPTIONS="print_stacktrace=1:halt_on_error=1" \
    ./fuzz-channel_id crash-1575b41ef09e62e4c09c165e6dc037a110b113f2

INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 1153355603
INFO: Loaded 1 modules   (25915 inline 8-bit counters): 25915 [0x563bae7ac3a8, 0x563bae7b28e3),
INFO: Loaded 1 PC tables (25915 PCs): 25915 [0x563bae7b28e8,0x563bae817c98),
./fuzz-channel_id: Running 1 inputs 1 time(s) each.
Running: crash-1575b41ef09e62e4c09c165e6dc037a110b113f2
bitcoin/pubkey.c:22:33: runtime error: null pointer passed as argument 1, which is declared to never be null
external/libwally-core/src/secp256k1/include/secp256k1.h:373:3: note: nonnull attribute specified here
    #0 0x563bae41e3db in pubkey_from_der bitcoin/pubkey.c:19:7
    #1 0x563bae4205e0 in fromwire_pubkey bitcoin/pubkey.c:111:7
    #2 0x563bae46437c in run tests/fuzz/fuzz-channel_id.c:42:3
    #3 0x563bae2f6016 in LLVMFuzzerTestOneInput tests/fuzz/libfuzz.c:23:2
    #4 0x563bae20a450 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long)
    #5 0x563bae1f4c3f in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long)
    #6 0x563bae1fa6e6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long))
    #7 0x563bae223052 in main (tests/fuzz/fuzz-channel_id+0x181052) (BuildId: f7f56e14ffc06df54ab732d79ea922e773de1f25)
    #8 0x7fa7fa113082 in __libc_start_main
    #9 0x563bae1efbdd in _start

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior bitcoin/pubkey.c:22:33 in
2023-03-23 13:34:24 +10:30
Matt Morehouse
07527d9fbb fuzz: avoid buffer overflow in bech32 target
If the fuzzer passes an empty data buffer, the fuzz target currently
attempts to read from it. We should short-circuit instead.
2023-03-23 13:28:28 +10:30
Rusty Russell
22c42de6f1 tests/fuzz: don't pull in JSON common at all.
No tests currently use it, and if they do we'll want to do some
per-test objects.  Otherwise, we are about it introduce a dependency
on common/json_filter.o, which is a can of worms.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2022-11-09 20:25:58 +10:30
Rusty Russell
8f6afedafe fuzz: fix fuzzing compilation.
It had bitrotted.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2022-07-25 08:08:32 -07:00
Rusty Russell
4ffda340d3 check: make sure all files outside contrib/ include "config.h" first.
And turn "" includes into full-path (which makes it easier to put
config.h first, and finds some cases check-includes.sh missed
previously).

config.h sets _GNU_SOURCE which really needs to be done before any
'#includes': we mainly got away with it with glibc, but other platforms
like Alpine may have stricter requirements.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2021-12-06 10:05:39 +10:30
Rusty Russell
c503232cde common: use bitcoin_outpoint.
I started pulling this thread, and the entire codebase got unravelled.

Oh well, it's done now!

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2021-10-15 12:09:36 +02:00
Rusty Russell
012dedc3d8 fuzz: make it build again.
How did this pass CI?  I saw this break in my PR, but it's (long)
broken in master.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2021-10-15 12:09:36 +02:00
Rusty Russell
7401b26824 cleanup: remove unneeded includes in C files.
Before:
 Ten builds, laptop -j5, no ccache:

```
real	0m36.686000-38.956000(38.608+/-0.65)s
user	2m32.864000-42.253000(40.7545+/-2.7)s
sys	0m16.618000-18.316000(17.8531+/-0.48)s
```

 Ten builds, laptop -j5, ccache (warm):

```
real	0m8.212000-8.577000(8.39989+/-0.13)s
user	0m12.731000-13.212000(12.9751+/-0.17)s
sys	0m3.697000-3.902000(3.83722+/-0.064)s
```

After:
 Ten builds, laptop -j5, no ccache: 8% faster

```
real	0m33.802000-35.773000(35.468+/-0.54)s
user	2m19.073000-27.754000(26.2542+/-2.3)s
sys	0m15.784000-17.173000(16.7165+/-0.37)s
```

 Ten builds, laptop -j5, ccache (warm): 1% faster

```
real	0m8.200000-8.485000(8.30138+/-0.097)s
user	0m12.485000-13.100000(12.7344+/-0.19)s
sys	0m3.702000-3.889000(3.78787+/-0.056)s
```

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2021-09-17 09:43:22 +09:30
niftynei
265f960cfe liquidity-ads: persist channel blockheight states to disk
Adds new tables to database, backfills, basically copies the fee_rates
state machine for channeld.
2021-07-20 13:28:38 -04:00
Rusty Russell
4cc3eaf79c common/bech32: update to bech32m reference.
I did this by copying the updated bech32 code, and then re-patching in
our minor changes:

1. Headers modded (we need size_t)
2. Explicit length for bech32_encode/decode (not 90).
3. Exposing and bech32_ prefix for convert_bits, charset, charset_rev.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2021-06-11 13:54:20 +09:30
Rusty Russell
4e2410742a tests/fuzz: update for fmt_amount changes, create pseudorand for fuzzing.
Reported-by: Christian Reitter
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2021-04-21 06:51:03 +09:30
Rusty Russell
06a54606a3 check-includes: allow redundant "config.h"
We should actually be including this (as it may define _GNU_SOURCE
etc) before any system headers.  But where we include <assert.h> we
often didn't, because check-includes would complain that the headers
included it too.

Weaken that check, and include config.h in C files before assert.h.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2021-02-04 12:02:36 +10:30
Antoine Poinsot
a4f07a3e78 tests/fuzz: add a fuzz target for hsm_encryption
Signed-off-by: Antoine Poinsot <darosior@protonmail.com>
2021-01-06 13:50:01 +01:00
Antoine Poinsot
506d524508 libfuzz: add a NULL-termination in to_string
It's more useful if we actually want to use the output as, well, a
string..

Signed-off-by: Antoine Poinsot <darosior@protonmail.com>
2021-01-06 13:50:01 +01:00
Antoine Poinsot
4f2ae48c54 fuzz: add a fuzz target for common/descriptor_checksum
A small one just to check that we don't crash nor go out of bounds!

Signed-off-by: Antoine Poinsot <darosior@protonmail.com>
2020-11-10 10:34:13 -06:00
Antoine Poinsot
bf0a2f2b85 fuzz: add a 'to_string' function to libfuzz
We want to use it outside of fuzz-amount

Signed-off-by: Antoine Poinsot <darosior@protonmail.com>
2020-11-10 10:34:13 -06:00
Antoine Poinsot
85aa53c778 fuzz: add a runner Python script for fuzz targets
Signed-off-by: Antoine Poinsot <darosior@protonmail.com>
2020-10-21 19:34:39 +02:00
Antoine Poinsot
c149a88bbe fuzz: add a fuzz target for initial_channel
Signed-off-by: Antoine Poinsot <darosior@protonmail.com>
2020-10-21 19:34:39 +02:00
Antoine Poinsot
1aa94ccd9e fuzz: add a fuzz target for the close tx
Signed-off-by: Antoine Poinsot <darosior@protonmail.com>
2020-10-21 19:34:39 +02:00
Antoine Poinsot
33c7eccb3b fuzz: add a fuzz target for channel_id derivation
Signed-off-by: Antoine Poinsot <darosior@protonmail.com>
2020-10-21 19:34:39 +02:00
Antoine Poinsot
f0061d0606 fuzz: add a fuzz target for common/bip32
Signed-off-by: Antoine Poinsot <darosior@protonmail.com>
2020-10-21 19:34:39 +02:00
Antoine Poinsot
a89a018475 fuzz: add a fuzz target for common/bigsize
Signed-off-by: Antoine Poinsot <darosior@protonmail.com>
2020-10-21 19:34:39 +02:00
Antoine Poinsot
5d987f2dec fuzz: add a target for base32/64 encoding
Signed-off-by: Antoine Poinsot <darosior@protonmail.com>
2020-10-21 19:34:39 +02:00
Antoine Poinsot
63b1ae54a1 fuzz: add a target for common/bech32
Signed-off-by: Antoine Poinsot <darosior@protonmail.com>
2020-10-21 19:34:39 +02:00
Antoine Poinsot
2f90c45454 fuzz: add a fuzz target for amounts parsing
Signed-off-by: Antoine Poinsot <darosior@protonmail.com>
2020-10-21 19:34:39 +02:00
Antoine Poinsot
62b54d0125 build: introduce a fuzzing mode
This adds a new configuration, --enable-fuzzing (which is more than
welcome to be coupled with --enable-address-sanitizer), to pass the
fuzzer sanitizer argument when compiling objects. This allows libfuzzer
to actually be able "to fuzz" by detecting coverage and be smart when
mutating inputs.

As libfuzzer brings its own ~~fees~~ main(), we compile objects with
fsanitize=fuzzer-no-link, and special-case the linkage of the fuzz
targets.

A "lib" is added to abstract out the interface to the fuzzing tool used.
This allow us to use the same targets to fuzz using AFL, hongfuzz or w/e
by adding their entrypoints into libfuzz. (h/t to practicalswift who
introduced this for bitcoin-core, which i mimiced)

Signed-off-by: Antoine Poinsot <darosior@protonmail.com>
2020-10-21 19:34:39 +02:00