Commit Graph

19 Commits

Author SHA1 Message Date
Matt Morehouse
3260d7dd5e fuzz: initial fuzz-bolt12-invoice-decode corpus 2024-01-23 20:21:48 +10:30
Matt Morehouse
1c18269cd1 fuzz: initial fuzz-bolt12-invrequest-decode corpus 2024-01-23 20:21:48 +10:30
Matt Morehouse
2073d9771d fuzz: initial fuzz-bolt12-offer-decode corpus 2024-01-23 20:21:48 +10:30
Matt Morehouse
3af61e087c fuzz: initial fuzz-bolt12-bech32-decode corpus 2024-01-23 20:21:48 +10:30
Matt Morehouse
a59a8557d9 fuzz: new bolt11 seeds 2023-10-24 12:17:18 +10:30
Matt Morehouse
87f4907bb4 bolt11: don't abort on invalid pubkey
Rather than crashing the entire node on invalid pubkey, check the
validity of the pubkey in decode_n, and return an error if invalid.

Detected by libFuzzer:
==265599== ERROR: libFuzzer: deadly signal
    #7 abort
    #8 bolt11_decode common/bolt11.c:999:4
2023-10-18 09:53:22 +10:30
Matt Morehouse
c1f20687a6 bolt11: validate recovery ID
Invalid recovery IDs cause
secp256k1_ecdsa_recoverable_signature_parse_compact to abort, which
crashes the entire node. We should return an error instead.

Detected by libFuzzer:
[libsecp256k1] illegal argument: recid >= 0 && recid <= 3
2023-10-18 09:53:22 +10:30
Matt Morehouse
ee8cf69f28 bolt11: return error on unexpected lightning prefix
Remove the assertion so that an error is returned for invalid bech32.
An error is preferable to crashing the entire node if there's an extra
"lightning:" prefix:

  $ lightning-cli pay "lightning:lightning:"

Node log:
  pay: common/bolt11.c:718: bolt11_decode_nosig: Assertion `!has_lightning_prefix(str)' failed.
  pay: FATAL SIGNAL 6
  ...
  INFO    plugin-pay: Killing plugin: exited during normal operation
  **BROKEN** plugin-pay: Plugin marked as important, shutting down lightningd
2023-10-18 09:53:22 +10:30
Matt Morehouse
ee501b035b bolt11: avoid reading uninitialized memory
If both databits and *data_len are 0, pull_uint return uninitialized
stack memory in *val.

Detected by valgrind and UBSan.

valgrind:
==173904== Use of uninitialised value of size 8
==173904==    __sanitizer_cov_trace_cmp8
==173904==    decode_c (bolt11.c:292)
==173904==    bolt11_decode_nosig (bolt11.c:877)

UBSan:
common/bolt11.c:79:29: runtime error: shift exponent 64 is too large for 64-bit type 'uint64_t' (aka 'unsigned long')

Corpus input e6f7b9744a7d79b2aa4f7c477707bdd3483f40fa triggers the UBSan
report, but we didn't previously realize this because UBSan has been
disabled in the CI run. We rename the input to indicate its usefulness
as a permanent regression test.
2023-10-18 09:53:22 +10:30
Matt Morehouse
eeec529031 bolt11: check return value of pull_all
Otherwise, if pull_all fails, we attempt to create a script from NULL,
causing a UBSan report:

bitcoin/script.c:29:28: runtime error: null pointer passed as argument 2, which is declared to never be null

Corpus input bf703c2c20c0818af70a8c4caad6e6fd8cfd1ac6 triggers the UBSan
report, but we didn't previously realize this because UBSan has been
disabled in the CI run. We rename the input to indicate its usefulness
as a permanent regression test.
2023-10-18 09:53:22 +10:30
dergoegge
02717c73dc fuzz: bolt11 inputs 2023-10-12 19:28:28 +02:00
Matt Morehouse
8596208f52 fuzz: initial wire message seeds
Seeds for every peer wire message, generated from fuzzing with
-max_len=65533 and minimizing the resulting corpora.
2023-09-18 13:58:45 +09:30
Matt Morehouse
a264e10564 fuzz: initial sha256 seeds
Corpus generated from 100+ CPU hours of fuzzing and then minimized.
2023-07-10 14:56:50 +09:30
Matt Morehouse
8547912708 fuzz: initial ripemd160 seeds
Corpus generated from 100+ CPU hours of fuzzing and then minimized.
2023-07-10 14:56:50 +09:30
Matt Morehouse
8991f27497 fuzz: initial fuzz-cryptomsg seeds
Corpus generated by 300+ CPU hours of fuzzing and then minimized.
2023-06-23 13:12:42 +09:30
Matt Morehouse
8d9f033954 fuzz: initial handshake target seeds
Corpora generated for fuzz-connectd-handshake-act{1,2,3} from 300+ CPU
hours of fuzzing and then minimized.
2023-06-22 13:40:45 +09:30
Matt Morehouse
34d104b809 fuzz: new fuzz-bech32 seeds
Add new seeds generated after improving the fuzz-bech32 target.
2023-05-27 15:06:31 +09:30
Matt Morehouse
f7602ea335 fuzz: new fuzz-bip32 seeds
Add new seeds generated after improving the fuzz-bip32 target.
2023-05-21 12:46:27 +02:00
Matt Morehouse
9384692e2a fuzz: add initial seed corpora
These corpora were generated with default libFuzzer flags with 30+ hours
of CPU time, and then minimized with:
  ./fuzz-TARGET -merge=1 -shuffle=0 -prefer_small=1 -use_value_profile=1 corpora/fuzz-TARGET UNMINIMIZED_CORPUS
2023-04-09 12:41:27 +09:30