mirrors/core-lightning
1
0
Fork 0
mirror of https://github.com/ElementsProject/lightning.git synced 2025-02-23 15:00:34 +01:00
Code Issues Projects Releases Wiki Activity
core-lightning/tests/fuzz/fuzz-channel_id.c
Matt Morehouse 3192be5c23 fuzz: fix UBSan nullability error 
The issue is that common_setup() wasn't called by the fuzz target,
leaving secp256k1_ctx as NULL.

UBSan error:

$ UBSAN_OPTIONS="print_stacktrace=1:halt_on_error=1" \
    ./fuzz-channel_id crash-1575b41ef09e62e4c09c165e6dc037a110b113f2

INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 1153355603
INFO: Loaded 1 modules   (25915 inline 8-bit counters): 25915 [0x563bae7ac3a8, 0x563bae7b28e3),
INFO: Loaded 1 PC tables (25915 PCs): 25915 [0x563bae7b28e8,0x563bae817c98),
./fuzz-channel_id: Running 1 inputs 1 time(s) each.
Running: crash-1575b41ef09e62e4c09c165e6dc037a110b113f2
bitcoin/pubkey.c:22:33: runtime error: null pointer passed as argument 1, which is declared to never be null
external/libwally-core/src/secp256k1/include/secp256k1.h:373:3: note: nonnull attribute specified here
    #0 0x563bae41e3db in pubkey_from_der bitcoin/pubkey.c:19:7
    #1 0x563bae4205e0 in fromwire_pubkey bitcoin/pubkey.c:111:7
    #2 0x563bae46437c in run tests/fuzz/fuzz-channel_id.c:42:3
    #3 0x563bae2f6016 in LLVMFuzzerTestOneInput tests/fuzz/libfuzz.c:23:2
    #4 0x563bae20a450 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long)
    #5 0x563bae1f4c3f in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long)
    #6 0x563bae1fa6e6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long))
    #7 0x563bae223052 in main (tests/fuzz/fuzz-channel_id+0x181052) (BuildId: f7f56e14ffc06df54ab732d79ea922e773de1f25)
    #8 0x7fa7fa113082 in __libc_start_main
    #9 0x563bae1efbdd in _start

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior bitcoin/pubkey.c:22:33 in
2023-03-23 13:34:24 +10:30

67 lines
1.7 KiB
C
Raw Blame History

#include "config.h"
#include <assert.h>
#include <bitcoin/pubkey.h>
#include <bitcoin/tx.h>
#include <tests/fuzz/libfuzz.h>
#include <common/channel_id.h>
#include <common/setup.h>
#include <wire/wire.h>
void init(int *argc, char ***argv)
{
common_setup("fuzzer");
}
void run(const uint8_t *data, size_t size)
{
struct channel_id chan_id;
struct pubkey basepoint_1, basepoint_2;
struct bitcoin_outpoint outpoint;
const uint8_t **v1_chunks, **v2_chunks, **marshal_chunks;
const uint8_t *wire_ptr;
size_t wire_max;
uint8_t *wire_buf;
/* 32 (txid) + 4 (vout) */
if (size < 36)
return;
v1_chunks = get_chunks(NULL, data, size, 36);
for (size_t i = 0; i < tal_count(v1_chunks); i++) {
wire_ptr = v1_chunks[i];
wire_max = 36;
fromwire_bitcoin_outpoint(&wire_ptr, &wire_max, &outpoint);
assert(wire_ptr);
derive_channel_id(&chan_id, &outpoint);
}
tal_free(v1_chunks);
v2_chunks = get_chunks(NULL, data, size, PUBKEY_CMPR_LEN * 2);
for (size_t i = 0; i < tal_count(v2_chunks); i++) {
wire_ptr = v2_chunks[i];
wire_max = PUBKEY_CMPR_LEN;
fromwire_pubkey(&wire_ptr, &wire_max, &basepoint_1);
if (!wire_ptr)
continue;
wire_max = PUBKEY_CMPR_LEN;
fromwire_pubkey(&wire_ptr, &wire_max, &basepoint_2);
if (!wire_ptr)
continue;
derive_channel_id_v2(&chan_id, &basepoint_1, &basepoint_2);
}
tal_free(v2_chunks);
marshal_chunks = get_chunks(NULL, data, size, 32);
for (size_t i = 0; i < tal_count(marshal_chunks); i++) {
wire_ptr = marshal_chunks[i];
wire_max = tal_count(marshal_chunks[i]);
fromwire_channel_id(&wire_ptr, &wire_max, &chan_id);
wire_buf = tal_arr(NULL, uint8_t, tal_count(marshal_chunks[i]));
towire_channel_id(&wire_buf, &chan_id);
tal_free(wire_buf);
}
tal_free(marshal_chunks);
}
Reference in a new issue View git blame Copy permalink