tests: Add fuzzing harness for miniscript::FromScript(…) #17129

pull practicalswift wants to merge 10 commits into bitcoin:master from practicalswift:fuzzers-miniscript-fromscript changing 10 files +1870 −38
  1. practicalswift commented at 9:13 pm on October 13, 2019: contributor

    Add fuzzing harness for miniscript::FromScript(...).

    Based on sipa’s PR #16800 (rebased on current master).

    Testing this PR

    Run:

     0$ CC=clang CXX=clang++ ./configure --enable-fuzz \
 1      --with-sanitizers=address,fuzzer,undefined
 2$ make
 3$ src/test/fuzz/from_script -max_len=3
 4
 5==1011==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000007d30 at pc 
 6    0x564149ae8922 bp 0x7ffdc121bb90 sp 0x7ffdc121b340
 7
 8$ src/test/fuzz/from_script -max_len=3
 9
10from_script: script/miniscript.cpp:51: miniscript::Type 
11    miniscript::internal::ComputeType(miniscript::NodeType, miniscript::Type, 
12    miniscript::Type, miniscript::Type, const std::vector<Type> &, uint32_t, size_t,
13    size_t, size_t): Assertion `k > 1 && k < n_subs' failed.
14

    The fix to those two issues demonstrated above was submitted a month ago to the upstream repo https://github.com/sipa/miniscript/pull/18 :)

    Here is my suggested patch if you want to try the fuzzer against the fixed version:

     0diff --git a/src/script/miniscript.h b/src/script/miniscript.h
 1index d5bc80f98..9bd3f8426 100644
 2--- a/src/script/miniscript.h
 3+++ b/src/script/miniscript.h
 4@@ -912,6 +912,9 @@ inline NodeRef<Key> DecodeSingle(I& in, I last, const Ctx& ctx) {
 5     }
 6     subs.clear();
 7     if (last - in >= 3 && in[0].first == OP_EQUAL && ParseScriptNumber(in[1], k)) {
 8+        if (k < 2) {
 9+            return {};
10+        }
11         in += 2;
12         while (last - in >= 2 && in[0].first == OP_ADD) {
13             ++in;
14@@ -922,6 +925,9 @@ inline NodeRef<Key> DecodeSingle(I& in, I last, const Ctx& ctx) {
15         auto sub = DecodeSingle<Key>(in, last, ctx);
16         if (!sub) return {};
17         subs.push_back(std::move(sub));
18+        if (k >= subs.size()) {
19+            return {};
20+        }
21         std::reverse(subs.begin(), subs.end());
22         return MakeNodeRef<Key>(NodeType::THRESH, std::move(subs), k);
23     }
  2. fanquake added the label Tests on Oct 13, 2019
  3. DrahtBot commented at 2:26 am on October 14, 2019: member

    The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

    Conflicts

    Reviewers, this pull request conflicts with the following ones:

    • #17229 (tests: Add fuzzing harnesses for various Base{32,58,64} and hex related functions by practicalswift)
    • #17225 (tests: Test serialisation as part of deserialisation fuzzing. Test round-trip equality where possible. by practicalswift)
    • #17136 (tests: Add fuzzing harness for various PSBT related functions by practicalswift)
    • #17109 (tests: Add fuzzing harness for various functions consuming only integrals by practicalswift)
    • #17093 (tests: Add fuzzing harness for various CTx{In,Out} related functions by practicalswift)
    • #17071 (tests: Add fuzzing harness for CheckBlock(…) and other CBlock related functions by practicalswift)
    • #17051 (tests: Add deserialization fuzzing harnesses by practicalswift)
    • #17050 (tests: Add fuzzing harnesses for functions parsing scripts, numbers, JSON and HD keypaths (bip32) by practicalswift)
    • #16710 (build: Enable -Wsuggest-override if available by hebasto)

    If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

  4. practicalswift force-pushed on Oct 14, 2019
  5. practicalswift force-pushed on Oct 14, 2019
  6. practicalswift force-pushed on Oct 17, 2019
  7. DrahtBot added the label Needs rebase on Oct 18, 2019
  8. Abstract out some of the descriptor Span-parsing helpers 5350cd85fb
  9. Add some general std::vector utility functions 
    Added are:

* Vector(arg1,arg2,arg3,...) constructs a vector with the specified
  arguments as elements. The vector's type is derived from the
  arguments. If some of the arguments are rvalue references, they
  will be moved into place rather than copied (which can't be achieved
  using list initialization).

* Cat(vector1,vector2) returns a concatenation of the two vectors,
  efficiently moving elements when relevant.

Vector generalizes (and replaces) the Singleton function in
src/descriptor.cpp, and Cat replaces the Cat function in bech32.cpp
    af31da39e7
  10. Miniscript: type system, script creation, text notation, tests 57a6c0e853
  11. Miniscript: conversion from script aeccaad6ca
  12. Miniscript: ops limit and stack size computation a4471ad5b5
  13. Abstract out DescriptorImpl::KeyToString 20dce1b648
  14. Basic Miniscript support in output descriptors 8220038785
  15. [wip] Fix compilation errors after merge a22c0e9bad
  16. tests: Add corpora suppression (FUZZERS_MISSING_CORPORA) for fuzzers missing in https://github.com/bitcoin-core/qa-assets/tree/master/fuzz_seed_corpus f9548e2b3d
  17. tests: Add fuzzing harness for miniscript::FromScript(...) cada7353c2
  18. practicalswift force-pushed on Oct 23, 2019
  19. DrahtBot removed the label Needs rebase on Oct 23, 2019
  20. practicalswift closed this on Nov 14, 2019
  21. practicalswift deleted the branch on Apr 10, 2021
  22. DrahtBot locked this on Aug 18, 2022


practicalswift DrahtBot

Labels
Tests

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-11-21 15:12 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me