From 654472a461bc9d1603c46dcb7a5b2dc87a44045a Mon Sep 17 00:00:00 2001 From: Dhruv Mehta <856960+dhruv@users.noreply.github.com> Date: Sun, 23 May 2021 08:10:25 -0700 Subject: [fuzz] Add serialization to deserialization test Before commit: 306853 REDUCE cov: 798 ft: 5820 corp: 150/375Kb lim: 68333 exec/s: 1382 rss: 461Mb L: 254/63171 MS: 1 EraseBytes- 1453105 REDUCE cov: 798 ft: 5820 corp: 150/369Kb lim: 79613 exec/s: 1467 rss: 461Mb L: 6027/60873 MS: 1 EraseBytes- After commit: 303389 NEW cov: 1202 ft: 8382 corp: 157/382Kb lim: 68189 exec/s: 1451 rss: 447Mb L: 1386/65459 MS: 1 CopyPart- 1428759 REDUCE cov: 1202 ft: 8512 corp: 169/389Kb lim: 78749 exec/s: 1528 rss: 463Mb L: 1627/60488 MS: 1 EraseBytes- --- src/test/fuzz/p2p_transport_deserializer.cpp | 43 ----------------------- src/test/fuzz/p2p_transport_serialization.cpp | 49 +++++++++++++++++++++++++++ 2 files changed, 49 insertions(+), 43 deletions(-) delete mode 100644 src/test/fuzz/p2p_transport_deserializer.cpp create mode 100644 src/test/fuzz/p2p_transport_serialization.cpp (limited to 'src/test/fuzz') diff --git a/src/test/fuzz/p2p_transport_deserializer.cpp b/src/test/fuzz/p2p_transport_deserializer.cpp deleted file mode 100644 index 3a1fdaad8f..0000000000 --- a/src/test/fuzz/p2p_transport_deserializer.cpp +++ /dev/null @@ -1,43 +0,0 @@ -// Copyright (c) 2019-2020 The Bitcoin Core developers -// Distributed under the MIT software license, see the accompanying -// file COPYING or http://www.opensource.org/licenses/mit-license.php. - -#include -#include -#include -#include - -#include -#include -#include -#include -#include - -void initialize_p2p_transport_deserializer() -{ - SelectParams(CBaseChainParams::REGTEST); -} - -FUZZ_TARGET_INIT(p2p_transport_deserializer, initialize_p2p_transport_deserializer) -{ - // Construct deserializer, with a dummy NodeId - V1TransportDeserializer deserializer{Params(), (NodeId)0, SER_NETWORK, INIT_PROTO_VERSION}; - Span msg_bytes{buffer}; - while (msg_bytes.size() > 0) { - const int handled = deserializer.Read(msg_bytes); - if (handled < 0) { - break; - } - if (deserializer.Complete()) { - const std::chrono::microseconds m_time{std::numeric_limits::max()}; - uint32_t out_err_raw_size{0}; - std::optional result{deserializer.GetMessage(m_time, out_err_raw_size)}; - if (result) { - assert(result->m_command.size() <= CMessageHeader::COMMAND_SIZE); - assert(result->m_raw_message_size <= buffer.size()); - assert(result->m_raw_message_size == CMessageHeader::HEADER_SIZE + result->m_message_size); - assert(result->m_time == m_time); - } - } - } -} diff --git a/src/test/fuzz/p2p_transport_serialization.cpp b/src/test/fuzz/p2p_transport_serialization.cpp new file mode 100644 index 0000000000..2618a2a398 --- /dev/null +++ b/src/test/fuzz/p2p_transport_serialization.cpp @@ -0,0 +1,49 @@ +// Copyright (c) 2019-2020 The Bitcoin Core developers +// Distributed under the MIT software license, see the accompanying +// file COPYING or http://www.opensource.org/licenses/mit-license.php. + +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include + +void initialize_p2p_transport_serialization() +{ + SelectParams(CBaseChainParams::REGTEST); +} + +FUZZ_TARGET_INIT(p2p_transport_serialization, initialize_p2p_transport_serialization) +{ + // Construct deserializer, with a dummy NodeId + V1TransportDeserializer deserializer{Params(), (NodeId)0, SER_NETWORK, INIT_PROTO_VERSION}; + V1TransportSerializer serializer{}; + Span msg_bytes{buffer}; + while (msg_bytes.size() > 0) { + const int handled = deserializer.Read(msg_bytes); + if (handled < 0) { + break; + } + if (deserializer.Complete()) { + const std::chrono::microseconds m_time{std::numeric_limits::max()}; + uint32_t out_err_raw_size{0}; + std::optional result{deserializer.GetMessage(m_time, out_err_raw_size)}; + if (result) { + assert(result->m_command.size() <= CMessageHeader::COMMAND_SIZE); + assert(result->m_raw_message_size <= buffer.size()); + assert(result->m_raw_message_size == CMessageHeader::HEADER_SIZE + result->m_message_size); + assert(result->m_time == m_time); + + std::vector header; + auto msg = CNetMsgMaker{result->m_recv.GetVersion()}.Make(result->m_command, MakeUCharSpan(result->m_recv)); + serializer.prepareForTransport(msg, header); + } + } + } +} -- cgit v1.2.3 From 35571d8d9ec112bd7b6741d10052dded08410c77 Mon Sep 17 00:00:00 2001 From: Dhruv Mehta <856960+dhruv@users.noreply.github.com> Date: Mon, 24 May 2021 20:11:44 -0700 Subject: [fuzz] Occasional valid checksum for transport serialization fuzz test Before commit: Unable to deserialize: 0% Wrong message start : ~1.27% Header too large : ~0.5% Wrong checksum : ~67.99% Invalid message type : ~30.1% 303389 NEW cov: 1202 ft: 8382 corp: 157/382Kb lim: 68189 exec/s: 1451 rss: 447Mb L: 1386/65459 MS: 1 CopyPart- 1428759 REDUCE cov: 1202 ft: 8512 corp: 169/389Kb lim: 78749 exec/s: 1528 rss: 463Mb L: 1627/60488 MS: 1 EraseBytes- After commit(new seeds; old seeds invalidated): Unable to deserialize: 0% Wrong message start : ~45.62% Header too large : ~14.5% Wrong checksum : ~38.13% Invalid message type : ~1.78% 304820 NEW cov: 1440 ft: 4452 corp: 92/12551b lim: 2237 exec/s: 3386 rss: 486Mb L: 47/1111 MS: 1 ChangeByte- 1416181 REDUCE cov: 1442 ft: 5681 corp: 125/59Kb lim: 4096 exec/s: 3522 rss: 535Mb L: 2164/4049 MS: 1 EraseBytes- --- src/test/fuzz/p2p_transport_serialization.cpp | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) (limited to 'src/test/fuzz') diff --git a/src/test/fuzz/p2p_transport_serialization.cpp b/src/test/fuzz/p2p_transport_serialization.cpp index 2618a2a398..c29d8e7039 100644 --- a/src/test/fuzz/p2p_transport_serialization.cpp +++ b/src/test/fuzz/p2p_transport_serialization.cpp @@ -3,9 +3,11 @@ // file COPYING or http://www.opensource.org/licenses/mit-license.php. #include +#include #include #include #include +#include #include #include @@ -24,7 +26,25 @@ FUZZ_TARGET_INIT(p2p_transport_serialization, initialize_p2p_transport_serializa // Construct deserializer, with a dummy NodeId V1TransportDeserializer deserializer{Params(), (NodeId)0, SER_NETWORK, INIT_PROTO_VERSION}; V1TransportSerializer serializer{}; - Span msg_bytes{buffer}; + FuzzedDataProvider fuzzed_data_provider{buffer.data(), buffer.size()}; + + auto checksum_assist = fuzzed_data_provider.ConsumeBool(); + int header_random_bytes_count = checksum_assist ? CMessageHeader::CHECKSUM_OFFSET : CMessageHeader :: HEADER_SIZE; + auto mutable_msg_bytes = fuzzed_data_provider.ConsumeBytes(header_random_bytes_count); + auto payload_bytes = fuzzed_data_provider.ConsumeRemainingBytes(); + + if (checksum_assist && mutable_msg_bytes.size() == CMessageHeader::CHECKSUM_OFFSET) { + CHash256 hasher; + unsigned char hsh[32]; + hasher.Write(payload_bytes); + hasher.Finalize(hsh); + for (size_t i = 0; i < CMessageHeader::CHECKSUM_SIZE; ++i) { + mutable_msg_bytes.push_back(hsh[i]); + } + } + + mutable_msg_bytes.insert(mutable_msg_bytes.end(), payload_bytes.begin(), payload_bytes.end()); + Span msg_bytes{mutable_msg_bytes}; while (msg_bytes.size() > 0) { const int handled = deserializer.Read(msg_bytes); if (handled < 0) { @@ -36,7 +56,7 @@ FUZZ_TARGET_INIT(p2p_transport_serialization, initialize_p2p_transport_serializa std::optional result{deserializer.GetMessage(m_time, out_err_raw_size)}; if (result) { assert(result->m_command.size() <= CMessageHeader::COMMAND_SIZE); - assert(result->m_raw_message_size <= buffer.size()); + assert(result->m_raw_message_size <= mutable_msg_bytes.size()); assert(result->m_raw_message_size == CMessageHeader::HEADER_SIZE + result->m_message_size); assert(result->m_time == m_time); -- cgit v1.2.3 From e33714557747dd479f123425aa2dd08d272ef377 Mon Sep 17 00:00:00 2001 From: Dhruv Mehta <856960+dhruv@users.noreply.github.com> Date: Mon, 24 May 2021 22:14:23 -0700 Subject: [fuzz] Occasional valid magic bytes for transport serialization test Before commit: Unable to deserialize : 0% Wrong message start : ~45.62% Header too large : ~14.5% Wrong checksum : ~38.13% Invalid message type : ~1.78% 304820 NEW cov: 1440 ft: 4452 corp: 92/12551b lim: 2237 exec/s: 3386 rss: 486Mb L: 47/1111 MS: 1 ChangeByte- 1416181 REDUCE cov: 1442 ft: 5681 corp: 125/59Kb lim: 4096 exec/s: 3522 rss: 535Mb L: 2164/4049 MS: 1 EraseBytes- After commit: Unable to deserialize : 0% Wrong message start : ~39.6% Header too large : ~30.85% Wrong checksum : ~25.54% Invalid message type : ~4.01% 302684 NEW cov: 1454 ft: 3936 corp: 84/7056b lim: 2424 exec/s: 4146 rss: 477Mb L: 65/1108 MS: 3 CopyPart-CrossOver-CMP- DE: "\x0e\x00\x00\x00"- 1383925 REDUCE cov: 1454 ft: 4828 corp: 102/14573b lim: 4096 exec/s: 3954 rss: 534Mb L: 116/4050 MS: 2 EraseBytes-ChangeByte- --- src/test/fuzz/p2p_transport_serialization.cpp | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) (limited to 'src/test/fuzz') diff --git a/src/test/fuzz/p2p_transport_serialization.cpp b/src/test/fuzz/p2p_transport_serialization.cpp index c29d8e7039..edee5aeef7 100644 --- a/src/test/fuzz/p2p_transport_serialization.cpp +++ b/src/test/fuzz/p2p_transport_serialization.cpp @@ -29,8 +29,24 @@ FUZZ_TARGET_INIT(p2p_transport_serialization, initialize_p2p_transport_serializa FuzzedDataProvider fuzzed_data_provider{buffer.data(), buffer.size()}; auto checksum_assist = fuzzed_data_provider.ConsumeBool(); - int header_random_bytes_count = checksum_assist ? CMessageHeader::CHECKSUM_OFFSET : CMessageHeader :: HEADER_SIZE; - auto mutable_msg_bytes = fuzzed_data_provider.ConsumeBytes(header_random_bytes_count); + auto magic_bytes_assist = fuzzed_data_provider.ConsumeBool(); + std::vector mutable_msg_bytes; + + auto header_bytes_remaining = CMessageHeader::HEADER_SIZE; + if (magic_bytes_assist) { + auto msg_start = Params().MessageStart(); + for (size_t i = 0; i < CMessageHeader::MESSAGE_SIZE_SIZE; ++i) { + mutable_msg_bytes.push_back(msg_start[i]); + } + header_bytes_remaining -= CMessageHeader::MESSAGE_SIZE_SIZE; + } + + if (checksum_assist) { + header_bytes_remaining -= CMessageHeader::CHECKSUM_SIZE; + } + + auto header_random_bytes = fuzzed_data_provider.ConsumeBytes(header_bytes_remaining); + mutable_msg_bytes.insert(mutable_msg_bytes.end(), header_random_bytes.begin(), header_random_bytes.end()); auto payload_bytes = fuzzed_data_provider.ConsumeRemainingBytes(); if (checksum_assist && mutable_msg_bytes.size() == CMessageHeader::CHECKSUM_OFFSET) { -- cgit v1.2.3