bitcoin-bitcoin-core/src/test/fuzz/process_message.cpp

// Copyright (c) 2020-2021 The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.

#include <banman.h>
#include <chainparams.h>
#include <consensus/consensus.h>
#include <net.h>
#include <net_processing.h>
#include <protocol.h>
#include <scheduler.h>
#include <script/script.h>
#include <streams.h>
#include <test/fuzz/FuzzedDataProvider.h>
#include <test/fuzz/fuzz.h>
#include <test/fuzz/util.h>
#include <test/util/mining.h>
#include <test/util/net.h>
#include <test/util/setup_common.h>
#include <test/util/validation.h>
#include <txorphanage.h>
#include <validationinterface.h>
#include <version.h>

#include <atomic>
#include <cassert>
#include <chrono>
#include <cstdint>
#include <iosfwd>
#include <iostream>
#include <memory>
#include <string>

namespace {
const TestingSetup* g_setup;
} // namespace

size_t& GetNumMsgTypes()
{
    static size_t g_num_msg_types{0};
    return g_num_msg_types;
}
#define FUZZ_TARGET_MSG(msg_type)                                            \
    struct msg_type##_Count_Before_Main {                                    \
        msg_type##_Count_Before_Main()                                       \
        {                                                                    \
            ++GetNumMsgTypes();                                              \
        }                                                                    \
    } const static g_##msg_type##_count_before_main;                         \
    FUZZ_TARGET_INIT(process_message_##msg_type, initialize_process_message) \
    {                                                                        \
        fuzz_target(buffer, #msg_type);                                      \
    }

void initialize_process_message()
{
    Assert(GetNumMsgTypes() == getAllNetMessageTypes().size()); // If this fails, add or remove the message type below

    static const auto testing_setup = MakeNoLogFileContext<const TestingSetup>();
    g_setup = testing_setup.get();
    for (int i = 0; i < 2 * COINBASE_MATURITY; i++) {
        MineBlock(g_setup->m_node, CScript() << OP_TRUE);
    }
    SyncWithValidationInterfaceQueue();
}

void fuzz_target(FuzzBufferType buffer, const std::string& LIMIT_TO_MESSAGE_TYPE)
{
    FuzzedDataProvider fuzzed_data_provider(buffer.data(), buffer.size());

    ConnmanTestMsg& connman = *static_cast<ConnmanTestMsg*>(g_setup->m_node.connman.get());
    TestChainState& chainstate = *static_cast<TestChainState*>(&g_setup->m_node.chainman->ActiveChainstate());
    SetMockTime(1610000000); // any time to successfully reset ibd
    chainstate.ResetIbd();

    const std::string random_message_type{fuzzed_data_provider.ConsumeBytesAsString(CMessageHeader::COMMAND_SIZE).c_str()};
    if (!LIMIT_TO_MESSAGE_TYPE.empty() && random_message_type != LIMIT_TO_MESSAGE_TYPE) {
        return;
    }
    CNode& p2p_node = *ConsumeNodeAsUniquePtr(fuzzed_data_provider).release();

    connman.AddTestNode(p2p_node);
    g_setup->m_node.peerman->InitializeNode(&p2p_node);
    FillNode(fuzzed_data_provider, connman, *g_setup->m_node.peerman, p2p_node);

    const auto mock_time = ConsumeTime(fuzzed_data_provider);
    SetMockTime(mock_time);

    // fuzzed_data_provider is fully consumed after this call, don't use it
    CDataStream random_bytes_data_stream{fuzzed_data_provider.ConsumeRemainingBytes<unsigned char>(), SER_NETWORK, PROTOCOL_VERSION};
    try {
        g_setup->m_node.peerman->ProcessMessage(p2p_node, random_message_type, random_bytes_data_stream,
                                                GetTime<std::chrono::microseconds>(), std::atomic<bool>{false});
    } catch (const std::ios_base::failure&) {
    }
    {
        LOCK(p2p_node.cs_sendProcessing);
        g_setup->m_node.peerman->SendMessages(&p2p_node);
    }
    SyncWithValidationInterfaceQueue();
    g_setup->m_node.connman->StopNodes();
}

FUZZ_TARGET_INIT(process_message, initialize_process_message) { fuzz_target(buffer, ""); }
FUZZ_TARGET_MSG(addr);
FUZZ_TARGET_MSG(addrv2);
FUZZ_TARGET_MSG(block);
FUZZ_TARGET_MSG(blocktxn);
FUZZ_TARGET_MSG(cfcheckpt);
FUZZ_TARGET_MSG(cfheaders);
FUZZ_TARGET_MSG(cfilter);
FUZZ_TARGET_MSG(cmpctblock);
FUZZ_TARGET_MSG(feefilter);
FUZZ_TARGET_MSG(filteradd);
FUZZ_TARGET_MSG(filterclear);
FUZZ_TARGET_MSG(filterload);
FUZZ_TARGET_MSG(getaddr);
FUZZ_TARGET_MSG(getblocks);
FUZZ_TARGET_MSG(getblocktxn);
FUZZ_TARGET_MSG(getcfcheckpt);
FUZZ_TARGET_MSG(getcfheaders);
FUZZ_TARGET_MSG(getcfilters);
FUZZ_TARGET_MSG(getdata);
FUZZ_TARGET_MSG(getheaders);
FUZZ_TARGET_MSG(headers);
FUZZ_TARGET_MSG(inv);
FUZZ_TARGET_MSG(mempool);
FUZZ_TARGET_MSG(merkleblock);
FUZZ_TARGET_MSG(notfound);
FUZZ_TARGET_MSG(ping);
FUZZ_TARGET_MSG(pong);
FUZZ_TARGET_MSG(sendaddrv2);
FUZZ_TARGET_MSG(sendcmpct);
FUZZ_TARGET_MSG(sendheaders);
FUZZ_TARGET_MSG(tx);
FUZZ_TARGET_MSG(verack);
FUZZ_TARGET_MSG(version);
FUZZ_TARGET_MSG(wtxidrelay);
scripted-diff: Rename MakeFuzzingContext to MakeNoLogFileContext -BEGIN VERIFY SCRIPT- # Rename sed -i -e 's/MakeFuzzingContext/MakeNoLogFileContext/g' $(git grep -l MakeFuzzingContext) # Bump the copyright of touched files in this scripted diff to avoid touching them again later ./contrib/devtools/copyright_header.py update ./src/test/fuzz/ -END VERIFY SCRIPT- 2021-01-25 12:23:45 +01:00			`// Copyright (c) 2020-2021 The Bitcoin Core developers`
tests: Add fuzzing harness for ProcessMessage(...) 2020-01-22 20:23:48 +00:00			`// Distributed under the MIT software license, see the accompanying`
			`// file COPYING or http://www.opensource.org/licenses/mit-license.php.`

			`#include <banman.h>`
			`#include <chainparams.h>`
			`#include <consensus/consensus.h>`
			`#include <net.h>`
			`#include <net_processing.h>`
			`#include <protocol.h>`
			`#include <scheduler.h>`
			`#include <script/script.h>`
			`#include <streams.h>`
			`#include <test/fuzz/FuzzedDataProvider.h>`
			`#include <test/fuzz/fuzz.h>`
fuzz: Use ConsumeNode in process_message target 2020-12-28 21:52:40 +01:00			`#include <test/fuzz/util.h>`
tests: Add fuzzing harness for ProcessMessage(...) 2020-01-22 20:23:48 +00:00			`#include <test/util/mining.h>`
fuzz: Give CNode ownership to ConnmanTestMsg in process_message fuzz harness 2020-05-10 20:12:25 -04:00			`#include <test/util/net.h>`
tests: Add fuzzing harness for ProcessMessage(...) 2020-01-22 20:23:48 +00:00			`#include <test/util/setup_common.h>`
test: Mock IBD in net_processing fuzzers 2020-11-06 15:03:51 +01:00			`#include <test/util/validation.h>`
move-only: Add txorphanage module This module captures orphan tracking code for tx relay. Can be reviewed with --color-moved=dimmed-zebra 2021-01-31 00:55:54 +10:00			`#include <txorphanage.h>`
tests: Add fuzzing harness for ProcessMessage(...) 2020-01-22 20:23:48 +00:00			`#include <validationinterface.h>`
			`#include <version.h>`

			`#include <atomic>`
			`#include <cassert>`
			`#include <chrono>`
			`#include <cstdint>`
			`#include <iosfwd>`
			`#include <iostream>`
			`#include <memory>`
			`#include <string>`

			`namespace {`
fuzz: Disable debug log file 2020-04-08 19:48:38 -04:00			`const TestingSetup* g_setup;`
tests: Add fuzzing harness for ProcessMessage(...) 2020-01-22 20:23:48 +00:00			`} // namespace`

fuzz: Count message type fuzzers before main() 2021-01-12 17:51:14 +01:00			`size_t& GetNumMsgTypes()`
			`{`
			`static size_t g_num_msg_types{0};`
			`return g_num_msg_types;`
			`}`
			`#define FUZZ_TARGET_MSG(msg_type) \`
			`struct msg_type##_Count_Before_Main { \`
			`msg_type##_Count_Before_Main() \`
			`{ \`
			`++GetNumMsgTypes(); \`
			`} \`
			`} const static g_##msg_type##_count_before_main; \`
			`FUZZ_TARGET_INIT(process_message_##msg_type, initialize_process_message) \`
			`{ \`
			`fuzz_target(buffer, #msg_type); \`
			`}`

fuzz: Link all targets once 2020-12-03 16:42:49 +01:00			`void initialize_process_message()`
tests: Add fuzzing harness for ProcessMessage(...) 2020-01-22 20:23:48 +00:00			`{`
fuzz: Fail if message type is not fuzzed 2021-01-12 18:23:59 +01:00			`Assert(GetNumMsgTypes() == getAllNetMessageTypes().size()); // If this fails, add or remove the message type below`

scripted-diff: Rename MakeFuzzingContext to MakeNoLogFileContext -BEGIN VERIFY SCRIPT- # Rename sed -i -e 's/MakeFuzzingContext/MakeNoLogFileContext/g' $(git grep -l MakeFuzzingContext) # Bump the copyright of touched files in this scripted diff to avoid touching them again later ./contrib/devtools/copyright_header.py update ./src/test/fuzz/ -END VERIFY SCRIPT- 2021-01-25 12:23:45 +01:00			`static const auto testing_setup = MakeNoLogFileContext<const TestingSetup>();`
fuzz: Consolidate fuzzing TestingSetup initialization Previously, the {Basic,}TestingSetup for fuzzers were set up in many ways: 1. Calling InitializeFuzzingContext, which implicitly constructs a static const BasicTestingSetup 2. Directly constructing a static const BasicTestingSetup in the initialize_* function 3. Directly constructing a static TestingSetup and reproducing the initialization arguments (I'm assuming because InitializeFuzzingContext only initializes a BasicTestingSetup) The new, relatively-simple MakeFuzzingContext function allows us to consolidate these methods of initialization by being flexible enough to be used in all situations. It: 1. Is templated so that we can choose to initialize any of the *TestingSetup classes 2. Has sane defaults which are often used in fuzzers but are also easily overridable 3. Returns a unique_ptr, explicitly transferring ownership to the caller to deal with according to its situation 2021-01-15 15:31:50 -05:00			`g_setup = testing_setup.get();`
tests: Add fuzzing harness for ProcessMessage(...) 2020-01-22 20:23:48 +00:00			`for (int i = 0; i < 2 * COINBASE_MATURITY; i++) {`
			`MineBlock(g_setup->m_node, CScript() << OP_TRUE);`
			`}`
			`SyncWithValidationInterfaceQueue();`
			`}`

fuzz: Avoid extraneous copy of input data, using Span<> 2021-01-02 19:29:36 +01:00			`void fuzz_target(FuzzBufferType buffer, const std::string& LIMIT_TO_MESSAGE_TYPE)`
tests: Add fuzzing harness for ProcessMessage(...) 2020-01-22 20:23:48 +00:00			`{`
			`FuzzedDataProvider fuzzed_data_provider(buffer.data(), buffer.size());`
fuzz: Use mocktime in process_message* fuzz targets 2021-01-10 16:41:52 +01:00
fuzz: Style fixups 2021-03-23 11:04:18 +01:00			`ConnmanTestMsg& connman = static_cast<ConnmanTestMsg>(g_setup->m_node.connman.get());`
			`TestChainState& chainstate = static_cast<TestChainState>(&g_setup->m_node.chainman->ActiveChainstate());`
fuzz: Use mocktime in process_message* fuzz targets 2021-01-10 16:41:52 +01:00			`SetMockTime(1610000000); // any time to successfully reset ibd`
test: Mock IBD in net_processing fuzzers 2020-11-06 15:03:51 +01:00			`chainstate.ResetIbd();`
fuzz: Use mocktime in process_message* fuzz targets 2021-01-10 16:41:52 +01:00
tests: Add fuzzing harness for ProcessMessage(...) 2020-01-22 20:23:48 +00:00			`const std::string random_message_type{fuzzed_data_provider.ConsumeBytesAsString(CMessageHeader::COMMAND_SIZE).c_str()};`
			`if (!LIMIT_TO_MESSAGE_TYPE.empty() && random_message_type != LIMIT_TO_MESSAGE_TYPE) {`
			`return;`
			`}`
fuzz: Use ConsumeNode in process_message target 2020-12-28 21:52:40 +01:00			`CNode& p2p_node = *ConsumeNodeAsUniquePtr(fuzzed_data_provider).release();`
fuzz: Avoid initializing version to less than MIN_PEER_PROTO_VERSION 2021-01-23 19:39:30 +01:00
fuzz: Give CNode ownership to ConnmanTestMsg in process_message fuzz harness 2020-05-10 20:12:25 -04:00			`connman.AddTestNode(p2p_node);`
scripted-diff: [net processing] Rename PeerLogicValidation to PeerManager -BEGIN VERIFY SCRIPT- sed -i 's/PeerLogicValidation/PeerManager/g' $(git grep -l PeerLogicValidation ./src ./test) sed -i 's/peer_logic/peerman/g' $(git grep -l peer_logic ./src ./test) -END VERIFY SCRIPT- PeerLogicValidation was originally net_processing's implementation to the validation interface. It has since grown to contain much of net_processing's logic. Therefore rename it to reflect its responsibilities. Suggested in https://github.com/bitcoin/bitcoin/pull/10756#pullrequestreview-53892618. 2020-08-29 10:31:11 +01:00			`g_setup->m_node.peerman->InitializeNode(&p2p_node);`
refactor: Set fSuccessfullyConnected in FillNode Also, pass ConnmanTestMsg& and PeerManager& (needed for later commits). 2021-11-22 16:06:55 +01:00			`FillNode(fuzzed_data_provider, connman, *g_setup->m_node.peerman, p2p_node);`
fuzz: Use ConsumeNode in process_message target 2020-12-28 21:52:40 +01:00
fuzz: Use mocktime in process_message* fuzz targets 2021-01-10 16:41:52 +01:00			`const auto mock_time = ConsumeTime(fuzzed_data_provider);`
			`SetMockTime(mock_time);`

fuzz: Use ConsumeNode in process_message target 2020-12-28 21:52:40 +01:00			`// fuzzed_data_provider is fully consumed after this call, don't use it`
			`CDataStream random_bytes_data_stream{fuzzed_data_provider.ConsumeRemainingBytes<unsigned char>(), SER_NETWORK, PROTOCOL_VERSION};`
tests: Add fuzzing harness for ProcessMessage(...) 2020-01-22 20:23:48 +00:00			`try {`
scripted-diff: [net processing] Rename PeerLogicValidation to PeerManager -BEGIN VERIFY SCRIPT- sed -i 's/PeerLogicValidation/PeerManager/g' $(git grep -l PeerLogicValidation ./src ./test) sed -i 's/peer_logic/peerman/g' $(git grep -l peer_logic ./src ./test) -END VERIFY SCRIPT- PeerLogicValidation was originally net_processing's implementation to the validation interface. It has since grown to contain much of net_processing's logic. Therefore rename it to reflect its responsibilities. Suggested in https://github.com/bitcoin/bitcoin/pull/10756#pullrequestreview-53892618. 2020-08-29 10:31:11 +01:00			`g_setup->m_node.peerman->ProcessMessage(p2p_node, random_message_type, random_bytes_data_stream,`
test: Mock IBD in net_processing fuzzers 2020-11-06 15:03:51 +01:00			`GetTime<std::chrono::microseconds>(), std::atomic<bool>{false});`
fuzz: Remove enumeration of expected deserialization exceptions in ProcessMessage(...) fuzzer 2020-04-24 12:29:47 +00:00			`} catch (const std::ios_base::failure&) {`
tests: Add fuzzing harness for ProcessMessage(...) 2020-01-22 20:23:48 +00:00			`}`
fuzz: Call SendMessages after ProcessMessage to increase coverage 2020-11-12 18:06:00 +01:00			`{`
			`LOCK(p2p_node.cs_sendProcessing);`
			`g_setup->m_node.peerman->SendMessages(&p2p_node);`
			`}`
tests: Add fuzzing harness for ProcessMessage(...) 2020-01-22 20:23:48 +00:00			`SyncWithValidationInterfaceQueue();`
fuzz: Stop nodes in process_message* fuzzers 2020-05-04 20:16:22 -04:00			`g_setup->m_node.connman->StopNodes();`
tests: Add fuzzing harness for ProcessMessage(...) 2020-01-22 20:23:48 +00:00			`}`
fuzz: Link all targets once 2020-12-03 16:42:49 +01:00
			`FUZZ_TARGET_INIT(process_message, initialize_process_message) { fuzz_target(buffer, ""); }`
fuzz: Count message type fuzzers before main() 2021-01-12 17:51:14 +01:00			`FUZZ_TARGET_MSG(addr);`
fuzz: Fail if message type is not fuzzed 2021-01-12 18:23:59 +01:00			`FUZZ_TARGET_MSG(addrv2);`
fuzz: Count message type fuzzers before main() 2021-01-12 17:51:14 +01:00			`FUZZ_TARGET_MSG(block);`
			`FUZZ_TARGET_MSG(blocktxn);`
fuzz: Fail if message type is not fuzzed 2021-01-12 18:23:59 +01:00			`FUZZ_TARGET_MSG(cfcheckpt);`
			`FUZZ_TARGET_MSG(cfheaders);`
			`FUZZ_TARGET_MSG(cfilter);`
fuzz: Count message type fuzzers before main() 2021-01-12 17:51:14 +01:00			`FUZZ_TARGET_MSG(cmpctblock);`
			`FUZZ_TARGET_MSG(feefilter);`
			`FUZZ_TARGET_MSG(filteradd);`
			`FUZZ_TARGET_MSG(filterclear);`
			`FUZZ_TARGET_MSG(filterload);`
			`FUZZ_TARGET_MSG(getaddr);`
			`FUZZ_TARGET_MSG(getblocks);`
			`FUZZ_TARGET_MSG(getblocktxn);`
fuzz: Fail if message type is not fuzzed 2021-01-12 18:23:59 +01:00			`FUZZ_TARGET_MSG(getcfcheckpt);`
			`FUZZ_TARGET_MSG(getcfheaders);`
			`FUZZ_TARGET_MSG(getcfilters);`
fuzz: Count message type fuzzers before main() 2021-01-12 17:51:14 +01:00			`FUZZ_TARGET_MSG(getdata);`
			`FUZZ_TARGET_MSG(getheaders);`
			`FUZZ_TARGET_MSG(headers);`
			`FUZZ_TARGET_MSG(inv);`
			`FUZZ_TARGET_MSG(mempool);`
fuzz: Fail if message type is not fuzzed 2021-01-12 18:23:59 +01:00			`FUZZ_TARGET_MSG(merkleblock);`
fuzz: Count message type fuzzers before main() 2021-01-12 17:51:14 +01:00			`FUZZ_TARGET_MSG(notfound);`
			`FUZZ_TARGET_MSG(ping);`
			`FUZZ_TARGET_MSG(pong);`
fuzz: Fail if message type is not fuzzed 2021-01-12 18:23:59 +01:00			`FUZZ_TARGET_MSG(sendaddrv2);`
fuzz: Count message type fuzzers before main() 2021-01-12 17:51:14 +01:00			`FUZZ_TARGET_MSG(sendcmpct);`
			`FUZZ_TARGET_MSG(sendheaders);`
			`FUZZ_TARGET_MSG(tx);`
			`FUZZ_TARGET_MSG(verack);`
			`FUZZ_TARGET_MSG(version);`
fuzz: Fail if message type is not fuzzed 2021-01-12 18:23:59 +01:00			`FUZZ_TARGET_MSG(wtxidrelay);`