This adds a new configuration, --enable-fuzzing (which is more than welcome to be coupled with --enable-address-sanitizer), to pass the fuzzer sanitizer argument when compiling objects. This allows libfuzzer to actually be able "to fuzz" by detecting coverage and be smart when mutating inputs. As libfuzzer brings its own ~~fees~~ main(), we compile objects with fsanitize=fuzzer-no-link, and special-case the linkage of the fuzz targets. A "lib" is added to abstract out the interface to the fuzzing tool used. This allows us to use the same targets to fuzz using AFL, honggfuzz or w/e by adding their entrypoints into libfuzz. (h/t to practicalswift who introduced this for bitcoin-core, which i mimicked) Signed-off-by: Antoine Poinsot <darosior@protonmail.com>travis-experimental
Antoine Poinsot
4 years ago
committed by
Christian Decker
6 changed files with 127 additions and 6 deletions
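--- /dev/null
+++ b/[path not shown on page: fuzz Makefile]
@@ -0,0 +1,30 @@
+LIBFUZZ_SRC := tests/fuzz/libfuzz.c
+LIBFUZZ_HEADERS := $(LIBFUZZ_SRC:.c=.h)
+LIBFUZZ_OBJS := $(LIBFUZZ_SRC:.c=.o)
+
+
+FUZZ_TARGETS_SRC := $(wildcard tests/fuzz/fuzz-*.c)
+FUZZ_TARGETS_OBJS := $(FUZZ_TARGETS_SRC:.c=.o)
+FUZZ_TARGETS_BIN := $(FUZZ_TARGETS_SRC:.c=)
+
+FUZZ_COMMON_OBJS := \
+common/utils.o
+$(FUZZ_TARGETS_OBJS): $(COMMON_HEADERS) $(WIRE_HEADERS) $(COMMON_SRC)
+$(FUZZ_TARGETS_BIN): $(LIBFUZZ_OBJS) $(FUZZ_COMMON_OBJS) $(BITCOIN_OBJS)
+
+tests/fuzz/fuzz-addr: \
+common/amount.o \
+common/addr.o \
+common/base32.o \
+common/bech32.o \
+common/bigsize.o \
+common/json.o \
+common/json_stream.o \
+common/wireaddr.o \
+common/type_to_string.o \
+wire/fromwire.o \
+wire/onion_wiregen.o \
+wire/towire.o
+
+ALL_C_SOURCES += $(FUZZ_TARGETS_SRC) $(LIBFUZZ_SRC)
+ALL_FUZZ_TARGETS += $(FUZZ_TARGETS_BIN)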
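Review bot: `$(FUZZ_TARGETS_OBJS): $(COMMON_HEADERS) $(WIRE_HEADERS) $(COMMON_SRC)` leaves out `$(LIBFUZZ_HEADERS)`, so a fuzz target object is not rebuilt after an edit to tests/fuzz/libfuzz.h even though every target includes that header; `LIBFUZZ_HEADERS` is defined on the third line of the file and otherwise never used. Suggest `$(FUZZ_TARGETS_OBJS): $(COMMON_HEADERS) $(WIRE_HEADERS) $(COMMON_SRC) $(LIBFUZZ_HEADERS)`. The `-fsanitize=fuzzer` link rule that the description says is special-cased for the fuzz targets is not in this file, so presumably it lives in one of the two changed files not in view; a one-line comment above `$(FUZZ_TARGETS_BIN):` pointing at where the link flags come from would save the next reader the search.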
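--- /dev/null
+++ b/tests/fuzz/fuzz-addr.c
@@ -0,0 +1,22 @@
+#include "common/utils.h"
+#include <stdint.h>
+#include <tests/fuzz/libfuzz.h>
+
+#include <ccan/ccan/tal/tal.h>
+#include <common/addr.h>
+#include <common/setup.h>
+
+void init(int *argc, char ***argv)
+{
+chainparams = chainparams_for_network("bitcoin");
+common_setup("fuzzer");
+}
+
+void run(const uint8_t *data, size_t size)
+{
+uint8_t *script_pubkey = tal_dup_arr(tmpctx, uint8_t, data, size, 0);
+
+encode_scriptpubkey_to_addr(tmpctx, chainparams, script_pubkey);
+
+clean_tmpctx();
+}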
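Review bot: The `tal_dup_arr` copy in `run()` needs a why-comment: the fuzzer's buffer is already readable, so a reader will take the copy for wasted work, and the likely reason — that `encode_scriptpubkey_to_addr()` sizes the script from the tal array rather than from a length argument — is not visible here; confirm and state it, e.g. `/* The callee expects a tal array (it carries its own length), so copy the fuzzer buffer into tmpctx. */`. `init()` ignores `argc`/`argv`; if the fuzz build runs with -Wextra that is a warning per target, and the header should say targets may ignore them. `#include "common/utils.h"` uses the quoted form while every other include in the file uses angle brackets; `#include <common/utils.h>` matches the surrounding lines.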
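--- /dev/null
+++ b/tests/fuzz/libfuzz.c
@@ -0,0 +1,16 @@
+#include <tests/fuzz/libfuzz.h>
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+int LLVMFuzzerInitialize(int *argc, char ***argv);
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+run(data, size);
+
+return 0;
+}
+
+int LLVMFuzzerInitialize(int *argc, char ***argv) {
+init(argc, argv);
+
+return 0;
+}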
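Review bot: `get_chunks()` is declared in the new libfuzz.h (`const uint8_t **get_chunks(const void *ctx, const uint8_t *data, size_t data_size, size_t chunk_size);`) but this file, shown in full, defines only the two LLVMFuzzer entry points, so the first target that calls it fails to link unless a definition sits in one of the two changed files not in view; either add the definition here or drop the prototype until it is implemented. The definitions also put the opening brace on the signature line (`int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {`), whereas fuzz-addr.c in the same commit puts it on its own line; `int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)` followed by `{` on the next line keeps the two files consistent. A file comment would also help, since the description says other engines are meant to plug in here: `/* libFuzzer glue: maps the LLVMFuzzer* entry points onto the engine-agnostic init()/run() declared in libfuzz.h. */`.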
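--- /dev/null
+++ b/tests/fuzz/libfuzz.h
@@ -0,0 +1,18 @@
+#ifndef LIGHTNING_TESTS_FUZZ_LIBFUZZ_H
+#define LIGHTNING_TESTS_FUZZ_LIBFUZZ_H
+
+#include <stddef.h>
+#include <stdint.h>
+
+/* Called once before running the target. Use it to setup the testing
+ * environment. */
+void init(int *argc, char ***argv);
+
+/* The actual target called multiple times with mutated data. */
+void run(const uint8_t *data, size_t size);
+
+/* Copy an array of chunks from data. */
+const uint8_t **get_chunks(const void *ctx, const uint8_t *data,
+size_t data_size, size_t chunk_size);
+
+#endif /* LIGHTNING_TESTS_FUZZ_LIBFUZZ_H */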
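Review bot: The `get_chunks()` comment `/* Copy an array of chunks from data. */` leaves the contract unspecified: a caller cannot tell whether the returned pointers and the chunks are allocated on `ctx` (and freed with it), how the caller learns how many chunks the array holds, or what happens to the tail when `data_size` is not a multiple of `chunk_size`. A docstring stating ownership, the count (e.g. readable from the tal array length, if that is the design) and the remainder rule is needed before targets build on it. The `init()` comment should also say that `argc`/`argv` are the fuzzing engine's arguments and that a target may ignore them, since fuzz-addr.c in this commit does exactly that, and the `run()` comment should state that `data` is read-only and owned by the engine, which is why a target that needs a mutable or tal-sized copy must make one.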