fuzz-tests: Add a test for `fundee_channel()`
fundee_channel() in openingd/openingd.c is responsible for handling incoming open_channel messages from a peer. Since it deals with external input, add a test for it.
Checklist
Before submitting the PR, ensure the following tasks are completed. If an item is not applicable to your PR, please mark it as checked:
- [x] The changelog has been updated in the relevant commit(s) according to the guidelines.
- [x] Tests have been added or modified to reflect the changes.
- [x] Documentation has been reviewed and updated as needed.
- [x] Related issues have been listed and linked, including any that this PR closes.
The latest push triggers the `Assertion 'bitcoin_tx_check(tx)' failed.` bug when run on the corpus for some time even though it disables all the developer options...

> The latest push triggers the `Assertion 'bitcoin_tx_check(tx)' failed.` bug when run on the corpus for some time even though it disables all the developer options...
I looked into this. It seems that `state->localconf->dust_limit` is getting set to a really high value, which causes this problem. CLN normally sets this value to 546, so probably we should also be setting it to that.

> I looked into this. It seems that `state->localconf->dust_limit` is getting set to a really high value, which causes this problem. CLN normally sets this value to 546, so probably we should also be setting it to that.
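As an added illustration (not code from this PR or from Core Lightning), a constructed model of the rule a fuzzer-chosen `dust_limit` interacts with: BOLT #3 drops every commitment output below the local dust limit, so a huge limit leaves nothing to sign. The struct, function names, balances and the stand-in for `bitcoin_tx_check()` are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of BOLT #3 output trimming: every commitment output whose
 * value is below the local dust_limit is dropped. Added illustration only, not
 * openingd's initial_commit_tx(); names, balances and the check are assumptions. */

#define CLN_DEFAULT_DUST_LIMIT_SAT 546	/* the value the review suggests using */

struct model_tx {
	size_t num_outputs;
	uint64_t output_sat[2];		/* to_local and to_remote only, no HTLCs */
};

/* Keep each balance as an output only if it clears dust_limit. */
static struct model_tx build_commit_tx(uint64_t to_local_sat, uint64_t to_remote_sat,
				       uint64_t dust_limit_sat)
{
	struct model_tx tx = { .num_outputs = 0 };
	uint64_t balances[2] = { to_local_sat, to_remote_sat };

	for (size_t i = 0; i < 2; i++)
		if (balances[i] >= dust_limit_sat)
			tx.output_sat[tx.num_outputs++] = balances[i];
	return tx;
}

/* Stand-in for bitcoin_tx_check() in this model (assumption): a commitment tx
 * with no outputs at all is treated as malformed. */
static bool model_tx_check(const struct model_tx *tx)
{
	return tx->num_outputs > 0;
}

/* What a harness should guarantee before handing the tx to the signing path:
 * with the 546 sat default both balances survive, with a fuzzer-chosen huge
 * limit every output is trimmed and the tx is malformed. */
static bool commit_tx_is_well_formed(uint64_t to_local_sat, uint64_t to_remote_sat,
				     uint64_t dust_limit_sat)
{
	struct model_tx tx = build_commit_tx(to_local_sat, to_remote_sat, dust_limit_sat);
	return model_tx_check(&tx);
}
```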
This does seem to fix the issue at hand but while I was trying to fix the HSMD issues above, I ran into the following error:
```text
==111597== ERROR: libFuzzer: deadly signal
#0 0x5850004a5e55 in __sanitizer_print_stack_trace (/home/chandra/lightning/tests/fuzz/fuzz-open_channel+0x2b8e55) (BuildId: 64642ce25a0283917080d8bc7f02ebc725e1f6dd)
#1 0x5850003ff96c in fuzzer::PrintStackTrace() (/home/chandra/lightning/tests/fuzz/fuzz-open_channel+0x21296c) (BuildId: 64642ce25a0283917080d8bc7f02ebc725e1f6dd)
#2 0x5850003e59f7 in fuzzer::Fuzzer::CrashCallback() (/home/chandra/lightning/tests/fuzz/fuzz-open_channel+0x1f89f7) (BuildId: 64642ce25a0283917080d8bc7f02ebc725e1f6dd)
#3 0x793f4984532f (/usr/lib/x86_64-linux-gnu/libc.so.6+0x4532f) (BuildId: 282c2c16e7b6600b0b22ea0c99010d2795752b5f)
#4 0x793f4989eb2b in __pthread_kill_implementation nptl/pthread_kill.c:43:17
#5 0x793f4989eb2b in __pthread_kill_internal nptl/pthread_kill.c:78:10
#6 0x793f4989eb2b in pthread_kill nptl/pthread_kill.c:89:10
#7 0x793f4984527d in raise signal/../sysdeps/posix/raise.c:26:13
#8 0x793f498288fe in abort stdlib/abort.c:79:7
#9 0x5850006abedd in psbt_get_bytes /home/chandra/lightning/bitcoin/psbt.c:873:3
#10 0x5850006ac763 in towire_wally_psbt /home/chandra/lightning/bitcoin/psbt.c:912:25
#11 0x5850006dcfab in towire_bitcoin_tx /home/chandra/lightning/bitcoin/tx.c:807:2
#12 0x5850004f7297 in towire_hsmd_validate_commitment_tx /home/chandra/lightning/hsmd/hsmd_wiregen.c:1515:2
#13 0x585000513a8d in validate_initial_commitment_signature /home/chandra/lightning/openingd/common.c:253:8
#14 0x5850007010bb in fundee_channel /home/chandra/lightning/tests/fuzz/../../openingd/openingd.c:1263:2
#15 0x5850006f2e62 in run /home/chandra/lightning/tests/fuzz/fuzz-open_channel.c:450:2
#16 0x58500051f168 in LLVMFuzzerTestOneInput /home/chandra/lightning/tests/fuzz/libfuzz.c:25:2
#17 0x5850003e6fc4 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/chandra/lightning/tests/fuzz/fuzz-open_channel+0x1f9fc4) (BuildId: 64642ce25a0283917080d8bc7f02ebc725e1f6dd)
#18 0x5850003d00f6 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/chandra/lightning/tests/fuzz/fuzz-open_channel+0x1e30f6) (BuildId: 64642ce25a0283917080d8bc7f02ebc725e1f6dd)
#19 0x5850003d5baa in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/chandra/lightning/tests/fuzz/fuzz-open_channel+0x1e8baa) (BuildId: 64642ce25a0283917080d8bc7f02ebc725e1f6dd)
#20 0x585000400366 in main (/home/chandra/lightning/tests/fuzz/fuzz-open_channel+0x213366) (BuildId: 64642ce25a0283917080d8bc7f02ebc725e1f6dd)
#21 0x793f4982a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#22 0x793f4982a28a in __libc_start_main csu/../csu/libc-start.c:360:3
#23 0x5850003cacc4 in _start (/home/chandra/lightning/tests/fuzz/fuzz-open_channel+0x1ddcc4) (BuildId: 64642ce25a0283917080d8bc7f02ebc725e1f6dd)
```
which seems to occur due to a malformed transaction by `initial_commit_tx()`. I have added the crashing input `crash-fac1fd5bceb991a6d9c9177d7eae47d2fbe78be5` to the corpus; let me know what you think.
Hey @morehouse, I've fixed all of the crashes but the only thing that bugs me is that the latest target isn't able to make it past this check. I believe it has something to do with the incorrect signing of the funding_created message but I'm not too sure.
I also tried getting rid of the check and letting the fuzzer discover any crash in the rest of the code that follows, but nothing else creeps up, so maybe this isn't worth the bother?
Yep, assertion failure confirmed here:
I ran the target for quite some time but was unable to reproduce this failure. Do you mind sharing the crashing input?
The crash happens because the peer seems to create a `peer_error` message with `create_fuzz_msg()` here:

```c
/* Fuzz-peer reply to open_channel: when the next fuzz byte is even, send a
 * well-formed funding_created; otherwise send an arbitrary fuzzer-built message. */
if (fromwire_u8(cursor, max) % 2 == 0) {
	struct sha256_double h;
	struct bitcoin_signature sig;
	struct bitcoin_outpoint out;

	memset(&h, 1, sizeof(h));
	sign_hash(&dummy_privkey, &h, &sig.s);
	memset(&out.txid, 1, sizeof(out.txid));
	out.n = 0;
	return towire_funding_created(ctx, &state->channel_id,
				      &out.txid, out.n, &sig.s);
} else {
	return create_fuzz_msg(ctx);
}
```
Getting rid of the `if-else` branch and only sending a valid `funding_created` message here would fix the issue, but `negotiation_aborted()` calls `exit()` so maybe this is a potential DoS vector?

> Getting rid of the `if-else` branch and only sending a valid `funding_created` message here would fix the issue
No, we want to fuzz other messages besides funding_created, since a peer can do this as well.
> but `negotiation_aborted()` calls `exit()` so maybe this is a potential DoS vector?
How is it a DoS vector? In general I think it's okay for openingd to exit? We already longjmp in peer_failed_err for this reason.
Rebased. The inter-daemon comms changed, so the corpora will have to be rebuilt I think?
Hey @rustyrussell, I was trying to rebuild the corpus for this test but the latest main branch fails to compile with ASan:
```text
==26001==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 48 byte(s) in 1 object(s) allocated from:
#0 0x5b7e47104613 in malloc (/home/chandra/lightning/plugins/sql+0x269613) (BuildId: 6f9145479b1602c7d4d2cf705833213b62ac9d0e)
#1 0x5b7e473c51e1 in strmap_add_ /home/chandra/lightning/ccan/ccan/strmap/strmap.c:95:9
#2 0x5b7e471467af in new_table_desc /home/chandra/lightning/plugins/sql.c:1672:3
#3 0x5b7e47144004 in init_tablemap /home/chandra/lightning/plugins/sql.c:1836:8
#4 0x5b7e471430e3 in main /home/chandra/lightning/plugins/sql.c:1980:3
#5 0x77d691e2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#6 0x77d691e2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
#7 0x5b7e470697c4 in _start (/home/chandra/lightning/plugins/sql+0x1ce7c4) (BuildId: 6f9145479b1602c7d4d2cf705833213b62ac9d0e)
Indirect leak of 672 byte(s) in 14 object(s) allocated from:
#0 0x5b7e47104613 in malloc (/home/chandra/lightning/plugins/sql+0x269613) (BuildId: 6f9145479b1602c7d4d2cf705833213b62ac9d0e)
#1 0x5b7e473c51e1 in strmap_add_ /home/chandra/lightning/ccan/ccan/strmap/strmap.c:95:9
#2 0x5b7e471467af in new_table_desc /home/chandra/lightning/plugins/sql.c:1672:3
#3 0x5b7e47144004 in init_tablemap /home/chandra/lightning/plugins/sql.c:1836:8
#4 0x5b7e471430e3 in main /home/chandra/lightning/plugins/sql.c:1980:3
#5 0x77d691e2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#6 0x77d691e2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
#7 0x5b7e470697c4 in _start (/home/chandra/lightning/plugins/sql+0x1ce7c4) (BuildId: 6f9145479b1602c7d4d2cf705833213b62ac9d0e)
Indirect leak of 384 byte(s) in 8 object(s) allocated from:
#0 0x5b7e47104613 in malloc (/home/chandra/lightning/plugins/sql+0x269613) (BuildId: 6f9145479b1602c7d4d2cf705833213b62ac9d0e)
#1 0x5b7e473c51e1 in strmap_add_ /home/chandra/lightning/ccan/ccan/strmap/strmap.c:95:9
#2 0x5b7e471467af in new_table_desc /home/chandra/lightning/plugins/sql.c:1672:3
#3 0x5b7e47162f50 in add_table_properties /home/chandra/lightning/plugins/sql.c:1759:15
#4 0x5b7e471468a2 in add_table_object /home/chandra/lightning/plugins/sql.c:1793:3
#5 0x5b7e47144019 in init_tablemap /home/chandra/lightning/plugins/sql.c:1837:3
#6 0x5b7e471430e3 in main /home/chandra/lightning/plugins/sql.c:1980:3
#7 0x77d691e2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#8 0x77d691e2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
#9 0x5b7e470697c4 in _start (/home/chandra/lightning/plugins/sql+0x1ce7c4) (BuildId: 6f9145479b1602c7d4d2cf705833213b62ac9d0e)
Indirect leak of 192 byte(s) in 4 object(s) allocated from:
#0 0x5b7e47104613 in malloc (/home/chandra/lightning/plugins/sql+0x269613) (BuildId: 6f9145479b1602c7d4d2cf705833213b62ac9d0e)
#1 0x5b7e473c51e1 in strmap_add_ /home/chandra/lightning/ccan/ccan/strmap/strmap.c:95:9
#2 0x5b7e471467af in new_table_desc /home/chandra/lightning/plugins/sql.c:1672:3
#3 0x5b7e47162f50 in add_table_properties /home/chandra/lightning/plugins/sql.c:1759:15
#4 0x5b7e471468a2 in add_table_object /home/chandra/lightning/plugins/sql.c:1793:3
#5 0x5b7e4716367b in add_table_properties /home/chandra/lightning/plugins/sql.c:1767:4
#6 0x5b7e471468a2 in add_table_object /home/chandra/lightning/plugins/sql.c:1793:3
#7 0x5b7e47144019 in init_tablemap /home/chandra/lightning/plugins/sql.c:1837:3
#8 0x5b7e471430e3 in main /home/chandra/lightning/plugins/sql.c:1980:3
#9 0x77d691e2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#10 0x77d691e2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
#11 0x5b7e470697c4 in _start (/home/chandra/lightning/plugins/sql+0x1ce7c4) (BuildId: 6f9145479b1602c7d4d2cf705833213b62ac9d0e)
Indirect leak of 96 byte(s) in 2 object(s) allocated from:
#0 0x5b7e47104613 in malloc (/home/chandra/lightning/plugins/sql+0x269613) (BuildId: 6f9145479b1602c7d4d2cf705833213b62ac9d0e)
#1 0x5b7e473c51e1 in strmap_add_ /home/chandra/lightning/ccan/ccan/strmap/strmap.c:95:9
#2 0x5b7e471467af in new_table_desc /home/chandra/lightning/plugins/sql.c:1672:3
#3 0x5b7e47162f50 in add_table_properties /home/chandra/lightning/plugins/sql.c:1759:15
#4 0x5b7e471468a2 in add_table_object /home/chandra/lightning/plugins/sql.c:1793:3
#5 0x5b7e47146bc2 in add_table_object /home/chandra/lightning/plugins/sql.c:1803:3
#6 0x5b7e47146b1e in add_table_object /home/chandra/lightning/plugins/sql.c:1798:4
#7 0x5b7e47144019 in init_tablemap /home/chandra/lightning/plugins/sql.c:1837:3
#8 0x5b7e471430e3 in main /home/chandra/lightning/plugins/sql.c:1980:3
#9 0x77d691e2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#10 0x77d691e2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
#11 0x5b7e470697c4 in _start (/home/chandra/lightning/plugins/sql+0x1ce7c4) (BuildId: 6f9145479b1602c7d4d2cf705833213b62ac9d0e)
SUMMARY: AddressSanitizer: 1392 byte(s) leaked in 29 allocation(s).
PYTHONPATH=contrib/msggen python3 contrib/msggen/msggen/__main__.py bundle doc/schemas
Combining schemas from /home/chandra/lightning/doc/schemas into /home/chandra/lightning/contrib/msggen/msggen/schema.json
genidx doc/index.rst
Created /home/chandra/lightning/contrib/msggen/msggen/schema.json from 2 files
```