Add fuzzing hash_parser target & coverage

LedgerHQ · Oct 7, 2022 · 236d1a2 · 236d1a2
1 parent 7a08826
commit 236d1a2
Show file tree

Hide file tree

Showing 5 changed files with 70 additions and 18 deletions.
diff --git a/.gitignore b/.gitignore
@@ -39,3 +39,6 @@ dev-env
 
 # Fuzzer
 fuzzing/cmake-build-fuzz/
+fuzzing/cmake-build-fuzz-coverage/
+fuzzing/corpus/
+fuzzing/html-coverage/
diff --git a/fuzzing/CMakeLists.txt b/fuzzing/CMakeLists.txt
@@ -52,17 +52,17 @@ include_directories(.
 add_compile_options(-g -O3)
 
 # Build with code coverage generation
-#if(CODE_COVERAGE)
-#    if(CMAKE_C_COMPILER_ID MATCHES "(Apple)?[Cc]lang")
-#        add_compile_options(-fprofile-instr-generate -fcoverage-mapping)
-#        add_link_options(-fprofile-instr-generate -fcoverage-mapping)
-#    elseif(CMAKE_C_COMPILER_ID MATCHES "GNU")
-#        add_compile_options(-fprofile-arcs -ftest-coverage)
-#        link_libraries(gcov)
-#    else()
-#        message(FATAL_ERROR "Unsupported compiler used with code coverage generation")
-#    endif()
-#endif()
+if(CODE_COVERAGE)
+    if(CMAKE_C_COMPILER_ID MATCHES "(Apple)?[Cc]lang")
+        add_compile_options(-fprofile-instr-generate -fcoverage-mapping)
+        add_link_options(-fprofile-instr-generate -fcoverage-mapping)
+    elseif(CMAKE_C_COMPILER_ID MATCHES "GNU")
+        add_compile_options(-fprofile-arcs -ftest-coverage)
+        link_libraries(gcov)
+    else()
+        message(FATAL_ERROR "Unsupported compiler used with code coverage generation")
+    endif()
+endif()
 
 # Fuzzer target
 set(APP_SRC_DIR "../src")

diff --git a/fuzzing/coverage.sh b/fuzzing/coverage.sh
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+# Generate code coverage reports from fuzzing results
+
+set -e
+
+SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+BUILDDIR="$SCRIPTDIR/cmake-build-fuzz-coverage"
+CORPUSDIR="$SCRIPTDIR/corpus"
+HTMLCOVDIR="$SCRIPTDIR/html-coverage"
+
+# Compile the fuzzer with code coverage support
+rm -rf "$BUILDDIR" "$HTMLCOVDIR"
+mkdir "$BUILDDIR"
+cd "$BUILDDIR"
+cmake -DCMAKE_C_COMPILER=clang -DCODE_COVERAGE=1 -B"$BUILDDIR" ..
+cmake --build "$BUILDDIR" --target fuzz_hive
+
+# Run the fuzzer on the corpus files
+export LLVM_PROFILE_FILE="$BUILDDIR/fuzz_hive.profraw"
+"$BUILDDIR/fuzz_hive" "$CORPUSDIR"/*
+llvm-profdata merge --sparse "$LLVM_PROFILE_FILE" -o "$BUILDDIR/fuzz_hive.profdata"
+llvm-cov show "$BUILDDIR/fuzz_hive" -instr-profile="$BUILDDIR/fuzz_hive.profdata" -show-line-counts-or-regions -output-dir="$HTMLCOVDIR" -format=html
+llvm-cov report "$BUILDDIR/fuzz_hive" -instr-profile="$BUILDDIR/fuzz_hive.profdata"
diff --git a/fuzzing/fuzz_hive.c b/fuzzing/fuzz_hive.c
@@ -11,21 +11,37 @@
 */
 
 int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+    if (Size < 5) {
+        //mimic buf_len < OFFSET_CDATA in apdu_parser()
+        return 1;
+    }
     BEGIN_TRY {
         TRY {
+            uint8_t lc;
+
+            lc = Data[0];
+
             explicit_bzero(&G_context, sizeof(G_context));
             G_context.req_type = CONFIRM_TRANSACTION;
             G_context.state = STATE_NONE;
 
-            G_context.tx_info.raw_tx_len = Size > MAX_TRANSACTION_LEN ? MAX_TRANSACTION_LEN : Size;
-            memcpy(G_context.tx_info.raw_tx, Data, G_context.tx_info.raw_tx_len);
+            G_context.tx_info.raw_tx_len = Size - 1 > MAX_TRANSACTION_LEN ? MAX_TRANSACTION_LEN : Size - 1;
+            memcpy(G_context.tx_info.raw_tx, Data + 1, G_context.tx_info.raw_tx_len);
+            buffer_t tx_buffer = {.offset = 0, .ptr = &G_context.tx_info.raw_tx, .size = lc};
 
-            buffer_t buf = {.offset = 0, .ptr = &G_context.tx_info.raw_tx, .size = G_context.tx_info.raw_tx_len};
+            transaction_parse(&tx_buffer);
 
-            transaction_parse(&buf);
-        }
-        CATCH(EXCEPTION_IO_RESET) {
-            return 0;
+            lc = Data[0];
+
+            explicit_bzero(&G_context, sizeof(G_context));
+            G_context.req_type = CONFIRM_HASH;
+            G_context.state = STATE_NONE;
+
+            G_context.tx_info.raw_tx_len = Size - 1 > MAX_TRANSACTION_LEN ? MAX_TRANSACTION_LEN : Size - 1;
+            memcpy(G_context.tx_info.raw_tx, Data + 1, G_context.tx_info.raw_tx_len);
+            buffer_t hash_buffer = {.offset = 0, .ptr = &G_context.tx_info.raw_tx, .size = lc};
+
+            hash_parse(&hash_buffer);
         }
         CATCH_OTHER(e) {
             return 0;
@@ -34,6 +50,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
         }
         END_TRY;
     }
+
     return 0;
 }
 

diff --git a/fuzzing/run.sh b/fuzzing/run.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+set -e
+
+SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+BUILDDIR="$SCRIPTDIR/cmake-build-fuzz"
+CORPUSDIR="$SCRIPTDIR/corpus"
+
+"$BUILDDIR"/fuzz_hive "$CORPUSDIR" "$@" > /dev/null