From 70302387fa9b81e435dcb778f58ecd25f2b61b7e Mon Sep 17 00:00:00 2001 From: Marius van der Wijden Date: Wed, 16 Sep 2020 13:15:22 +0200 Subject: [PATCH] tests/fuzzers/abi: add fuzzer for fuzzing package accounts/abi (#21217) * tests/fuzzers/abi: added abi fuzzer * accounts/abi: fixed issues found by fuzzing * tests/fuzzers/abi: update fuzzers, added repro test * tests/fuzzers/abi: renamed abi_fuzzer to abifuzzer * tests/fuzzers/abi: updated abi fuzzer * tests/fuzzers/abi: updated abi fuzzer * accounts/abi: minor style fix * go.mod: added go-fuzz dependency * tests/fuzzers/abi: updated abi fuzzer * tests/fuzzers/abi: make linter happy * tests/fuzzers/abi: make linter happy * tests/fuzzers/abi: comment out false positives --- accounts/abi/abi_test.go | 4 +- accounts/abi/error.go | 2 +- accounts/abi/pack.go | 23 ++-- accounts/abi/type.go | 2 +- accounts/abi/unpack.go | 5 +- go.mod | 3 +- go.sum | 4 +- tests/fuzzers/abi/abifuzzer.go | 186 ++++++++++++++++++++++++++++ tests/fuzzers/abi/abifuzzer_test.go | 50 ++++++++ 9 files changed, 262 insertions(+), 17 deletions(-) create mode 100644 tests/fuzzers/abi/abifuzzer.go create mode 100644 tests/fuzzers/abi/abifuzzer_test.go diff --git a/accounts/abi/abi_test.go b/accounts/abi/abi_test.go index 48aa46235738e..3d07e4cbf5175 100644 --- a/accounts/abi/abi_test.go +++ b/accounts/abi/abi_test.go @@ -33,7 +33,7 @@ import ( const jsondata = ` [ - { "type" : "function", "name" : "", "stateMutability" : "view" }, + { "type" : "function", "name" : ""}, { "type" : "function", "name" : "balance", "stateMutability" : "view" }, { "type" : "function", "name" : "send", "inputs" : [ { "name" : "amount", "type" : "uint256" } ] }, { "type" : "function", "name" : "test", "inputs" : [ { "name" : "number", "type" : "uint32" } ] }, @@ -88,7 +88,7 @@ var ( ) var methods = map[string]Method{ - "": NewMethod("", "", Function, "view", false, false, nil, nil), + "": NewMethod("", "", Function, "", false, false, nil, nil), "balance": NewMethod("balance", "balance", Function, "view", false, false, nil, nil), "send": NewMethod("send", "send", Function, "", false, false, []Argument{{"amount", Uint256, false}}, nil), "test": NewMethod("test", "test", Function, "", false, false, []Argument{{"number", Uint32, false}}, nil), diff --git a/accounts/abi/error.go b/accounts/abi/error.go index b63a215ad977b..f0f71b6c91646 100644 --- a/accounts/abi/error.go +++ b/accounts/abi/error.go @@ -52,7 +52,7 @@ func sliceTypeCheck(t Type, val reflect.Value) error { } } - if elemKind := val.Type().Elem().Kind(); elemKind != t.Elem.GetType().Kind() { + if val.Type().Elem().Kind() != t.Elem.GetType().Kind() { return typeErr(formatSliceString(t.Elem.GetType().Kind(), t.Size), val.Type()) } return nil diff --git a/accounts/abi/pack.go b/accounts/abi/pack.go index 58af1446bfb74..59b8b785ec72a 100644 --- a/accounts/abi/pack.go +++ b/accounts/abi/pack.go @@ -17,6 +17,8 @@ package abi import ( + "errors" + "fmt" "math/big" "reflect" @@ -33,35 +35,38 @@ func packBytesSlice(bytes []byte, l int) []byte { // packElement packs the given reflect value according to the abi specification in // t. -func packElement(t Type, reflectValue reflect.Value) []byte { +func packElement(t Type, reflectValue reflect.Value) ([]byte, error) { switch t.T { case IntTy, UintTy: - return packNum(reflectValue) + return packNum(reflectValue), nil case StringTy: - return packBytesSlice([]byte(reflectValue.String()), reflectValue.Len()) + return packBytesSlice([]byte(reflectValue.String()), reflectValue.Len()), nil case AddressTy: if reflectValue.Kind() == reflect.Array { reflectValue = mustArrayToByteSlice(reflectValue) } - return common.LeftPadBytes(reflectValue.Bytes(), 32) + return common.LeftPadBytes(reflectValue.Bytes(), 32), nil case BoolTy: if reflectValue.Bool() { - return math.PaddedBigBytes(common.Big1, 32) + return math.PaddedBigBytes(common.Big1, 32), nil } - return math.PaddedBigBytes(common.Big0, 32) + return math.PaddedBigBytes(common.Big0, 32), nil case BytesTy: if reflectValue.Kind() == reflect.Array { reflectValue = mustArrayToByteSlice(reflectValue) } - return packBytesSlice(reflectValue.Bytes(), reflectValue.Len()) + if reflectValue.Type() != reflect.TypeOf([]byte{}) { + return []byte{}, errors.New("Bytes type is neither slice nor array") + } + return packBytesSlice(reflectValue.Bytes(), reflectValue.Len()), nil case FixedBytesTy, FunctionTy: if reflectValue.Kind() == reflect.Array { reflectValue = mustArrayToByteSlice(reflectValue) } - return common.RightPadBytes(reflectValue.Bytes(), 32) + return common.RightPadBytes(reflectValue.Bytes(), 32), nil default: - panic("abi: fatal error") + return []byte{}, fmt.Errorf("Could not pack element, unknown type: %v", t.T) } } diff --git a/accounts/abi/type.go b/accounts/abi/type.go index 5b6d580e4ba05..83b553e6bf0c6 100644 --- a/accounts/abi/type.go +++ b/accounts/abi/type.go @@ -345,7 +345,7 @@ func (t Type) pack(v reflect.Value) ([]byte, error) { return append(ret, tail...), nil default: - return packElement(t, v), nil + return packElement(t, v) } } diff --git a/accounts/abi/unpack.go b/accounts/abi/unpack.go index 15da1827ad5fa..26e7ea1fe6468 100644 --- a/accounts/abi/unpack.go +++ b/accounts/abi/unpack.go @@ -225,7 +225,10 @@ func toGoType(index int, t Type, output []byte) (interface{}, error) { return forEachUnpack(t, output[begin:], 0, length) case ArrayTy: if isDynamicType(*t.Elem) { - offset := int64(binary.BigEndian.Uint64(returnOutput[len(returnOutput)-8:])) + offset := binary.BigEndian.Uint64(returnOutput[len(returnOutput)-8:]) + if offset > uint64(len(output)) { + return nil, fmt.Errorf("abi: toGoType offset greater than output length: offset: %d, len(output): %d", offset, len(output)) + } return forEachUnpack(t, output[offset:], 0, t.Size) } return forEachUnpack(t, output[index:], 0, t.Size) diff --git a/go.mod b/go.mod index 50ea1052010fa..ca5ba4223a838 100644 --- a/go.mod +++ b/go.mod @@ -48,8 +48,10 @@ require ( github.com/ethereum/c-kzg-4844 v0.4.0 github.com/gballet/go-libpcsclite v0.0.0-20191108122812-4678299bea08 github.com/go-yaml/yaml v2.1.0+incompatible + github.com/google/gofuzz v1.2.0 github.com/influxdata/influxdb-client-go/v2 v2.4.0 github.com/influxdata/influxdb1-client v0.0.0-20220302092344-a9ab5670611c + github.com/karalabe/usb v0.0.2 github.com/kylelemons/godebug v1.1.0 github.com/mattn/go-isatty v0.0.17 github.com/protolambda/bls12-381-util v0.0.0-20220416220906-d8552aa452c7 @@ -74,7 +76,6 @@ require ( github.com/go-sourcemap/sourcemap v2.1.3+incompatible // indirect github.com/google/uuid v1.3.0 // indirect github.com/influxdata/line-protocol v0.0.0-20200327222509-2487e7298839 // indirect - github.com/karalabe/usb v0.0.2 // indirect github.com/kilic/bls12-381 v0.1.0 // indirect github.com/kr/pretty v0.3.1 // indirect github.com/kr/text v0.2.0 // indirect diff --git a/go.sum b/go.sum index 87307bdb5ab26..5e02e18f44859 100644 --- a/go.sum +++ b/go.sum @@ -87,6 +87,8 @@ github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/ github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= +github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/subcommands v1.2.0/go.mod h1:ZjhPrFU+Olkh9WazFPsl27BQ4UPiG37m3yTrtFlrHVk= github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= @@ -109,8 +111,6 @@ github.com/jackpal/go-nat-pmp v1.0.2 h1:KzKSgb7qkJvOUTqYl9/Hg/me3pWgBmERKrTGD7Bd github.com/jackpal/go-nat-pmp v1.0.2/go.mod h1:QPH045xvCAeXUZOxsnwmrtiCoxIr9eob+4orBN1SBKc= github.com/julienschmidt/httprouter v1.3.0 h1:U0609e9tgbseu3rBINet9P48AI/D3oJs4dN7jwJOQ1U= github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM= -github.com/karalabe/hid v1.0.0 h1:+/CIMNXhSU/zIJgnIvBD2nKHxS/bnRHhhs9xBryLpPo= -github.com/karalabe/hid v1.0.0/go.mod h1:Vr51f8rUOLYrfrWDFlV12GGQgM5AT8sVh+2fY4MPeu8= github.com/karalabe/usb v0.0.2 h1:M6QQBNxF+CQ8OFvxrT90BA0qBOXymndZnk5q235mFc4= github.com/karalabe/usb v0.0.2/go.mod h1:Od972xHfMJowv7NGVDiWVxk2zxnWgjLlJzE+F4F7AGU= github.com/kilic/bls12-381 v0.1.0 h1:encrdjqKMEvabVQ7qYOKu1OvhqpK4s47wDYtNiPtlp4= diff --git a/tests/fuzzers/abi/abifuzzer.go b/tests/fuzzers/abi/abifuzzer.go new file mode 100644 index 0000000000000..5b8986c09b3c6 --- /dev/null +++ b/tests/fuzzers/abi/abifuzzer.go @@ -0,0 +1,186 @@ +// Copyright 2020 The go-ethereum Authors +// This file is part of the go-ethereum library. +// +// The go-ethereum library is free software: you can redistribute it and/or modify +// it under the terms of the GNU Lesser General Public License as published by +// the Free Software Foundation, either version 3 of the License, or +// (at your option) any later version. +// +// The go-ethereum library is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU Lesser General Public License for more details. +// +// You should have received a copy of the GNU Lesser General Public License +// along with the go-ethereum library. If not, see . + +package abi + +import ( + "bytes" + "fmt" + "math/rand" + "reflect" + "strings" + + "github.com/XinFinOrg/XDPoSChain/accounts/abi" + "github.com/XinFinOrg/XDPoSChain/crypto" + fuzz "github.com/google/gofuzz" +) + +func unpackPack(abi abi.ABI, method string, inputType []interface{}, input []byte) bool { + outptr := reflect.New(reflect.TypeOf(inputType)) + if err := abi.Unpack(outptr.Interface(), method, input); err == nil { + output, err := abi.Pack(method, input) + if err != nil { + // We have some false positives as we can unpack these type successfully, but not pack them + if err.Error() == "abi: cannot use []uint8 as type [0]int8 as argument" || + err.Error() == "abi: cannot use uint8 as type int8 as argument" { + return false + } + panic(err) + } + if !bytes.Equal(input, output[4:]) { + panic(fmt.Sprintf("unpackPack is not equal, \ninput : %x\noutput: %x", input, output[4:])) + } + return true + } + return false +} + +func packUnpack(abi abi.ABI, method string, input []interface{}) bool { + if packed, err := abi.Pack(method, input); err == nil { + outptr := reflect.New(reflect.TypeOf(input)) + err := abi.Unpack(outptr.Interface(), method, packed) + if err != nil { + panic(err) + } + out := outptr.Elem().Interface() + if !reflect.DeepEqual(input, out) { + panic(fmt.Sprintf("unpackPack is not equal, \ninput : %x\noutput: %x", input, out)) + } + return true + } + return false +} + +type args struct { + name string + typ string +} + +func createABI(name string, stateMutability, payable *string, inputs []args) (abi.ABI, error) { + sig := fmt.Sprintf(`[{ "type" : "function", "name" : "%v" `, name) + if stateMutability != nil { + sig += fmt.Sprintf(`, "stateMutability": "%v" `, *stateMutability) + } + if payable != nil { + sig += fmt.Sprintf(`, "payable": %v `, *payable) + } + if len(inputs) > 0 { + sig += `, "inputs" : [ {` + for i, inp := range inputs { + sig += fmt.Sprintf(`"name" : "%v", "type" : "%v" `, inp.name, inp.typ) + if i+1 < len(inputs) { + sig += "," + } + } + sig += "} ]" + sig += `, "outputs" : [ {` + for i, inp := range inputs { + sig += fmt.Sprintf(`"name" : "%v", "type" : "%v" `, inp.name, inp.typ) + if i+1 < len(inputs) { + sig += "," + } + } + sig += "} ]" + } + sig += `}]` + + return abi.JSON(strings.NewReader(sig)) +} + +func fillStruct(structs []interface{}, data []byte) { + if structs != nil && len(data) != 0 { + fuzz.NewFromGoFuzz(data).Fuzz(&structs) + } +} + +func createStructs(args []args) []interface{} { + structs := make([]interface{}, len(args)) + for i, arg := range args { + t, err := abi.NewType(arg.typ, "", nil) + if err != nil { + panic(err) + } + structs[i] = reflect.New(t.GetType()).Elem() + } + return structs +} + +func runFuzzer(input []byte) int { + good := false + + names := []string{"_name", "name", "NAME", "name_", "__", "_name_", "n"} + stateMut := []string{"", "pure", "view", "payable"} + stateMutabilites := []*string{nil, &stateMut[0], &stateMut[1], &stateMut[2], &stateMut[3]} + pays := []string{"true", "false"} + payables := []*string{nil, &pays[0], &pays[1]} + varNames := []string{"a", "b", "c", "d", "e", "f", "g"} + varNames = append(varNames, names...) + varTypes := []string{"bool", "address", "bytes", "string", + "uint8", "int8", "uint8", "int8", "uint16", "int16", + "uint24", "int24", "uint32", "int32", "uint40", "int40", "uint48", "int48", "uint56", "int56", + "uint64", "int64", "uint72", "int72", "uint80", "int80", "uint88", "int88", "uint96", "int96", + "uint104", "int104", "uint112", "int112", "uint120", "int120", "uint128", "int128", "uint136", "int136", + "uint144", "int144", "uint152", "int152", "uint160", "int160", "uint168", "int168", "uint176", "int176", + "uint184", "int184", "uint192", "int192", "uint200", "int200", "uint208", "int208", "uint216", "int216", + "uint224", "int224", "uint232", "int232", "uint240", "int240", "uint248", "int248", "uint256", "int256", + "bytes1", "bytes2", "bytes3", "bytes4", "bytes5", "bytes6", "bytes7", "bytes8", "bytes9", "bytes10", "bytes11", + "bytes12", "bytes13", "bytes14", "bytes15", "bytes16", "bytes17", "bytes18", "bytes19", "bytes20", "bytes21", + "bytes22", "bytes23", "bytes24", "bytes25", "bytes26", "bytes27", "bytes28", "bytes29", "bytes30", "bytes31", + "bytes32", "bytes"} + rnd := rand.New(rand.NewSource(123456)) + if len(input) > 0 { + kec := crypto.Keccak256(input) + rnd = rand.New(rand.NewSource(int64(kec[0]))) + } + name := names[rnd.Intn(len(names))] + stateM := stateMutabilites[rnd.Intn(len(stateMutabilites))] + payable := payables[rnd.Intn(len(payables))] + maxLen := 5 + for k := 1; k < maxLen; k++ { + var arg []args + for i := k; i > 0; i-- { + argName := varNames[i] + argTyp := varTypes[rnd.Int31n(int32(len(varTypes)))] + if rnd.Int31n(10) == 0 { + argTyp += "[]" + } else if rnd.Int31n(10) == 0 { + arrayArgs := rnd.Int31n(30) + 1 + argTyp += fmt.Sprintf("[%d]", arrayArgs) + } + arg = append(arg, args{ + name: argName, + typ: argTyp, + }) + } + abi, err := createABI(name, stateM, payable, arg) + if err != nil { + continue + } + structs := createStructs(arg) + b := unpackPack(abi, name, structs, input) + fillStruct(structs, input) + c := packUnpack(abi, name, structs) + good = good || b || c + } + if good { + return 1 + } + return 0 +} + +func Fuzz(input []byte) int { + return runFuzzer(input) +} diff --git a/tests/fuzzers/abi/abifuzzer_test.go b/tests/fuzzers/abi/abifuzzer_test.go new file mode 100644 index 0000000000000..c72577e9eef60 --- /dev/null +++ b/tests/fuzzers/abi/abifuzzer_test.go @@ -0,0 +1,50 @@ +// Copyright 2020 The go-ethereum Authors +// This file is part of the go-ethereum library. +// +// The go-ethereum library is free software: you can redistribute it and/or modify +// it under the terms of the GNU Lesser General Public License as published by +// the Free Software Foundation, either version 3 of the License, or +// (at your option) any later version. +// +// The go-ethereum library is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU Lesser General Public License for more details. +// +// You should have received a copy of the GNU Lesser General Public License +// along with the go-ethereum library. If not, see . + +package abi + +import ( + "testing" +) + +// TestReplicate can be used to replicate crashers from the fuzzing tests. +// Just replace testString with the data in .quoted +func TestReplicate(t *testing.T) { + testString := "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 \x00\x00\x00\x00\x00\x00\x00\x00" + + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + + "\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00000000000" + + "00000000000000000000" + + "00000000000000000000" + + "00000001" + + data := []byte(testString) + runFuzzer(data) +} + +// TestGenerateCorpus can be used to add corpus for the fuzzer. +// Just replace corpusHex with the hexEncoded output you want to add to the fuzzer. +func TestGenerateCorpus(t *testing.T) { + /* + corpusHex := "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" + data := common.FromHex(corpusHex) + checksum := sha1.Sum(data) + outf := fmt.Sprintf("corpus/%x", checksum) + if err := ioutil.WriteFile(outf, data, 0777); err != nil { + panic(err) + } + */ +}