util.cpp
1 // Copyright (c) 2021-2022 The Bitcoin Core developers 2 // Distributed under the MIT software license, see the accompanying 3 // file COPYING or http://www.opensource.org/licenses/mit-license.php. 4 5 #include <consensus/amount.h> 6 #include <pubkey.h> 7 #include <test/fuzz/util.h> 8 #include <test/util/script.h> 9 #include <util/check.h> 10 #include <util/overflow.h> 11 #include <util/rbf.h> 12 #include <util/time.h> 13 14 #include <memory> 15 16 std::vector<uint8_t> ConstructPubKeyBytes(FuzzedDataProvider& fuzzed_data_provider, Span<const uint8_t> byte_data, const bool compressed) noexcept 17 { 18 uint8_t pk_type; 19 if (compressed) { 20 pk_type = fuzzed_data_provider.PickValueInArray({0x02, 0x03}); 21 } else { 22 pk_type = fuzzed_data_provider.PickValueInArray({0x04, 0x06, 0x07}); 23 } 24 std::vector<uint8_t> pk_data{byte_data.begin(), byte_data.begin() + (compressed ? CPubKey::COMPRESSED_SIZE : CPubKey::SIZE)}; 25 pk_data[0] = pk_type; 26 return pk_data; 27 } 28 29 CAmount ConsumeMoney(FuzzedDataProvider& fuzzed_data_provider, const std::optional<CAmount>& max) noexcept 30 { 31 return fuzzed_data_provider.ConsumeIntegralInRange<CAmount>(0, max.value_or(MAX_MONEY)); 32 } 33 34 int64_t ConsumeTime(FuzzedDataProvider& fuzzed_data_provider, const std::optional<int64_t>& min, const std::optional<int64_t>& max) noexcept 35 { 36 // Avoid t=0 (1970-01-01T00:00:00Z) since SetMockTime(0) disables mocktime. 37 static const int64_t time_min{946684801}; // 2000-01-01T00:00:01Z 38 static const int64_t time_max{4133980799}; // 2100-12-31T23:59:59Z 39 return fuzzed_data_provider.ConsumeIntegralInRange<int64_t>(min.value_or(time_min), max.value_or(time_max)); 40 } 41 42 CMutableTransaction ConsumeTransaction(FuzzedDataProvider& fuzzed_data_provider, const std::optional<std::vector<Txid>>& prevout_txids, const int max_num_in, const int max_num_out) noexcept 43 { 44 CMutableTransaction tx_mut; 45 const auto p2wsh_op_true = fuzzed_data_provider.ConsumeBool(); 46 tx_mut.nVersion = fuzzed_data_provider.ConsumeBool() ? 47 CTransaction::CURRENT_VERSION : 48 fuzzed_data_provider.ConsumeIntegral<int32_t>(); 49 tx_mut.nLockTime = fuzzed_data_provider.ConsumeIntegral<uint32_t>(); 50 const auto num_in = fuzzed_data_provider.ConsumeIntegralInRange<int>(0, max_num_in); 51 const auto num_out = fuzzed_data_provider.ConsumeIntegralInRange<int>(0, max_num_out); 52 for (int i = 0; i < num_in; ++i) { 53 const auto& txid_prev = prevout_txids ? 54 PickValue(fuzzed_data_provider, *prevout_txids) : 55 Txid::FromUint256(ConsumeUInt256(fuzzed_data_provider)); 56 const auto index_out = fuzzed_data_provider.ConsumeIntegralInRange<uint32_t>(0, max_num_out); 57 const auto sequence = ConsumeSequence(fuzzed_data_provider); 58 const auto script_sig = p2wsh_op_true ? CScript{} : ConsumeScript(fuzzed_data_provider); 59 CScriptWitness script_wit; 60 if (p2wsh_op_true) { 61 script_wit.stack = std::vector<std::vector<uint8_t>>{WITNESS_STACK_ELEM_OP_TRUE}; 62 } else { 63 script_wit = ConsumeScriptWitness(fuzzed_data_provider); 64 } 65 CTxIn in; 66 in.prevout = COutPoint{txid_prev, index_out}; 67 in.nSequence = sequence; 68 in.scriptSig = script_sig; 69 in.scriptWitness = script_wit; 70 71 tx_mut.vin.push_back(in); 72 } 73 for (int i = 0; i < num_out; ++i) { 74 const auto amount = fuzzed_data_provider.ConsumeIntegralInRange<CAmount>(-10, 50 * COIN + 10); 75 const auto script_pk = p2wsh_op_true ? 76 P2WSH_OP_TRUE : 77 ConsumeScript(fuzzed_data_provider, /*maybe_p2wsh=*/true); 78 tx_mut.vout.emplace_back(amount, script_pk); 79 } 80 return tx_mut; 81 } 82 83 CScriptWitness ConsumeScriptWitness(FuzzedDataProvider& fuzzed_data_provider, const size_t max_stack_elem_size) noexcept 84 { 85 CScriptWitness ret; 86 const auto n_elements = fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, max_stack_elem_size); 87 for (size_t i = 0; i < n_elements; ++i) { 88 ret.stack.push_back(ConsumeRandomLengthByteVector(fuzzed_data_provider)); 89 } 90 return ret; 91 } 92 93 CScript ConsumeScript(FuzzedDataProvider& fuzzed_data_provider, const bool maybe_p2wsh) noexcept 94 { 95 CScript r_script{}; 96 { 97 // Keep a buffer of bytes to allow the fuzz engine to produce smaller 98 // inputs to generate CScripts with repeated data. 99 static constexpr unsigned MAX_BUFFER_SZ{128}; 100 std::vector<uint8_t> buffer(MAX_BUFFER_SZ, uint8_t{'a'}); 101 while (fuzzed_data_provider.ConsumeBool()) { 102 CallOneOf( 103 fuzzed_data_provider, 104 [&] { 105 // Insert byte vector directly to allow malformed or unparsable scripts 106 r_script.insert(r_script.end(), buffer.begin(), buffer.begin() + fuzzed_data_provider.ConsumeIntegralInRange(0U, MAX_BUFFER_SZ)); 107 }, 108 [&] { 109 // Push a byte vector from the buffer 110 r_script << std::vector<uint8_t>{buffer.begin(), buffer.begin() + fuzzed_data_provider.ConsumeIntegralInRange(0U, MAX_BUFFER_SZ)}; 111 }, 112 [&] { 113 // Push multisig 114 // There is a special case for this to aid the fuzz engine 115 // navigate the highly structured multisig format. 116 r_script << fuzzed_data_provider.ConsumeIntegralInRange<int64_t>(0, 22); 117 int num_data{fuzzed_data_provider.ConsumeIntegralInRange(1, 22)}; 118 while (num_data--) { 119 auto pubkey_bytes{ConstructPubKeyBytes(fuzzed_data_provider, buffer, fuzzed_data_provider.ConsumeBool())}; 120 if (fuzzed_data_provider.ConsumeBool()) { 121 pubkey_bytes.back() = num_data; // Make each pubkey different 122 } 123 r_script << pubkey_bytes; 124 } 125 r_script << fuzzed_data_provider.ConsumeIntegralInRange<int64_t>(0, 22); 126 }, 127 [&] { 128 // Mutate the buffer 129 const auto vec{ConsumeRandomLengthByteVector(fuzzed_data_provider, /*max_length=*/MAX_BUFFER_SZ)}; 130 std::copy(vec.begin(), vec.end(), buffer.begin()); 131 }, 132 [&] { 133 // Push an integral 134 r_script << fuzzed_data_provider.ConsumeIntegral<int64_t>(); 135 }, 136 [&] { 137 // Push an opcode 138 r_script << ConsumeOpcodeType(fuzzed_data_provider); 139 }, 140 [&] { 141 // Push a scriptnum 142 r_script << ConsumeScriptNum(fuzzed_data_provider); 143 }); 144 } 145 } 146 if (maybe_p2wsh && fuzzed_data_provider.ConsumeBool()) { 147 uint256 script_hash; 148 CSHA256().Write(r_script.data(), r_script.size()).Finalize(script_hash.begin()); 149 r_script.clear(); 150 r_script << OP_0 << ToByteVector(script_hash); 151 } 152 return r_script; 153 } 154 155 uint32_t ConsumeSequence(FuzzedDataProvider& fuzzed_data_provider) noexcept 156 { 157 return fuzzed_data_provider.ConsumeBool() ? 158 fuzzed_data_provider.PickValueInArray({ 159 CTxIn::SEQUENCE_FINAL, 160 CTxIn::MAX_SEQUENCE_NONFINAL, 161 MAX_BIP125_RBF_SEQUENCE, 162 }) : 163 fuzzed_data_provider.ConsumeIntegral<uint32_t>(); 164 } 165 166 std::map<COutPoint, Coin> ConsumeCoins(FuzzedDataProvider& fuzzed_data_provider) noexcept 167 { 168 std::map<COutPoint, Coin> coins; 169 LIMITED_WHILE(fuzzed_data_provider.ConsumeBool(), 10000) { 170 const std::optional<COutPoint> outpoint{ConsumeDeserializable<COutPoint>(fuzzed_data_provider)}; 171 if (!outpoint) { 172 break; 173 } 174 const std::optional<Coin> coin{ConsumeDeserializable<Coin>(fuzzed_data_provider)}; 175 if (!coin) { 176 break; 177 } 178 coins[*outpoint] = *coin; 179 } 180 181 return coins; 182 } 183 184 CTxDestination ConsumeTxDestination(FuzzedDataProvider& fuzzed_data_provider) noexcept 185 { 186 CTxDestination tx_destination; 187 const size_t call_size{CallOneOf( 188 fuzzed_data_provider, 189 [&] { 190 tx_destination = CNoDestination{}; 191 }, 192 [&] { 193 bool compressed = fuzzed_data_provider.ConsumeBool(); 194 CPubKey pk{ConstructPubKeyBytes( 195 fuzzed_data_provider, 196 ConsumeFixedLengthByteVector(fuzzed_data_provider, (compressed ? CPubKey::COMPRESSED_SIZE : CPubKey::SIZE)), 197 compressed 198 )}; 199 tx_destination = PubKeyDestination{pk}; 200 }, 201 [&] { 202 tx_destination = PKHash{ConsumeUInt160(fuzzed_data_provider)}; 203 }, 204 [&] { 205 tx_destination = ScriptHash{ConsumeUInt160(fuzzed_data_provider)}; 206 }, 207 [&] { 208 tx_destination = WitnessV0ScriptHash{ConsumeUInt256(fuzzed_data_provider)}; 209 }, 210 [&] { 211 tx_destination = WitnessV0KeyHash{ConsumeUInt160(fuzzed_data_provider)}; 212 }, 213 [&] { 214 tx_destination = WitnessV1Taproot{XOnlyPubKey{ConsumeUInt256(fuzzed_data_provider)}}; 215 }, 216 [&] { 217 std::vector<unsigned char> program{ConsumeRandomLengthByteVector(fuzzed_data_provider, /*max_length=*/40)}; 218 if (program.size() < 2) { 219 program = {0, 0}; 220 } 221 tx_destination = WitnessUnknown{fuzzed_data_provider.ConsumeIntegralInRange<unsigned int>(2, 16), program}; 222 })}; 223 Assert(call_size == std::variant_size_v<CTxDestination>); 224 return tx_destination; 225 } 226 227 CKey ConsumePrivateKey(FuzzedDataProvider& fuzzed_data_provider, std::optional<bool> compressed) noexcept 228 { 229 auto key_data = fuzzed_data_provider.ConsumeBytes<uint8_t>(32); 230 key_data.resize(32); 231 CKey key; 232 bool compressed_value = compressed ? *compressed : fuzzed_data_provider.ConsumeBool(); 233 key.Set(key_data.begin(), key_data.end(), compressed_value); 234 return key; 235 } 236 237 bool ContainsSpentInput(const CTransaction& tx, const CCoinsViewCache& inputs) noexcept 238 { 239 for (const CTxIn& tx_in : tx.vin) { 240 const Coin& coin = inputs.AccessCoin(tx_in.prevout); 241 if (coin.IsSpent()) { 242 return true; 243 } 244 } 245 return false; 246 } 247 248 FILE* FuzzedFileProvider::open() 249 { 250 SetFuzzedErrNo(m_fuzzed_data_provider); 251 if (m_fuzzed_data_provider.ConsumeBool()) { 252 return nullptr; 253 } 254 std::string mode; 255 CallOneOf( 256 m_fuzzed_data_provider, 257 [&] { 258 mode = "r"; 259 }, 260 [&] { 261 mode = "r+"; 262 }, 263 [&] { 264 mode = "w"; 265 }, 266 [&] { 267 mode = "w+"; 268 }, 269 [&] { 270 mode = "a"; 271 }, 272 [&] { 273 mode = "a+"; 274 }); 275 #if defined _GNU_SOURCE && (defined(__linux__) || defined(__FreeBSD__)) 276 const cookie_io_functions_t io_hooks = { 277 FuzzedFileProvider::read, 278 FuzzedFileProvider::write, 279 FuzzedFileProvider::seek, 280 FuzzedFileProvider::close, 281 }; 282 return fopencookie(this, mode.c_str(), io_hooks); 283 #else 284 (void)mode; 285 return nullptr; 286 #endif 287 } 288 289 ssize_t FuzzedFileProvider::read(void* cookie, char* buf, size_t size) 290 { 291 FuzzedFileProvider* fuzzed_file = (FuzzedFileProvider*)cookie; 292 SetFuzzedErrNo(fuzzed_file->m_fuzzed_data_provider); 293 if (buf == nullptr || size == 0 || fuzzed_file->m_fuzzed_data_provider.ConsumeBool()) { 294 return fuzzed_file->m_fuzzed_data_provider.ConsumeBool() ? 0 : -1; 295 } 296 const std::vector<uint8_t> random_bytes = fuzzed_file->m_fuzzed_data_provider.ConsumeBytes<uint8_t>(size); 297 if (random_bytes.empty()) { 298 return 0; 299 } 300 std::memcpy(buf, random_bytes.data(), random_bytes.size()); 301 if (AdditionOverflow(fuzzed_file->m_offset, (int64_t)random_bytes.size())) { 302 return fuzzed_file->m_fuzzed_data_provider.ConsumeBool() ? 0 : -1; 303 } 304 fuzzed_file->m_offset += random_bytes.size(); 305 return random_bytes.size(); 306 } 307 308 ssize_t FuzzedFileProvider::write(void* cookie, const char* buf, size_t size) 309 { 310 FuzzedFileProvider* fuzzed_file = (FuzzedFileProvider*)cookie; 311 SetFuzzedErrNo(fuzzed_file->m_fuzzed_data_provider); 312 const ssize_t n = fuzzed_file->m_fuzzed_data_provider.ConsumeIntegralInRange<ssize_t>(0, size); 313 if (AdditionOverflow(fuzzed_file->m_offset, (int64_t)n)) { 314 return 0; 315 } 316 fuzzed_file->m_offset += n; 317 return n; 318 } 319 320 int FuzzedFileProvider::seek(void* cookie, int64_t* offset, int whence) 321 { 322 assert(whence == SEEK_SET || whence == SEEK_CUR || whence == SEEK_END); 323 FuzzedFileProvider* fuzzed_file = (FuzzedFileProvider*)cookie; 324 SetFuzzedErrNo(fuzzed_file->m_fuzzed_data_provider); 325 int64_t new_offset = 0; 326 if (whence == SEEK_SET) { 327 new_offset = *offset; 328 } else if (whence == SEEK_CUR) { 329 if (AdditionOverflow(fuzzed_file->m_offset, *offset)) { 330 return -1; 331 } 332 new_offset = fuzzed_file->m_offset + *offset; 333 } else if (whence == SEEK_END) { 334 const int64_t n = fuzzed_file->m_fuzzed_data_provider.ConsumeIntegralInRange<int64_t>(0, 4096); 335 if (AdditionOverflow(n, *offset)) { 336 return -1; 337 } 338 new_offset = n + *offset; 339 } 340 if (new_offset < 0) { 341 return -1; 342 } 343 fuzzed_file->m_offset = new_offset; 344 *offset = new_offset; 345 return fuzzed_file->m_fuzzed_data_provider.ConsumeIntegralInRange<int>(-1, 0); 346 } 347 348 int FuzzedFileProvider::close(void* cookie) 349 { 350 FuzzedFileProvider* fuzzed_file = (FuzzedFileProvider*)cookie; 351 SetFuzzedErrNo(fuzzed_file->m_fuzzed_data_provider); 352 return fuzzed_file->m_fuzzed_data_provider.ConsumeIntegralInRange<int>(-1, 0); 353 }