util.cpp
1 // Copyright (c) 2021-present The Bitcoin Core developers 2 // Distributed under the MIT software license, see the accompanying 3 // file COPYING or http://www.opensource.org/licenses/mit-license.php. 4 5 #include <consensus/amount.h> 6 #include <pubkey.h> 7 #include <test/fuzz/util.h> 8 #include <test/util/script.h> 9 #include <util/check.h> 10 #include <util/overflow.h> 11 #include <util/rbf.h> 12 #include <util/time.h> 13 14 #include <memory> 15 16 std::vector<uint8_t> ConstructPubKeyBytes(FuzzedDataProvider& fuzzed_data_provider, std::span<const uint8_t> byte_data, const bool compressed) noexcept 17 { 18 uint8_t pk_type; 19 if (compressed) { 20 pk_type = fuzzed_data_provider.PickValueInArray({0x02, 0x03}); 21 } else { 22 pk_type = fuzzed_data_provider.PickValueInArray({0x04, 0x06, 0x07}); 23 } 24 std::vector<uint8_t> pk_data{byte_data.begin(), byte_data.begin() + (compressed ? CPubKey::COMPRESSED_SIZE : CPubKey::SIZE)}; 25 pk_data[0] = pk_type; 26 return pk_data; 27 } 28 29 CAmount ConsumeMoney(FuzzedDataProvider& fuzzed_data_provider, const std::optional<CAmount>& max) noexcept 30 { 31 return fuzzed_data_provider.ConsumeIntegralInRange<CAmount>(0, max.value_or(MAX_MONEY)); 32 } 33 34 NodeSeconds ConsumeTime(FuzzedDataProvider& fuzzed_data_provider, const std::optional<int64_t>& min, const std::optional<int64_t>& max) noexcept 35 { 36 // Avoid t=0 (1970-01-01T00:00:00Z) since SetMockTime(0) disables mocktime. 37 static const int64_t time_min{ParseISO8601DateTime("2000-01-01T00:00:01Z").value()}; 38 static const int64_t time_max{ParseISO8601DateTime("2100-12-31T23:59:59Z").value()}; 39 return NodeSeconds{ConsumeDuration(fuzzed_data_provider, min.value_or(time_min) * 1s, max.value_or(time_max) * 1s)}; 40 } 41 42 std::chrono::seconds ConsumeDuration(FuzzedDataProvider& fuzzed_data_provider, std::chrono::seconds min, std::chrono::seconds max) noexcept 43 { 44 return 1s * fuzzed_data_provider.ConsumeIntegralInRange<int64_t>(min.count(), max.count()); 45 } 46 47 CMutableTransaction ConsumeTransaction(FuzzedDataProvider& fuzzed_data_provider, const std::optional<std::vector<Txid>>& prevout_txids, const int max_num_in, const int max_num_out) noexcept 48 { 49 CMutableTransaction tx_mut; 50 const auto p2wsh_op_true = fuzzed_data_provider.ConsumeBool(); 51 tx_mut.version = fuzzed_data_provider.ConsumeBool() ? 52 CTransaction::CURRENT_VERSION : 53 fuzzed_data_provider.ConsumeIntegral<uint32_t>(); 54 tx_mut.nLockTime = fuzzed_data_provider.ConsumeIntegral<uint32_t>(); 55 const auto num_in = fuzzed_data_provider.ConsumeIntegralInRange<int>(0, max_num_in); 56 const auto num_out = fuzzed_data_provider.ConsumeIntegralInRange<int>(0, max_num_out); 57 for (int i = 0; i < num_in; ++i) { 58 const auto& txid_prev = prevout_txids ? 59 PickValue(fuzzed_data_provider, *prevout_txids) : 60 Txid::FromUint256(ConsumeUInt256(fuzzed_data_provider)); 61 const auto index_out = fuzzed_data_provider.ConsumeIntegralInRange<uint32_t>(0, max_num_out); 62 const auto sequence = ConsumeSequence(fuzzed_data_provider); 63 const auto script_sig = p2wsh_op_true ? CScript{} : ConsumeScript(fuzzed_data_provider); 64 CScriptWitness script_wit; 65 if (p2wsh_op_true) { 66 script_wit.stack = std::vector<std::vector<uint8_t>>{WITNESS_STACK_ELEM_OP_TRUE}; 67 } else { 68 script_wit = ConsumeScriptWitness(fuzzed_data_provider); 69 } 70 CTxIn in; 71 in.prevout = COutPoint{txid_prev, index_out}; 72 in.nSequence = sequence; 73 in.scriptSig = script_sig; 74 in.scriptWitness = script_wit; 75 76 tx_mut.vin.push_back(in); 77 } 78 for (int i = 0; i < num_out; ++i) { 79 const auto amount = fuzzed_data_provider.ConsumeIntegralInRange<CAmount>(-10, 50 * COIN + 10); 80 const auto script_pk = p2wsh_op_true ? 81 P2WSH_OP_TRUE : 82 ConsumeScript(fuzzed_data_provider, /*maybe_p2wsh=*/true); 83 tx_mut.vout.emplace_back(amount, script_pk); 84 } 85 return tx_mut; 86 } 87 88 CScriptWitness ConsumeScriptWitness(FuzzedDataProvider& fuzzed_data_provider, const size_t max_stack_elem_size) noexcept 89 { 90 CScriptWitness ret; 91 const auto n_elements = fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, max_stack_elem_size); 92 for (size_t i = 0; i < n_elements; ++i) { 93 ret.stack.push_back(ConsumeRandomLengthByteVector(fuzzed_data_provider)); 94 } 95 return ret; 96 } 97 98 CScript ConsumeScript(FuzzedDataProvider& fuzzed_data_provider, const bool maybe_p2wsh) noexcept 99 { 100 CScript r_script{}; 101 { 102 // Keep a buffer of bytes to allow the fuzz engine to produce smaller 103 // inputs to generate CScripts with repeated data. 104 static constexpr unsigned MAX_BUFFER_SZ{128}; 105 std::vector<uint8_t> buffer(MAX_BUFFER_SZ, uint8_t{'a'}); 106 while (fuzzed_data_provider.ConsumeBool()) { 107 CallOneOf( 108 fuzzed_data_provider, 109 [&] { 110 // Insert byte vector directly to allow malformed or unparsable scripts 111 r_script.insert(r_script.end(), buffer.begin(), buffer.begin() + fuzzed_data_provider.ConsumeIntegralInRange(0U, MAX_BUFFER_SZ)); 112 }, 113 [&] { 114 // Push a byte vector from the buffer 115 r_script << std::vector<uint8_t>{buffer.begin(), buffer.begin() + fuzzed_data_provider.ConsumeIntegralInRange(0U, MAX_BUFFER_SZ)}; 116 }, 117 [&] { 118 // Push multisig 119 // There is a special case for this to aid the fuzz engine 120 // navigate the highly structured multisig format. 121 r_script << fuzzed_data_provider.ConsumeIntegralInRange<int64_t>(0, 22); 122 int num_data{fuzzed_data_provider.ConsumeIntegralInRange(1, 22)}; 123 while (num_data--) { 124 auto pubkey_bytes{ConstructPubKeyBytes(fuzzed_data_provider, buffer, fuzzed_data_provider.ConsumeBool())}; 125 if (fuzzed_data_provider.ConsumeBool()) { 126 pubkey_bytes.back() = num_data; // Make each pubkey different 127 } 128 r_script << pubkey_bytes; 129 } 130 r_script << fuzzed_data_provider.ConsumeIntegralInRange<int64_t>(0, 22); 131 }, 132 [&] { 133 // Mutate the buffer 134 const auto vec{ConsumeRandomLengthByteVector(fuzzed_data_provider, /*max_length=*/MAX_BUFFER_SZ)}; 135 std::copy(vec.begin(), vec.end(), buffer.begin()); 136 }, 137 [&] { 138 // Push an integral 139 r_script << fuzzed_data_provider.ConsumeIntegral<int64_t>(); 140 }, 141 [&] { 142 // Push an opcode 143 r_script << ConsumeOpcodeType(fuzzed_data_provider); 144 }, 145 [&] { 146 // Push a scriptnum 147 r_script << ConsumeScriptNum(fuzzed_data_provider); 148 }); 149 } 150 } 151 if (maybe_p2wsh && fuzzed_data_provider.ConsumeBool()) { 152 uint256 script_hash; 153 CSHA256().Write(r_script.data(), r_script.size()).Finalize(script_hash.begin()); 154 r_script.clear(); 155 r_script << OP_0 << ToByteVector(script_hash); 156 } 157 return r_script; 158 } 159 160 uint32_t ConsumeSequence(FuzzedDataProvider& fuzzed_data_provider) noexcept 161 { 162 return fuzzed_data_provider.ConsumeBool() ? 163 fuzzed_data_provider.PickValueInArray({ 164 CTxIn::SEQUENCE_FINAL, 165 CTxIn::MAX_SEQUENCE_NONFINAL, 166 MAX_BIP125_RBF_SEQUENCE, 167 }) : 168 fuzzed_data_provider.ConsumeIntegral<uint32_t>(); 169 } 170 171 std::map<COutPoint, Coin> ConsumeCoins(FuzzedDataProvider& fuzzed_data_provider) noexcept 172 { 173 std::map<COutPoint, Coin> coins; 174 LIMITED_WHILE(fuzzed_data_provider.ConsumeBool(), 10000) { 175 const std::optional<COutPoint> outpoint{ConsumeDeserializable<COutPoint>(fuzzed_data_provider)}; 176 if (!outpoint) { 177 break; 178 } 179 const std::optional<Coin> coin{ConsumeDeserializable<Coin>(fuzzed_data_provider)}; 180 if (!coin) { 181 break; 182 } 183 coins[*outpoint] = *coin; 184 } 185 186 return coins; 187 } 188 189 CTxDestination ConsumeTxDestination(FuzzedDataProvider& fuzzed_data_provider) noexcept 190 { 191 CTxDestination tx_destination; 192 const size_t call_size{CallOneOf( 193 fuzzed_data_provider, 194 [&] { 195 tx_destination = CNoDestination{}; 196 }, 197 [&] { 198 bool compressed = fuzzed_data_provider.ConsumeBool(); 199 CPubKey pk{ConstructPubKeyBytes( 200 fuzzed_data_provider, 201 ConsumeFixedLengthByteVector(fuzzed_data_provider, (compressed ? CPubKey::COMPRESSED_SIZE : CPubKey::SIZE)), 202 compressed 203 )}; 204 tx_destination = PubKeyDestination{pk}; 205 }, 206 [&] { 207 tx_destination = PKHash{ConsumeUInt160(fuzzed_data_provider)}; 208 }, 209 [&] { 210 tx_destination = ScriptHash{ConsumeUInt160(fuzzed_data_provider)}; 211 }, 212 [&] { 213 tx_destination = WitnessV0ScriptHash{ConsumeUInt256(fuzzed_data_provider)}; 214 }, 215 [&] { 216 tx_destination = WitnessV0KeyHash{ConsumeUInt160(fuzzed_data_provider)}; 217 }, 218 [&] { 219 tx_destination = WitnessV1Taproot{XOnlyPubKey{ConsumeUInt256(fuzzed_data_provider)}}; 220 }, 221 [&] { 222 tx_destination = PayToAnchor{}; 223 }, 224 [&] { 225 std::vector<unsigned char> program{ConsumeRandomLengthByteVector(fuzzed_data_provider, /*max_length=*/40)}; 226 if (program.size() < 2) { 227 program = {0, 0}; 228 } 229 tx_destination = WitnessUnknown{fuzzed_data_provider.ConsumeIntegralInRange<unsigned int>(2, 16), program}; 230 })}; 231 Assert(call_size == std::variant_size_v<CTxDestination>); 232 return tx_destination; 233 } 234 235 CKey ConsumePrivateKey(FuzzedDataProvider& fuzzed_data_provider, std::optional<bool> compressed) noexcept 236 { 237 auto key_data = fuzzed_data_provider.ConsumeBytes<uint8_t>(32); 238 key_data.resize(32); 239 CKey key; 240 bool compressed_value = compressed ? *compressed : fuzzed_data_provider.ConsumeBool(); 241 key.Set(key_data.begin(), key_data.end(), compressed_value); 242 return key; 243 } 244 245 bool ContainsSpentInput(const CTransaction& tx, const CCoinsViewCache& inputs) noexcept 246 { 247 for (const CTxIn& tx_in : tx.vin) { 248 const Coin& coin = inputs.AccessCoin(tx_in.prevout); 249 if (coin.IsSpent()) { 250 return true; 251 } 252 } 253 return false; 254 } 255 256 FILE* FuzzedFileProvider::open() 257 { 258 SetFuzzedErrNo(m_fuzzed_data_provider); 259 if (m_fuzzed_data_provider.ConsumeBool()) { 260 return nullptr; 261 } 262 std::string mode; 263 CallOneOf( 264 m_fuzzed_data_provider, 265 [&] { 266 mode = "r"; 267 }, 268 [&] { 269 mode = "r+"; 270 }, 271 [&] { 272 mode = "w"; 273 }, 274 [&] { 275 mode = "w+"; 276 }, 277 [&] { 278 mode = "a"; 279 }, 280 [&] { 281 mode = "a+"; 282 }); 283 #if defined _GNU_SOURCE && (defined(__linux__) || defined(__FreeBSD__)) 284 const cookie_io_functions_t io_hooks = { 285 FuzzedFileProvider::read, 286 FuzzedFileProvider::write, 287 FuzzedFileProvider::seek, 288 FuzzedFileProvider::close, 289 }; 290 return fopencookie(this, mode.c_str(), io_hooks); 291 #else 292 (void)mode; 293 return nullptr; 294 #endif 295 } 296 297 ssize_t FuzzedFileProvider::read(void* cookie, char* buf, size_t size) 298 { 299 FuzzedFileProvider* fuzzed_file = (FuzzedFileProvider*)cookie; 300 SetFuzzedErrNo(fuzzed_file->m_fuzzed_data_provider); 301 if (buf == nullptr || size == 0 || fuzzed_file->m_fuzzed_data_provider.ConsumeBool()) { 302 return fuzzed_file->m_fuzzed_data_provider.ConsumeBool() ? 0 : -1; 303 } 304 const std::vector<uint8_t> random_bytes = fuzzed_file->m_fuzzed_data_provider.ConsumeBytes<uint8_t>(size); 305 if (random_bytes.empty()) { 306 return 0; 307 } 308 std::memcpy(buf, random_bytes.data(), random_bytes.size()); 309 if (AdditionOverflow(fuzzed_file->m_offset, (int64_t)random_bytes.size())) { 310 return fuzzed_file->m_fuzzed_data_provider.ConsumeBool() ? 0 : -1; 311 } 312 fuzzed_file->m_offset += random_bytes.size(); 313 return random_bytes.size(); 314 } 315 316 ssize_t FuzzedFileProvider::write(void* cookie, const char* buf, size_t size) 317 { 318 FuzzedFileProvider* fuzzed_file = (FuzzedFileProvider*)cookie; 319 SetFuzzedErrNo(fuzzed_file->m_fuzzed_data_provider); 320 const ssize_t n = fuzzed_file->m_fuzzed_data_provider.ConsumeIntegralInRange<ssize_t>(0, size); 321 if (AdditionOverflow(fuzzed_file->m_offset, (int64_t)n)) { 322 return 0; 323 } 324 fuzzed_file->m_offset += n; 325 return n; 326 } 327 328 int FuzzedFileProvider::seek(void* cookie, int64_t* offset, int whence) 329 { 330 assert(whence == SEEK_SET || whence == SEEK_CUR || whence == SEEK_END); 331 FuzzedFileProvider* fuzzed_file = (FuzzedFileProvider*)cookie; 332 SetFuzzedErrNo(fuzzed_file->m_fuzzed_data_provider); 333 int64_t new_offset = 0; 334 if (whence == SEEK_SET) { 335 new_offset = *offset; 336 } else if (whence == SEEK_CUR) { 337 if (AdditionOverflow(fuzzed_file->m_offset, *offset)) { 338 return -1; 339 } 340 new_offset = fuzzed_file->m_offset + *offset; 341 } else if (whence == SEEK_END) { 342 const int64_t n = fuzzed_file->m_fuzzed_data_provider.ConsumeIntegralInRange<int64_t>(0, 4096); 343 if (AdditionOverflow(n, *offset)) { 344 return -1; 345 } 346 new_offset = n + *offset; 347 } 348 if (new_offset < 0) { 349 return -1; 350 } 351 fuzzed_file->m_offset = new_offset; 352 *offset = new_offset; 353 return fuzzed_file->m_fuzzed_data_provider.ConsumeIntegralInRange<int>(-1, 0); 354 } 355 356 int FuzzedFileProvider::close(void* cookie) 357 { 358 FuzzedFileProvider* fuzzed_file = (FuzzedFileProvider*)cookie; 359 SetFuzzedErrNo(fuzzed_file->m_fuzzed_data_provider); 360 return fuzzed_file->m_fuzzed_data_provider.ConsumeIntegralInRange<int>(-1, 0); 361 }