From 98796576d2a1cf8269814044d11a06abfd4a62db Mon Sep 17 00:00:00 2001
From: Matt Corallo
Date: Mon, 20 May 2019 20:16:18 -0400
Subject: [PATCH 1/4] Fix trivial DoS when deserializing messages from the network
---
 src/consensus/encode.rs | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/consensus/encode.rs b/src/consensus/encode.rs
index 90e4d2f1..7620137a 100644
--- a/src/consensus/encode.rs
+++ b/src/consensus/encode.rs
@@ -659,6 +659,12 @@ impl Decodable for CheckedData {
 #[inline]
 fn consensus_decode(d: &mut D) -> Result {
 let len: u32 = Decodable::consensus_decode(d)?;
+ if len > MAX_VEC_SIZE as u32 {
+ return Err(self::Error::OversizedVectorAllocation {
+ requested: len as usize,
+ max: MAX_VEC_SIZE
+ });
+ }
 let checksum: [u8; 4] = Decodable::consensus_decode(d)?;
 let mut ret = Vec::with_capacity(len as usize);
 ret.resize(len as usize, 0);
From 836fdce475a66fd097e7a50d326d18e73a5da132 Mon Sep 17 00:00:00 2001
From: Carl Dong
Date: Tue, 21 May 2019 11:36:50 -0400
Subject: [PATCH 2/4] fuzz: Add fuzzer for RawNetworkMessage.
---
 fuzz/Cargo.toml | 4 ++
 .../deserialize_raw_network_message.rs | 52 +++++++++++++++++++
 2 files changed, 56 insertions(+)
 create mode 100644 fuzz/fuzz_targets/deserialize_raw_network_message.rs
diff --git a/fuzz/Cargo.toml b/fuzz/Cargo.toml
index 4322c0e2..a6e60386 100644
--- a/fuzz/Cargo.toml
+++ b/fuzz/Cargo.toml
@@ -51,3 +51,7 @@ path = "fuzz_targets/outpoint_string.rs"
 [[bin]]
 name = "deserialize_psbt"
 path = "fuzz_targets/deserialize_psbt.rs"
+
+[[bin]]
+name = "deserialize_raw_network_message"
+path = "fuzz_targets/deserialize_raw_network_message.rs"
\ No newline at end of file
diff --git a/fuzz/fuzz_targets/deserialize_raw_network_message.rs b/fuzz/fuzz_targets/deserialize_raw_network_message.rs
new file mode 100644
index 00000000..e2c1a0a7
--- /dev/null
+++ b/fuzz/fuzz_targets/deserialize_raw_network_message.rs
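Review bot: The new guard compares `len` against `MAX_VEC_SIZE as u32`, a narrowing cast of the limit rather than a widening cast of the input; the `max: MAX_VEC_SIZE` field a few lines below suggests the constant is a `usize`, so if it were ever raised above `u32::MAX` the cast would silently truncate and the check would become either far too strict or ineffective. Comparing in the wider type, `if len as usize > MAX_VEC_SIZE {`, keeps the guard correct for any value of the constant and is consistent with the `requested: len as usize` already written in the error. A why-comment on the guard would also help the next reader, e.g. `// Bound the attacker-supplied length before with_capacity/resize allocate from it.` The body of `consensus_decode` continues past the end of this hunk.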
@@ -0,0 +1,52 @@
+extern crate bitcoin;
+
+fn do_test(data: &[u8]) {
+ let _: Result = bitcoin::consensus::encode::deserialize(data);
+}
+
+#[cfg(feature = "afl")]
+#[macro_use] extern crate afl;
+#[cfg(feature = "afl")]
+fn main() {
+ fuzz!(|data| {
+ do_test(&data);
+ });
+}
+
+#[cfg(feature = "honggfuzz")]
+#[macro_use] extern crate honggfuzz;
+#[cfg(feature = "honggfuzz")]
+fn main() {
+ loop {
+ fuzz!(|data| {
+ do_test(data);
+ });
+ }
+}
+
+#[cfg(test)]
+mod tests {
+ fn extend_vec_from_hex(hex: &str, out: &mut Vec) {
+ let mut b = 0;
+ for (idx, c) in hex.as_bytes().iter().enumerate() {
+ b <<= 4;
+ match *c {
+ b'A'...b'F' => b |= c - b'A' + 10,
+ b'a'...b'f' => b |= c - b'a' + 10,
+ b'0'...b'9' => b |= c - b'0',
+ _ => panic!("Bad hex"),
+ }
+ if (idx & 1) == 1 {
+ out.push(b);
+ b = 0;
+ }
+ }
+ }
+
+ #[test]
+ fn duplicate_crash() {
+ let mut a = Vec::new();
+ extend_vec_from_hex("00", &mut a);
+ super::do_test(&a);
+ }
+}
From 1b2dc9d6b043faf39eb5d8ef25b023473e324e8c Mon Sep 17 00:00:00 2001
From: Matt Corallo
Date: Wed, 29 May 2019 16:27:34 -0400
Subject: [PATCH 3/4] Rename deserialize_raw_network_message to make my afl scripts happy
---
 fuzz/Cargo.toml | 4 ++--
 .../{deserialize_raw_network_message.rs => deser_net_msg.rs} | 0
 2 files changed, 2 insertions(+), 2 deletions(-)
 rename fuzz/fuzz_targets/{deserialize_raw_network_message.rs => deser_net_msg.rs} (100%)
diff --git a/fuzz/Cargo.toml b/fuzz/Cargo.toml
index a6e60386..7b29827c 100644
--- a/fuzz/Cargo.toml
+++ b/fuzz/Cargo.toml
@@ -53,5 +53,5 @@ name = "deserialize_psbt"
 path = "fuzz_targets/deserialize_psbt.rs"
 
 [[bin]]
-name = "deserialize_raw_network_message"
-path = "fuzz_targets/deserialize_raw_network_message.rs"
\ No newline at end of file
+name = "deser_net_msg"
+path = "fuzz_targets/deser_net_msg.rs"
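Review bot: `do_test` discards the decode result, so this target can only surface panics, aborts and hangs in the decoder; an input that decodes successfully but would re-encode to different bytes is invisible to it. Where the encoding is canonical for this message type (not visible from this hunk), re-serializing an `Ok` value with `bitcoin::consensus::encode::serialize` and asserting it equals `data` turns the harness into a round-trip check at no extra cost. The `b'A'...b'F'` arms use the `...` range-pattern spelling that newer toolchains warn about; `..=` is the replacement once the crate's minimum toolchain allows it. A one-line comment on `do_test`, `// Fuzz entry point: any panic while decoding an untrusted RawNetworkMessage is a finding.`, would tell whoever triages a crash what the target is meant to prove.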
diff --git a/fuzz/fuzz_targets/deserialize_raw_network_message.rs b/fuzz/fuzz_targets/deser_net_msg.rs
similarity index 100%
rename from fuzz/fuzz_targets/deserialize_raw_network_message.rs
rename to fuzz/fuzz_targets/deser_net_msg.rs
From 0904935f19439777c560470a8dac4cfda3264bc8 Mon Sep 17 00:00:00 2001
From: Matt Corallo
Date: Fri, 7 Jun 2019 07:07:50 -0400
Subject: [PATCH 4/4] Switch Travis fuzzing to 30 seconds per target from an iter count.
---
 fuzz/travis-fuzz.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fuzz/travis-fuzz.sh b/fuzz/travis-fuzz.sh
index 3af8d1aa..731e52f4 100755
--- a/fuzz/travis-fuzz.sh
+++ b/fuzz/travis-fuzz.sh
@@ -7,7 +7,7 @@ for TARGET in fuzz_targets/*; do
 if [ -d hfuzz_input/$FILE ]; then
 HFUZZ_INPUT_ARGS="-f hfuzz_input/$FILE/input"
 fi
-HFUZZ_BUILD_ARGS="--features honggfuzz_fuzz" HFUZZ_RUN_ARGS="-N200000 --exit_upon_crash -v $HFUZZ_INPUT_ARGS" cargo hfuzz run $FILE
+HFUZZ_BUILD_ARGS="--features honggfuzz_fuzz" HFUZZ_RUN_ARGS="--run_time 30 --exit_upon_crash -v $HFUZZ_INPUT_ARGS" cargo hfuzz run $FILE
 if [ -f hfuzz_workspace/$FILE/HONGGFUZZ.REPORT.TXT ]; then
 cat hfuzz_workspace/$FILE/HONGGFUZZ.REPORT.TXT
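Review bot: The switch to `--run_time 30` makes each target's coverage depend on builder speed rather than on a fixed iteration count, so a slow CI worker may exercise far fewer inputs than the previous `-N200000` did, and a crash found under one budget need not reproduce under the other; that trade-off belongs in a comment above the line, e.g. `# 30 s wall-clock per target bounds total CI time; iterations now vary with builder speed`. `$HFUZZ_INPUT_ARGS` is deliberately left unquoted so that `-f` and its path split into two arguments; a second comment saying so would stop a later quoting clean-up from silently dropping the seed corpus. The enclosing `for` loop begins before this hunk and its report-handling branch continues after it.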