Merge pull request #949 from LedgerHQ/bbo/new_fuzzers

Add fuzzing harnesses

Author: bboilot-ledger

src/features/generic_tx_parser/gtp_field.c

@@ -124,6 +124,10 @@ static bool handle_param_constraint(const s_tlv_data *data, s_field_ctx *context
         PRINTF("Error: CONSTRAINT present but VISIBLE is not MUST_BE or IF_NOT_IN!\n");
         return false;
     }
+    if (data->length == 0 || data->value == NULL) {
+        PRINTF("Error: Empty constraint value!\n");
+        return false;
+    }
     // Allocate new constraint node
     s_field_constraint *node = NULL;
     if (mem_buffer_allocate((void **) &node, sizeof(s_field_constraint)) == false) {

src/plugins/erc1155/erc1155_ui.c

@@ -134,6 +134,11 @@ static void set_batch_transfer_ui(ethQueryContractUI_t *msg, erc1155_context_t *
 void handle_query_contract_ui_1155(ethQueryContractUI_t *msg) {
     erc1155_context_t *context = (erc1155_context_t *) msg->pluginContext;
 
+    if (msg->item1 == NULL) {
+        msg->result = ETH_PLUGIN_RESULT_ERROR;
+        return;
+    }
+
     msg->result = ETH_PLUGIN_RESULT_OK;
     switch (context->selectorIndex) {
         case SET_APPROVAL_FOR_ALL:

src/plugins/eth2/eth2_plugin.c

@@ -103,10 +103,7 @@ void eth2_plugin_call(eth_plugin_msg_t message, void *parameters) {
 
                 case 4 + (32 * 5):  // deposit pubkey 1
                 {
-                    // Copy the first 32 bytes.
-                    memcpy(context->deposit_address,
-                           msg->parameter,
-                           sizeof(context->deposit_address));
+                    memcpy(context->deposit_address, msg->parameter, PARAMETER_LENGTH);
                     msg->result = ETH_PLUGIN_RESULT_OK;
                     break;
                 }
@@ -141,7 +138,7 @@ void eth2_plugin_call(eth_plugin_msg_t message, void *parameters) {
 
                 case 4 + (32 * 8):  // withdrawal credentials
                 {
-                    uint8_t tmp[48];
+                    uint8_t tmp[48] = {0};
                     uint32_t withdrawalKeyPath[4];
                     withdrawalKeyPath[0] = WITHDRAWAL_KEY_PATH_1;
                     withdrawalKeyPath[1] = WITHDRAWAL_KEY_PATH_2;

tests/fuzzing/harness/fuzz_eip7702.c

@@ -1,4 +1,6 @@
+#include <setjmp.h>
 #include "fuzz_utils.h"
+#include "mocks.h"
 
 int fuzzEIP7702(const uint8_t *data, size_t size) {
     size_t offset = 0;
@@ -17,11 +19,10 @@ int fuzzEIP7702(const uint8_t *data, size_t size) {
     return 0;
 }
 
-/* Main fuzzing handler called by libfuzzer */
 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
     init_fuzzing_environment();
+    if (sigsetjmp(fuzz_exit_jump_ctx.jmp_buf, 1)) return 0;
 
-    // Run the harness
     fuzzEIP7702(data, size);
 
     return 0;

tests/fuzzing/harness/fuzz_gating.c

@@ -0,0 +1,30 @@
+#include "fuzz_utils.h"
+#include "cmd_get_gating.h"
+
+int fuzzGating(const uint8_t *data, size_t size) {
+    size_t offset = 0;
+    size_t len = 0;
+    uint8_t p1;
+    uint8_t p2;
+
+    while (size - offset > 4) {
+        if (data[offset++] == 0) break;
+        p1 = data[offset++];
+        p2 = data[offset++];
+        len = data[offset++];
+        if (size - offset < len) return 0;
+        if (handle_gating(p1, p2, data + offset, len) != SWO_SUCCESS) return 0;
+        offset += len;
+    }
+    set_gating_warning();
+    return 0;
+}
+
+/* Main fuzzing handler called by libfuzzer */
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+    init_fuzzing_environment();
+
+    fuzzGating(data, size);
+
+    return 0;
+}

tests/fuzzing/harness/fuzz_plugin_eip7002.c

@@ -0,0 +1,157 @@
+/**
+ * Fuzzing harness for the EIP-7002 internal plugin (withdrawal requests)
+ */
+
+#include "fuzz_utils.h"
+#include "eip7002_plugin.h"
+
+// Buffer sizes for UI queries
+#define NAME_LENGTH    32
+#define VERSION_LENGTH 32
+#define TITLE_LENGTH   32
+#define MSG_LENGTH     79
+
+static int fuzz_eip7002_plugin(const uint8_t *data, size_t size) {
+    ethPluginInitContract_t init_contract = {0};
+    ethPluginProvideParameter_t provide_param = {0};
+    ethPluginFinalize_t finalize = {0};
+    ethPluginProvideInfo_t provide_info = {0};
+    ethQueryContractID_t query_id = {0};
+    ethQueryContractUI_t query_ui = {0};
+    txContent_t content = {0};
+
+    uint8_t plugin_context[PLUGIN_CONTEXT_SIZE] = {0};
+
+    const uint8_t address[ADDRESS_LENGTH] = {0};
+
+    char name[NAME_LENGTH] = {0};
+    char version[VERSION_LENGTH] = {0};
+    char title[TITLE_LENGTH] = {0};
+    char msg[MSG_LENGTH] = {0};
+
+    extraInfo_t item1 = {0};
+    extraInfo_t item2 = {0};
+
+    // Need at least selector (4 bytes)
+    if (size < SELECTOR_SIZE) {
+        return 0;
+    }
+
+    // Initialize content from fuzzed data if available
+    if (size >= SELECTOR_SIZE + sizeof(txContent_t)) {
+        memcpy(&content, data + SELECTOR_SIZE, sizeof(txContent_t));
+    }
+
+    // Setup init contract
+    init_contract.interfaceVersion = ETH_PLUGIN_INTERFACE_VERSION_LATEST;
+    init_contract.selector = data;
+    init_contract.txContent = &content;
+    init_contract.pluginContext = plugin_context;
+    init_contract.pluginContextLength = sizeof(plugin_context);
+    init_contract.dataSize = size;
+
+    eip7002_plugin_call(ETH_PLUGIN_INIT_CONTRACT, &init_contract);
+    if (init_contract.result != ETH_PLUGIN_RESULT_OK) {
+        return 0;
+    }
+
+    // Provide parameters
+    size_t offset = SELECTOR_SIZE;
+    if (size >= SELECTOR_SIZE + sizeof(txContent_t)) {
+        offset += sizeof(txContent_t);
+    }
+
+    while (size - offset >= PARAMETER_LENGTH) {
+        provide_param.parameter = data + offset;
+        provide_param.parameterOffset = offset;
+        provide_param.parameter_size = PARAMETER_LENGTH;
+        provide_param.pluginContext = plugin_context;
+        provide_param.txContent = &content;
+
+        eip7002_plugin_call(ETH_PLUGIN_PROVIDE_PARAMETER, &provide_param);
+        if (provide_param.result != ETH_PLUGIN_RESULT_OK) {
+            return 0;
+        }
+        offset += PARAMETER_LENGTH;
+    }
+
+    // Handle remaining bytes if any (last parameter may be smaller)
+    if (size - offset > 0) {
+        provide_param.parameter = data + offset;
+        provide_param.parameterOffset = offset;
+        provide_param.parameter_size = size - offset;
+        provide_param.pluginContext = plugin_context;
+        provide_param.txContent = &content;
+
+        eip7002_plugin_call(ETH_PLUGIN_PROVIDE_PARAMETER, &provide_param);
+        if (provide_param.result != ETH_PLUGIN_RESULT_OK) {
+            return 0;
+        }
+    }
+
+    // Finalize
+    finalize.pluginContext = plugin_context;
+    finalize.address = address;
+    finalize.txContent = &content;
+
+    eip7002_plugin_call(ETH_PLUGIN_FINALIZE, &finalize);
+    if (finalize.result != ETH_PLUGIN_RESULT_OK) {
+        return 0;
+    }
+
+    // Provide token info if requested
+    if (finalize.tokenLookup1 || finalize.tokenLookup2) {
+        provide_info.pluginContext = plugin_context;
+        provide_info.txContent = &content;
+        if (finalize.tokenLookup1) {
+            provide_info.item1 = &item1;
+        }
+        if (finalize.tokenLookup2) {
+            provide_info.item2 = &item2;
+        }
+
+        eip7002_plugin_call(ETH_PLUGIN_PROVIDE_INFO, &provide_info);
+        if (provide_info.result != ETH_PLUGIN_RESULT_OK &&
+            provide_info.result != ETH_PLUGIN_RESULT_FALLBACK) {
+            return 0;
+        }
+    }
+
+    // Query contract ID
+    query_id.pluginContext = plugin_context;
+    query_id.txContent = &content;
+    query_id.name = name;
+    query_id.nameLength = sizeof(name);
+    query_id.version = version;
+    query_id.versionLength = sizeof(version);
+
+    eip7002_plugin_call(ETH_PLUGIN_QUERY_CONTRACT_ID, &query_id);
+    if (query_id.result != ETH_PLUGIN_RESULT_OK) {
+        return 0;
+    }
+
+    // Query contract UI for each screen
+    uint8_t total_screens = finalize.numScreens + provide_info.additionalScreens;
+    for (uint8_t i = 0; i < total_screens; i++) {
+        query_ui.pluginContext = plugin_context;
+        query_ui.txContent = &content;
+        query_ui.title = title;
+        query_ui.titleLength = sizeof(title);
+        query_ui.msg = msg;
+        query_ui.msgLength = sizeof(msg);
+        query_ui.screenIndex = i;
+
+        eip7002_plugin_call(ETH_PLUGIN_QUERY_CONTRACT_UI, &query_ui);
+        if (query_ui.result != ETH_PLUGIN_RESULT_OK) {
+            return 0;
+        }
+    }
+
+    return 0;
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+    init_fuzzing_environment();
+    fuzz_eip7002_plugin(data, size);
+    return 0;
+}