AI added fuzzing

cedelavergne-ledger · cedelavergne-ledger · commit 15ef29490ea8 · 2025-12-30T16:35:36.000+01:00
diff --git a/fuzzing/CMakeLists.txt b/fuzzing/CMakeLists.txt
@@ -118,6 +118,7 @@ if(NOT ${CMAKE_SOURCE_DIR} STREQUAL ${CMAKE_CURRENT_SOURCE_DIR})
     secure_sdk
     INTERFACE macros
               alloc
+              c_list
               cxng
               io
               nbgl
diff --git a/fuzzing/README.md b/fuzzing/README.md
@@ -3,6 +3,7 @@
 ## Manual usage based on Ledger container
 
 ### About Fuzzing Framework
+
 The code is divided into the following folders:
 
 ```bash
@@ -49,23 +50,22 @@ export BOLOS_SDK=/app
 
 cd fuzzing # You must run it from the fuzzing folder
 
-./local_run.sh --build=1 --fuzzer=build/fuzz_bip32 --j=4 --run-fuzzer=1 --compute-coverage=1 --BOLOS_SDK=${BOLOS_SDK}
+./local_run.sh --BOLOS_SDK=${BOLOS_SDK} --j=4 --build=1 --fuzzer=build/fuzz_bip32 --run-fuzzer=1 --compute-coverage=1
 ```
 
 ### About local_run.sh
 
-| Parameter              | Type                | Description                                                          |
-| :--------------------- | :------------------ | :------------------------------------------------------------------- |
-| `--BOLOS_SDK`          | `PATH TO BOLOS SDK` | **Required**. Path to the BOLOS SDK                                  |
-| `--build`              | `bool`              | **Optional**. Whether to build the project (default: 0)              |
-| `--fuzzer`             | `PATH`              | **Required**. Path to the fuzzer binary                              |
-| `--compute-coverage`   | `bool`              | **Optional**. Whether to compute coverage after fuzzing (default: 0) |
-| `--run-fuzzer`         | `bool`              | **Optional**. Whether to run or not the fuzzer (default: 0)          |
-| `--run-crash`          | `FILENAME`          | **Optional**. Run the fuzzer on a specific crash input file (default: 0) |
-| `--sanitizer`          | `address or memory` | **Optional**. Compile fuzzer with sanitizer (default: address)       |
+| Parameter              | Type                | Description                                                                   |
+| :--------------------- | :------------------ | :------------------------------------------------------------------- ---------|
+| `--BOLOS_SDK`          | `PATH TO BOLOS SDK` | **Required**. Path to the BOLOS SDK                                           |
+| `--build`              | `bool`              | **Optional**. Whether to build the project (default: 0)                       |
+| `--fuzzer`             | `PATH`              | **Required**. Path to the fuzzer binary                                       |
+| `--compute-coverage`   | `bool`              | **Optional**. Whether to compute coverage after fuzzing (default: 0)          |
+| `--run-fuzzer`         | `bool`              | **Optional**. Whether to run or not the fuzzer (default: 0)                   |
+| `--run-crash`          | `FILENAME`          | **Optional**. Run the fuzzer on a specific crash input file (default: 0)      |
+| `--sanitizer`          | `address or memory` | **Optional**. Compile fuzzer with sanitizer (default: address)                |
 | `--j`                  | `int`               | **Optional**. Number of parallel jobs/CPUs for build and fuzzing (default: 1) |
-| `--help`               |                     | **Optional**. Display help message                                   |
-
+| `--help`               |                     | **Optional**. Display help message                                            |
 
 ### Writing your Harness
 
@@ -138,6 +138,7 @@ cmake -S . -B build -DCMAKE_C_COMPILER=clang -DSANITIZER=address -G Ninja -DTARG
 ./build/fuzz_apdu_parser
 ./build/fuzz_base58
 ./build/fuzz_bip32
+./build/fuzz_c_list
 ./build/fuzz_qrcodegen
 ./build/fuzz_alloc
 ./build/fuzz_alloc_utils
diff --git a/fuzzing/docs/fuzz_c_list.md b/fuzzing/docs/fuzz_c_list.md
@@ -0,0 +1,156 @@
+# Fuzzing lib_c_list
+
+## Overview
+
+This fuzzer tests the generic linked list library (`lib_c_list`) for memory safety issues, edge cases, and potential crashes. It exercises all list operations including insertion, removal, sorting, and traversal.
+
+## Operations Tested
+
+The fuzzer uses the lower 4 bits of each input byte to select operations:
+
+| Op Code | Operation         | Description                                    |
+|---------|-------------------|------------------------------------------------|
+| 0x00    | `push_front`      | Add node at the beginning                      |
+| 0x01    | `push_back`       | Add node at the end                            |
+| 0x02    | `pop_front`       | Remove first node                              |
+| 0x03    | `pop_back`        | Remove last node                               |
+| 0x04    | `insert_after`    | Insert node after reference node               |
+| 0x05    | `insert_before`   | Insert node before reference node              |
+| 0x06    | `remove`          | Remove specific node                           |
+| 0x07    | `clear`           | Remove all nodes                               |
+| 0x08    | `sort`            | Sort list by node ID                           |
+| 0x09    | `size`            | Get list size                                  |
+| 0x0A    | `traverse`        | Traverse and verify integrity (cycle detection)|
+
+## Features
+
+### Safety Checks
+
+- **Cycle detection**: Prevents infinite loops in traversal
+- **Node tracking**: All allocated nodes are tracked for cleanup
+- **Memory leak prevention**: Automatic cleanup at end of fuzzing iteration
+- **Integrity verification**: Validates list structure during traversal
+
+### Test Data
+
+Each node contains:
+
+- Unique ID (auto-incremented)
+- 16 bytes of fuzzer-provided data
+- Standard list node structure
+
+### Limits
+
+- `MAX_NODES`: 1000 (prevents excessive memory usage)
+- `MAX_TRACKERS`: 100 (limits number of tracked nodes)
+- Maximum input length: 256 bytes (configurable)
+
+## Building
+
+From the SDK root:
+
+```bash
+cd fuzzing
+mkdir -p build && cd build
+cmake -S .. -B . -DCMAKE_C_COMPILER=clang -DSANITIZER=address -DBOLOS_SDK=/path/to/sdk
+cmake --build . --target fuzz_c_list
+```
+
+## Running
+
+### Basic run
+
+```bash
+./fuzz_c_list
+```
+
+### With specific options
+
+```bash
+# Run for 10000 iterations
+./fuzz_c_list -runs=10000
+
+# Limit input size to 128 bytes
+./fuzz_c_list -max_len=128
+
+# Use corpus directory
+./fuzz_c_list corpus/
+
+# Timeout per input (in seconds)
+./fuzz_c_list -timeout=10
+```
+
+### Using the helper script
+
+```bash
+cd /path/to/sdk/fuzzing
+./local_run.sh --build=1 --fuzzer=build/fuzz_c_list --j=4 --run-fuzzer=1 --BOLOS_SDK=/path/to/sdk
+```
+
+## Corpus
+
+Initial corpus files can be placed in:
+
+```bash
+fuzzing/harness/fuzz_c_list/
+```
+
+Example corpus files:
+
+- Simple operations: `\x00\x00...` (push_front operations)
+- Mixed operations: `\x00...\x01...\x02` (push_front, push_back, pop_front)
+- Complex sequences: Various operation combinations
+
+## Debugging
+
+Enable debug output by uncommenting `#define DEBUG_CRASH` in `fuzzer_c_list.c`:
+
+```c
+#define DEBUG_CRASH
+```
+
+This will print:
+
+- Node creation/deletion
+- Operation execution
+- List size changes
+- Cleanup operations
+
+## Crash Analysis
+
+If a crash is found:
+
+1. The fuzzer will save the crashing input to `crash-*` or `leak-*` files
+2. Reproduce the crash:
+
+   ```bash
+   ./fuzz_c_list crash-HASH
+   ```
+
+3. Debug with AddressSanitizer output
+4. Fix the issue in `lib_c_list/c_list.c`
+5. Verify fix by re-running fuzzer
+
+## Expected Behavior
+
+The fuzzer should:
+
+- ✅ Handle all operations safely
+- ✅ Prevent memory leaks (all nodes cleaned up)
+- ✅ Detect invalid operations (return false)
+- ✅ Handle edge cases (empty list, single node, etc.)
+- ✅ Maintain list integrity (no cycles, no corruption)
+
+## Known Issues
+
+None currently. If you find a crash, please report it!
+
+## Coverage
+
+To generate coverage report:
+
+```bash
+./local_run.sh --build=1 --fuzzer=build/fuzz_c_list --compute-coverage=1 --BOLOS_SDK=/path/to/sdk
+```
+
+Coverage files will be in `fuzzing/out/coverage/`.
diff --git a/fuzzing/extra/lib_c_list.cmake b/fuzzing/extra/lib_c_list.cmake
@@ -0,0 +1,13 @@
+include_guard()
+
+# Include required libraries
+include(${BOLOS_SDK}/fuzzing/libs/lib_c_list.cmake)
+include(${BOLOS_SDK}/fuzzing/mock/mock.cmake)
+
+# Define the executable and its properties here
+add_executable(fuzz_c_list ${BOLOS_SDK}/fuzzing/harness/fuzzer_c_list.c)
+target_compile_options(fuzz_c_list PUBLIC ${COMPILATION_FLAGS})
+target_link_options(fuzz_c_list PUBLIC ${LINK_FLAGS})
+
+# Link with required libraries
+target_link_libraries(fuzz_c_list PUBLIC c_list mock)
diff --git a/fuzzing/harness/fuzzer_c_list.c b/fuzzing/harness/fuzzer_c_list.c
diff --git a/fuzzing/libs/lib_c_list.cmake b/fuzzing/libs/lib_c_list.cmake
