Merge #18994: tests: Add fuzzing harnesses for functions in script/

f898ef6 tests: Add fuzzing harness for functions in script/sign.h (practicalswift)
c91d2f0 tests: Add fuzzing harness for functions in script/sigcache.h (practicalswift)
d3d8adb tests: Add fuzzing harness for functions in script/interpreter.h (practicalswift)
fa80117 tests: Add fuzzing harness for functions in script/descriptor.h (practicalswift)
43fb8f0 tests: Add fuzzing harness for functions in script/bitcoinconsensus.h (practicalswift)
8de7271 tests: Fill fuzzing coverage gaps for functions in script/script.h, script/script_error.h and script/standard.h (practicalswift)
c571ecb tests: Add fuzzing helper functions ConsumeDataStream, ConsumeTxDestination and ConsumeUInt160 (practicalswift)

Pull request description:

  Add fuzzing harnesses for functions in `script/`:
  * Add fuzzing helper functions `ConsumeDataStream` and `ConsumeUInt160`
  * Fill fuzzing coverage gaps for functions in `script/script.h`, `script/script_error.h` and `script/standard.h`
  * Add fuzzing harness for functions in `script/bitcoinconsensus.h`
  * Add fuzzing harness for functions in `script/descriptor.h`
  * Add fuzzing harness for functions in `script/interpreter.h`
  * Add fuzzing harness for functions in `script/sigcache.h`
  * Add fuzzing harness for functions in `script/sign.h`

  See [`doc/fuzzing.md`](https://github.com/bitcoin/bitcoin/blob/master/doc/fuzzing.md) for information on how to fuzz Bitcoin Core. Don't forget to contribute any coverage increasing inputs you find to the [Bitcoin Core fuzzing corpus repo](https://github.com/bitcoin-core/qa-assets).

  Happy fuzzing :)

ACKs for top commit:
  MarcoFalke:
    ACK f898ef6 🔉

Tree-SHA512: f6e77b34dc79f23de5fa9e38ac06e6554b5b946ec3e9a67e2bd982e60aca37ce844f785457ef427a5e3b45e31c305456bca8587cc9f4a0b50b3852e39726eb04

Author: MarcoFalke

src/Makefile.test.include

@@ -110,9 +110,14 @@ FUZZ_TARGETS = \
   test/fuzz/rbf \
   test/fuzz/rolling_bloom_filter \
   test/fuzz/script \
+  test/fuzz/script_bitcoin_consensus \
+  test/fuzz/script_descriptor_cache \
   test/fuzz/script_deserialize \
   test/fuzz/script_flags \
+  test/fuzz/script_interpreter \
   test/fuzz/script_ops \
+  test/fuzz/script_sigcache \
+  test/fuzz/script_sign \
   test/fuzz/scriptnum_ops \
   test/fuzz/service_deserialize \
   test/fuzz/signature_checker \
@@ -941,6 +946,18 @@ test_fuzz_script_LDADD = $(FUZZ_SUITE_LD_COMMON)
 test_fuzz_script_LDFLAGS = $(RELDFLAGS) $(AM_LDFLAGS) $(LIBTOOL_APP_LDFLAGS)
 test_fuzz_script_SOURCES = test/fuzz/script.cpp
 
+test_fuzz_script_bitcoin_consensus_CPPFLAGS = $(AM_CPPFLAGS) $(BITCOIN_INCLUDES)
+test_fuzz_script_bitcoin_consensus_CXXFLAGS = $(AM_CXXFLAGS) $(PIE_FLAGS)
+test_fuzz_script_bitcoin_consensus_LDADD = $(FUZZ_SUITE_LD_COMMON)
+test_fuzz_script_bitcoin_consensus_LDFLAGS = $(RELDFLAGS) $(AM_LDFLAGS) $(LIBTOOL_APP_LDFLAGS)
+test_fuzz_script_bitcoin_consensus_SOURCES = test/fuzz/script_bitcoin_consensus.cpp
+
+test_fuzz_script_descriptor_cache_CPPFLAGS = $(AM_CPPFLAGS) $(BITCOIN_INCLUDES)
+test_fuzz_script_descriptor_cache_CXXFLAGS = $(AM_CXXFLAGS) $(PIE_FLAGS)
+test_fuzz_script_descriptor_cache_LDADD = $(FUZZ_SUITE_LD_COMMON)
+test_fuzz_script_descriptor_cache_LDFLAGS = $(RELDFLAGS) $(AM_LDFLAGS) $(LIBTOOL_APP_LDFLAGS)
+test_fuzz_script_descriptor_cache_SOURCES = test/fuzz/script_descriptor_cache.cpp
+
 test_fuzz_script_deserialize_CPPFLAGS = $(AM_CPPFLAGS) $(BITCOIN_INCLUDES) -DSCRIPT_DESERIALIZE=1
 test_fuzz_script_deserialize_CXXFLAGS = $(AM_CXXFLAGS) $(PIE_FLAGS)
 test_fuzz_script_deserialize_LDADD = $(FUZZ_SUITE_LD_COMMON)
@@ -953,12 +970,30 @@ test_fuzz_script_flags_LDADD = $(FUZZ_SUITE_LD_COMMON)
 test_fuzz_script_flags_LDFLAGS = $(RELDFLAGS) $(AM_LDFLAGS) $(LIBTOOL_APP_LDFLAGS)
 test_fuzz_script_flags_SOURCES = test/fuzz/script_flags.cpp
 
+test_fuzz_script_interpreter_CPPFLAGS = $(AM_CPPFLAGS) $(BITCOIN_INCLUDES)
+test_fuzz_script_interpreter_CXXFLAGS = $(AM_CXXFLAGS) $(PIE_FLAGS)
+test_fuzz_script_interpreter_LDADD = $(FUZZ_SUITE_LD_COMMON)
+test_fuzz_script_interpreter_LDFLAGS = $(RELDFLAGS) $(AM_LDFLAGS) $(LIBTOOL_APP_LDFLAGS)
+test_fuzz_script_interpreter_SOURCES = test/fuzz/script_interpreter.cpp
+
 test_fuzz_script_ops_CPPFLAGS = $(AM_CPPFLAGS) $(BITCOIN_INCLUDES)
 test_fuzz_script_ops_CXXFLAGS = $(AM_CXXFLAGS) $(PIE_FLAGS)
 test_fuzz_script_ops_LDADD = $(FUZZ_SUITE_LD_COMMON)
 test_fuzz_script_ops_LDFLAGS = $(RELDFLAGS) $(AM_LDFLAGS) $(LIBTOOL_APP_LDFLAGS)
 test_fuzz_script_ops_SOURCES = test/fuzz/script_ops.cpp
 
+test_fuzz_script_sigcache_CPPFLAGS = $(AM_CPPFLAGS) $(BITCOIN_INCLUDES)
+test_fuzz_script_sigcache_CXXFLAGS = $(AM_CXXFLAGS) $(PIE_FLAGS)
+test_fuzz_script_sigcache_LDADD = $(FUZZ_SUITE_LD_COMMON)
+test_fuzz_script_sigcache_LDFLAGS = $(RELDFLAGS) $(AM_LDFLAGS) $(LIBTOOL_APP_LDFLAGS)
+test_fuzz_script_sigcache_SOURCES = test/fuzz/script_sigcache.cpp
+
+test_fuzz_script_sign_CPPFLAGS = $(AM_CPPFLAGS) $(BITCOIN_INCLUDES)
+test_fuzz_script_sign_CXXFLAGS = $(AM_CXXFLAGS) $(PIE_FLAGS)
+test_fuzz_script_sign_LDADD = $(FUZZ_SUITE_LD_COMMON)
+test_fuzz_script_sign_LDFLAGS = $(RELDFLAGS) $(AM_LDFLAGS) $(LIBTOOL_APP_LDFLAGS)
+test_fuzz_script_sign_SOURCES = test/fuzz/script_sign.cpp
+
 test_fuzz_scriptnum_ops_CPPFLAGS = $(AM_CPPFLAGS) $(BITCOIN_INCLUDES)
 test_fuzz_scriptnum_ops_CXXFLAGS = $(AM_CXXFLAGS) $(PIE_FLAGS)
 test_fuzz_scriptnum_ops_LDADD = $(FUZZ_SUITE_LD_COMMON)

src/test/fuzz/script.cpp

@@ -11,6 +11,7 @@
 #include <script/descriptor.h>
 #include <script/interpreter.h>
 #include <script/script.h>
+#include <script/script_error.h>
 #include <script/sign.h>
 #include <script/signingprovider.h>
 #include <script/standard.h>
@@ -21,6 +22,8 @@
 #include <univalue.h>
 #include <util/memory.h>
 
+#include <algorithm>
+#include <cassert>
 #include <cstdint>
 #include <optional>
 #include <string>
@@ -124,4 +127,40 @@ void test_one_input(const std::vector<uint8_t>& buffer)
             wit.SetNull();
         }
     }
+
+    (void)GetOpName(ConsumeOpcodeType(fuzzed_data_provider));
+    (void)ScriptErrorString(static_cast<ScriptError>(fuzzed_data_provider.ConsumeIntegralInRange<int>(0, SCRIPT_ERR_ERROR_COUNT)));
+
+    {
+        const std::vector<uint8_t> bytes = ConsumeRandomLengthByteVector(fuzzed_data_provider);
+        CScript append_script{bytes.begin(), bytes.end()};
+        append_script << fuzzed_data_provider.ConsumeIntegral<int64_t>();
+        append_script << ConsumeOpcodeType(fuzzed_data_provider);
+        append_script << CScriptNum{fuzzed_data_provider.ConsumeIntegral<int64_t>()};
+        append_script << ConsumeRandomLengthByteVector(fuzzed_data_provider);
+    }
+
+    {
+        WitnessUnknown witness_unknown_1{};
+        witness_unknown_1.version = fuzzed_data_provider.ConsumeIntegral<int>();
+        const std::vector<uint8_t> witness_unknown_program_1 = fuzzed_data_provider.ConsumeBytes<uint8_t>(40);
+        witness_unknown_1.length = witness_unknown_program_1.size();
+        std::copy(witness_unknown_program_1.begin(), witness_unknown_program_1.end(), witness_unknown_1.program);
+
+        WitnessUnknown witness_unknown_2{};
+        witness_unknown_2.version = fuzzed_data_provider.ConsumeIntegral<int>();
+        const std::vector<uint8_t> witness_unknown_program_2 = fuzzed_data_provider.ConsumeBytes<uint8_t>(40);
+        witness_unknown_2.length = witness_unknown_program_2.size();
+        std::copy(witness_unknown_program_2.begin(), witness_unknown_program_2.end(), witness_unknown_2.program);
+
+        (void)(witness_unknown_1 == witness_unknown_2);
+        (void)(witness_unknown_1 < witness_unknown_2);
+    }
+
+    {
+        const CTxDestination tx_destination_1 = ConsumeTxDestination(fuzzed_data_provider);
+        const CTxDestination tx_destination_2 = ConsumeTxDestination(fuzzed_data_provider);
+        (void)(tx_destination_1 == tx_destination_2);
+        (void)(tx_destination_1 < tx_destination_2);
+    }
 }

src/test/fuzz/script_bitcoin_consensus.cpp

@@ -0,0 +1,31 @@
+// Copyright (c) 2020 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <script/bitcoinconsensus.h>
+#include <script/interpreter.h>
+#include <test/fuzz/FuzzedDataProvider.h>
+#include <test/fuzz/fuzz.h>
+#include <test/fuzz/util.h>
+
+#include <cstdint>
+#include <string>
+#include <vector>
+
+void test_one_input(const std::vector<uint8_t>& buffer)
+{
+    FuzzedDataProvider fuzzed_data_provider(buffer.data(), buffer.size());
+    const std::vector<uint8_t> random_bytes_1 = ConsumeRandomLengthByteVector(fuzzed_data_provider);
+    const std::vector<uint8_t> random_bytes_2 = ConsumeRandomLengthByteVector(fuzzed_data_provider);
+    const CAmount money = ConsumeMoney(fuzzed_data_provider);
+    bitcoinconsensus_error err;
+    bitcoinconsensus_error* err_p = fuzzed_data_provider.ConsumeBool() ? &err : nullptr;
+    const unsigned int n_in = fuzzed_data_provider.ConsumeIntegral<unsigned int>();
+    const unsigned int flags = fuzzed_data_provider.ConsumeIntegral<unsigned int>();
+    assert(bitcoinconsensus_version() == BITCOINCONSENSUS_API_VER);
+    if ((flags & SCRIPT_VERIFY_WITNESS) != 0 && (flags & SCRIPT_VERIFY_P2SH) == 0) {
+        return;
+    }
+    (void)bitcoinconsensus_verify_script(random_bytes_1.data(), random_bytes_1.size(), random_bytes_2.data(), random_bytes_2.size(), n_in, flags, err_p);
+    (void)bitcoinconsensus_verify_script_with_amount(random_bytes_1.data(), random_bytes_1.size(), money, random_bytes_2.data(), random_bytes_2.size(), n_in, flags, err_p);
+}

src/test/fuzz/script_descriptor_cache.cpp

@@ -0,0 +1,42 @@
+// Copyright (c) 2020 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <optional.h>
+#include <pubkey.h>
+#include <script/descriptor.h>
+#include <test/fuzz/FuzzedDataProvider.h>
+#include <test/fuzz/fuzz.h>
+#include <test/fuzz/util.h>
+
+#include <cstdint>
+#include <string>
+#include <vector>
+
+void test_one_input(const std::vector<uint8_t>& buffer)
+{
+    FuzzedDataProvider fuzzed_data_provider(buffer.data(), buffer.size());
+    DescriptorCache descriptor_cache;
+    while (fuzzed_data_provider.ConsumeBool()) {
+        const std::vector<uint8_t> code = fuzzed_data_provider.ConsumeBytes<uint8_t>(BIP32_EXTKEY_SIZE);
+        if (code.size() == BIP32_EXTKEY_SIZE) {
+            CExtPubKey xpub;
+            xpub.Decode(code.data());
+            const uint32_t key_exp_pos = fuzzed_data_provider.ConsumeIntegral<uint32_t>();
+            CExtPubKey xpub_fetched;
+            if (fuzzed_data_provider.ConsumeBool()) {
+                (void)descriptor_cache.GetCachedParentExtPubKey(key_exp_pos, xpub_fetched);
+                descriptor_cache.CacheParentExtPubKey(key_exp_pos, xpub);
+                assert(descriptor_cache.GetCachedParentExtPubKey(key_exp_pos, xpub_fetched));
+            } else {
+                const uint32_t der_index = fuzzed_data_provider.ConsumeIntegral<uint32_t>();
+                (void)descriptor_cache.GetCachedDerivedExtPubKey(key_exp_pos, der_index, xpub_fetched);
+                descriptor_cache.CacheDerivedExtPubKey(key_exp_pos, der_index, xpub);
+                assert(descriptor_cache.GetCachedDerivedExtPubKey(key_exp_pos, der_index, xpub_fetched));
+            }
+            assert(xpub == xpub_fetched);
+        }
+        (void)descriptor_cache.GetCachedParentExtPubKeys();
+        (void)descriptor_cache.GetCachedDerivedExtPubKeys();
+    }
+}

src/test/fuzz/script_interpreter.cpp

@@ -0,0 +1,41 @@
+// Copyright (c) 2020 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <primitives/transaction.h>
+#include <script/interpreter.h>
+#include <test/fuzz/FuzzedDataProvider.h>
+#include <test/fuzz/fuzz.h>
+#include <test/fuzz/util.h>
+
+#include <cstdint>
+#include <optional>
+#include <string>
+#include <vector>
+
+bool CastToBool(const std::vector<unsigned char>& vch);
+
+void test_one_input(const std::vector<uint8_t>& buffer)
+{
+    FuzzedDataProvider fuzzed_data_provider(buffer.data(), buffer.size());
+    {
+        const CScript script_code = ConsumeScript(fuzzed_data_provider);
+        const std::optional<CMutableTransaction> mtx = ConsumeDeserializable<CMutableTransaction>(fuzzed_data_provider);
+        if (mtx) {
+            const CTransaction tx_to{*mtx};
+            const unsigned int in = fuzzed_data_provider.ConsumeIntegral<unsigned int>();
+            if (in < tx_to.vin.size()) {
+                (void)SignatureHash(script_code, tx_to, in, fuzzed_data_provider.ConsumeIntegral<int>(), ConsumeMoney(fuzzed_data_provider), fuzzed_data_provider.PickValueInArray({SigVersion::BASE, SigVersion::WITNESS_V0}), nullptr);
+                const std::optional<CMutableTransaction> mtx_precomputed = ConsumeDeserializable<CMutableTransaction>(fuzzed_data_provider);
+                if (mtx_precomputed) {
+                    const CTransaction tx_precomputed{*mtx_precomputed};
+                    const PrecomputedTransactionData precomputed_transaction_data{tx_precomputed};
+                    (void)SignatureHash(script_code, tx_to, in, fuzzed_data_provider.ConsumeIntegral<int>(), ConsumeMoney(fuzzed_data_provider), fuzzed_data_provider.PickValueInArray({SigVersion::BASE, SigVersion::WITNESS_V0}), &precomputed_transaction_data);
+                }
+            }
+        }
+    }
+    {
+        (void)CastToBool(ConsumeRandomLengthByteVector(fuzzed_data_provider));
+    }
+}

src/test/fuzz/script_sigcache.cpp

@@ -0,0 +1,45 @@
+// Copyright (c) 2020 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <chainparams.h>
+#include <chainparamsbase.h>
+#include <key.h>
+#include <pubkey.h>
+#include <script/sigcache.h>
+#include <test/fuzz/FuzzedDataProvider.h>
+#include <test/fuzz/fuzz.h>
+#include <test/fuzz/util.h>
+
+#include <cstdint>
+#include <optional>
+#include <string>
+#include <vector>
+
+void initialize()
+{
+    static const ECCVerifyHandle ecc_verify_handle;
+    ECC_Start();
+    SelectParams(CBaseChainParams::REGTEST);
+    InitSignatureCache();
+}
+
+void test_one_input(const std::vector<uint8_t>& buffer)
+{
+    FuzzedDataProvider fuzzed_data_provider(buffer.data(), buffer.size());
+
+    const std::optional<CMutableTransaction> mutable_transaction = ConsumeDeserializable<CMutableTransaction>(fuzzed_data_provider);
+    const CTransaction tx = mutable_transaction ? CTransaction{*mutable_transaction} : CTransaction{};
+    const unsigned int n_in = fuzzed_data_provider.ConsumeIntegral<unsigned int>();
+    const CAmount amount = ConsumeMoney(fuzzed_data_provider);
+    const bool store = fuzzed_data_provider.ConsumeBool();
+    PrecomputedTransactionData tx_data;
+    CachingTransactionSignatureChecker caching_transaction_signature_checker{mutable_transaction ? &tx : nullptr, n_in, amount, store, tx_data};
+    const std::optional<CPubKey> pub_key = ConsumeDeserializable<CPubKey>(fuzzed_data_provider);
+    if (pub_key) {
+        const std::vector<uint8_t> random_bytes = ConsumeRandomLengthByteVector(fuzzed_data_provider);
+        if (!random_bytes.empty()) {
+            (void)caching_transaction_signature_checker.VerifySignature(random_bytes, *pub_key, ConsumeUInt256(fuzzed_data_provider));
+        }
+    }
+}