Merge pull request #10004

36bdfad rpc-fuzz: Add new fuzzers for RPC endpoints (Arthur Chan)

Author: tobtoht

CMakeLists.txt

@@ -484,8 +484,8 @@ endif()
 option(SANITIZE "Use ASAN memory sanitizer" OFF)
 if(SANITIZE)
   message(STATUS "Using ASAN")
-  set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=address")
-  set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=address")
+  set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=address,undefined")
+  set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=address,undefined")
 endif()
 
 # Set default blockchain storage location:

src/common/perf_timer.cpp

@@ -90,7 +90,12 @@ namespace tools
 
 el::Level performance_timer_log_level = el::Level::Info;
 
-static __thread std::vector<LoggingPerformanceTimer*> *performance_timers = NULL;
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+  #warning "Building with fuzzing mode UNSAFE FOR PRODUCTION!"
+  __thread std::vector<LoggingPerformanceTimer*> *performance_timers = NULL;
+#else
+  static __thread std::vector<LoggingPerformanceTimer*> *performance_timers = NULL;
+#endif
 
 void set_performance_timer_log_level(el::Level level)
 {

tests/fuzz/CMakeLists.txt

@@ -26,6 +26,75 @@
 # STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
 # THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
+# Add the include path for <fuzzer/FuzzedDataProvider.h>
+include_directories(${CMAKE_SOURCE_DIR}/tests/fuzz/include)
+
+# Recompile perf_timer for fuzzing
+add_library(fuzz_unsafe_macro OBJECT
+  ${CMAKE_SOURCE_DIR}/src/common/perf_timer.cpp)
+target_compile_definitions(fuzz_unsafe_macro
+  PRIVATE FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION)
+
+monero_add_minimal_executable(fuzz_rpc
+  fuzz_rpc/initialisation.cpp
+  fuzz_rpc/rpc_endpoints.cpp
+  fuzz_rpc/fuzz_rpc.cpp
+  $<TARGET_OBJECTS:fuzz_unsafe_macro>)
+target_compile_definitions(fuzz_rpc PRIVATE SAFE)
+target_link_libraries(fuzz_rpc
+  PRIVATE
+    rpc
+    ${CMAKE_THREAD_LIBS_INIT}
+    ${EXTRA_LIBRARIES}
+    $ENV{LIB_FUZZING_ENGINE})
+set_property(TARGET fuzz_rpc
+  PROPERTY
+    FOLDER "tests")
+
+monero_add_minimal_executable(fuzz_rpc_full
+  fuzz_rpc/initialisation.cpp
+  fuzz_rpc/rpc_endpoints.cpp
+  fuzz_rpc/fuzz_rpc.cpp
+  $<TARGET_OBJECTS:fuzz_unsafe_macro>)
+target_link_libraries(fuzz_rpc_full
+  PRIVATE
+    rpc
+    ${CMAKE_THREAD_LIBS_INIT}
+    ${EXTRA_LIBRARIES}
+    $ENV{LIB_FUZZING_ENGINE})
+set_property(TARGET fuzz_rpc_full
+  PROPERTY
+    FOLDER "tests")
+
+monero_add_minimal_executable(fuzz_rpc_full_no_exceptions
+  fuzz_rpc/initialisation.cpp
+  fuzz_rpc/rpc_endpoints.cpp
+  fuzz_rpc/fuzz_rpc.cpp
+  $<TARGET_OBJECTS:fuzz_unsafe_macro>)
+target_compile_definitions(fuzz_rpc_full_no_exceptions PRIVATE CATCH_ALL_EXCEPTIONS)
+target_link_libraries(fuzz_rpc_full_no_exceptions
+  PRIVATE
+    rpc
+    ${CMAKE_THREAD_LIBS_INIT}
+    ${EXTRA_LIBRARIES}
+    $ENV{LIB_FUZZING_ENGINE})
+set_property(TARGET fuzz_rpc_full_no_exceptions
+  PROPERTY
+    FOLDER "tests")
+
+monero_add_minimal_executable(fuzz_zmq
+  fuzz_rpc/zmq_endpoints.cpp
+  fuzz_rpc/fuzz_zmq.cpp)
+target_link_libraries(fuzz_zmq
+  PRIVATE
+    rpc_pub
+    ${CMAKE_THREAD_LIBS_INIT}
+    ${EXTRA_LIBRARIES}
+    $ENV{LIB_FUZZING_ENGINE})
+set_property(TARGET fuzz_zmq
+  PROPERTY
+    FOLDER "tests")
+
 monero_add_minimal_executable(block_fuzz_tests block.cpp fuzzer.cpp)
 target_link_libraries(block_fuzz_tests
   PRIVATE

tests/fuzz/fuzz_rpc/README.md

@@ -0,0 +1,50 @@
+# Fuzzing Harness Explanation
+
+The fuzzing harness skips the transport layer and directly initialises a `core_rpc_server` object. It then calls and fuzzes the RPC endpoint function handlers directly, removing the need to start a fake server while still allowing the handler logic for each RPC API to be fuzzed.
+
+
+## `fuzz_rpc.cpp` / `fuzz_zmq.cpp`
+
+These are the main fuzzing entry points, containing `LLVMFuzzerTestOneInput`, which manages each iteration of the fuzzing process.
+
+## `initialisation.cpp` / `initialisation.h`
+
+This set of source files provides initialisation helper functions to configure the `core_rpc_server` class with dummy protocols, P2P, payment modules, and other components. It also includes functions to generate fake random blocks, miners, and transactions for use in fuzzing.
+
+## `rpc_endpoints.cpp` / `rpc_endpoints.h` / `zmq_endpoints.cpp` / `zmq_endpoints.h`
+
+These source files handle the creation of the necessary request and response objects and the invocation of specific endpoint functions. These simulate real RPC requests / ZMQ requests for the purpose of fuzzing. There are three categories of RPC endpoint functions and only one for ZMQ endpoint functions:
+
+* **Safe**: Considered stable and unlikely to fail.
+* **Risky**: More prone to failure and early exits, especially if no valid blockchain is generated or no payment modules are configured.
+* **Priority**: Most critical RPC endpoint functions that will at least run once per iteration.
+
+# Building the Fuzzing Harnesses
+
+The same `fuzz_rpc.cpp` is compiled into two versions of the fuzzer, one with the `SAFE` macro defined and one without. Meanwhile, `fuzz_zmq` is compiled into a single version.
+
+* With `SAFE` defined: Only safe endpoint functions are fuzzed.
+* Without `SAFE`: Both safe and risky functions are included in the fuzzing process, and payment modules are configured.
+
+# Fuzzing Harness Flow
+
+## Select a Random RPC Endpoint Function / ZMQ Endpoint Function
+
+Random data is used to generate selectors that choose an RPC endpoint function / ZMQ endpoint function to fuzz, either from the safe or risky function maps (depending on whether the `SAFE` macro is defined). A function from the priority category is always included at least once.
+
+
+## `initialise_rpc_core` / `initialise_rpc_server`
+
+At the start of each fuzzing iteration, a `core_rpc_server` object is created and initialised with dummy protocols, P2P, payment modules, and more.
+If the `SAFE` macro is not defined, the payment module will also be initialised.
+This step is skipped for `fuzz_zmq`.
+
+## `generate_random_blocks`
+
+The provided random data is used to initialise a set of random blocks, which are added to a dummy blockchain (initialised using `FAKECHAIN`).
+If blocks are successfully added, a list of random transactions is then generated and also pushed to the blockchain.
+This step is skipped for `fuzz_zmq`.
+
+## Real Fuzzing
+
+The selected RPC endpoint helper function in `rpc_endpoints` or `zmq_endpoints` generates a random request and response object for the specific call, and then invokes the corresponding handler in the `core_rpc_server` object.

tests/fuzz/fuzz_rpc/fuzz_rpc.cpp

@@ -0,0 +1,91 @@
+#include "initialisation.h"
+#include "rpc_endpoints.h"
+#include <fuzzer/FuzzedDataProvider.h>
+
+#include <csignal>
+#include <csetjmp>
+#include <iostream>
+#include <vector>
+#include <algorithm>
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  // In general an iteration needs a fair amount of data so ensure we have enough
+  // to work with, otherwise return 0 to skip this iteration.
+  if (size < 512) {
+    return 0;
+  }
+
+  // Determine if this iteration should run in safe mode
+#ifdef SAFE
+  constexpr bool is_safe_mode = true;
+#else
+  constexpr bool is_safe_mode = false;
+#endif
+
+  // Retrieve a list of all fuzz targets
+  auto fuzz_targets = get_fuzz_targets(is_safe_mode);
+
+  // Disable fatal exits for logging.
+  el::Loggers::addFlag(el::LoggingFlag::DisableApplicationAbortOnFatalLog);
+
+  // Prepare base FuzzedDataProvider
+  FuzzedDataProvider provider(data, size);
+
+  // Randomly choose multiple fuzz_targets to fuzz
+  int rpc_messages_to_send = provider.ConsumeIntegralInRange<int>(1, 16);
+  std::vector<int> selectors;
+  if (is_safe_mode) {
+    selectors.reserve(rpc_messages_to_send);
+  } else {
+    selectors.reserve(rpc_messages_to_send + priority_fuzz_targets.size());
+    for (int i = 0; i < priority_fuzz_targets.size(); ++i) {
+        selectors.push_back(i);
+    }
+
+    // Randomly shuffle the selectors for priority fuzz targets
+    for (int i = 0; i < priority_fuzz_targets.size(); i++) {
+      int target = provider.ConsumeIntegralInRange<int>(0, priority_fuzz_targets.size() - 1);
+      std::swap(selectors[i], selectors[target]);
+    }
+  }
+
+  // Randomly select rpc functions to call
+  for (int i = 0; i < rpc_messages_to_send && provider.remaining_bytes() >= 2; ++i) {
+    int selector = provider.ConsumeIntegralInRange<int>(0, fuzz_targets.size() - 1);
+    selectors.push_back(selector);
+  }
+
+  // Initialise core and core_rpc_server
+  auto core_env = initialise_rpc_core();
+  auto& dummy_core = core_env->core;
+  auto rpc_handler = initialise_rpc_server(*dummy_core, provider, !is_safe_mode);
+
+  // Generate random blocks/miners/transactions and push to the core blockchains
+  if (!generate_random_blocks(*dummy_core, provider)) {
+    // No randomised blocks have been successfully added, skipping this iteration
+    dummy_core->get_blockchain_storage().get_db().batch_stop();
+    return 0;
+  }
+
+  // Disable bootstrap daemon
+  disable_bootstrap_daemon(*rpc_handler->rpc);
+
+  for (int selector : selectors) {
+    try {
+      // Fuzz the target function
+      fuzz_targets[selector](*rpc_handler->rpc, provider);
+    } catch (const std::runtime_error&) {
+      // Known runtime_error thrown from monero
+    } catch (const cryptonote::DB_ERROR& e) {
+      // Known error thrown from monero on internal blockchain DB check
+      // when fuzzing with random values
+#ifdef CATCH_ALL_EXCEPTIONS
+    } catch (...) {
+      // Silent all exceptions
+#endif
+    }
+  }
+
+  dummy_core->get_blockchain_storage().get_db().batch_stop();
+  return 0;
+}

tests/fuzz/fuzz_rpc/fuzz_zmq.cpp

@@ -0,0 +1,43 @@
+#include <fuzzer/FuzzedDataProvider.h>
+#include "zmq_endpoints.h"
+#include <vector>
+#include <cstring>
+
+using namespace cryptonote;
+using namespace cryptonote::listener;
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  if (size < 64) {
+    return 0;
+  }
+
+  FuzzedDataProvider provider(data, size);
+
+  void* ctx = zmq_ctx_new();
+  if (!ctx) {
+    return 0;
+  }
+
+  // Randomly choose multiple zmq_targets to fuzz
+  int to_sent = provider.ConsumeIntegralInRange<int>(1, 8);
+  std::vector<int> selectors;
+  selectors.reserve(to_sent);
+  for (int i = 0; i < to_sent && provider.remaining_bytes() >= 2; ++i) {
+    uint16_t raw = provider.ConsumeIntegral<uint16_t>();
+    selectors.push_back(raw % zmq_targets.size());
+  }
+
+  try {
+    zmq_pub pub(ctx);
+    for (int selector : selectors) {
+      zmq_targets[selector](pub, provider);
+    }
+  } catch (const std::runtime_error& e) {
+    // Ignore known runtime_error from checking
+  }
+
+  zmq_ctx_shutdown(ctx);
+  zmq_ctx_term(ctx);
+
+  return 0;
+}