Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

net: Add regression fuzz harness for CVE-2017-18350. Add FuzzedSocket. #19203

Merged
merged 2 commits into from
Mar 3, 2021
Merged

net: Add regression fuzz harness for CVE-2017-18350. Add FuzzedSocket. #19203

merged 2 commits into from
Mar 3, 2021
+188 −17

Conversation

practicalswift
Copy link
Contributor

@practicalswift practicalswift commented Jun 7, 2020
edited
Loading

Add regression fuzz harness for CVE-2017-18350. This fuzzing harness would have found CVE-2017-18350 within a minute of fuzzing :)

See doc/fuzzing.md for information on how to fuzz Bitcoin Core. Don't forget to contribute any coverage increasing inputs you find to the Bitcoin Core fuzzing corpus repo.

Happy fuzzing :)

@maflcko
Copy link
Member

maflcko commented Jun 7, 2020

Concept ACK

@maflcko maflcko changed the title tests/net: Add regression fuzz harness for CVE-2017-18350. Add FuzzedSocket. Add thin SOCKET wrapper. net: Add regression fuzz harness for CVE-2017-18350. Add FuzzedSocket. Add thin SOCKET wrapper. Jun 7, 2020
@DrahtBot
Copy link
Contributor

DrahtBot commented Jun 7, 2020
edited
Loading

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Conflicts

Reviewers, this pull request conflicts with the following ones:

If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

@DrahtBot DrahtBot mentioned this pull request Jun 8, 2020
Merged
This was referenced Jun 9, 2020
Closed
Merged
Merged
This was referenced Jun 13, 2020
Merged
Merged
Merged
This was referenced Jun 21, 2020
Open
Merged
@DrahtBot DrahtBot mentioned this pull request Jun 30, 2020
Merged
@laanwj
Copy link
Member

laanwj commented Feb 16, 2021

Code review ACK ff13f09

@laanwj laanwj changed the title net: Add regression fuzz harness for CVE-2017-18350. Add FuzzedSocket. Add thin SOCKET wrapper. net: Add regression fuzz harness for CVE-2017-18350. Add FuzzedSocket. Feb 16, 2021
maflcko
maflcko reviewed Feb 16, 2021
View reviewed changes
Copy link
Member

@maflcko maflcko left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

left some style feedback

src/test/fuzz/util.h Outdated Show resolved Hide resolved
src/test/fuzz/util.h Outdated Show resolved Hide resolved
src/test/fuzz/socks5.cpp Outdated Show resolved Hide resolved
src/test/fuzz/util.h Outdated Show resolved Hide resolved
@practicalswift practicalswift force-pushed the fuzzers-Socks5 branch 2 times, most recently from ad65949 to 88af030 Compare February 16, 2021 19:14
@practicalswift
Copy link
Contributor Author

@laanwj Thanks for the quick review! ❤️ Pushed an updated version addressing @MarcoFalke's feedback. Should hopefully be ready for final review.

vasild
vasild approved these changes Feb 17, 2021
View reviewed changes
Copy link
Contributor

@vasild vasild left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ACK 88af030

src/test/fuzz/socks5.cpp Outdated Show resolved Hide resolved
src/test/fuzz/util.h Show resolved Hide resolved
src/test/fuzz/util.h Show resolved Hide resolved
@vasild
Copy link
Contributor

vasild commented Feb 17, 2021
edited
Loading

Running the new fuzz test for a few tens of minutes produces no errors.

Reverting the fix for CVE-2017–18350 like this:

--- i/src/netbase.cpp
+++ w/src/netbase.cpp
@@ -533,13 +533,13 @@ bool Socks5(const std::string& strDest, int port, const ProxyCredentials* auth,
         case SOCKS5Atyp::DOMAINNAME:
         {
             recvr = InterruptibleRecv(pchRet3, 1, SOCKS5_RECV_TIMEOUT, sock);
             if (recvr != IntrRecvError::OK) {
                 return error("Error reading from proxy");
             }
-            int nRecv = pchRet3[0];
+            int nRecv = (char)pchRet3[0];
             recvr = InterruptibleRecv(pchRet3, nRecv, SOCKS5_RECV_TIMEOUT, sock);
             break;
         }
         default: return error("Error: malformed proxy response");
     }
     if (recvr != IntrRecvError::OK) {

crashes the test in less than a minute.

@vasild
Copy link
Contributor

vasild commented Feb 17, 2021

The PR description needs an update since it mentions 4 commits, but there are just 2 now.

@laanwj
Copy link
Member

laanwj commented Feb 17, 2021
edited
Loading

The PR description needs an update since it mentions 4 commits, but there are just 2 now.

Ah yes I had already updated the PR title for it, but you're right that the description is out of date too.

ryanofsky
ryanofsky approved these changes Feb 19, 2021
View reviewed changes
Copy link
Contributor

@ryanofsky ryanofsky left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code review ACK 88af030 with caveat that I don't know very much about fuzzing so ignore my suggestions.

src/test/fuzz/util.h Show resolved Hide resolved
src/test/fuzz/util.h Show resolved Hide resolved
src/test/fuzz/util.h Outdated Show resolved Hide resolved
src/netbase.cpp Outdated Show resolved Hide resolved
src/test/fuzz/util.h Show resolved Hide resolved
@DrahtBot DrahtBot mentioned this pull request Mar 2, 2021
Merged
@practicalswift practicalswift force-pushed the fuzzers-Socks5 branch 4 times, most recently from d06d25c to b62b90f Compare March 2, 2021 15:20
@vasild
Copy link
Contributor

vasild commented Mar 2, 2021

b62b90f looks good except that the first commit does not compile:

test/fuzz/socks5.cpp:23:5: error: use of undeclared identifier 'default_socks5_recv_timeout'
    default_socks5_recv_timeout = g_socks5_recv_timeout;
    ^
test/fuzz/socks5.cpp:23:35: error: use of undeclared identifier 'g_socks5_recv_timeout'
    default_socks5_recv_timeout = g_socks5_recv_timeout;
                                  ^

(the second commit fixes this)

@practicalswift
Copy link
Contributor Author

@vasild

b62b90f looks good except that the first commit does not compile:

(the second commit fixes this)

Oh, good catch!

Now addressed :)

Please re-review :)

vasild
vasild approved these changes Mar 3, 2021
View reviewed changes
Copy link
Contributor

@vasild vasild left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ACK 366e3e1

@maflcko maflcko merged commit ebd8d66 into bitcoin:master Mar 3, 2021
sidhujag pushed a commit to syscoin/syscoin that referenced this pull request Mar 3, 2021
Merge bitcoin#19203: net: Add regression fuzz harness for CVE-2017-18350
217b5ba 
. Ad…
@fanquake fanquake mentioned this pull request Mar 4, 2021
Merged
@practicalswift practicalswift deleted the fuzzers-Socks5 branch April 10, 2021 19:44
@bitcoin bitcoin locked as resolved and limited conversation to collaborators Aug 16, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@Crypt-iQ Crypt-iQ Crypt-iQ left review comments

@maflcko maflcko maflcko left review comments

@laanwj laanwj laanwj left review comments

@ryanofsky ryanofsky ryanofsky approved these changes

@vasild vasild vasild approved these changes

Assignees
No one assigned
Labels
P2P
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@practicalswift @maflcko @DrahtBot @Crypt-iQ @laanwj @vasild @ryanofsky