test: fuzz 1.16.0 new features

Author: bboilot-ledger

tests/fuzzing/CMakeLists.txt

@@ -24,9 +24,12 @@ if (NOT DEFINED BOLOS_SDK)
   set(BOLOS_SDK /opt/${TARGET_DEVICE}-secure-sdk)
 endif()
 
+# some flags to mimic the embedded build (such as packed enums)
+set(CUSTOM_C_FLAGS -fdata-sections -ffunction-sections -funsigned-char -fshort-enums)
+
 # compatible with ClusterFuzzLite
 if (NOT DEFINED ENV{LIB_FUZZING_ENGINE})
-	set(COMPILATION_FLAGS -g -O0 -Wall -Wextra -fprofile-instr-generate -fcoverage-mapping)
+	set(COMPILATION_FLAGS ${CUSTOM_C_FLAGS} -g -O0 -Wall -Wextra -fprofile-instr-generate -fcoverage-mapping)
   if (SANITIZER MATCHES "address")
     set(COMPILATION_FLAGS ${COMPILATION_FLAGS} -fsanitize=fuzzer,address,undefined)
   elseif (SANITIZER MATCHES "memory")
@@ -35,7 +38,7 @@ if (NOT DEFINED ENV{LIB_FUZZING_ENGINE})
     message(FATAL_ERROR "Unkown sanitizer type. It must be set to `address` or `memory`.")
   endif()
 else()
-	set(COMPILATION_FLAGS "$ENV{LIB_FUZZING_ENGINE} $ENV{CFLAGS}")
+	set(COMPILATION_FLAGS "$ENV{LIB_FUZZING_ENGINE} $ENV{CFLAGS} ${CUSTOM_C_FLAGS}")
   separate_arguments(COMPILATION_FLAGS)
 endif()
 
@@ -155,6 +158,7 @@ set(DEFINES
     HAVE_ENUM_VALUE
     HAVE_NFT_SUPPORT
     HAVE_DYNAMIC_NETWORKS
+    HAVE_WEB3_CHECKS
     explicit_bzero=bzero # Fix for https://github.com/google/sanitizers/issues/1507
 )
 
@@ -185,6 +189,7 @@ include_directories(
   ${CMAKE_SOURCE_DIR}/../../src_features/getChallenge/
   ${CMAKE_SOURCE_DIR}/../../src_features/signMessageEIP712/
   ${CMAKE_SOURCE_DIR}/../../src_features/provide_proxy_info/
+  ${CMAKE_SOURCE_DIR}/../../src_features/provide_tx_simulation/
   ${BOLOS_SDK}/include
   ${BOLOS_SDK}/target/${TARGET_DEVICE}/include
   ${BOLOS_SDK}/lib_cxng/include
@@ -203,6 +208,7 @@ FILE(GLOB_RECURSE SOURCES
   ${CMAKE_SOURCE_DIR}/../../src_features/provide_network_info/*.c
   ${CMAKE_SOURCE_DIR}/../../src_features/provideNFTInformation/*.c
   ${CMAKE_SOURCE_DIR}/../../src_features/provide_proxy_info/*.c
+  ${CMAKE_SOURCE_DIR}/../../src_features/provide_tx_simulation/*.c
   ${CMAKE_SOURCE_DIR}/../../src/mem.c
   ${CMAKE_SOURCE_DIR}/../../src/mem_utils.c
   ${CMAKE_SOURCE_DIR}/../../src/network.c

tests/fuzzing/src/fuzzer.c

@@ -5,6 +5,10 @@
 
 #include "cmd_network_info.h"
 
+#include "cmd_get_tx_simulation.h"
+
+#include "cmd_proxy_info.h"
+
 #include "cmd_field.h"
 #include "cmd_tx_info.h"
 #include "cmd_enum_value.h"
@@ -15,6 +19,7 @@
 
 #include "shared_context.h"
 #include "tlv.h"
+#include "mem.h"
 #include "apdu_constants.h"
 
 // Fuzzing harness interface
@@ -34,6 +39,7 @@ const chain_config_t *chainConfig = &config;
 uint8_t appState;
 tmpCtx_t tmpCtx;
 strings_t strings;
+const internalStorage_t N_storage_real = {.w3c_enable = true, .w3c_opt_in = true};
 
 int fuzzGenericParserFieldCmd(const uint8_t *data, size_t size) {
     s_field field = {0};
@@ -105,6 +111,55 @@ int fuzzNFTInfo(const uint8_t *data, size_t size) {
     return handleProvideNFTInformation(data, size, &tx) != APDU_RESPONSE_OK;
 }
 
+int fuzzProxyInfo(const uint8_t *data, size_t size) {
+    if (size < 1) return 0;
+    return handle_proxy_info(data[0], 0, size - 1, data + 1);
+}
+
+int fuzzTxSimulation(const uint8_t *data, size_t size) {
+    unsigned int flags;
+    if (size < 2) return 0;
+
+    if (handleTxSimulation(data[0], data[1], data + 2, size - 2, &flags) != APDU_RESPONSE_OK)
+        return 1;
+
+    getTxSimuRiskStr();
+    getTxSimuCategoryStr();
+    return 0;
+}
+
+int fuzzCalldata(const uint8_t *data, size_t size) {
+    calldata_cleanup();
+    while (size > 0) {
+        switch (data[0]) {
+            case 'I':
+                data++;
+                size--;
+                calldata_init(500);
+                break;
+            case 'W':
+                size--;
+                data++;
+                if (size < 1 || size < data[0] + 1) return 0;
+                calldata_append(data + 1, data[0]);
+                size -= (1 + data[0]);
+                data += 1 + data[0];
+                break;
+            case 'R':
+                size--;
+                data++;
+                if (size < 1) return 0;
+                calldata_get_chunk(data[0]);
+                size--;
+                data++;
+                break;
+            default:
+                return 0;
+        }
+    }
+    return 0;
+}
+
 // Array of fuzzing harness functions
 harness harnesses[] = {
     fuzzGenericParserFieldCmd,
@@ -113,6 +168,9 @@ harness harnesses[] = {
     fuzzDynamicNetworks,
     fuzzTrustedNames,
     fuzzNFTInfo,
+    fuzzProxyInfo,
+    fuzzTxSimulation,
+    fuzzCalldata,
 };
 
 /* Main fuzzing handler called by libfuzzer */
@@ -126,6 +184,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
     explicit_bzero(&G_io_apdu_buffer, 260);
     explicit_bzero(&sha3, sizeof(sha3));
 
+    calldata_cleanup();
+    mem_reset();
+
     uint8_t target;
 
     txContext.content = &txContent;

tests/fuzzing/src/mock.c

@@ -5,6 +5,7 @@
 #include "cx_sha256.h"
 #include "cx_sha3.h"
 #include "buffer.h"
+#include "lcx_ecfp.h"
 
 /** MemorySanitizer does not wrap explicit_bzero https://github.com/google/sanitizers/issues/1507
  * which results in false positives when running MemorySanitizer.
@@ -181,3 +182,18 @@ int io_send_response_buffers(const buffer_t *rdatalist, size_t count, uint16_t s
     UNUSED(sw);
     return 0;
 }
+
+uint16_t io_seproxyhal_send_status(uint16_t sw, uint32_t tx, bool reset, bool idle) {
+    return 0;
+}
+
+uint32_t os_pki_get_info(uint8_t *key_usage,
+                         uint8_t *trusted_name,
+                         size_t *trusted_name_len,
+                         cx_ecfp_384_public_key_t *public_key) {
+    memcpy(trusted_name, "trusted name", sizeof("trusted name"));
+    return 0;
+}
+
+void ui_tx_simulation_opt_in(bool response_expected) {
+}