Merge pull request #6656

bde7f1c fuzz_tests: fix init check in oss-fuzz mode (moneromooo-monero)
c4b7420 Do not use PIE with OSS-Fuzz (moneromooo-monero)
c4df8b1 fix leaks in fuzz tests (moneromooo-monero)
38ca1bb fuzz_tests: add a tx extra fuzz test (moneromooo-monero)

9 files changed, 94 insertions, 19 deletions

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 4fcf782aa..45a6aa1b5 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -652,7 +652,7 @@ else()
   endif()
 
   # linker
-  if (NOT SANITIZE AND NOT (WIN32 AND (CMAKE_C_COMPILER_ID STREQUAL "GNU" AND CMAKE_C_COMPILER_VERSION VERSION_LESS 9.1)))
+  if (NOT SANITIZE AND NOT OSSFUZZ AND NOT (WIN32 AND (CMAKE_C_COMPILER_ID STREQUAL "GNU" AND CMAKE_C_COMPILER_VERSION VERSION_LESS 9.1)))
     # PIE executables randomly crash at startup with ASAN
     # Windows binaries die on startup with PIE when compiled with GCC <9.x
     add_linker_flag_if_supported(-pie LD_SECURITY_FLAGS)
diff --git a/tests/data/fuzz/tx-extra/TXEXTRA1 b/tests/data/fuzz/tx-extra/TXEXTRA1
new file mode 100644
index 000000000..08852abe3
--- /dev/null
+++ b/tests/data/fuzz/tx-extra/TXEXTRA1
diff --git a/tests/data/fuzz/tx-extra/TXEXTRA2 b/tests/data/fuzz/tx-extra/TXEXTRA2
new file mode 100644
index 000000000..170301145
--- /dev/null
+++ b/tests/data/fuzz/tx-extra/TXEXTRA2
diff --git a/tests/fuzz/CMakeLists.txt b/tests/fuzz/CMakeLists.txt
index 8654d41d5..606fec465 100644
--- a/tests/fuzz/CMakeLists.txt
+++ b/tests/fuzz/CMakeLists.txt
@@ -200,3 +200,21 @@ set_property(TARGET bulletproof_fuzz_tests
   PROPERTY
     FOLDER "tests")
 
+add_executable(tx-extra_fuzz_tests tx-extra.cpp fuzzer.cpp)
+target_link_libraries(tx-extra_fuzz_tests
+  PRIVATE
+    cryptonote_basic
+    common
+    epee
+    ${Boost_THREAD_LIBRARY}
+    ${Boost_CHRONO_LIBRARY}
+    ${Boost_REGEX_LIBRARY}
+    ${Boost_PROGRAM_OPTIONS_LIBRARY}
+    ${Boost_SYSTEM_LIBRARY}
+    ${CMAKE_THREAD_LIBS_INIT}
+    ${EXTRA_LIBRARIES}
+    $ENV{LIB_FUZZING_ENGINE})
+set_property(TARGET tx-extra_fuzz_tests
+  PROPERTY
+    FOLDER "tests")
+
diff --git a/tests/fuzz/cold-outputs.cpp b/tests/fuzz/cold-outputs.cpp
index af0a33422..ce6d6640c 100644
--- a/tests/fuzz/cold-outputs.cpp
+++ b/tests/fuzz/cold-outputs.cpp
@@ -34,16 +34,19 @@
 #include "wallet/wallet2.h"
 #include "fuzzer.h"
 
-static tools::wallet2 wallet;
+static tools::wallet2 *wallet = NULL;
 
 BEGIN_INIT_SIMPLE_FUZZER()
+  static tools::wallet2 local_wallet;
+  wallet = &local_wallet;
+
   static const char * const spendkey_hex = "0b4f47697ec99c3de6579304e5f25c68b07afbe55b71d99620bf6cbf4e45a80f";
   crypto::secret_key spendkey;
   epee::string_tools::hex_to_pod(spendkey_hex, spendkey);
 
-  wallet.init("", boost::none, boost::asio::ip::tcp::endpoint{}, 0, true, epee::net_utils::ssl_support_t::e_ssl_support_disabled);
-  wallet.set_subaddress_lookahead(1, 1);
-  wallet.generate("", "", spendkey, true, false);
+  wallet->init("", boost::none, boost::asio::ip::tcp::endpoint{}, 0, true, epee::net_utils::ssl_support_t::e_ssl_support_disabled);
+  wallet->set_subaddress_lookahead(1, 1);
+  wallet->generate("", "", spendkey, true, false);
 END_INIT_SIMPLE_FUZZER()
 
 BEGIN_SIMPLE_FUZZER()
@@ -53,6 +56,6 @@ BEGIN_SIMPLE_FUZZER()
   iss << s;
   boost::archive::portable_binary_iarchive ar(iss);
   ar >> outputs;
-  size_t n_outputs = wallet.import_outputs(outputs);
+  size_t n_outputs = wallet->import_outputs(outputs);
   std::cout << boost::lexical_cast<std::string>(n_outputs) << " outputs imported" << std::endl;
 END_SIMPLE_FUZZER()
diff --git a/tests/fuzz/cold-transaction.cpp b/tests/fuzz/cold-transaction.cpp
index 9808362e4..ebbbc283f 100644
--- a/tests/fuzz/cold-transaction.cpp
+++ b/tests/fuzz/cold-transaction.cpp
@@ -34,16 +34,19 @@
 #include "wallet/wallet2.h"
 #include "fuzzer.h"
 
-static tools::wallet2 wallet;
+static tools::wallet2 *wallet = NULL;
 
 BEGIN_INIT_SIMPLE_FUZZER()
+  static tools::wallet2 local_wallet;
+  wallet = &local_wallet;
+
   static const char * const spendkey_hex = "0b4f47697ec99c3de6579304e5f25c68b07afbe55b71d99620bf6cbf4e45a80f";
   crypto::secret_key spendkey;
   epee::string_tools::hex_to_pod(spendkey_hex, spendkey);
 
-  wallet.init("", boost::none, boost::asio::ip::tcp::endpoint{}, 0, true, epee::net_utils::ssl_support_t::e_ssl_support_disabled);
-  wallet.set_subaddress_lookahead(1, 1);
-  wallet.generate("", "", spendkey, true, false);
+  wallet->init("", boost::none, boost::asio::ip::tcp::endpoint{}, 0, true, epee::net_utils::ssl_support_t::e_ssl_support_disabled);
+  wallet->set_subaddress_lookahead(1, 1);
+  wallet->generate("", "", spendkey, true, false);
 END_INIT_SIMPLE_FUZZER()
 
 BEGIN_SIMPLE_FUZZER()
@@ -54,6 +57,6 @@ BEGIN_SIMPLE_FUZZER()
   boost::archive::portable_binary_iarchive ar(iss);
   ar >> exported_txs;
   std::vector<tools::wallet2::pending_tx> ptx;
-  bool success = wallet.sign_tx(exported_txs, "/tmp/cold-transaction-test-signed", ptx);
+  bool success = wallet->sign_tx(exported_txs, "/tmp/cold-transaction-test-signed", ptx);
   std::cout << (success ? "signed" : "error") << std::endl;
 END_SIMPLE_FUZZER()
diff --git a/tests/fuzz/fuzzer.h b/tests/fuzz/fuzzer.h
index 2d0a29dfc..ce230fb66 100644
--- a/tests/fuzz/fuzzer.h
+++ b/tests/fuzz/fuzzer.h
@@ -56,7 +56,7 @@ extern "C" { \
       static bool first = true; \
       if (first) \
       { \
-        if (!init()) \
+        if (init()) \
           return 1; \
         first = false; \
       } \
@@ -66,8 +66,12 @@ extern "C" { \
     catch (const std::exception &e) \
     { \
       fprintf(stderr, "Exception: %s\n", e.what()); \
-      return 1; \
+      delete el::base::elStorage; \
+      el::base::elStorage = NULL; \
+      return 0; \
     } \
+    delete el::base::elStorage; \
+    el::base::elStorage = NULL; \
     return 0; \
   } \
 }
@@ -122,8 +126,12 @@ int run_fuzzer(int argc, const char **argv, Fuzzer &fuzzer);
       catch (const std::exception &e) \
       { \
         fprintf(stderr, "Exception: %s\n", e.what()); \
-        return 1; \
+        delete el::base::elStorage; \
+        el::base::elStorage = NULL; \
+        return 0; \
       } \
+      delete el::base::elStorage; \
+      el::base::elStorage = NULL; \
       return 0; \
     } \
   }; \
diff --git a/tests/fuzz/signature.cpp b/tests/fuzz/signature.cpp
index cd65e42d0..3743cfdd0 100644
--- a/tests/fuzz/signature.cpp
+++ b/tests/fuzz/signature.cpp
@@ -34,17 +34,20 @@
 #include "wallet/wallet2.h"
 #include "fuzzer.h"
 
-static tools::wallet2 wallet(cryptonote::TESTNET);
+static tools::wallet2 *wallet = NULL;
 static cryptonote::account_public_address address;
 
 BEGIN_INIT_SIMPLE_FUZZER()
+  static tools::wallet2 local_wallet(cryptonote::TESTNET);
+  wallet = &local_wallet;
+
   static const char * const spendkey_hex = "0b4f47697ec99c3de6579304e5f25c68b07afbe55b71d99620bf6cbf4e45a80f";
   crypto::secret_key spendkey;
   epee::string_tools::hex_to_pod(spendkey_hex, spendkey);
 
-  wallet.init("", boost::none, boost::asio::ip::tcp::endpoint{}, 0, true, epee::net_utils::ssl_support_t::e_ssl_support_disabled);
-  wallet.set_subaddress_lookahead(1, 1);
-  wallet.generate("", "", spendkey, true, false);
+  wallet->init("", boost::none, boost::asio::ip::tcp::endpoint{}, 0, true, epee::net_utils::ssl_support_t::e_ssl_support_disabled);
+  wallet->set_subaddress_lookahead(1, 1);
+  wallet->generate("", "", spendkey, true, false);
 
   cryptonote::address_parse_info info;
   if (!cryptonote::get_account_address_from_str_or_url(info, cryptonote::TESTNET, "9uVsvEryzpN8WH2t1WWhFFCG5tS8cBNdmJYNRuckLENFimfauV5pZKeS1P2CbxGkSDTUPHXWwiYE5ZGSXDAGbaZgDxobqDN"))
@@ -56,6 +59,6 @@ BEGIN_INIT_SIMPLE_FUZZER()
 END_INIT_SIMPLE_FUZZER()
 
 BEGIN_SIMPLE_FUZZER()
-  bool valid = wallet.verify("test", address, std::string((const char*)buf, len));
+  bool valid = wallet->verify("test", address, std::string((const char*)buf, len));
   std::cout << "Signature " << (valid ? "valid" : "invalid") << std::endl;
 END_SIMPLE_FUZZER()
diff --git a/tests/fuzz/tx-extra.cpp b/tests/fuzz/tx-extra.cpp
new file mode 100644
index 000000000..35b14b802
--- /dev/null
+++ b/tests/fuzz/tx-extra.cpp
@@ -0,0 +1,40 @@
+// Copyright (c) 2020, The Monero Project
+// 
+// All rights reserved.
+// 
+// Redistribution and use in source and binary forms, with or without modification, are
+// permitted provided that the following conditions are met:
+// 
+// 1. Redistributions of source code must retain the above copyright notice, this list of
+//    conditions and the following disclaimer.
+// 
+// 2. Redistributions in binary form must reproduce the above copyright notice, this list
+//    of conditions and the following disclaimer in the documentation and/or other
+//    materials provided with the distribution.
+// 
+// 3. Neither the name of the copyright holder nor the names of its contributors may be
+//    used to endorse or promote products derived from this software without specific
+//    prior written permission.
+// 
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+// EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
+// THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+// PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+// THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#include "include_base_utils.h"
+#include "cryptonote_basic/cryptonote_format_utils.h"
+#include "fuzzer.h"
+
+BEGIN_INIT_SIMPLE_FUZZER()
+END_INIT_SIMPLE_FUZZER()
+
+BEGIN_SIMPLE_FUZZER()
+  std::vector<cryptonote::tx_extra_field> tx_extra_fields;
+  cryptonote::parse_tx_extra(std::vector<uint8_t>(buf, buf + len), tx_extra_fields);
+END_SIMPLE_FUZZER()
+