LCOV - code coverage report
Current view: top level - waltz/quic/tests - fuzz_quic_wire.c (source / functions) Hit Total Coverage
Test: cov.lcov Lines: 133 271 49.1 %
Date: 2025-10-13 04:42:14 Functions: 4 10 40.0 %

          Line data    Source code
       1             : /* fuzz_quic_wire is a simple and stateless fuzz target for fd_quic.
       2             : 
       3             :    The attack surface consists of fd_quic's packet handlers.
       4             :    The input vectors are the raw contents of UDP datagrams (in encrypted
       5             :    form)  A custom mutator is used to temporarily remove the decryption
       6             :    before calling the generic libFuzzer mutator.  If we tried mutating
       7             :    the encrypted inputs directly, everything would just be an encryption
       8             :    failure.
       9             : 
      10             :    The goal of fuzz_quic_wire is to cover the early upstream stages of
      11             :    the QUIC packet processing pipeline.  This includes packet header
      12             :    parsing, connection creation, retry handling, etc. */
      13             : 
      14             : #include "../../../util/sanitize/fd_fuzz.h"
      15             : #include "fd_quic_test_helpers.h"
      16             : #include "../crypto/fd_quic_crypto_suites.h"
      17             : #include "../templ/fd_quic_parse_util.h"
      18             : #include "../../tls/test_tls_helper.h"
      19             : #include "../../../util/net/fd_ip4.h"
      20             : #include "../../../util/net/fd_udp.h"
      21             : #include "../fd_quic_proto.h"
      22             : #include "../fd_quic_proto.c"
      23             : #include "../fd_quic_private.h"
      24             : #include "../fd_quic_svc_q.h"
      25             : 
      26             : #include <assert.h>
      27             : #include <stdlib.h> /* putenv, atexit */
      28             : 
      29             : static FD_TL long g_clock = 1L;
      30             : 
      31             : int
      32             : LLVMFuzzerInitialize( int *    pargc,
      33          12 :                       char *** pargv ) {
      34          12 :   putenv( "FD_LOG_BACKTRACE=0" );
      35          12 :   fd_boot( pargc, pargv );
      36          12 :   atexit( fd_halt );
      37          12 :   fd_log_level_logfile_set(0);
      38          12 :   fd_log_level_stderr_set(0);
      39          12 : # ifndef FD_DEBUG_MODE
      40          12 :   fd_log_level_core_set(3); /* crash on warning log */
      41          12 : # endif
      42          12 :   return 0;
      43          12 : }
      44             : 
      45             : static int
      46             : _aio_send( void *                    ctx,
      47             :            fd_aio_pkt_info_t const * batch,
      48             :            ulong                     batch_cnt,
      49             :            ulong *                   opt_batch_idx,
      50         174 :            int                       flush ) {
      51         174 :   (void)flush;
      52         174 :   (void)batch;
      53         174 :   (void)batch_cnt;
      54         174 :   (void)opt_batch_idx;
      55         174 :   (void)ctx;
      56         174 :   return 0;
      57         174 : }
      58             : 
      59             : static void
      60             : send_udp_packet( fd_quic_t *   quic,
      61             :                  uchar const * data,
      62        2088 :                  ulong         size ) {
      63             : 
      64        2088 :   uchar buf[16384];
      65             : 
      66        2088 :   ulong headers_sz = sizeof(fd_ip4_hdr_t) + sizeof(fd_udp_hdr_t);
      67             : 
      68        2088 :   uchar * cur = buf;
      69        2088 :   uchar * end = buf + sizeof(buf);
      70             : 
      71        2088 :   fd_ip4_hdr_t ip4 = {
      72        2088 :     .verihl      = FD_IP4_VERIHL(4,5),
      73        2088 :     .protocol    = FD_IP4_HDR_PROTOCOL_UDP,
      74        2088 :     .net_tot_len = (ushort)( sizeof(fd_ip4_hdr_t)+sizeof(fd_udp_hdr_t)+size ),
      75        2088 :   };
      76        2088 :   fd_udp_hdr_t udp = {
      77        2088 :     .net_sport = 8000,
      78        2088 :     .net_dport = 8001,
      79        2088 :     .net_len   = (ushort)( sizeof(fd_udp_hdr_t)+size ),
      80        2088 :     .check     = 0
      81        2088 :   };
      82             : 
      83             :   /* Guaranteed to not overflow */
      84        2088 :   fd_quic_encode_ip4( cur, (ulong)( end-cur ), &ip4 ); cur += sizeof(fd_ip4_hdr_t);
      85        2088 :   fd_quic_encode_udp( cur, (ulong)( end-cur ), &udp ); cur += sizeof(fd_udp_hdr_t);
      86             : 
      87        2088 :   if( cur + size > end ) return;
      88        2088 :   fd_memcpy( cur, data, size );
      89             : 
      90             :   /* Main fuzz entrypoint */
      91             : 
      92        2088 :   fd_quic_process_packet( quic, buf, headers_sz + size, g_clock );
      93        2088 : }
      94             : 
      95             : int
      96             : LLVMFuzzerTestOneInput( uchar const * data,
      97        2088 :                         ulong         size ) {
      98             : 
      99        2088 :   fd_rng_t _rng[1]; fd_rng_t * rng = fd_rng_join( fd_rng_new( _rng, 0U, 0UL ) );
     100             : 
     101             :   /* Memory region to hold the QUIC instance */
     102        2088 :   static uchar quic_mem[ 1<<23 ] __attribute__((aligned(FD_QUIC_ALIGN)));
     103             : 
     104             :   /* Create ultra low limits for QUIC instance for maximum performance */
     105        2088 :   fd_quic_limits_t const quic_limits = {
     106        2088 :     .conn_cnt           = 2,
     107        2088 :     .handshake_cnt      = 2,
     108        2088 :     .conn_id_cnt        = 4,
     109        2088 :     .inflight_frame_cnt = 16UL,
     110        2088 :     .stream_pool_cnt    = 8UL,
     111        2088 :     .tx_buf_sz          = 1UL<<8UL
     112        2088 :   };
     113             : 
     114             :   /* Enable features depending on the last few bits.  The last bits are
     115             :      pseudorandom (either ignored or belong to the MAC tag) */
     116        2088 :   uint last_byte = 0U;
     117        2088 :   if( size > 0 ) last_byte = data[ size-1 ];
     118        2088 :   int enable_retry = !!(last_byte & 1);
     119        2088 :   int role         =   (last_byte & 2) ? FD_QUIC_ROLE_SERVER : FD_QUIC_ROLE_CLIENT;
     120        2088 :   int established  = !!(last_byte & 4);
     121             : 
     122        2088 :   assert( fd_quic_footprint( &quic_limits ) <= sizeof(quic_mem) );
     123        2088 :   void *      shquic = fd_quic_new( quic_mem, &quic_limits );
     124        2088 :   fd_quic_t * quic   = fd_quic_join( shquic );
     125             : 
     126        2088 :   fd_quic_config_anonymous( quic, role );
     127             : 
     128        2088 :   fd_tls_test_sign_ctx_t test_signer[1];
     129        2088 :   fd_tls_test_sign_ctx( test_signer, rng );
     130        2088 :   fd_quic_config_test_signer( quic, test_signer );
     131             : 
     132        2088 :   quic->config.retry = enable_retry;
     133             : 
     134        2088 :   fd_aio_t aio_[1];
     135        2088 :   fd_aio_t * aio = fd_aio_join( fd_aio_new( aio_, NULL, _aio_send ) );
     136        2088 :   assert( aio );
     137             : 
     138        2088 :   fd_quic_set_aio_net_tx( quic, aio );
     139        2088 :   assert( fd_quic_init( quic ) );
     140        2088 :   assert( quic->config.idle_timeout > 0 );
     141             : 
     142        2088 :   fd_quic_state_t * state = fd_quic_get_state( quic );
     143        2088 :   g_clock    = 1000L;
     144        2088 :   state->now = g_clock;
     145             : 
     146             :   /* Create dummy connection */
     147        2088 :   ulong             our_conn_id  = ULONG_MAX;
     148        2088 :   fd_quic_conn_id_t peer_conn_id = { .sz=8 };
     149        2088 :   uint              dst_ip_addr  = 0U;
     150        2088 :   ushort            dst_udp_port = (ushort)0;
     151             : 
     152        2088 :   fd_quic_conn_t * conn =
     153        2088 :     fd_quic_conn_create( quic,
     154        2088 :                          our_conn_id, &peer_conn_id,
     155        2088 :                          dst_ip_addr,  (ushort)dst_udp_port,
     156        2088 :                          0U, 0U,
     157        2088 :                          1  /* we are the server */ );
     158        2088 :   assert( conn );
     159        2088 :   fd_quic_svc_timers_schedule( state->svc_timers, conn, g_clock );
     160        2088 :   {
     161        2088 :     fd_quic_svc_event_t event = fd_quic_svc_timers_get_event( state->svc_timers, conn, g_clock );
     162        2088 :     assert( event.conn );
     163        2088 :     assert( event.timeout > g_clock );
     164        2088 :   }
     165             : 
     166        2088 :   conn->tx_max_data                            =       512UL;
     167        2088 :   conn->tx_initial_max_stream_data_uni         =        64UL;
     168        2088 :   conn->srx->rx_max_data                       =       512UL;
     169        2088 :   conn->srx->rx_sup_stream_id                  =        32UL;
     170        2088 :   conn->tx_max_datagram_sz                     = FD_QUIC_MTU;
     171        2088 :   conn->tx_sup_stream_id                       =        32UL;
     172             : 
     173        2088 :   if( established ) {
     174         861 :     conn->state = FD_QUIC_CONN_STATE_ACTIVE;
     175         861 :     conn->keys_avail = 0xff;
     176         861 :   }
     177             : 
     178             :   /* Calls fuzz entrypoint */
     179        2088 :   send_udp_packet( quic, data, size );
     180             : 
     181             :   /* svc_quota is the max number of service calls that we expect to
     182             :      schedule in response to a single packet. */
     183        2088 :   long svc_quota = fd_long_max( (long)size, 1000L );
     184             : 
     185             :   /* service all 'instant' events */
     186        2169 :   while( g_clock == fd_quic_svc_timers_next( state->svc_timers, g_clock, 0 ).timeout ) {
     187          81 :     fd_quic_service( quic, g_clock );
     188          81 :     assert( --svc_quota > 0 );
     189          81 :   }
     190             :   /* assert no INSTANT left, and first prq event (if any) is in future */
     191        2088 :   assert( state->svc_timers->instant.cnt == 0 && conn->svc_meta.private.svc_type!=FD_QUIC_SVC_INSTANT );
     192        2088 :   const ulong event_idx = conn->svc_meta.private.prq_idx;
     193        2088 :   assert( event_idx == FD_QUIC_SVC_PRQ_IDX_INVAL || state->svc_timers->prq[ event_idx ].timeout > g_clock );
     194             : 
     195             :   /* Generate ACKs, if any left */
     196        2088 :   long  pre_ack_ts = g_clock;
     197        2088 :   fd_quic_svc_event_t next = fd_quic_svc_timers_next( state->svc_timers, g_clock, 0 );
     198        2088 :   while( next.conn && next.timeout <= pre_ack_ts + (long)quic->config.ack_delay ) {
     199           0 :     g_clock = next.timeout;
     200           0 :     fd_quic_service( quic, g_clock );
     201           0 :     assert( --svc_quota > 0 );
     202           0 :     next = fd_quic_svc_timers_next( state->svc_timers, g_clock, 0 );
     203           0 :   }
     204        2088 :   assert( next.timeout > pre_ack_ts+(long)quic->config.ack_delay );
     205             : 
     206             :   /* Simulate conn timeout */
     207        4176 :   while( next.conn ) {
     208        2088 :     long idle_timeout_ts = next.conn->last_activity + quic->config.idle_timeout + 1L;
     209             : 
     210             :     /* Idle timeouts should not be scheduled significantly late */
     211        2088 :     assert( next.timeout < idle_timeout_ts + (long)2e9 );
     212             : 
     213        2088 :     g_clock = next.timeout;
     214        2088 :     fd_quic_service( quic, g_clock );
     215        2088 :     assert( --svc_quota > 0 );
     216        2088 :     next = fd_quic_svc_timers_next( state->svc_timers, g_clock, 0 );
     217        2088 :   }
     218             : 
     219             :   /* connection should be dead */
     220        2088 :   assert( conn->svc_meta.private.prq_idx == FD_QUIC_SVC_PRQ_IDX_INVAL );
     221        2088 :   assert( conn->state == FD_QUIC_CONN_STATE_DEAD || conn->state == FD_QUIC_CONN_STATE_INVALID );
     222             : 
     223             :   /* freed stream resources */
     224        2088 :   assert( state->stream_pool->cur_cnt == quic_limits.stream_pool_cnt );
     225        2088 :   assert( conn->used_streams->sentinel );
     226        2088 :   assert( conn->send_streams->sentinel );
     227        2088 :   assert( !conn->tls_hs );
     228             : 
     229        2088 :   fd_quic_delete( fd_quic_leave( fd_quic_fini( quic ) ) );
     230        2088 :   fd_aio_delete( fd_aio_leave( aio ) );
     231        2088 :   fd_rng_delete( fd_rng_leave( rng ) );
     232        2088 :   return 0;
     233        2088 : }
     234             : 
     235             : #if !FD_QUIC_DISABLE_CRYPTO
     236             : 
     237             : static fd_quic_crypto_keys_t const keys[1] = {{
     238             :   .pkt_key    = {0},
     239             :   .iv         = {0},
     240             :   .hp_key     = {0},
     241             : }};
     242             : 
     243             : /* guess_packet_size attempts to discover the end of a QUIC packet.
     244             :    Returns the total length (including GCM tag) on success, sets *pn_off
     245             :    to the packet number offset and *pn to the packet number.  Returns
     246             :    0UL on failure. */
     247             : 
     248             : static ulong
     249             : guess_packet_size( uchar const * data,
     250             :                    ulong         size,
     251           0 :                    ulong *       pn_off ) {
     252             : 
     253           0 :   uchar const * cur_ptr = data;
     254           0 :   ulong         cur_sz  = size;
     255             : 
     256           0 :   ulong pkt_num_pnoff = 0UL;
     257           0 :   ulong total_len     = size;
     258             : 
     259           0 :   if( FD_UNLIKELY( size < 1 ) ) return FD_QUIC_PARSE_FAIL;
     260           0 :   uchar hdr_form = fd_quic_h0_hdr_form( *cur_ptr );
     261             : 
     262           0 :   ulong rc;
     263           0 :   if( hdr_form == 1 ) {  /* long header */
     264             : 
     265           0 :     uchar long_packet_type = fd_quic_h0_long_packet_type( *cur_ptr );
     266           0 :     cur_ptr += 1; cur_sz -= 1UL;
     267           0 :     fd_quic_long_hdr_t long_hdr[1];
     268           0 :     rc = fd_quic_decode_long_hdr( long_hdr, cur_ptr, cur_sz );
     269           0 :     if( rc == FD_QUIC_PARSE_FAIL ) return 0UL;
     270           0 :     cur_ptr += rc; cur_sz -= rc;
     271             : 
     272           0 :     switch( long_packet_type ) {
     273           0 :     case FD_QUIC_PKT_TYPE_INITIAL: {
     274           0 :       fd_quic_initial_t initial[1];
     275           0 :       rc = fd_quic_decode_initial( initial, cur_ptr, cur_sz );
     276           0 :       if( rc == FD_QUIC_PARSE_FAIL ) return 0UL;
     277           0 :       cur_ptr += rc; cur_sz -= rc;
     278             : 
     279           0 :       pkt_num_pnoff = initial->pkt_num_pnoff;
     280           0 :       total_len     = pkt_num_pnoff + initial->len;
     281           0 :       break;
     282           0 :     }
     283           0 :     case FD_QUIC_PKT_TYPE_HANDSHAKE: {
     284           0 :       fd_quic_handshake_t handshake[1];
     285           0 :       rc = fd_quic_decode_handshake( handshake, cur_ptr, cur_sz );
     286           0 :       if( rc == FD_QUIC_PARSE_FAIL ) return 0UL;
     287           0 :       cur_ptr += rc; cur_sz -= rc;
     288             : 
     289           0 :       pkt_num_pnoff = handshake->pkt_num_pnoff;
     290           0 :       total_len     = pkt_num_pnoff + handshake->len;
     291           0 :       break;
     292           0 :     }
     293           0 :     case FD_QUIC_PKT_TYPE_RETRY:
     294             :       /* Do we need to decrypt Retry packets?  I'm not sure */
     295             :       /* TODO correctly derive size of packet in case there is another
     296             :               packet following the retry packet */
     297           0 :       return 0UL;
     298           0 :     case FD_QUIC_PKT_TYPE_ZERO_RTT:
     299             :       /* No support for 0-RTT yet */
     300           0 :       return 0UL;
     301           0 :     default:
     302           0 :       __builtin_unreachable();
     303           0 :     }
     304             : 
     305           0 :   } else {  /* short header */
     306             : 
     307           0 :     fd_quic_one_rtt_t one_rtt[1];
     308           0 :     one_rtt->dst_conn_id_len = 8;
     309           0 :     rc = fd_quic_decode_one_rtt( one_rtt, cur_ptr, cur_sz );
     310           0 :     if( rc == FD_QUIC_PARSE_FAIL ) return 0UL;
     311           0 :     cur_ptr += rc; cur_sz -= rc;
     312             : 
     313           0 :     pkt_num_pnoff = one_rtt->pkt_num_pnoff;
     314             : 
     315           0 :   }
     316             : 
     317           0 :   *pn_off = pkt_num_pnoff;
     318           0 :   return total_len;
     319           0 : }
     320             : 
     321             : /* decrypt_packet attempts to decrypt the first QUIC packet in the given
     322             :    buffer.  data points to the first byte of the QUIC packet.  size is
     323             :    the number of bytes until the end of the UDP datagram.  Returns the
     324             :    number of bytes that belonged to the first packet (<= size) on
     325             :    success.  Returns 0 on failure and leaves the packet (partially)
     326             :    encrypted. */
     327             : 
     328             : static ulong
     329             : decrypt_packet( uchar * const data,
     330           0 :                 ulong   const size ) {
     331             : 
     332           0 :   ulong pkt_num_pnoff = 0UL;
     333           0 :   ulong total_len = guess_packet_size( data, size, &pkt_num_pnoff );
     334           0 :   if( !total_len ) return 0UL;
     335             : 
     336             :   /* Decrypt the packet */
     337             : 
     338           0 :   int decrypt_res = fd_quic_crypto_decrypt_hdr( data, size, pkt_num_pnoff, keys );
     339           0 :   if( decrypt_res != FD_QUIC_SUCCESS ) return 0UL;
     340             : 
     341           0 :   uint  pkt_number_sz = fd_quic_h0_pkt_num_len( data[0] ) + 1u;
     342           0 :   ulong pkt_number    = fd_quic_pktnum_decode( data+pkt_num_pnoff, pkt_number_sz );
     343             : 
     344           0 :   decrypt_res =
     345           0 :     fd_quic_crypto_decrypt( data,           size,
     346           0 :                             pkt_num_pnoff,  pkt_number,
     347           0 :                             keys );
     348           0 :   if( decrypt_res != FD_QUIC_SUCCESS ) return 0UL;
     349             : 
     350           0 :   return fd_ulong_min( total_len + FD_QUIC_CRYPTO_TAG_SZ, size );
     351           0 : }
     352             : 
     353             : /* decrypt_payload attempts to remove packet protection of a UDP
     354             :    datagram payload in-place.  Note that a UDP datagram can contain
     355             :    multiple QUIC packets. */
     356             : 
     357             : static int
     358             : decrypt_payload( uchar * data,
     359           0 :                  ulong   size ) {
     360             : 
     361           0 :   if( size < 16 ) return 0;
     362             : 
     363             :   /* Heuristic: If the last 16 bytes of the packet (the AES-GCM tag) are
     364             :      zero consider it an unencrypted packet */
     365             : 
     366           0 :   uint mask=0U;
     367           0 :   for( ulong j=0UL; j<16UL; j++ ) mask |= data[size-16+j];
     368           0 :   if( !mask ) return 1;
     369             : 
     370           0 :   uchar * cur_ptr = data;
     371           0 :   ulong   cur_sz  = size;
     372             : 
     373           0 :   do {
     374             : 
     375           0 :     ulong sz = decrypt_packet( cur_ptr, cur_sz );
     376           0 :     if( !sz ) return 0;
     377           0 :     assert( sz <= cur_sz );  /* prevent out of bounds */
     378             : 
     379           0 :     cur_ptr += sz;  cur_sz -= sz;
     380             : 
     381           0 :   } while( cur_sz );
     382             : 
     383           0 :   return 1;
     384           0 : }
     385             : 
     386             : static ulong
     387             : encrypt_packet( uchar * const data,
     388           0 :                 ulong   const size ) {
     389             : 
     390           0 :   uchar out[ FD_QUIC_MTU ];
     391             : 
     392           0 :   ulong pkt_num_pnoff = 0UL;
     393           0 :   ulong total_len = guess_packet_size( data, size, &pkt_num_pnoff );
     394           0 :   if( ( total_len < FD_QUIC_CRYPTO_TAG_SZ ) |
     395           0 :       ( total_len > size                  ) |
     396           0 :       ( total_len > sizeof(out)           ) )
     397           0 :     return size;
     398             : 
     399           0 :   uchar first = data[0];
     400           0 :   ulong pkt_number_sz = ( first & 0x03u ) + 1;
     401             : 
     402           0 :   ulong         out_sz = total_len;
     403           0 :   uchar const * hdr    = data;
     404           0 :   ulong         hdr_sz = pkt_num_pnoff + pkt_number_sz;
     405             : 
     406           0 :   ulong pkt_number = 0UL;
     407           0 :   for( ulong j = 0UL; j < pkt_number_sz; ++j ) {
     408           0 :     pkt_number = ( pkt_number << 8UL ) + (ulong)( hdr[pkt_num_pnoff + j] );
     409           0 :   }
     410             : 
     411           0 :   if( ( out_sz          < hdr_sz ) |
     412           0 :       ( out_sz - hdr_sz < FD_QUIC_CRYPTO_TAG_SZ ) )
     413           0 :     return size;
     414             : 
     415           0 :   uchar const * pay    = hdr + hdr_sz;
     416           0 :   ulong         pay_sz = out_sz - hdr_sz - FD_QUIC_CRYPTO_TAG_SZ;
     417             : 
     418           0 :   int encrypt_res =
     419           0 :     fd_quic_crypto_encrypt( out, &out_sz,
     420           0 :                             hdr, hdr_sz,
     421           0 :                             pay, pay_sz,
     422           0 :                             keys, keys,
     423           0 :                             pkt_number );
     424           0 :   if( encrypt_res != FD_QUIC_SUCCESS )
     425           0 :     return size;
     426           0 :   assert( out_sz == total_len );
     427             : 
     428           0 :   fd_memcpy( data, out, out_sz );
     429           0 :   return out_sz;
     430           0 : }
     431             : 
     432             : static void
     433             : encrypt_payload( uchar * data,
     434           0 :                  ulong   size ) {
     435             : 
     436           0 :   uchar * cur_ptr = data;
     437           0 :   ulong   cur_sz  = size;
     438             : 
     439           0 :   while( cur_sz ) {
     440           0 :     ulong sz = encrypt_packet( cur_ptr, cur_sz );
     441           0 :     assert( sz );            /* prevent infinite loop */
     442           0 :     assert( sz <= cur_sz );  /* prevent out of bounds */
     443             : 
     444           0 :     cur_ptr += sz;  cur_sz -= sz;
     445           0 :   }
     446           0 : }
     447             : 
     448             : /* LLVMFuzzerCustomMutator has the following behavior:
     449             : 
     450             :    - If the input is not encrypted, mutates the raw input, and produces
     451             :      an encrypted output
     452             :    - If the input is encrypted, mutates the decrypted input, and
     453             :      produces another encrypted output
     454             :    - If the input appears to be encrypted but fails to decrypt, mutates
     455             :      the raw encrypted input, and produces another output that will fail
     456             :      to decrypt. */
     457             : 
     458             : ulong
     459             : LLVMFuzzerCustomMutator( uchar * data,
     460             :                          ulong   data_sz,
     461             :                          ulong   max_sz,
     462           0 :                          uint    seed ) {
     463           0 :   int ok = decrypt_payload( data, data_sz );
     464           0 :   data_sz = LLVMFuzzerMutate( data, data_sz, max_sz );
     465           0 :   if( ok ) encrypt_payload( data, data_sz );
     466           0 :   (void)seed;
     467           0 :   return data_sz;
     468           0 : }
     469             : 
     470             : /* Find a strategy for custom crossover of decrypted packets */
     471             : 
     472             : #endif /* !FD_QUIC_DISABLE_CRYPTO */

Generated by: LCOV version 1.14