fuzz-tests: Add a test for `fundee_channel()` #8411

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Open

Chand-ra wants to merge 2 commits into ElementsProject:master from Chand-ra:open_channel

Chand-ra commented Jul 11, 2025

fundee_channel() in openingd/openingd.c is responsible for handling incoming open_channel messages from a peer. Since it deals with external input, add a test for it.

Checklist

Before submitting the PR, ensure the following tasks are completed. If an item is not applicable to your PR, please mark it as checked:

The changelog has been updated in the relevant commit(s) according to the guidelines.
Tests have been added or modified to reflect the changes.
Documentation has been reviewed and updated as needed.
Related issues have been listed and linked, including any that this PR closes.

Chand-ra mentioned this pull request

fuzz-tests: improve fuzz-initial_channel #8373

Draft

4 tasks

Chand-ra force-pushed the open_channel branch from e81afbc to c298bbb Compare

July 14, 2025 12:30

morehouse suggested changes

View reviewed changes

Contributor

morehouse left a comment

I think the crash is probably happening because the initial state we use may have certain developer flags enabled. We should make sure we're using flags that would be used in production.

tests/fuzz/Makefile Outdated

@@ @@ -72,5 +72,17 @@ FUZZ_COMMON_OBJS := \ @@
               $(FUZZ_TARGETS_OBJS): $(COMMON_HEADERS) $(WIRE_HEADERS) $(COMMON_SRC)
               $(FUZZ_TARGETS_BIN): $(LIBFUZZ_OBJS) $(FUZZ_COMMON_OBJS) $(BITCOIN_OBJS)
+              tests/fuzz/fuzz-open_channel:	common/shutdown_scriptpubkey.o		\

Contributor

morehouse Jul 16, 2025

Nit: let's put this rule up by the other target-specific ones

tests/fuzz/fuzz-open_channel.c Outdated

+              {
+              	struct state *state = talz(ctx, struct state);
+              	state->developer = fromwire_bool(cursor, max);

Contributor

morehouse Jul 16, 2025

We should always set developer = false, since we're only interested in bugs that happen in production.

tests/fuzz/fuzz-open_channel.c Outdated

+              		= state->upfront_shutdown_script[REMOTE]
+              		= NULL;
+              	fromwire_bitcoin_outpoint(cursor, max, &state->funding);

Contributor

morehouse Jul 16, 2025

Why are we setting the funding outpoint here? Shouldn't this be set later by the funding_create message?

tests/fuzz/fuzz-open_channel.c

+              					&state->minimum_depth,
+              					&state->min_feerate, &state->max_feerate,
+              					&state->dev_force_tmp_channel_id,
+              					&state->allowdustreserve,

Contributor

morehouse Jul 16, 2025

This is probably one immediate cause of the crash -- this lets the fuzzer set allowdustreserve = true, which bypasses the checks needed to sanitize dust limits and channel reserves.

allowdustreserve is a developer option that we should probably always set to false for this test.

tests/fuzz/fuzz-open_channel.c

+              	u8 remaining_len = fromwire_u8(cursor, max);
+              	if (remaining_len > *max)
+              		remaining_len = *max;
+              	towire_u8_array(&openingd_init_msg, *cursor, remaining_len);

Contributor

morehouse Jul 16, 2025

I think we need to be more careful than to just populate state with random values. At the very least there are several developer options we should probably disable. And there might be other constraints we need to satisfy.

Author

Chand-ra Jul 21, 2025

I agree on the point that we should turn off the developer options, but I think letting the fuzzer decide as much of the state as it can helps discover more code paths than a fixed set of values would. It also doesn't result in a crash in the latest push, so I think it's worth constructing the message like this.

tests/fuzz/fuzz-open_channel.c

+              }
+              static u8 *create_open_channel_msg(const tal_t *ctx, const u8 **cursor, size_t *max, struct state *state)
+              {

Contributor

morehouse Jul 16, 2025

I don't think we should be doing any of the validation in this function. The open_channel message comes from the peer, which means it could contain anything. We should basically use raw fuzzer-generated data for the message.

Author

Chand-ra Jul 17, 2025

Right, that's what I did initially but that approach took too long for the fuzzer to reach deeper code paths in the target function. By doing it this way, the fuzzer can achieve new coverage quicker while still retaining the ability to tweak the message.

Contributor

morehouse Jul 18, 2025

Maybe we could use one input byte to decide whether we do the validation or not. Then we get the best of both worlds -- 50% of the time we do random values in case a crash can be found that way and 50% of the time we do validated values to fuzz deeper.

tests/fuzz/fuzz-open_channel.c

Comment on lines +192 to +203

+              /* These have the same definitions as the original peer_reed and peer_write.
+               * We reiterate these here because we want them to use test_sync_write and
+               * test_sync_read.
+               */

Contributor

morehouse Jul 16, 2025

Since we're overriding peer_read and peer_write, we can just call test_sync_read and test_sync_write directly here for clarity.

tests/fuzz/fuzz-open_channel.c Outdated

+              		struct amount_sat reserve = amount_sat(100);
+              		u32 mindepth = 10;
+              		return towire_openingd_got_offer_reply(ctx, NULL, NULL, NULL,
+              							&reserve, mindepth);

Contributor

morehouse Jul 16, 2025

Maybe we should just use reserve=NULL for now, which will use the default of 1% of the channel capacity.

tests/fuzz/fuzz-open_channel.c

+              			assert(false && "Too many HSMD writes!");
+              	}
+              	else if (fd == PEER_FD)
+              	{

Contributor

morehouse Jul 16, 2025

It looks like we could also get in the case from negotiation_failed, and in that scenario there wouldn't be an accept_channel message to send.

tests/fuzz/fuzz-open_channel.c Outdated

Comment on lines 70 to 71

		return towire_funding_created(ctx, &state->channel_id,
		&state->funding.txid, state->funding.n, &sig.s);

Contributor

morehouse Jul 16, 2025

funding_created is a message sent by the peer and could contain anything. Ideally we would use fuzzer-generated data for this message, so we can check if the peer can crash us from this message.

In fact it looks like the peer can send other non-funding-created messages to fundee_channel as well, which we should also try here.

Of course to fuzz deeper in the state machine we also want valid funding_created messages to be created sometimes. So there's an opportunity for some optimization here.

Chand-ra force-pushed the open_channel branch from c298bbb to bf0f15a Compare

July 21, 2025 07:19

morehouse suggested changes

View reviewed changes

tests/fuzz/fuzz-open_channel.c

Comment on lines +260 to +262

    
              static u8 *create_fuzz_msg(const tal_t *ctx)

              {

Contributor

morehouse Jul 21, 2025

handle_peer_in only ever calls fundee_channel with open_channel messages. So we should manually prefix with WIRE_OPEN_CHANNEL for that case.

tests/fuzz/fuzz-open_channel.c Outdated

    
              static u8 *create_fuzz_msg(const tal_t *ctx)

              {

              	u8 *msg = tal_arr(ctx, u8, 0);

              	u8 msg_len = fromwire_u8(cursor, max);

Contributor

morehouse Jul 21, 2025

Reading one byte here gives a max len of 255. I don't think that's enough for any valid open_channel message: https://github.com/lightning/bolts/blob/master/02-peer-protocol.md#the-open_channel-message.

Probably we need to read 2 bytes for the length.

tests/fuzz/fuzz-open_channel.c Outdated

    
              	u8 *open_channel_msg;

              	/* Choose between creating a valid message and a fuzzed one. */

              	if (fromwire_bool(cursor, max))

Contributor

morehouse Jul 21, 2025

Looks like fromwire_bool reads one byte and then marks the cursor as failed if the byte isn't exactly 0 or 1. That means 99% of the time this will fail...

Probably we should write our own helper for fuzzing that reads one byte and then just checks the final bit to determine true or false.

tests/fuzz/fuzz-open_channel.c

Comment on lines +74 to +76

    
              			return towire_funding_created(ctx, &state->channel_id,

              					&state->funding.txid, state->funding.n, &sig.s);

Contributor

morehouse Jul 21, 2025

Looks like state->funding is uninitialized here.

Chand-ra force-pushed the open_channel branch from bf0f15a to 351dba0 Compare

July 22, 2025 08:20

Author

Chand-ra commented Jul 22, 2025

The latest push triggers the Assertion 'bitcoin_tx_check(tx)' failed. bug when run on the corpus for some time even though it disables all the developer options...

morehouse suggested changes

View reviewed changes

tests/fuzz/fuzz-open_channel.c

Comment on lines +437 to +442

    
              		open_channel_msg = tal_arr(tmpctx, u8, 0);

              		towire_u16(&open_channel_msg, WIRE_OPEN_CHANNEL);

              		towire_u8_array(&open_channel_msg, fuzz_msg, tal_bytelen(fuzz_msg));

Contributor

morehouse Jul 22, 2025

To avoid the extra copy here, we can add a msg type param to create_fuzz_msg, so it can directly prepend before copying the data bytes.

Author

Chand-ra Jul 23, 2025

create_fuzz_msg() is also used in test_sync_write() when fd == PEER_FD so I don't think it would be right to do this.

tests/fuzz/fuzz-open_channel.c

    
              								&htlcs,

              								&feerate));

              		}

              		else

Contributor

morehouse Jul 22, 2025

We also need to handle HSM messages for signature validation in validate_initial_commitment_signature.

tests/fuzz/fuzz-open_channel.c

    
              		u8 channel_flags;

              		u8 *shutdown_scriptpubkey;

              		assert(fromwire_openingd_got_offer(tmpctx, msg,

Contributor

morehouse Jul 22, 2025

It is also possible that we get here from negotiation_aborted in opening_negotiate_msg, in which case this assertion will fail.

Contributor

morehouse commented Jul 22, 2025

The latest push triggers the Assertion 'bitcoin_tx_check(tx)' failed. bug when run on the corpus for some time even though it disables all the developer options...

I looked into this. It seems that state->localconf->dust_limit is getting set to a really high value, which causes this problem. CLN normally sets this value to 546, so probably we should also be setting it to that.

Chandra Pratap added 2 commits

July 23, 2025 07:56


          fuzz-tests: Add a test for fundee_channel()

0966f43

Changelog-None: `fundee_channel()` in `openingd/openingd.c` is
responsible for handling incoming `open_channel` messages from a
peer. Since it deals with external input, add a test for it.


          fuzz-tests: Add a seed corpus for the new test

d7413df

Add a minimal input set as a seed corpus for the newly introduced
test. This leads to discovery of interesting code paths faster.

Author

Chand-ra commented Jul 23, 2025

I looked into this. It seems that state->localconf->dust_limit is getting set to a really high value, which causes this problem. CLN normally sets this value to 546, so probably we should also be setting it to that.

This does seem to fix the issue at hand but while I was trying to fix the HSMD issues above, I ran into the following error:

==111597== ERROR: libFuzzer: deadly signal
    #0 0x5850004a5e55 in __sanitizer_print_stack_trace (/home/chandra/lightning/tests/fuzz/fuzz-open_channel+0x2b8e55) (BuildId: 64642ce25a0283917080d8bc7f02ebc725e1f6dd)
    #1 0x5850003ff96c in fuzzer::PrintStackTrace() (/home/chandra/lightning/tests/fuzz/fuzz-open_channel+0x21296c) (BuildId: 64642ce25a0283917080d8bc7f02ebc725e1f6dd)
    #2 0x5850003e59f7 in fuzzer::Fuzzer::CrashCallback() (/home/chandra/lightning/tests/fuzz/fuzz-open_channel+0x1f89f7) (BuildId: 64642ce25a0283917080d8bc7f02ebc725e1f6dd)
    #3 0x793f4984532f  (/usr/lib/x86_64-linux-gnu/libc.so.6+0x4532f) (BuildId: 282c2c16e7b6600b0b22ea0c99010d2795752b5f)
    #4 0x793f4989eb2b in __pthread_kill_implementation nptl/pthread_kill.c:43:17
    #5 0x793f4989eb2b in __pthread_kill_internal nptl/pthread_kill.c:78:10
    #6 0x793f4989eb2b in pthread_kill nptl/pthread_kill.c:89:10
    #7 0x793f4984527d in raise signal/../sysdeps/posix/raise.c:26:13
    #8 0x793f498288fe in abort stdlib/abort.c:79:7
    #9 0x5850006abedd in psbt_get_bytes /home/chandra/lightning/bitcoin/psbt.c:873:3
    #10 0x5850006ac763 in towire_wally_psbt /home/chandra/lightning/bitcoin/psbt.c:912:25
    #11 0x5850006dcfab in towire_bitcoin_tx /home/chandra/lightning/bitcoin/tx.c:807:2
    #12 0x5850004f7297 in towire_hsmd_validate_commitment_tx /home/chandra/lightning/hsmd/hsmd_wiregen.c:1515:2
    #13 0x585000513a8d in validate_initial_commitment_signature /home/chandra/lightning/openingd/common.c:253:8
    #14 0x5850007010bb in fundee_channel /home/chandra/lightning/tests/fuzz/../../openingd/openingd.c:1263:2
    #15 0x5850006f2e62 in run /home/chandra/lightning/tests/fuzz/fuzz-open_channel.c:450:2
    #16 0x58500051f168 in LLVMFuzzerTestOneInput /home/chandra/lightning/tests/fuzz/libfuzz.c:25:2
    #17 0x5850003e6fc4 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/chandra/lightning/tests/fuzz/fuzz-open_channel+0x1f9fc4) (BuildId: 64642ce25a0283917080d8bc7f02ebc725e1f6dd)
    #18 0x5850003d00f6 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/chandra/lightning/tests/fuzz/fuzz-open_channel+0x1e30f6) (BuildId: 64642ce25a0283917080d8bc7f02ebc725e1f6dd)
    #19 0x5850003d5baa in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/chandra/lightning/tests/fuzz/fuzz-open_channel+0x1e8baa) (BuildId: 64642ce25a0283917080d8bc7f02ebc725e1f6dd)
    #20 0x585000400366 in main (/home/chandra/lightning/tests/fuzz/fuzz-open_channel+0x213366) (BuildId: 64642ce25a0283917080d8bc7f02ebc725e1f6dd)
    #21 0x793f4982a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #22 0x793f4982a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #23 0x5850003cacc4 in _start (/home/chandra/lightning/tests/fuzz/fuzz-open_channel+0x1ddcc4) (BuildId: 64642ce25a0283917080d8bc7f02ebc725e1f6dd)

which seems to occur due to a malformed transaction by initial_commit_tx(). I have added the crashing input: crash-fac1fd5bceb991a6d9c9177d7eae47d2fbe78be5 to the corpus, let me know what you think.

Chand-ra force-pushed the open_channel branch from 351dba0 to d7413df Compare

July 23, 2025 07:57

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet