CBOR fuzzing (#7839)

Co-authored-by: Amaury Chamayou <amchamay@microsoft.com>

Author: maxtropets

.gitattributes

@@ -3,6 +3,8 @@
 *.png binary
 *.jpg binary
 
+src/crypto/test/cbor_fuzz_corpus/* binary
+
 *.h linguist-language=C++
 *.cpp linguist-language=C++
 

.github/workflows/long-test.yml

@@ -190,6 +190,18 @@ jobs:
           cd build
           ./tests.sh --output-on-failure --timeout 1600 -LE "benchmark"
 
+      - name: "Run CBOR fuzz test"
+        run: |
+          set -o pipefail
+          set -ex
+          mkdir -p build_fuzz
+          cd build_fuzz
+          rm -f CMakeCache.txt
+          cmake -GNinja -DFUZZING=ON -DSAN=ON -DUSE_LIBCXX=ON -DUSE_SNMALLOC=OFF ..
+          ninja cbor_fuzz_test
+          mkdir -p /tmp/cbor_fuzz_live
+          ./cbor_fuzz_test /tmp/cbor_fuzz_live ../src/crypto/test/cbor_fuzz_corpus -max_total_time=60
+
       - name: "Upload logs"
         if: success() || failure()
         uses: actions/upload-artifact@v7

CMakeLists.txt

@@ -677,6 +677,15 @@ if(BUILD_TESTS)
     target_include_directories(cbor_test PRIVATE ${CCFCRYPTO_INC})
     target_link_libraries(cbor_test PRIVATE ccfcrypto)
 
+    if(FUZZING)
+      add_fuzz_test(
+        cbor_fuzz_test
+        ${CMAKE_CURRENT_SOURCE_DIR}/src/crypto/cbor.cpp
+        ${CMAKE_CURRENT_SOURCE_DIR}/src/crypto/test/cbor_fuzz.cpp
+      )
+      target_link_libraries(cbor_fuzz_test PRIVATE evercbor)
+    endif()
+
     add_unit_test(
       sharing_test
       ${CMAKE_CURRENT_SOURCE_DIR}/src/crypto/test/secret_sharing.cpp

cmake/common.cmake

@@ -52,6 +52,23 @@ function(add_unit_test name)
   add_san_test_properties(${name})
 endfunction()
 
+# Fuzz test wrapper (requires -DFUZZING=ON -DUSE_LIBCXX=ON)
+function(add_fuzz_test name)
+  if(NOT USE_LIBCXX)
+    message(
+      FATAL_ERROR
+      "Fuzz targets require USE_LIBCXX=ON to avoid UBSAN false positives from libstdc++ shared_ptr"
+    )
+  endif()
+
+  add_executable(${name} ${CCF_DIR}/src/enclave/thread_local.cpp ${ARGN})
+  target_compile_options(${name} PRIVATE ${COMPILE_LIBCXX} -fsanitize=fuzzer)
+  target_link_options(${name} PRIVATE -fsanitize=fuzzer)
+  target_include_directories(${name} PRIVATE src ${CCFCRYPTO_INC})
+  target_link_libraries(${name} PRIVATE ${LINK_LIBCXX} -pthread)
+  add_san(${name})
+endfunction()
+
 # Test binary wrapper
 function(add_test_bin name)
   add_executable(${name} ${CCF_DIR}/src/enclave/thread_local.cpp ${ARGN})

cmake/preproject.cmake

@@ -57,6 +57,11 @@ if(NOT CMAKE_BUILD_TYPE AND NOT CMAKE_CONFIGURATION_TYPES)
 endif()
 
 option(TSAN "Enable Thread Sanitizers" OFF)
+option(FUZZING "Enable libFuzzer fuzz testing" OFF)
+
+if(FUZZING AND TSAN)
+  message(FATAL_ERROR "FUZZING and TSAN cannot be enabled together")
+endif()
 
 option(COLORED_OUTPUT "Always produce ANSI-colored output." ON)
 

src/crypto/test/cbor_fuzz.cpp

@@ -0,0 +1,35 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the Apache 2.0 License.
+
+#include "crypto/cbor.h"
+
+#include <cstddef>
+#include <cstdint>
+#include <span>
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
+{
+  ccf::cbor::Value value;
+  try
+  {
+    value = ccf::cbor::parse({data, size});
+  }
+  catch (const ccf::cbor::CBORDecodeError&)
+  {
+    return 0;
+  }
+
+  // If parse succeeded, exercise serialization round-trip and string
+  // rendering. Any failure here is a real bug — let the fuzzer surface it.
+  std::ignore = ccf::cbor::to_string(value);
+  auto serialized = ccf::cbor::serialize(value);
+  auto reparsed = ccf::cbor::parse(serialized);
+  auto reserialized = ccf::cbor::serialize(reparsed);
+
+  if (serialized != reserialized)
+  {
+    __builtin_trap();
+  }
+
+  return 0;
+}

src/crypto/test/cbor_fuzz_corpus/array123

@@ -0,0 +1 @@
+�


src/crypto/test/cbor_fuzz_corpus/array_of_maps

@@ -0,0 +1 @@
+��ax
�ay�az

src/crypto/test/cbor_fuzz_corpus/array_with_map

@@ -0,0 +1 @@
+�
�aa

src/crypto/test/cbor_fuzz_corpus/bstr_hello

@@ -0,0 +1 @@
+Ehello