overflow

Author: duytai

libfuzzer/Fuzzer.cpp

@@ -147,7 +147,8 @@ void Fuzzer::showStats(Mutation mutation, OracleResult oracleResult) {
   printf("    " bH "\n");
   printf(bH " ");
   printfWithColor(oracleResult.integerOverflow, " Integer-Overflow");
-  printf("%s" bH "\n", padStr(" ", 48).c_str());
+  printfWithColor(oracleResult.integerUnderflow, " Integer-Underflow");
+  printf("%s" bH "\n", padStr(" ", 30).c_str());
   printf(bBL bV50 bV5 bV2 bV20 bV2 bV2 bBR "\n");
 }
 

libfuzzer/TargetContainer.cpp

@@ -90,16 +90,20 @@ namespace fuzzer {
             inst == Instruction::NUMBER ||
             inst == Instruction::TIMESTAMP ||
             inst == Instruction::INVALID ||
-            inst == Instruction::ADD
+            inst == Instruction::ADD ||
+            inst == Instruction::SUB
           ) {
+            vector<u256>::size_type stackSize = vm->stack().size();
+            auto left = vm->stack()[stackSize - 1];
+            auto right = vm->stack()[stackSize - 2];
             if (inst == Instruction::ADD) {
-              vector<u256>::size_type stackSize = vm->stack().size();
-              auto left = vm->stack()[stackSize - 1];
-              auto right = vm->stack()[stackSize - 2];
               auto total256 = left + right;
               auto total512 = (u512) left + (u512) right;
               payload.isOverflow = total512 != total256;
             }
+            if (inst == Instruction::SUB) {
+              payload.isUnderflow = left < right;
+            }
             oracleFactory->save(CallLogItem(ext->depth + 1, payload));
           }
           oracleFactory->log(CallLogItem(ext->depth + 1, payload));

liboracle/Common.h

@@ -16,6 +16,7 @@ namespace fuzzer {
     bytes data;
     bytes code;
     bool isOverflow = false;
+    bool isUnderflow = false;
     string noted = "";
   };
   struct CallLogItem {
@@ -33,6 +34,7 @@ namespace fuzzer {
     u256 reentrancy = 0;
     u256 freezingEther = 0;
     u256 integerOverflow = 0;
+    u256 integerUnderflow = 0;
   };
 
   using CallLogs = vector<vector<CallLogItem>>;

liboracle/IntegerUnderflow.cpp

@@ -0,0 +1,11 @@
+#include "IntegerUnderflow.h"
+
+namespace fuzzer {
+  bool IntegerUnderflow::analyze(CallLog callLog) {
+    for (auto callLogItem : callLog) {
+      auto isUnderflow = callLogItem.payload.isUnderflow;
+      if (isUnderflow) return true;
+    }
+    return false;
+  }
+}

liboracle/IntegerUnderflow.h

@@ -0,0 +1,13 @@
+#include <iostream>
+#include "Common.h"
+
+using namespace dev;
+using namespace eth;
+using namespace std;
+
+namespace fuzzer {
+  class IntegerUnderflow : public Oracle {
+    public:
+      bool analyze(CallLog callLog);
+  };
+}

liboracle/OracleFactory.cpp

@@ -55,6 +55,9 @@ namespace fuzzer  {
       if (!oracleResult.integerOverflow) {
         oracleResult.integerOverflow += integerOverflow.analyze(callLog) ? 1 : 0;
       }
+      if (!oracleResult.integerUnderflow) {
+        oracleResult.integerUnderflow += integerUnderflow.analyze(callLog) ? 1 : 0;
+      }
       if (!oracleResult.freezingEther) {
         oracleResult.freezingEther += freezingEther.analyze(callLog) ? 1 : 0;
       }

liboracle/OracleFactory.h

@@ -8,6 +8,7 @@
 #include "DangerDelegateCall.h"
 #include "FreezingEther.h"
 #include "IntegerOverflow.h"
+#include "IntegerUnderflow.h"
 
 using namespace dev;
 using namespace eth;
@@ -25,6 +26,7 @@ namespace fuzzer {
     DangerDelegateCall dangerDelegateCall;
     FreezingEther freezingEther;
     IntegerOverflow integerOverflow;
+    IntegerUnderflow integerUnderflow;
     public:
       OracleResult oracleResult;
       OracleFactory();