Audit corrections

.github/workflows/cflite_cron.yml

@@ -0,0 +1,41 @@
+name: ClusterFuzzLite cron tasks
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main  # Use your actual default branch here.
+  schedule:
+    - cron: '0 13 * * 6'  # At 01:00 PM, only on Saturday
+permissions: read-all
+jobs:
+  Fuzzing:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - mode: batch
+            sanitizer: address
+          - mode: batch
+            sanitizer: memory
+          - mode: prune
+            sanitizer: address
+          - mode: coverage
+            sanitizer: coverage
+    steps:
+    - name: Build Fuzzers (${{ matrix.mode }} - ${{ matrix.sanitizer }})
+      id: build
+      uses: google/clusterfuzzlite/actions/build_fuzzers@v1
+      with:
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+        language: c # Change this to the language you are fuzzing.
+        sanitizer: ${{ matrix.sanitizer }}
+    - name: Run Fuzzers (${{ matrix.mode }} - ${{ matrix.sanitizer }})
+      id: run
+      uses: google/clusterfuzzlite/actions/run_fuzzers@v1
+      with:
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+        fuzz-seconds: 300 # 5 minutes
+        mode: ${{ matrix.mode }}
+        sanitizer: ${{ matrix.sanitizer }}
+

.github/workflows/cflite_pr.yml

@@ -0,0 +1,43 @@
+name: ClusterFuzzLite PR fuzzing
+on:
+    pull_request:
+        paths:
+            - "**"
+permissions: read-all
+jobs:
+    PR:
+        runs-on: ubuntu-latest
+        concurrency:
+            group: ${{ github.workflow }}-${{ matrix.sanitizer }}-${{ github.ref }}
+            cancel-in-progress: true
+        strategy:
+            fail-fast: false
+            matrix:
+                sanitizer: [address, undefined, memory] # Override this with the sanitizers you want.
+        steps:
+            - name: Build Fuzzers (${{ matrix.sanitizer }})
+              id: build
+              uses: google/clusterfuzzlite/actions/build_fuzzers@v1
+              with:
+                  language: c # Change this to the language you are fuzzing.
+                  github-token: ${{ secrets.GITHUB_TOKEN }}
+                  sanitizer: ${{ matrix.sanitizer }}
+                  # Optional but recommended: used to only run fuzzers that are affected
+                  # by the PR.
+                  # storage-repo: https://${{ secrets.PERSONAL_ACCESS_TOKEN }}@github.com/OWNER/STORAGE-REPO-NAME.git
+                  # storage-repo-branch: main   # Optional. Defaults to "main"
+                  # storage-repo-branch-coverage: gh-pages  # Optional. Defaults to "gh-pages".
+            - name: Run Fuzzers (${{ matrix.sanitizer }})
+              id: run
+              uses: google/clusterfuzzlite/actions/run_fuzzers@v1
+              with:
+                  github-token: ${{ secrets.GITHUB_TOKEN }}
+                  fuzz-seconds: 300 # 5 minutes
+                  mode: "code-change"
+                  sanitizer: ${{ matrix.sanitizer }}
+                  output-sarif: true
+                  # Optional but recommended: used to download the corpus produced by
+                  # batch fuzzing.
+                  # storage-repo: https://${{ secrets.PERSONAL_ACCESS_TOKEN }}@github.com/OWNER/STORAGE-REPO-NAME.git
+                  # storage-repo-branch: main   # Optional. Defaults to "main"
+                  # storage-repo-branch-coverage: gh-pages  # Optional. Defaults to "gh-pages".

PLUGIN_SPECIFICATION.md

@@ -27,9 +27,9 @@ For the smart contracts implemented, the functions covered by the plugin shall b
 
 |Contract |    Function   | Selector  | Displayed Parameters |
 |   ---   |    ---        | ---       | --- |
-|Stakewise  | burnOsToken | `0x066055e0`| <table><tbody> <tr><td><code>uint128 osTokenShares</code></td></tr> <tr><td><code>uint256 timestamp</code></td></tr> <tr><td><code>uint256 exitQueueIndex</code></td></tr> </tbody></table> |
-|Stakewise  | claimExitedAssets | `0x8697d2c2`| <table><tbody> <tr><td><code>address receiver</code></td></tr> <tr><td><code>address referrer</code></td></tr> </tbody></table> |
-|Stakewise  | deposit | `0xf9609f08`| <table><tbody> <tr><td><code>type ParameterName</code></td></tr> </tbody></table> |
+|Stakewise  | burnOsToken | `0x066055e0`| <table><tbody> <tr><td><code>uint128 osTokenShares</code></td></tr> </tbody></table> |
+|Stakewise  | claimExitedAssets | `0x8697d2c2`| <table><tbody> <tr><td><code>uint256 positionTicket</code></td></tr> <tr><td><code>uint256 timestamp</code></td></tr> <tr><td><code>uint256 exitQueueIndex</code></td></tr></tbody></table> |
+|Stakewise  | deposit | `0xf9609f08`| <table><tbody> <tr><td><code>address receiver</code></td></tr> <tr><td><code>address referrer</code></td></tr> </tbody></table> |
 |Stakewise  | enterExitQueue | `0x8ceab9aa`| <table><tbody> <tr><td><code>uint256 shares</code></td></tr> <tr><td><code>address receiver</code></td></tr> </tbody></table> |
 |Stakewise  | mintOsToken | `0x201b9eb5`| <table><tbody> <tr><td><code>address receiver</code></td></tr> <tr><td><code>uint256 osTokenShares</code></td></tr> <tr><td><code>address referrer</code></td></tr> </tbody></table> |
 |Stakewise  | redeem | `0x7bde82f2`| <table><tbody> <tr><td><code>uint256 shares</code></td></tr> <tr><td><code>address receiver</code></td></tr> </tbody></table> |

fuzzing/CMakeLists.txt

@@ -73,6 +73,7 @@ add_compile_definitions(
 
 include_directories(
     ${BOLOS_SDK}/include
+    ${BOLOS_SDK}/lib_standard_app
     ${BOLOS_SDK}/lib_cxng/include
     ${BOLOS_SDK}/lib_cxng/src
     ${BOLOS_SDK}/target/nanox/include
@@ -91,11 +92,16 @@ add_executable(fuzz
     ${SRC_DIR}/handle_provide_token.c
     ${SRC_DIR}/handle_query_contract_ui.c
     ${SRC_DIR}/handle_query_contract_id.c
+    ${SRC_DIR}/utils.c
 
     # Ethereum SDK
     ${ETH_DIR}/src/common_utils.c
     ${ETH_DIR}/src/plugin_utils.c
 
+    # sdk utils
+    ${BOLOS_SDK}/src/ledger_assert.c
+    ${BOLOS_SDK}/lib_standard_app/format.c
+
     # cxng
     ${BOLOS_SDK}/lib_cxng/src/cx_hash.c
     ${BOLOS_SDK}/lib_cxng/src/cx_sha256.c

fuzzing/mocks.c

@@ -1,4 +1,7 @@
 #include "plugin.h"
+#include "lcx_common.h"
+#include "lcx_hash.h"
+#include <stddef.h>
 
 size_t strlcat(char *dst, const char *src, size_t size) {
     size_t srclen; /* Length of source string */
@@ -33,3 +36,13 @@ size_t strlcpy(char *dst, const char *src, size_t size) {
 
     return (srclen);
 }
+
+cx_err_t cx_keccak_256_hash_iovec(const cx_iovec_t *iovec,
+                                  size_t iovec_len,
+                                  uint8_t digest[static CX_KECCAK_256_SIZE]) {
+    return CX_OK;
+}
+
+void os_sched_exit(bolos_task_status_t exit_code) {
+    return;
+}

src/handle_provide_parameter.c

@@ -1,4 +1,5 @@
 #include "plugin.h"
+#include "utils.h"
 
 static void handle_stakewise_deposit(ethPluginProvideParameter_t *msg, context_t *context) {
     switch (context->next_param) {
@@ -135,14 +136,20 @@ static void handle_stakewise_mint_os_token(ethPluginProvideParameter_t *msg, con
 }
 
 static void handle_eigenlayer_delegate_to(ethPluginProvideParameter_t *msg, context_t *context) {
+    uint8_t expected_bytes[3] = {0x60, 0x40, 0x41};
     switch (context->next_param) {
         case OPERATOR:
             copy_address(context->receiver, msg->parameter, sizeof(context->receiver));
             context->next_param = OFFSET_1;
             break;
 
         case OFFSET_1:
-            context->next_param = APPROVER_SALT;
+            if (compare_last_n_bytes(msg->parameter, &expected_bytes[0], 1)) {
+                context->next_param = APPROVER_SALT;
+            } else {
+                msg->result = ETH_PLUGIN_RESULT_ERROR;
+                context->next_param = UNEXPECTED_PARAMETER;
+            }
             break;
 
         case APPROVER_SALT:
@@ -151,7 +158,12 @@ static void handle_eigenlayer_delegate_to(ethPluginProvideParameter_t *msg, cont
             break;
 
         case OFFSET_2:
-            context->next_param = EXPIRY;
+            if (compare_last_n_bytes(msg->parameter, &expected_bytes[1], 1)) {
+                context->next_param = EXPIRY;
+            } else {
+                msg->result = ETH_PLUGIN_RESULT_ERROR;
+                context->next_param = UNEXPECTED_PARAMETER;
+            }
             break;
 
         case EXPIRY:
@@ -160,7 +172,12 @@ static void handle_eigenlayer_delegate_to(ethPluginProvideParameter_t *msg, cont
             break;
 
         case ARRAY_LEN_1:
-            context->next_param = SIGNATURE_1;
+            if (compare_last_n_bytes(msg->parameter, &expected_bytes[2], 1)) {
+                context->next_param = SIGNATURE_1;
+            } else {
+                msg->result = ETH_PLUGIN_RESULT_ERROR;
+                context->next_param = UNEXPECTED_PARAMETER;
+            }
             break;
 
         case SIGNATURE_1:
@@ -214,13 +231,31 @@ static void handle_eigenlayer_inc_dec_delegated_shares(ethPluginProvideParameter
 
 static void handle_eigenlayer_complete_queued_withdrawal(ethPluginProvideParameter_t *msg,
                                                          context_t *context) {
+    uint8_t expected_bytes[5] = {
+        0x80,
+        0x01,
+        0xe0,
+        0x01,
+        0x20,
+    };
     switch (context->next_param) {
         case OFFSET_1:
-            context->next_param = OFFSET_2;
+            if (compare_last_n_bytes(msg->parameter, &expected_bytes[0], 1)) {
+                context->next_param = OFFSET_2;
+            } else {
+                msg->result = ETH_PLUGIN_RESULT_ERROR;
+                context->next_param = UNEXPECTED_PARAMETER;
+            }
+
             break;
 
         case OFFSET_2:
-            context->next_param = MIDDLEWARE_TIMES_INDEX;
+            if (compare_last_n_bytes(msg->parameter, &expected_bytes[1], 2)) {
+                context->next_param = MIDDLEWARE_TIMES_INDEX;
+            } else {
+                msg->result = ETH_PLUGIN_RESULT_ERROR;
+                context->next_param = UNEXPECTED_PARAMETER;
+            }
             break;
 
         case MIDDLEWARE_TIMES_INDEX:
@@ -259,20 +294,35 @@ static void handle_eigenlayer_complete_queued_withdrawal(ethPluginProvideParamet
             break;
 
         case START_BLOCK:
-            copy_parameter(context->uint32_var, msg->parameter + 28, sizeof(context->uint32_var));
+            copy_parameter(context->os_token_shares, msg->parameter + 28, 4);
             context->next_param = OFFSET_3;
             break;
 
         case OFFSET_3:
-            context->next_param = OFFSET_4;
+            if (compare_last_n_bytes(msg->parameter, &expected_bytes[2], 1)) {
+                context->next_param = OFFSET_4;
+            } else {
+                msg->result = ETH_PLUGIN_RESULT_ERROR;
+                context->next_param = UNEXPECTED_PARAMETER;
+            }
             break;
 
         case OFFSET_4:
-            context->next_param = ARRAY_LEN_1;
+            if (compare_last_n_bytes(msg->parameter, &expected_bytes[3], 2)) {
+                context->next_param = ARRAY_LEN_1;
+            } else {
+                msg->result = ETH_PLUGIN_RESULT_ERROR;
+                context->next_param = UNEXPECTED_PARAMETER;
+            }
             break;
 
         case ARRAY_LEN_1:
-            context->next_param = STRATEGY;
+            if (compare_last_n_bytes(msg->parameter, &expected_bytes[1], 1)) {
+                context->next_param = STRATEGY;
+            } else {
+                msg->result = ETH_PLUGIN_RESULT_ERROR;
+                context->next_param = UNEXPECTED_PARAMETER;
+            }
             break;
 
         case STRATEGY:
@@ -282,7 +332,12 @@ static void handle_eigenlayer_complete_queued_withdrawal(ethPluginProvideParamet
             break;
 
         case ARRAY_LEN_2:
-            context->next_param = SHARES;
+            if (compare_last_n_bytes(msg->parameter, &expected_bytes[1], 1)) {
+                context->next_param = SHARES;
+            } else {
+                msg->result = ETH_PLUGIN_RESULT_ERROR;
+                context->next_param = UNEXPECTED_PARAMETER;
+            }
             break;
 
         case SHARES:
@@ -291,7 +346,12 @@ static void handle_eigenlayer_complete_queued_withdrawal(ethPluginProvideParamet
             break;
 
         case ARRAY_LEN_3:
-            context->next_param = TOKENS;
+            if (compare_last_n_bytes(msg->parameter, &expected_bytes[1], 1)) {
+                context->next_param = TOKENS;
+            } else {
+                msg->result = ETH_PLUGIN_RESULT_ERROR;
+                context->next_param = UNEXPECTED_PARAMETER;
+            }
             break;
 
         case TOKENS:
@@ -310,25 +370,57 @@ static void handle_eigenlayer_complete_queued_withdrawal(ethPluginProvideParamet
 
 static void handle_eigenlayer_queue_withdrawal(ethPluginProvideParameter_t *msg,
                                                context_t *context) {
+    uint8_t expected_bytes[5] = {
+        0x20,
+        0x01,
+        0x60,
+        0xa0,
+    };
     switch (context->next_param) {
         case OFFSET_1:
-            context->next_param = ARRAY_LEN_1;
+            if (compare_last_n_bytes(msg->parameter, &expected_bytes[0], 1)) {
+                context->next_param = ARRAY_LEN_1;
+            } else {
+                msg->result = ETH_PLUGIN_RESULT_ERROR;
+                context->next_param = UNEXPECTED_PARAMETER;
+            }
+
             break;
 
         case ARRAY_LEN_1:
-            context->next_param = OFFSET_2;
+            if (compare_last_n_bytes(msg->parameter, &expected_bytes[1], 1)) {
+                context->next_param = OFFSET_2;
+            } else {
+                msg->result = ETH_PLUGIN_RESULT_ERROR;
+                context->next_param = UNEXPECTED_PARAMETER;
+            }
             break;
 
         case OFFSET_2:
-            context->next_param = OFFSET_3;
+            if (compare_last_n_bytes(msg->parameter, &expected_bytes[0], 1)) {
+                context->next_param = OFFSET_3;
+            } else {
+                msg->result = ETH_PLUGIN_RESULT_ERROR;
+                context->next_param = UNEXPECTED_PARAMETER;
+            }
             break;
 
         case OFFSET_3:
-            context->next_param = OFFSET_4;
+            if (compare_last_n_bytes(msg->parameter, &expected_bytes[2], 1)) {
+                context->next_param = OFFSET_4;
+            } else {
+                msg->result = ETH_PLUGIN_RESULT_ERROR;
+                context->next_param = UNEXPECTED_PARAMETER;
+            }
             break;
 
         case OFFSET_4:
-            context->next_param = WITHDRAWER;
+            if (compare_last_n_bytes(msg->parameter, &expected_bytes[3], 1)) {
+                context->next_param = WITHDRAWER;
+            } else {
+                msg->result = ETH_PLUGIN_RESULT_ERROR;
+                context->next_param = UNEXPECTED_PARAMETER;
+            }
             break;
 
         case WITHDRAWER:
@@ -337,7 +429,12 @@ static void handle_eigenlayer_queue_withdrawal(ethPluginProvideParameter_t *msg,
             break;
 
         case ARRAY_LEN_2:
-            context->next_param = STRATEGY;
+            if (compare_last_n_bytes(msg->parameter, &expected_bytes[1], 1)) {
+                context->next_param = STRATEGY;
+            } else {
+                msg->result = ETH_PLUGIN_RESULT_ERROR;
+                context->next_param = UNEXPECTED_PARAMETER;
+            }
             break;
 
         case STRATEGY:
@@ -346,7 +443,12 @@ static void handle_eigenlayer_queue_withdrawal(ethPluginProvideParameter_t *msg,
             break;
 
         case ARRAY_LEN_3:
-            context->next_param = SHARES;
+            if (compare_last_n_bytes(msg->parameter, &expected_bytes[1], 1)) {
+                context->next_param = SHARES;
+            } else {
+                msg->result = ETH_PLUGIN_RESULT_ERROR;
+                context->next_param = UNEXPECTED_PARAMETER;
+            }
             break;
 
         case SHARES: