[fuzz] Guard PASE fuzz harness against uninitialized verifier on Generate() failure by Alami-Amine · Pull Request #72749 · project-chip/connectedhomeip

Alami-Amine · 2026-06-26T12:24:09Z

Summary

The PASE fuzz harness reads an uninitialized verifier when Generate() fails — flagged by MSan in the OSS-Fuzz memory build (fuzz-PASE-pw@…Pake2/Pake3).

FuzzPASE_PW.cpp's FuzzHandlePake1/2/3 ignored the result of pairingAccessory.mPASEVerifier.Generate() and then read the verifier via BeginVerifier() / HandleMsg*(). Generate() can fail because the Pake fuzz domains intentionally include out-of-range PBKDF iteration counts and salt lengths; on failure mPASEVerifier stays uninitialized and is read downstream.

Guard each site with VerifyOrReturn(... == CHIP_NO_ERROR) so the harness bails when the precondition can't be established. Production always checks Generate(), so this is a test-harness gap, not a product bug.

(CI flagged Pake2/Pake3; Pake1 has the identical pattern and is fixed for consistency.)

Testing

Surfaced by the OSS-Fuzz memory (MemorySanitizer) check_build run, which reported use-of-uninitialized-value reaching bin2bn via Spake2p::FELoad/BeginVerifier from these harnesses, with the origin in the harness pairingAccessory object.
No behavior change for valid inputs: the harness now returns early only when Generate() fails — i.e. for the out-of-range PBKDF iteration/salt values in the fuzz domains, where the accessory verifier precondition could not be established anyway. In-range inputs (the bulk of the domain) exercise the message handlers exactly as before.
Confirmation is the OSS-Fuzz memory build re-run with this change applied (the targets that previously aborted now run cleanly).

gemini-code-assist

Code Review

This pull request improves MemorySanitizer (MSan) support and prevents false positives during fuzz testing. Specifically, it automatically enables CHIP_MEMORY_SANITIZER_ENABLED when the compiler detects MSan (such as in OSS-Fuzz builds). Additionally, in FuzzPASE_PW.cpp, it replaces ignored return values of Generate() with VerifyOrReturn checks to bail early if the generation fails, preventing MSan false positives caused by uninitialized verifier reads. There are no review comments, and I have no feedback to provide.

…rate() failure FuzzPASE_PW.cpp's Pake1/Pake2/Pake3 harnesses ignored mPASEVerifier.Generate()'s result and then read the verifier via BeginVerifier()/HandleMsg*(). Generate() can fail because the fuzz domains intentionally include out-of-range PBKDF iteration counts and salt lengths; on failure mPASEVerifier stays uninitialized and is read downstream (an MSan use-of-uninitialized-value flagged by the OSS-Fuzz memory build). Guard each site with VerifyOrReturn; production always checks Generate(), so this is a test-harness gap, not a product bug.

github-actions · 2026-06-26T13:13:04Z

PR #72749: Size comparison from fc4a9e8 to d27ba35

Full report (33 builds for bl602, bl702, bl702l, cc13x4_26x4, cc32xx, efr32, esp32, nrfconnect, psoc6, qpg, realtek, stm32, telink)

platform	target	config	section	`fc4a9e8`	`d27ba35`	change
bl602	lighting-app	bl602+mfd+littlefs+rpc	FLASH	1099176	1099176	0
			RAM	133418	133418	0
bl702	lighting-app	bl702+eth	FLASH	1085726	1085726	0
			RAM	109029	109029	0
bl702l	contact-sensor-app	bl702l+mfd+littlefs	FLASH	882218	882218	0
			RAM	108596	108596	0
cc13x4_26x4	lighting-app	LP_EM_CC1354P10_6	FLASH	777368	777368	0
			RAM	103404	103404	0
	lock-ftd	LP_EM_CC1354P10_6	FLASH	790120	790120	0
			RAM	108684	108684	0
	pump-app	LP_EM_CC1354P10_6	FLASH	739376	739376	0
			RAM	97612	97612	0
	pump-controller-app	LP_EM_CC1354P10_6	FLASH	719548	719548	0
			RAM	97644	97644	0
cc32xx	air-purifier	CC3235SF_LAUNCHXL	FLASH	569654	569654	0
			RAM	205112	205112	0
	lock	CC3235SF_LAUNCHXL	FLASH	597214	597214	0
			RAM	205272	205272	0
efr32	lighting-app	BRD4187C	FLASH	1094924	1094924	0
			RAM	135256	135256	0
	lock-app	BRD4187C	FLASH	995184	995184	0
			RAM	131292	131292	0
		BRD4338a	FLASH	799809	799809	0
			RAM	243432	243432	0
esp32	all-clusters-app	c3devkit	DRAM	99556	99556	0
			FLASH	`1626146`	`1626146`	0
			IRAM	94776	94776	0
nrfconnect	all-clusters-app	nrf52840dk_nrf52840	FLASH	844772	844772	0
			RAM	157771	157771	0
psoc6	all-clusters	cy8ckit_062s2_43012	FLASH	1750756	1750756	0
			RAM	215492	215492	0
	all-clusters-minimal	cy8ckit_062s2_43012	FLASH	1626548	1626548	0
			RAM	211604	211604	0
	light	cy8ckit_062s2_43012	FLASH	1470860	1470860	0
			RAM	197436	197436	0
	lock	cy8ckit_062s2_43012	FLASH	`1504308`	`1504308`	0
			RAM	225268	225268	0
qpg	lighting-app	qpg6200+debug	FLASH	843156	843156	0
			RAM	127908	127908	0
	lock-app	qpg6200+debug	FLASH	782976	782976	0
			RAM	118840	118840	0
realtek	light-switch-app	rtl8777g	FLASH	689368	689368	0
			RAM	101780	101780	0
	lighting-app	rtl8777g	FLASH	730304	730304	0
			RAM	102052	102052	0
stm32	light	STM32WB5MM-DK	FLASH	478976	478976	0
			RAM	141492	141492	0
telink	all-devices-app	tl7218x	FLASH	881716	881716	0
			RAM	99716	99716	0
		tlsr9118bdk40d	FLASH	673322	673322	0
			RAM	120848	120848	0
	bridge-app	tl7218x	FLASH	734156	734156	0
			RAM	97700	97700	0
	light-app-ota-compress-lzma-factory-data	tl3218x	FLASH	800682	800682	0
			RAM	42380	42380	0
	light-app-ota-compress-lzma-shell-factory-data	tl7218x	FLASH	845822	845822	0
			RAM	101492	101492	0
	light-switch-app-ota-compress-lzma-factory-data	tl7218x_retention	FLASH	734714	734714	0
			RAM	57824	57824	0
	light-switch-app-ota-compress-lzma-shell-factory-data	tlsr9528a	FLASH	795802	795802	0
			RAM	75176	75176	0
	light-switch-app-ota-factory-data	tl3218x_retention	FLASH	734630	734630	0
			RAM	34480	34480	0
	lighting-app-ota-factory-data	tlsr9118bdk40d	FLASH	615214	615214	0
			RAM	118508	118508	0
	lighting-app-ota-rpc-factory-data-4mb	tlsr9518adk80d	FLASH	842038	842042	4
			RAM	97376	97376	0

codecov · 2026-06-26T13:17:10Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 56.61%. Comparing base (fc4a9e8) to head (0e01ae3).
⚠️ Report is 7 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #72749      +/-   ##
==========================================
- Coverage   56.79%   56.61%   -0.19%     
==========================================
  Files        1642     1642              
  Lines      112757   113137     +380     
  Branches    13139    13243     +104     
==========================================
+ Hits        64041    64048       +7     
- Misses      48716    49089     +373

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Address review: ReturnOnFailure takes the CHIP_ERROR directly instead of VerifyOrReturn(... == CHIP_NO_ERROR), at all three Generate() sites.

github-actions · 2026-06-26T20:53:51Z

PR #72749: Size comparison from fc4a9e8 to 0e01ae3

Full report (33 builds for bl602, bl702, bl702l, cc13x4_26x4, cc32xx, efr32, esp32, nrfconnect, psoc6, qpg, realtek, stm32, telink)

platform	target	config	section	`fc4a9e8`	`0e01ae3`	change	% change
bl602	lighting-app	bl602+mfd+littlefs+rpc	FLASH	1099176	1099194	18	0.0
			RAM	133418	133418	0	0.0
bl702	lighting-app	bl702+eth	FLASH	1085726	1085744	18	0.0
			RAM	109029	109029	0	0.0
bl702l	contact-sensor-app	bl702l+mfd+littlefs	FLASH	882218	882236	18	0.0
			RAM	108596	108596	0	0.0
cc13x4_26x4	lighting-app	LP_EM_CC1354P10_6	FLASH	777368	777384	16	0.0
			RAM	103404	103404	0	0.0
	lock-ftd	LP_EM_CC1354P10_6	FLASH	790120	790136	16	0.0
			RAM	108684	108684	0	0.0
	pump-app	LP_EM_CC1354P10_6	FLASH	739376	739392	16	0.0
			RAM	97612	97612	0	0.0
	pump-controller-app	LP_EM_CC1354P10_6	FLASH	719548	719564	16	0.0
			RAM	97644	97644	0	0.0
cc32xx	air-purifier	CC3235SF_LAUNCHXL	FLASH	569654	569670	16	0.0
			RAM	205112	205112	0	0.0
	lock	CC3235SF_LAUNCHXL	FLASH	597214	597230	16	0.0
			RAM	205272	205272	0	0.0
efr32	lighting-app	BRD4187C	FLASH	1094924	1094956	32	0.0
			RAM	135256	135256	0	0.0
	lock-app	BRD4187C	FLASH	995184	995184	0	0.0
			RAM	131292	131292	0	0.0
		BRD4338a	FLASH	799809	799825	16	0.0
			RAM	243432	243432	0	0.0
esp32	all-clusters-app	c3devkit	DRAM	99556	99556	0	0.0
			FLASH	`1626146`	`1626306`	160	0.0
			IRAM	94776	94776	0	0.0
nrfconnect	all-clusters-app	nrf52840dk_nrf52840	FLASH	844772	845892	1120	0.1
			RAM	157771	157923	152	0.1
psoc6	all-clusters	cy8ckit_062s2_43012	FLASH	1750756	1752716	1960	0.1
			RAM	215492	215644	152	0.1
	all-clusters-minimal	cy8ckit_062s2_43012	FLASH	1626548	`1626564`	16	0.0
			RAM	211604	211604	0	0.0
	light	cy8ckit_062s2_43012	FLASH	1470860	1470876	16	0.0
			RAM	197436	197436	0	0.0
	lock	cy8ckit_062s2_43012	FLASH	`1504308`	1504324	16	0.0
			RAM	225268	225268	0	0.0
qpg	lighting-app	qpg6200+debug	FLASH	843156	843172	16	0.0
			RAM	127908	127908	0	0.0
	lock-app	qpg6200+debug	FLASH	782976	783008	32	0.0
			RAM	118840	118840	0	0.0
realtek	light-switch-app	rtl8777g	FLASH	689368	689392	24	0.0
			RAM	101780	101780	0	0.0
	lighting-app	rtl8777g	FLASH	730304	730320	16	0.0
			RAM	102052	102052	0	0.0
stm32	light	STM32WB5MM-DK	FLASH	478976	478996	20	0.0
			RAM	141492	141492	0	0.0
telink	all-devices-app	tl7218x	FLASH	881716	881732	16	0.0
			RAM	99716	99716	0	0.0
		tlsr9118bdk40d	FLASH	673322	673338	16	0.0
			RAM	120848	120848	0	0.0
	bridge-app	tl7218x	FLASH	734156	734172	16	0.0
			RAM	97700	97700	0	0.0
	light-app-ota-compress-lzma-factory-data	tl3218x	FLASH	800682	800698	16	0.0
			RAM	42380	42380	0	0.0
	light-app-ota-compress-lzma-shell-factory-data	tl7218x	FLASH	845822	845838	16	0.0
			RAM	101492	101492	0	0.0
	light-switch-app-ota-compress-lzma-factory-data	tl7218x_retention	FLASH	734714	734730	16	0.0
			RAM	57824	57824	0	0.0
	light-switch-app-ota-compress-lzma-shell-factory-data	tlsr9528a	FLASH	795802	795818	16	0.0
			RAM	75176	75176	0	0.0
	light-switch-app-ota-factory-data	tl3218x_retention	FLASH	734630	734646	16	0.0
			RAM	34480	34480	0	0.0
	lighting-app-ota-factory-data	tlsr9118bdk40d	FLASH	615214	615230	16	0.0
			RAM	118508	118508	0	0.0
	lighting-app-ota-rpc-factory-data-4mb	tlsr9518adk80d	FLASH	842038	842058	20	0.0
			RAM	97376	97376	0	0.0

github-actions Bot added lib core protocols labels Jun 26, 2026

pullapprove Bot added review - pending and removed lib core protocols labels Jun 26, 2026

gemini-code-assist Bot reviewed Jun 26, 2026

View reviewed changes

Alami-Amine marked this pull request as draft June 26, 2026 12:29

Alami-Amine force-pushed the AA/msan-fuzz-fixes branch from f2f94f7 to d27ba35 Compare June 26, 2026 12:34

github-actions Bot added the protocols label Jun 26, 2026

Alami-Amine changed the title ~~[fuzz] Fix MSan false positives in OSS-Fuzz fuzz targets (if_nameindex guard + PASE harness)~~ [fuzz] Guard PASE fuzz harness against uninitialized verifier on Generate() failure Jun 26, 2026

Alami-Amine marked this pull request as ready for review June 26, 2026 12:39

andy31415 reviewed Jun 26, 2026

View reviewed changes

Comment thread src/protocols/secure_channel/tests/FuzzPASE_PW.cpp Outdated

[fuzz] Use ReturnOnFailure for PASE verifier Generate() checks

0e01ae3

Address review: ReturnOnFailure takes the CHIP_ERROR directly instead of VerifyOrReturn(... == CHIP_NO_ERROR), at all three Generate() sites.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[fuzz] Guard PASE fuzz harness against uninitialized verifier on Generate() failure#72749

[fuzz] Guard PASE fuzz harness against uninitialized verifier on Generate() failure#72749
Alami-Amine wants to merge 2 commits into
project-chip:masterfrom
Alami-Amine:AA/msan-fuzz-fixes

Alami-Amine commented Jun 26, 2026 •

edited

Loading

Uh oh!

gemini-code-assist Bot left a comment

Uh oh!

github-actions Bot commented Jun 26, 2026 •

edited

Loading

Uh oh!

codecov Bot commented Jun 26, 2026 •

edited

Loading

Uh oh!

Uh oh!

github-actions Bot commented Jun 26, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Uh oh!

Conversation

Alami-Amine commented Jun 26, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

Testing

Uh oh!

gemini-code-assist Bot left a comment

Choose a reason for hiding this comment

Code Review

Uh oh!

github-actions Bot commented Jun 26, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

codecov Bot commented Jun 26, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

Uh oh!

github-actions Bot commented Jun 26, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Alami-Amine commented Jun 26, 2026 •

edited

Loading

github-actions Bot commented Jun 26, 2026 •

edited

Loading

codecov Bot commented Jun 26, 2026 •

edited

Loading

github-actions Bot commented Jun 26, 2026 •

edited

Loading