GetMappedAS(…) lookup on an IPv6 address against a maliciously constructed AS-map triggers heap buffer-overflow #18033

issue practicalswift openend this issue on January 30, 2020
  1. practicalswift commented at 11:18 pm on January 30, 2020: contributor

    Very glad to see that -asmap was merged yesterday!

    I noticed that it is possible to trigger a heap buffer-overflow when doing a GetMappedAS(...) lookup on an IPv6 address against a maliciously constructed AS-map.

    Looking up the mapped AS-number for IPv6 address dead:dead:dead:dead:dead:dead:dead:dead

    0CNetAddr net_addr;
1const std::vector<uint8_t> b = {222, 173, 222, 173, 222, 173, 222, 173, 222, 173, 222, 173, 222, 173, 222, 173};
2net_addr.SetRaw(NET_IPV6, b.data());
3assert(net_addr.ToString() == "dead:dead:dead:dead:dead:dead:dead:dead");
4const std::vector<bool> asmap = {true, true, true, true, false, true, false, false};
5(void)net_addr.GetMappedAS(asmap);

    … yields …

    0==957==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000001a0 at pc 0x55aef2adf02a bp 0x7ffdbab92400 sp 0x7ffdbab923f8
1READ of size 8 at 0x6020000001a0 thread T0
2    [#0](/bitcoin-bitcoin/0/) 0x55aef2adf029 in std::_Bit_reference::operator bool() const /usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_bvector.h:83:17
3    [#1](/bitcoin-bitcoin/1/) 0x55aef2adedf6 in std::_Bit_const_iterator::operator*() const /usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_bvector.h:323:14
4    [#2](/bitcoin-bitcoin/2/) 0x55aef2ade2ac in (anonymous namespace)::DecodeBits(std::_Bit_const_iterator&, unsigned char, std::vector<unsigned char, std::allocator<unsigned char> > const&) src/util/asmap.cpp:18:19
5    [#3](/bitcoin-bitcoin/3/) 0x55aef2add49e in (anonymous namespace)::DecodeType(std::_Bit_const_iterator&) src/util/asmap.cpp:40:12
6    [#4](/bitcoin-bitcoin/4/) 0x55aef2add49e in Interpret(std::vector<bool, std::allocator<bool> > const&, std::vector<bool, std::allocator<bool> > const&) src/util/asmap.cpp:73:18
7    [#5](/bitcoin-bitcoin/5/) 0x560f2052b833 in CNetAddr::GetMappedAS(std::vector<bool, std::allocator<bool> > const&) const src/netaddress.cpp:433:26
  2. fanquake added the label P2P on Jan 30, 2020
  3. sipa commented at 0:47 am on January 31, 2020: member
    @practicalswift Does the added commit in #18023 fix this?
  4. fanquake commented at 1:37 am on January 31, 2020: member

    I’ve recreated the same issue as @practicalswift (happens immediately).

     0[#2607](/bitcoin-bitcoin/2607/)	NEW    cov: 1194 ft: 2098 corp: 30/471b lim: 21 exec/s: 0 rss: 30Mb L: 20/21 MS: 1 ChangeBinInt-
 1=================================================================
 2==37374==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000029d98 at pc 0x000106d510db bp 0x7ffee8f05a20 sp 0x7ffee8f05a18
 3READ of size 8 at 0x602000029d98 thread T0
 4    [#0](/bitcoin-bitcoin/0/) 0x106d510da in std::__1::__bit_const_reference<std::__1::vector<bool, std::__1::allocator<bool> > >::operator bool() const __bit_reference:140
 5    [#1](/bitcoin-bitcoin/1/) 0x106d51ea2 in (anonymous namespace)::DecodeBits(std::__1::__bit_iterator<std::__1::vector<bool, std::__1::allocator<bool> >, true, 0ul>&, unsigned char, std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&) asmap.cpp:27
 6    [#2](/bitcoin-bitcoin/2/) 0x106d50d00 in Interpret(std::__1::vector<bool, std::__1::allocator<bool> > const&, std::__1::vector<bool, std::__1::allocator<bool> > const&) asmap.cpp:46
 7    [#3](/bitcoin-bitcoin/3/) 0x106d2629f in CNetAddr::GetMappedAS(std::__1::vector<bool, std::__1::allocator<bool> > const&) const netaddress.cpp:433
 8    [#4](/bitcoin-bitcoin/4/) 0x106d0a1c4 in test_one_input(std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&) asmap.cpp:27
 9    [#5](/bitcoin-bitcoin/5/) 0x106cfabb4 in LLVMFuzzerTestOneInput fuzz.cpp:38
10    [#6](/bitcoin-bitcoin/6/) 0x106db50d0 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) FuzzerLoop.cpp:553
11    [#7](/bitcoin-bitcoin/7/) 0x106db4935 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) FuzzerLoop.cpp:469
12    [#8](/bitcoin-bitcoin/8/) 0x106db69e6 in fuzzer::Fuzzer::MutateAndTestOne() FuzzerLoop.cpp:695
13    [#9](/bitcoin-bitcoin/9/) 0x106db7655 in fuzzer::Fuzzer::Loop(std::__1::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) FuzzerLoop.cpp:831
14    [#10](/bitcoin-bitcoin/10/) 0x106da3d18 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) FuzzerDriver.cpp:825
15    [#11](/bitcoin-bitcoin/11/) 0x106dd05c2 in main FuzzerMain.cpp:19
16    [#12](/bitcoin-bitcoin/12/) 0x7fff71b543d4 in start (libdyld.dylib:x86_64+0x163d4)

    Testing with master + #18029 + #18023 I no-longer see an immediate fuzzing related crash.

  5. practicalswift commented at 4:20 pm on January 31, 2020: contributor

    @sipa Yes, it fixed the first heap buffer overflow but I’m afraid I found another heap buffer overflow which it does not fix:

    Looking up the mapped AS-number for IPv6 address dead:dead:dead:dead:dead:dead:dead:dead

    0CNetAddr net_addr;
1const std::vector<uint8_t> b = {222, 173, 222, 173, 222, 173, 222, 173, 222, 173, 222, 173, 222, 173, 222, 173};
2net_addr.SetRaw(NET_IPV6, b.data());
3assert(net_addr.ToString() == "dead:dead:dead:dead:dead:dead:dead:dead");
4const std::vector<bool> asmap = {1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,1,1,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,1,1,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
5(void)net_addr.GetMappedAS(asmap);

    … yields …

    0==12896==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000120 at pc 0x5563ebea77ca bp 0x7fff1a22b9c0 sp 0x7fff1a22b9b8
1READ of size 8 at 0x602000000120 thread T0
2    [#0](/bitcoin-bitcoin/0/) 0x5563ebea77c9 in std::_Bit_reference::operator bool() const /usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_bvector.h:83:17
3    [#1](/bitcoin-bitcoin/1/) 0x5563ebea7596 in std::_Bit_const_iterator::operator*() const /usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_bvector.h:323:14
4    [#2](/bitcoin-bitcoin/2/) 0x5563ebea62d8 in std::vector<bool, std::allocator<bool> >::operator[](unsigned long) const /usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_bvector.h:891:9
5    [#3](/bitcoin-bitcoin/3/) 0x5563ebea5d43 in Interpret(std::vector<bool, std::allocator<bool> > const&, std::vector<bool, std::allocator<bool> > const&) src/util/asmap.cpp:78:17
6    [#4](/bitcoin-bitcoin/4/) 0x5563ebe852ae in CNetAddr::GetMappedAS(std::vector<bool, std::allocator<bool> > const&) const src/netaddress.cpp:433:26

    This is the offending code …

    0if (ip[ip.size() - bits]) {

    … which doesn’t guard against the bits == 0 case :)

  6. practicalswift commented at 4:22 pm on January 31, 2020: contributor
    @sipa You might want to run src/test/fuzz/asmap (#18029) to verify any robustness fixes – libFuzzer is amazing :)
  7. jonatack commented at 10:21 am on February 1, 2020: member

    Reproduced, heap overflow found almost immediately.

    0[#796](/bitcoin-bitcoin/796/)	NEW    cov: 961 ft: 2024 corp: 51/110Kb exec/s: 398 rss: 69Mb L: 92/4096 MS: 3 InsertByte-ChangeByte-InsertRepeatedBytes-
1=================================================================
2==4105==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000017998 at pc 0x55a231e658c3 bp 0x7fff64f8ff60 sp 0x7fff64f8ff58
3READ of size 8 at 0x602000017998 thread T0
4    [#0](/bitcoin-bitcoin/0/) 0x55a231e658c2 in std::_Bit_reference::operator bool() const /usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_bvector.h:83:17
  8. MarcoFalke commented at 4:18 pm on February 6, 2020: member
    @practicalswift Would be nice to get the inputs submitted to https://github.com/bitcoin-core/qa-assets, so that this issue can be closed
  9. practicalswift commented at 11:25 am on May 19, 2020: contributor
    @MarcoFalke I believe it should be among the inputs already submitted by now. Closing :)
  10. practicalswift closed this on May 19, 2020
  11. DrahtBot locked this on Feb 15, 2022


practicalswift sipa fanquake jonatack MarcoFalke

Labels
P2P

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-07-06 01:12 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me