Some fuzzing crashes when running under ASan and/or UBSan #18046

issue practicalswift opened this issue on January 31, 2020
  1. practicalswift commented at 9:56 pm on January 31, 2020: contributor

    When running the fuzzers in master with ASan and UBSan enabled the crashes below will eventually be encountered.

    Ideally one should be able to run all fuzzers in master continuously with all sanitisers enabled without ever hitting any issues.

    Note that the presence of an issue in the list below does not necessarily imply a bug in the code under test: it could simply mean that the harness is fuzzing code that is not intended to be robust against random input.

    Thus avoiding these issues will require either:

    • a.) making the fuzzing harness avoid triggering code that is not meant to be robust to random input, or
    • b.) making the code under test more robust.

    Some of these will be easy to fix and could thus be good candidates for a “good first issue” :)

    | # | Fuzzer | Issue | Fix PR |
    |---|--------|-------|--------|
    | 1 | blockundo_deserialize | undo.h:30:24: runtime error: signed integer overflow: 1972491776 * 2 cannot be represented in type 'int' | |
    | 2 | coins_deserialize | coins.h:62:33: runtime error: signed integer overflow: 1969937248 * 2 cannot be represented in type 'int' | |
    | 3 | parse_iso8601 | util/time.cpp:101:67: runtime error: signed integer overflow: 2147482930 + 1900 cannot be represented in type 'int' | Fixed by #18162 |
    | 4 | parse_script | script/script.h:332:35: runtime error: negation of -9223372036854775808 cannot be represented in type 'int64_t' (aka 'long'); cast to an unsigned type to negate this value to itself | Fixed by #18416 |
    | 5 | psbt | prevector.h:453:19: runtime error: reference binding to misaligned address 0x7f5c1d552022 for type 'prevector<28, unsigned char, unsigned int, int>::size_type' (aka 'unsigned int'), which requires 4 byte alignment | Fixed by #17708 |
    | 6 | script | prevector.h:453:19: runtime error: reference binding to misaligned address 0x7f182c5a5a22 for type 'prevector<28, unsigned char, unsigned int, int>::size_type' (aka 'unsigned int'), which requires 4 byte alignment | Fixed by #17708 |
    | 7 | transaction | primitives/transaction.cpp:87:19: runtime error: signed integer overflow: 1095216725760 + 9223372032559808512 cannot be represented in type 'long' | Fixed by #18383 |
    | 8 | txundo_deserialize | undo.h:30:24: runtime error: signed integer overflow: 1960862720 * 2 cannot be represented in type 'int' | |

    To reproduce:

    $ make distclean
    $ ./autogen.sh
    $ CC=clang CXX=clang++ ./configure --enable-fuzz \
          --with-sanitizers=address,fuzzer,undefined
    $ make
    $ export UBSAN_OPTIONS="print_stacktrace=1:halt_on_error=1:report_error_type=1"

    $ xxd -p -r <<< "d10000b401018dd88dd7001b0a06" > crash-blockundo_deserialize
    $ src/test/fuzz/blockundo_deserialize crash-blockundo_deserialize
    undo.h:30:24: runtime error: signed integer overflow: 1972491776 * 2 cannot be represented in type 'int'
        #0 0x555b1634e7db in void TxInUndoSerializer::Serialize<CDataStream>(CDataStream&) const src/./undo.h:30:24
        #1 0x555b1634da3a in void Serialize<CDataStream, TxInUndoSerializer>(CDataStream&, TxInUndoSerializer const&) src/./serialize.h:667:7
        #2 0x555b1634da3a in void CTxUndo::Serialize<CDataStream>(CDataStream&) const src/./undo.h:81:13
        #3 0x555b16348fc1 in void Serialize<CDataStream, CTxUndo>(CDataStream&, CTxUndo const&) src/./serialize.h:667:7
        #4 0x555b16348fc1 in void Serialize_impl<CDataStream, CTxUndo, std::allocator<CTxUndo>, CTxUndo>(CDataStream&, std::vector<CTxUndo, std::allocator<CTxUndo> > const&, CTxUndo const&) src/./serialize.h:798:9
        #5 0x555b16348b40 in void Serialize<CDataStream, CTxUndo, std::allocator<CTxUndo> >(CDataStream&, std::vector<CTxUndo, std::allocator<CTxUndo> > const&) src/./serialize.h:804:5
        #6 0x555b16348b40 in void SerializeMany<CDataStream, std::vector<CTxUndo, std::allocator<CTxUndo> > >(CDataStream&, std::vector<CTxUndo, std::allocator<CTxUndo> > const&) src/./serialize.h:1029:5
        #7 0x555b16348b40 in void SerReadWriteMany<CDataStream, std::vector<CTxUndo, std::allocator<CTxUndo> > >(CDataStream&, CSerActionSerialize, std::vector<CTxUndo, std::allocator<CTxUndo> > const&) src/./serialize.h:1048:5
        #8 0x555b16348896 in void CBlockUndo::SerializationOp<CDataStream, CSerActionSerialize>(CDataStream&, CSerActionSerialize) src/./undo.h:110:9
        #9 0x555b16348896 in void CBlockUndo::Serialize<CDataStream>(CDataStream&) const src/./undo.h:106:5
        #10 0x555b16348896 in void Serialize<CDataStream, CBlockUndo>(CDataStream&, CBlockUndo const&) src/./serialize.h:667:7
        #11 0x555b1634851f in CDataStream& CDataStream::operator<<<CBlockUndo>(CBlockUndo const&) src/./streams.h:452:9
        #12 0x555b163377c5 in CDataStream (anonymous namespace)::Serialize<CBlockUndo>(CBlockUndo const&) src/test/fuzz/deserialize.cpp:49:8
        #13 0x555b163334e0 in void (anonymous namespace)::DeserializeFromFuzzingInput<CBlockUndo>(std::vector<unsigned char, std::allocator<unsigned char> > const&, CBlockUndo&) src/test/fuzz/deserialize.cpp:77:5
        #14 0x555b1633314b in test_one_input(std::vector<unsigned char, std::allocator<unsigned char> > const&) src/test/fuzz/deserialize.cpp:178:9

    $ xxd -p -r <<< "f60a20008dd5d5ec400006" > crash-coins_deserialize
    $ src/test/fuzz/coins_deserialize crash-coins_deserialize
    coins.h:62:33: runtime error: signed integer overflow: 1969937248 * 2 cannot be represented in type 'int'
        #0 0x557d369a4be5 in void Coin::Serialize<CDataStream>(CDataStream&) const src/./coins.h:62:33
        #1 0x557d369a45fb in void Serialize<CDataStream, Coin>(CDataStream&, Coin const&) src/./serialize.h:667:7
        #2 0x557d369a45fb in CDataStream& CDataStream::operator<<<Coin>(Coin const&) src/./streams.h:452:9
        #3 0x557d3699d325 in CDataStream (anonymous namespace)::Serialize<Coin>(Coin const&) src/test/fuzz/deserialize.cpp:49:8
        #4 0x557d36998a60 in void (anonymous namespace)::DeserializeFromFuzzingInput<Coin>(std::vector<unsigned char, std::allocator<unsigned char> > const&, Coin&) src/test/fuzz/deserialize.cpp:77:5
        #5 0x557d369986bd in test_one_input(std::vector<unsigned char, std::allocator<unsigned char> > const&) src/test/fuzz/deserialize.cpp:181:9

    $ xxd -p -r <<< "7200393636e2f031" > crash-parse_iso8601
    $ src/test/fuzz/parse_iso8601 crash-parse_iso8601
    util/time.cpp:101:67: runtime error: signed integer overflow: 2147482930 + 1900 cannot be represented in type 'int'
        #0 0x562ccf9bd323 in FormatISO8601DateTime[abi:cxx11](long) src/util/time.cpp:101:67
        #1 0x562ccf9ba5fb in test_one_input(std::vector<unsigned char, std::allocator<unsigned char> > const&) src/test/fuzz/parse_iso8601.cpp:21:42

    $ xxd -p -r <<< "2d360932445550092d36093609092d393939393939393939393939393939393939360955" > crash-parse_script
    $ src/test/fuzz/parse_script crash-parse_script
    script/script.h:332:35: runtime error: negation of -9223372036854775808 cannot be represented in type 'int64_t' (aka 'long'); cast to an unsigned type to negate this value to itself
        #0 0x55e134173738 in CScriptNum::serialize(long const&) src/./script/script.h:332:35
        #1 0x55e134172f40 in CScript::push_int64(long) src/./script/script.h:405:22
        #2 0x55e13416984f in CScript::operator<<(long) src/./script/script.h:445:45
        #3 0x55e13416984f in ParseScript(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) src/core_read.cpp:62:20
        #4 0x55e134167b0b in test_one_input(std::vector<unsigned char, std::allocator<unsigned char> > const&) src/test/fuzz/parse_script.cpp:13:15

    $ xxd -p -r <<< "70736274ff010085830303230309006d0000003c000000006f1a30ff0002b37700726b65721a1a0000000000000000000000000000000000000000000000280040009e2900000000000000000000000000000000000000040000000000000070736274ff01002e00000000000303030303030300000000e51a360000010303000000000000000000000000000000000101090000000000000000000000" > crash-psbt
    $ src/test/fuzz/psbt crash-psbt
    prevector.h:453:19: runtime error: reference binding to misaligned address 0x7f5c1d552022 for type 'prevector<28, unsigned char, unsigned int, int>::size_type' (aka 'unsigned int'), which requires 4 byte alignment
    0x7f5c1d552022: note: pointer points here
     00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00
                  ^
        #0 0x555e737c657e in prevector<28u, unsigned char, unsigned int, int>::swap(prevector<28u, unsigned char, unsigned int, int>&) src/./prevector.h:453:9
        #1 0x555e737c61be in prevector<28u, unsigned char, unsigned int, int>::operator=(prevector<28u, unsigned char, unsigned int, int>&&) src/./prevector.h:273:9
        #2 0x555e737c61be in CScript::operator=(CScript&&) src/./script/script.h:390:7
        #3 0x555e7383a4e6 in ProduceSignature(SigningProvider const&, BaseSignatureCreator const&, CScript const&, SignatureData&) src/script/sign.cpp:245:23
        #4 0x555e737e91a8 in SignPSBTInput(SigningProvider const&, PartiallySignedTransaction&, int, int, SignatureData*, bool) src/psbt.cpp:285:24
        #5 0x555e73780ff5 in AnalyzePSBT(PartiallySignedTransaction) src/node/psbt.cpp:64:29
        #6 0x555e73745694 in test_one_input(std::vector<unsigned char, std::allocator<unsigned char> > const&) src/test/fuzz/psbt.cpp:35:35

    $ touch crash-script
    $ src/test/fuzz/script crash-script
    prevector.h:453:19: runtime error: reference binding to misaligned address 0x7f182c5a5a22 for type 'prevector<28, unsigned char, unsigned int, int>::size_type' (aka 'unsigned int'), which requires 4 byte alignment
    0x7f182c5a5a22: note: pointer points here
     00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00
                  ^
        #0 0x55867c4d0c5e in prevector<28u, unsigned char, unsigned int, int>::swap(prevector<28u, unsigned char, unsigned int, int>&) src/./prevector.h:453:9
        #1 0x55867c4c989e in prevector<28u, unsigned char, unsigned int, int>::operator=(prevector<28u, unsigned char, unsigned int, int>&&) src/./prevector.h:273:9
        #2 0x55867c4c989e in CScript::operator=(CScript&&) src/./script/script.h:390:7
        #3 0x55867c5564c6 in ProduceSignature(SigningProvider const&, BaseSignatureCreator const&, CScript const&, SignatureData&) src/script/sign.cpp:245:23
        #4 0x55867c5604f9 in IsSolvable(SigningProvider const&, CScript const&) src/script/sign.cpp:444:9
        #5 0x55867c4b6647 in test_one_input(std::vector<unsigned char, std::allocator<unsigned char> > const&) src/test/fuzz/script.cpp:48:11

    $ xxd -p -r <<< "fb67656c70000000000200ff0000ff0000000000000000ffffff7f0000000000" > crash-transaction
    $ src/test/fuzz/transaction crash-transaction
    primitives/transaction.cpp:87:19: runtime error: signed integer overflow: 1095216725760 + 9223372032559808512 cannot be represented in type 'long'
        #0 0x5574b725f6c1 in CTransaction::GetValueOut() const src/primitives/transaction.cpp:87:19
        #1 0x5574b611e5bb in test_one_input(std::vector<unsigned char, std::allocator<unsigned char> > const&) src/test/fuzz/transaction.cpp:71:18

    $ xxd -p -r <<< "d1000000018dcd828f01000006" > crash-txundo_deserialize
    $ src/test/fuzz/txundo_deserialize crash-txundo_deserialize
    undo.h:30:24: runtime error: signed integer overflow: 1960862720 * 2 cannot be represented in type 'int'
        #0 0x55e6eb9ae8bb in void TxInUndoSerializer::Serialize<CDataStream>(CDataStream&) const src/./undo.h:30:24
        #1 0x55e6eb9a99ba in void Serialize<CDataStream, TxInUndoSerializer>(CDataStream&, TxInUndoSerializer const&) src/./serialize.h:667:7
        #2 0x55e6eb9a99ba in void CTxUndo::Serialize<CDataStream>(CDataStream&) const src/./undo.h:81:13
        #3 0x55e6eb9a93eb in void Serialize<CDataStream, CTxUndo>(CDataStream&, CTxUndo const&) src/./serialize.h:667:7
        #4 0x55e6eb9a93eb in CDataStream& CDataStream::operator<<<CTxUndo>(CTxUndo const&) src/./streams.h:452:9
        #5 0x55e6eb99c3d5 in CDataStream (anonymous namespace)::Serialize<CTxUndo>(CTxUndo const&) src/test/fuzz/deserialize.cpp:49:8
        #6 0x55e6eb9987f0 in void (anonymous namespace)::DeserializeFromFuzzingInput<CTxUndo>(std::vector<unsigned char, std::allocator<unsigned char> > const&, CTxUndo&) src/test/fuzz/deserialize.cpp:77:5
        #7 0x55e6eb99845b in test_one_input(std::vector<unsigned char, std::allocator<unsigned char> > const&) src/test/fuzz/deserialize.cpp:175:9
    
  2. sanjaykdragon commented at 2:54 pm on February 2, 2020: contributor
    1,2,4, and 8 seem to be solved? or I just don’t see the issue
  3. practicalswift commented at 8:28 pm on February 17, 2020: contributor
    @sanjaykdragon I just confirmed all cases against master with Clang 10. I removed one false positive (an assertion failure). Could it be that you’re running with an older Clang version?
  4. elichai commented at 11:44 am on March 19, 2020: contributor
    Just tested with clang 9.0.1 (as 10 isn’t officially released yet) and I get the same errors on all except for the psbt, FormatISO8601DateTime and crash_script where I see no error
  5. pierreN commented at 9:03 pm on March 23, 2020: contributor

    I could reproduce 1,2,4,8 on my system.

    I proposed a PR for 4: #18413. 1,2,8 can be similarly trivially fixed with 3 static_cast<uint32_t> (since nHeight is of size 31), but such a bug can’t happen until we wait ~37k years into the future. Unsure if I should do a PR for that?
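
Added example (not code from bitcoin/bitcoin; the struct, the function names and the MoneyRange stand-in are constructed for illustration) of the cast-to-unsigned fix described above for 1, 2 and 8, with the same discipline applied to the CScriptNum negation (script.h:332) and the GetValueOut sum (transaction.cpp:87) from the opening report:

```cpp
#include <cstdint>
#include <stdexcept>
#include <vector>

// 1. The undo.h:30 / coins.h:62 pattern (1, 2, 8): height and coinbase flag
//    are packed as `nHeight * 2 + fCoinBase`. With `int nHeight`, a fuzzer
//    supplied height above INT_MAX/2 makes the multiplication signed overflow,
//    which is what UBSan reported. The same bit pattern computed in uint32_t
//    is defined for every input; only the intermediate type changes.
struct HeightCode {
    int nHeight;      // constructed stand-in for the on-disk 31-bit height
    bool fCoinBase;
};

static uint32_t PackHeightUnsigned(const HeightCode& h) {
    // signed form reported by UBSan: h.nHeight * 2 + (h.fCoinBase ? 1 : 0)
    return static_cast<uint32_t>(h.nHeight) * 2u + (h.fCoinBase ? 1u : 0u);
}

static HeightCode UnpackHeight(uint32_t code) {
    return HeightCode{static_cast<int>(code >> 1), (code & 1u) != 0};
}

// 2. The script.h:332 pattern (4): `-value` on an int64_t is UB when
//    value == INT64_MIN. Two's-complement negation in uint64_t is defined
//    and yields 2^63, exactly the magnitude the encoder needs.
static uint64_t AbsValueNoUB(int64_t value) {
    const uint64_t u = static_cast<uint64_t>(value);
    return value < 0 ? ~u + 1u : u;
}

// Little-endian sign-magnitude encoding in the shape of CScriptNum::serialize
// (constructed here, not copied from the project), built on the safe abs.
static std::vector<unsigned char> SerializeScriptNum(int64_t value) {
    std::vector<unsigned char> result;
    if (value == 0) return result;
    const bool neg = value < 0;
    uint64_t absvalue = AbsValueNoUB(value);
    while (absvalue) {
        result.push_back(static_cast<unsigned char>(absvalue & 0xff));
        absvalue >>= 8;
    }
    // The top bit of the last byte carries the sign; if the magnitude already
    // uses it, append a separate sign byte.
    if (result.back() & 0x80) result.push_back(neg ? 0x80 : 0x00);
    else if (neg) result.back() |= 0x80;
    return result;
}

// 3. The transaction.cpp:87 pattern (transaction fuzzer): summing outputs.
//    Checking each term and the prospective total *before* the addition
//    means the addition cannot overflow: two values in [0, MAX_MONEY] fit.
static const int64_t MAX_MONEY = 21000000LL * 100000000LL;  // constructed
static bool MoneyRange(int64_t v) { return v >= 0 && v <= MAX_MONEY; }
static int64_t SumOutputsChecked(const std::vector<int64_t>& vout) {
    int64_t total = 0;
    for (int64_t v : vout) {
        // v is validated first, so `total + v` below is always in range.
        if (!MoneyRange(v) || !MoneyRange(total + v))
            throw std::runtime_error("value out of range");
        total += v;
    }
    return total;
}
```

The height pair from the blockundo report (1972491776, coinbase) round-trips through the unsigned packer, and the two amounts from the transaction report are rejected before they are ever added.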

  6. pierreN commented at 2:03 am on March 26, 2020: contributor
    I tried to start a PR to fix 1,2,8 : #18433
  7. fanquake referenced this in commit 6a11d9e330 on Mar 30, 2020
  8. sidhujag referenced this in commit 1914b0350e on Mar 30, 2020
  9. MarcoFalke referenced this in commit 9135903c76 on Mar 30, 2020
  10. MarcoFalke commented at 11:35 pm on March 30, 2020: member

    I’ve uploaded the parse_script seed, but none of our builds fails, nor does it fail locally for me :man_shrugging:

    https://github.com/bitcoin-core/qa-assets/commit/9135903c7613207a0aacbf0c08c4036f0aa1cd15

  11. pierreN commented at 0:51 am on March 31, 2020: contributor

    If I understand correctly, you mean that parse_script should fail ?

    On current master I have (since the exception is caught):

    $ echo "-6  2DUP    -6      6               -9999999999999999996    U" >> crash_parse
    $ ./src/test/fuzz/parse_script crash_parse
    INFO: Seed: 1943483372
    INFO: Loaded 1 modules   (18791 inline 8-bit counters): 18791 [0x556bd628dfa0, 0x556bd6292907),
    INFO: Loaded 1 PC tables (18791 PCs): 18791 [0x556bd6292908,0x556bd62dbf78),
    ./src/test/fuzz/parse_script: Running 1 inputs 1 time(s) each.
    Running: crash_parse
    Executed crash_parse in 1 ms
    ***
    *** NOTE: fuzzing was not performed, you have only
    ***       executed the target code on a fixed set of inputs.
    ***
    

    And on commit e3154aac I get :

    $ ./src/test/fuzz/parse_script crash_parse
    INFO: Seed: 841688900
    INFO: Loaded 1 modules   (18843 inline 8-bit counters): 18843 [0x561b8e84d500, 0x561b8e851e9b),
    INFO: Loaded 1 PC tables (18843 PCs): 18843 [0x561b8e851ea0,0x561b8e89b850),
    ./src/test/fuzz/parse_script: Running 1 inputs 1 time(s) each.
    Running: crash_parse
    script/script.h:332:35: runtime error: negation of -9223372036854775808 cannot be represented in type 'int64_t' (aka 'long'); cast to an unsigned type to negate this value to itself
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior script/script.h:332:35 in
    Executed crash_parse in 8 ms
    ***
    *** NOTE: fuzzing was not performed, you have only
    ***       executed the target code on a fixed set of inputs.
    ***
    
  12. MarcoFalke commented at 1:58 am on March 31, 2020: member

    Oh, I didn’t realize b53af72b8276e8a23915d38fe459889cccb56f50 is merged already.

    Anything left to do here or can this issue be closed?

  13. pierreN commented at 2:04 am on March 31, 2020: contributor
    AFAIK it can be closed (or we can wait for #18413).
  14. MarcoFalke commented at 2:06 am on March 31, 2020: member
    With or without #18413, the fuzzer doesn’t crash anymore, so it seems “unrelated” and this issue can be closed, I think.
  15. practicalswift commented at 7:36 pm on March 31, 2020: contributor

    Seven of the eight cases listed in this PR have now been fixed. Only one left to go until this PR can be closed :)

    The remaining issue:

    $ xxd -p -r <<< "fb67656c70000000000200ff0000ff0000000000000000ffffff7f0000000000" > crash-transaction
    $ src/test/fuzz/transaction crash-transaction
    INFO: Seed: 2818828731
    INFO: Loaded 1 modules   (415121 inline 8-bit counters): 415121 [0x559366a736d8, 0x559366ad8c69),
    INFO: Loaded 1 PC tables (415121 PCs): 415121 [0x559366ad8c70,0x55936712e580),
    src/test/fuzz/transaction: Running 1 inputs 1 time(s) each.
    Running: crash-transaction
    primitives/transaction.cpp:87:19: runtime error: signed integer overflow: 1095216725760 + 9223372032559808512 cannot be represented in type 'long'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior primitives/transaction.cpp:87:19 in
    
  16. practicalswift commented at 5:10 am on April 1, 2020: contributor
    The remaining case is fixed in #18383.
  17. MarcoFalke closed this on Apr 2, 2020

  18. sidhujag referenced this in commit 4c1e075bc9 on Apr 3, 2020
  19. fanquake referenced this in commit 68ef9523d1 on May 2, 2020
  20. sidhujag referenced this in commit 3fdaa759ad on May 2, 2020
  21. sinetek referenced this in commit e19a58bcd6 on May 25, 2020
  22. CaveSpectre11 referenced this in commit 37578dd2af on Jun 28, 2020
  23. Fabcien referenced this in commit c087941255 on Oct 27, 2020
  24. PastaPastaPasta referenced this in commit a0deb971ad on Jun 27, 2021
  25. PastaPastaPasta referenced this in commit 9845af0c9f on Jun 27, 2021
  26. PastaPastaPasta referenced this in commit 45311c83a8 on Jun 28, 2021
  27. PastaPastaPasta referenced this in commit c04052eb40 on Jun 28, 2021
  28. PastaPastaPasta referenced this in commit c7039c1b9d on Jun 29, 2021
  29. PastaPastaPasta referenced this in commit 889992b3d5 on Jun 29, 2021
  30. PastaPastaPasta referenced this in commit ad450e856f on Jul 1, 2021
  31. PastaPastaPasta referenced this in commit 652cea449d on Jul 1, 2021
  32. PastaPastaPasta referenced this in commit 8fa8d6fbaf on Jul 1, 2021
  33. PastaPastaPasta referenced this in commit c192334f41 on Jul 1, 2021
  34. PastaPastaPasta referenced this in commit 4f632952bf on Jul 14, 2021
  35. PastaPastaPasta referenced this in commit c542cd3a98 on Jul 14, 2021
  36. MarcoFalke locked this on Feb 15, 2022

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-10-30 00:12 UTC

This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me