test: add BIP37 remote crash bug [CVE-2013-5700] test to p2p_filter.py #18515

pull theStack wants to merge 1 commits into bitcoin:master from theStack:20200403-test-check-for-CVE20135700-vuln-in-bip37-tests changing 3 files +27 −0

theStack commented at 2:44 pm on April 3, 2020: member
Integrates the missing message type filteradd to the test framework and checks that the BIP37 implementation is not vulnerable to the “remote crash bug” CVE-2013-5700 anymore. Prior to v.0.8.4, it was possible to trigger a division-by-zero error on the following line in the function CBloomFilter::Hash(): https://github.com/bitcoin/bitcoin/blob/f0d6487e290761a4fb03798240a351b5fddfdb38/src/bloom.cpp#L45 By setting a zero-length filter via filterload, vData.size() is 0, so the modulo operation above, called on any .insert() or .contains() operation then crashed the node. The test uses the approach of just sending an arbitrary filteradd message after, which calls CBloomFilter::insert() (and in turn CBloomFilter::Hash()) on the node. The vulnerability was fixed by commit https://github.com/bitcoin/bitcoin/commit/37c6389c5a0ca63ae3573440ecdfe95d28ad8f07 (an intentional covert fix, according to gmaxwell), which introduced flags isEmpty/isFull that wouldn’t call the Hash() member function if isFull is true (set to true by default constructor).

To validate that the test fails if the implementation is vulnerable, one can simply set the flags to false in the member function UpdateEmptyFull() (that is called after a filter received via filterload is constructed), which activates the vulnerable code path calling Hash in any case on adding or testing for data in the filter:
0diff --git a/src/bloom.cpp b/src/bloom.cpp 1index bd6069b..ef294a3 100644 2--- a/src/bloom.cpp 3+++ b/src/bloom.cpp 4@@ -199,8 +199,8 @@ void CBloomFilter::UpdateEmptyFull() 5 full &= vData[i] == 0xff; 6 empty &= vData[i] == 0; 7 } 8- isFull = full; 9- isEmpty = empty; 10+ isFull = false; 11+ isEmpty = false; 12 }
Resulting in:
0$ ./p2p_filter.py 1[...] 22020-04-03T14:38:59.593000Z TestFramework (INFO): Check that division-by-zero remote crash bug [CVE-2013-5700] is fixed 32020-04-03T14:38:59.695000Z TestFramework (ERROR): Assertion failed 4[...] 5[... some exceptions following ...]
test: add BIP37 remote crash bug [CVE-2013-5700] test to p2p_filter.py 0ed2d8e07d
fanquake added the label Tests on Apr 3, 2020
naumenkogs commented at 2:56 pm on April 3, 2020: member

utACK 0ed2d8e07d3806d78d03a77d2153f22f9d733a07
sipa commented at 5:04 pm on April 3, 2020: member

Code review ACK. I think this is exactly right.
practicalswift commented at 2:13 pm on April 4, 2020: contributor

Concept ACK

Regression testing is good. Regression testing CVE bugs is great :)

If you have time: please add more CVE regression tests like this :)
MarcoFalke commented at 1:16 pm on April 5, 2020: member

ACK. I’ve also written a fuzz test that can find this issue in less than a week of CPU time: #18521
MarcoFalke merged this on Apr 5, 2020
MarcoFalke closed this on Apr 5, 2020
theStack commented at 10:05 am on April 6, 2020: member

@practicalswift: Thanks, my plan is indeed to analyze other CVEs as well and see if regression tests can be added (my assumption is that it’s unlikely that others can triggered as simple as sending a pair of messages, but anyway it will be an interesting lesson, digging in the history of Bitcoin Core ;-)) @MarcoFalke: That’s interesting, I guess I’m still underestimating how powerful fuzzing can be!
MarcoFalke referenced this in commit da4cbb7927 on Apr 20, 2020
sidhujag referenced this in commit eeacf95574 on Apr 20, 2020
fanquake referenced this in commit 551dc7f664 on May 6, 2020
sidhujag referenced this in commit e9d4768e75 on May 12, 2020
ComputerCraftr referenced this in commit 0a8fbef869 on Jun 10, 2020
jasonbcox referenced this in commit 30f9859914 on Sep 24, 2020
theStack deleted the branch on Dec 1, 2020
DrahtBot locked this on Feb 15, 2022
uvhw referenced this in commit 80d8d042ae on Jun 3, 2022

Contributors
theStack naumenkogs sipa practicalswift MarcoFalke

Labels
Tests