test: add BIP37 remote crash bug [CVE-2013-5700] test to p2p_filter.py #18515

pull theStack wants to merge 1 commits into bitcoin:master from theStack:20200403-test-check-for-CVE20135700-vuln-in-bip37-tests changing 3 files +27 −0
  1. theStack commented at 2:44 pm on April 3, 2020: member

    Integrates the missing message type filteradd to the test framework and checks that the BIP37 implementation is not vulnerable to the “remote crash bug” CVE-2013-5700 anymore. Prior to v.0.8.4, it was possible to trigger a division-by-zero error on the following line in the function CBloomFilter::Hash(): https://github.com/bitcoin/bitcoin/blob/f0d6487e290761a4fb03798240a351b5fddfdb38/src/bloom.cpp#L45 By setting a zero-length filter via filterload, vData.size() is 0, so the modulo operation above, called on any .insert() or .contains() operation then crashed the node. The test uses the approach of just sending an arbitrary filteradd message after, which calls CBloomFilter::insert() (and in turn CBloomFilter::Hash()) on the node. The vulnerability was fixed by commit https://github.com/bitcoin/bitcoin/commit/37c6389c5a0ca63ae3573440ecdfe95d28ad8f07 (an intentional covert fix, according to gmaxwell), which introduced flags isEmpty/isFull that wouldn’t call the Hash() member function if isFull is true (set to true by default constructor).

    To validate that the test fails if the implementation is vulnerable, one can simply set the flags to false in the member function UpdateEmptyFull() (that is called after a filter received via filterload is constructed), which activates the vulnerable code path calling Hash in any case on adding or testing for data in the filter:

     0diff --git a/src/bloom.cpp b/src/bloom.cpp
     1index bd6069b..ef294a3 100644
     2--- a/src/bloom.cpp
     3+++ b/src/bloom.cpp
     4@@ -199,8 +199,8 @@ void CBloomFilter::UpdateEmptyFull()
     5         full &= vData[i] == 0xff;
     6         empty &= vData[i] == 0;
     7     }
     8-    isFull = full;
     9-    isEmpty = empty;
    10+    isFull = false;
    11+    isEmpty = false;
    12 }
    

    Resulting in:

    0$ ./p2p_filter.py
    1[...]
    22020-04-03T14:38:59.593000Z TestFramework (INFO): Check that division-by-zero remote crash bug [CVE-2013-5700] is fixed
    32020-04-03T14:38:59.695000Z TestFramework (ERROR): Assertion failed
    4[...]
    5[... some exceptions following ...]
    
  2. test: add BIP37 remote crash bug [CVE-2013-5700] test to p2p_filter.py 0ed2d8e07d
  3. fanquake added the label Tests on Apr 3, 2020
  4. naumenkogs commented at 2:56 pm on April 3, 2020: member
    utACK 0ed2d8e07d3806d78d03a77d2153f22f9d733a07
  5. sipa commented at 5:04 pm on April 3, 2020: member
    Code review ACK. I think this is exactly right.
  6. practicalswift commented at 2:13 pm on April 4, 2020: contributor

    Concept ACK

    Regression testing is good. Regression testing CVE bugs is great :)

    If you have time: please add more CVE regression tests like this :)

  7. MarcoFalke commented at 1:16 pm on April 5, 2020: member
    ACK. I’ve also written a fuzz test that can find this issue in less than a week of CPU time: #18521
  8. MarcoFalke merged this on Apr 5, 2020
  9. MarcoFalke closed this on Apr 5, 2020

  10. theStack commented at 10:05 am on April 6, 2020: member
    @practicalswift: Thanks, my plan is indeed to analyze other CVEs as well and see if regression tests can be added (my assumption is that it’s unlikely that others can triggered as simple as sending a pair of messages, but anyway it will be an interesting lesson, digging in the history of Bitcoin Core ;-)) @MarcoFalke: That’s interesting, I guess I’m still underestimating how powerful fuzzing can be!
  11. MarcoFalke referenced this in commit da4cbb7927 on Apr 20, 2020
  12. sidhujag referenced this in commit eeacf95574 on Apr 20, 2020
  13. fanquake referenced this in commit 551dc7f664 on May 6, 2020
  14. sidhujag referenced this in commit e9d4768e75 on May 12, 2020
  15. ComputerCraftr referenced this in commit 0a8fbef869 on Jun 10, 2020
  16. jasonbcox referenced this in commit 30f9859914 on Sep 24, 2020
  17. theStack deleted the branch on Dec 1, 2020
  18. DrahtBot locked this on Feb 15, 2022
  19. uvhw referenced this in commit 80d8d042ae on Jun 3, 2022

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-10-30 00:12 UTC

This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me