fuzz: Stop nodes in process_message* fuzzers #18875

MarcoFalke commented at 11:59 PM on May 4, 2020: member

Background is that I saw an integer overflow in net_processing

[#30629113](/bitcoin-bitcoin/30629113/)	REDUCE cov: 25793 ft: 142917 corp: 3421/2417Kb lim: 4096 exec/s: 89 rss: 614Mb L: 1719/4096 MS: 1 EraseBytes-
net_processing.cpp:977:25: runtime error: signed integer overflow: 2147483624 + 100 cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior net_processing.cpp:977:25 in 
net_processing.cpp:985:9: runtime error: signed integer overflow: -2147483572 - 100 cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior net_processing.cpp:985:9 in

Telling from the line numbers, it looks like nMisbehavior wrapped around.

Fix that by calling StopNodes after each exec, which should clear the node state and thus nMisbehavior.

fanquake added the label Tests on May 5, 2020

MarcoFalke force-pushed on May 10, 2020

MarcoFalke commented at 11:45 AM on May 10, 2020: member

Rebased. This can be tested with the following diff (observing a failure on master and a pass with this pull applied):

diff --git a/src/net_processing.cpp b/src/net_processing.cpp
index a4d4953281..d68df49d34 100644
--- a/src/net_processing.cpp
+++ b/src/net_processing.cpp
@@ -804,6 +804,7 @@ void PeerLogicValidation::InitializeNode(CNode *pnode) {
     NodeId nodeid = pnode->GetId();
     {
         LOCK(cs_main);
+        assert(mapNodeState.find(nodeid) == mapNodeState.end());
         mapNodeState.emplace_hint(mapNodeState.end(), std::piecewise_construct, std::forward_as_tuple(nodeid), std::forward_as_tuple(addr, std::move(addrName), pnode->fInbound, pnode->m_manual_connection));
     }
     if(!pnode->fInbound)

practicalswift commented at 7:32 PM on May 10, 2020: contributor

@MarcoFalke

Thanks for addressing this!

With this make-it-easy-to-reproduce patch applied …

diff --git a/src/net_processing.cpp b/src/net_processing.cpp
index a4d495328..afa60d2e0 100644
--- a/src/net_processing.cpp
+++ b/src/net_processing.cpp
@@ -397,7 +397,7 @@ struct CNodeState {
         m_is_manual_connection (is_manual)
     {
         fCurrentlyConnected = false;
-        nMisbehavior = 0;
+        nMisbehavior = std::numeric_limits<int>::max() - 1000;
         fShouldBan = false;
         pindexBestKnownBlock = nullptr;
         hashLastUnknownBlock.SetNull();

… I'm still getting …

$ src/test/fuzz/process_message process_message/
net_processing.cpp:1021:25: runtime error: signed integer overflow: 2147483637 + 100 cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior net_processing.cpp:1021:25 in
net_processing.cpp:1029:9: runtime error: signed integer overflow: -2147483559 - 100 cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior net_processing.cpp:1029:9 in

… even with the suggested fix applied. What am I doing wrong? :)

fuzz: Give CNode ownership to ConnmanTestMsg in process_message fuzz harness 6666c828e0

MarcoFalke force-pushed on May 11, 2020

MarcoFalke commented at 7:16 PM on May 11, 2020: member

@practicalswift That is a separate issue in process_message. Fixed in 6666c828

fuzz: Stop nodes in process_message* fuzzers fab860aed4

MarcoFalke force-pushed on May 12, 2020

MarcoFalke commented at 7:23 PM on June 2, 2020: member

@practicalswift Any chance you could test this again? :pray:

practicalswift commented at 8:06 PM on June 2, 2020: contributor

@MarcoFalke

Sure! Confirming that I'm no longer able to reproduce the issue.

ACK fab860aed4878b831dae463e1ee68029b66210f5

Thanks for fixing this issue!

MarcoFalke merged this on Jun 3, 2020

MarcoFalke closed this on Jun 3, 2020

MarcoFalke deleted the branch on Jun 3, 2020

sidhujag referenced this in commit b8bea8b4f1 on Jun 3, 2020

deadalnix referenced this in commit 306b94dd6d on Dec 21, 2020

DrahtBot locked this on Feb 15, 2022