Signed integer overflow in CFeeRate::GetFee(…) reachable via RPC call analyzepsbt #20607

issue practicalswift opened this issue on December 9, 2020
  1. practicalswift commented at 3:04 PM on December 9, 2020: contributor

    While fuzzing the RPC interface I stumbled upon a signed integer overflow in CFeeRate::GetFee(…) which is reachable via the following analyzepsbt RPC call:

    $ ./autogen.sh
$ CC=clang CXX=clang++ ./configure --with-sanitizers=address,undefined
$ make
$ UBSAN_OPTIONS="print_stacktrace=1" src/bitcoind &
$ src/bitcoin-cli analyzepsbt cHNidP8BABMAAAYAAAFdAAAKAAIEAAAAAAAGAAA=
policy/feerate.cpp:26:34: runtime error: signed integer overflow: -59373636730022578 * 1000 cannot be represented in type 'long'
    [#0](/bitcoin-bitcoin/0/) 0x55751767911b in CFeeRate::GetFee(unsigned long) const src/policy/feerate.cpp:26:34
    [#1](/bitcoin-bitcoin/1/) 0x557516e2e6a0 in CFeeRate::GetFeePerK() const src/./policy/feerate.h:60:41
    [#2](/bitcoin-bitcoin/2/) 0x557516e2e6a0 in analyzepsbt()::$_17::operator()(RPCHelpMan const&, JSONRPCRequest const&) const src/rpc/rawtransaction.cpp:1842:85
...

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior policy/feerate.cpp:26:34 in
{
  "estimated_vsize": 19,
  "estimated_feerate": -40334045.08893923,
  "fee": -11280990.97870429,
  "next": "extractor"
}

    Nothing high priority of course, but still worth fixing :)

  2. practicalswift commented at 3:14 PM on December 9, 2020: contributor

    When this is fixed the following two old fuzzing workarounds for the same underlying issue can be removed too:

    https://github.com/bitcoin/bitcoin/blob/795afe6e63a173a22597a59606e1c58d34cb3f1a/src/test/fuzz/util.h#L143-L147

    https://github.com/bitcoin/bitcoin/blob/795afe6e63a173a22597a59606e1c58d34cb3f1a/src/test/fuzz/fee_rate.cpp#L24-L26

  3. jonatack commented at 4:15 PM on December 9, 2020: member

    Thanks @practicalswift. I'm about to open a PR to refactor CFeeRate / feerate.{h,cpp} and will verify its behavior with respect to this issue.

  4. adamjonas commented at 8:48 PM on January 14, 2021: member

    Ref #20790, #20391, and #20546.

  5. practicalswift closed this on Oct 28, 2021
  6. DrahtBot locked this on Oct 30, 2022
Contributors
practicalswiftjonatackadamjonas
Linked (view graph)
#1 JSON-RPC support for mobile devices ("ultra-lightweight" clients)#2 Long-term, safe, store-of-value
github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-16 15:14 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me