Null pointer dereference in CBlockIndexWorkComparator::operator() reachable via RPC call invalidateblock #20914

issue practicalswift opened this issue on January 12, 2021
  1. practicalswift commented at 2:40 PM on January 12, 2021: contributor

    While fuzzing the RPC interface I stumbled upon a null pointer dereference in CBlockIndexWorkComparator::operator() which is reachable via the invalidateblock RPC call:

    $ ./autogen.sh
    $ CC=clang CXX=clang++ ./configure --with-sanitizers=address,undefined
    $ make
    $ src/bitcoind -regtest &
    $ src/bitcoin-cli -regtest generatetodescriptor 1 'addr(bcrt1qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq3xueyj)#juyq9d97'
    2021-01-12T14:27:41Z CreateNewBlock(): block weight: 932 txs: 0 fees: 0 sigops 400
    2021-01-12T14:27:41Z Pre-allocating up to position 0x100000 in rev00000.dat
    2021-01-12T14:27:41Z Leaving InitialBlockDownload (latching to false)
    2021-01-12T14:27:41Z UpdateTip: new best=60c56626f298548305381979897bc2ac4ced1c1f6b3b7b6ba7dfaa83c428eb92 height=1 version=0x20000000 log2_work=2.000000 tx=2 date='2021-01-12T14:27:41Z' progress=1.000000 cache=0.0MiB(1txo)
    [
      "60c56626f298548305381979897bc2ac4ced1c1f6b3b7b6ba7dfaa83c428eb92"
    ]
    $ src/bitcoin-cli -regtest invalidateblock 0f9188f13cb7b2c71f2a335e3a4fc328bf5beb436012afca590b1a11466e2206
    2021-01-12T14:28:01Z UpdateTip: new best=0f9188f13cb7b2c71f2a335e3a4fc328bf5beb436012afca590b1a11466e2206 height=0 version=0x00000001 log2_work=1.000000 tx=1 date='2011-02-02T23:16:42Z' progress=1.000000 cache=0.0MiB(1txo)
    2021-01-12T14:28:01Z ERROR: UndoReadFromDisk: no undo data available
    2021-01-12T14:28:01Z ERROR: DisconnectBlock(): failure reading undo data
    2021-01-12T14:28:01Z ERROR: DisconnectTip(): DisconnectBlock 0f9188f13cb7b2c71f2a335e3a4fc328bf5beb436012afca590b1a11466e2206 failed
    $ src/bitcoin-cli -regtest invalidateblock 0f9188f13cb7b2c71f2a335e3a4fc328bf5beb436012afca590b1a11466e2206
    validation.cpp:87:30: runtime error: member access within null pointer of type 'const CBlockIndex'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior validation.cpp:87:30 in
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==7489==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000044 (pc 0x559ffc210c43 bp 0x60d0000e7301 sp 0x7f83af6b6890 T16)
    ==7489==The signal is caused by a READ memory access.
    ==7489==Hint: address points to the zero page.
        #0 0x559ffc210c42 in base_uint<256u>::CompareTo(base_uint<256u> const&) const src/arith_uint256.cpp
        #1 0x559ffbc96c55 in operator>(base_uint<256u> const&, base_uint<256u> const&) src/./arith_uint256.h:219:85
        #2 0x559ffbc96c55 in CBlockIndexWorkComparator::operator()(CBlockIndex const*, CBlockIndex const*) const src/validation.cpp:87:24
        #3 0x559ffbcc3363 in CChainState::InvalidateBlock(BlockValidationState&, CChainParams const&, CBlockIndex*) src/validation.cpp:2954:22
        #4 0x559ffbcc50d3 in InvalidateBlock(BlockValidationState&, CChainParams const&, CBlockIndex*) src/validation.cpp:3061:33
        #5 0x559ffb9a6eb7 in invalidateblock()::$_22::operator()(RPCHelpMan const&, JSONRPCRequest const&) const src/rpc/blockchain.cpp:1603:5
    …
    [1]+  Exit 1                  src/bitcoind -regtest
    

    Nothing high priority of course, but still worth fixing :)

  2. MarcoFalke commented at 2:50 PM on January 12, 2021: member

    0f9188f13cb7b2c71f2a335e3a4fc328bf5beb436012afca590b1a11466e2206

    looks like the hash of the genesis block

  3. theStack commented at 6:02 PM on January 17, 2021: member

    This happens due to the fact that the genesis block doesn't have a previous block. Provided a simple solution in #20921 that should be straight-forward to review.

  4. MarcoFalke closed this on Mar 20, 2021

  5. sidhujag referenced this in commit aca1a216dd on Mar 20, 2021
  6. PastaPastaPasta referenced this in commit 318c2d9f14 on Dec 22, 2021
  7. PastaPastaPasta referenced this in commit 7618fe5379 on Dec 22, 2021
  8. PastaPastaPasta referenced this in commit 100ad15449 on Dec 22, 2021
  9. PastaPastaPasta referenced this in commit e1675bdd84 on Dec 28, 2021
  10. DrahtBot locked this on Aug 18, 2022

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-13 21:14 UTC
