This bug was introduced by myself in commit eeee8f5be1d4ccfb7e237248be5c6bef45b0fbb8 (https://github.com/bitcoin/bitcoin/pull/21553)
Hopefully fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34301
Concept ACK
Please excuse my nosiness, I can't see the error but makes sense to me. We'd want to call CheckTransaction() to make sure it's well-formed first :shrug:
I can't see the error
It should be possible to reproduce with the reproducer input in the OP
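To make the ordering point from the comment above concrete, here is a hypothetical, simplified model (added example, not Bitcoin Core's code) of why a consensus helper that throws on an out-of-range output sum must only be reached after a structural check like CheckTransaction() has accepted the transaction; the names and reject strings mirror Bitcoin Core only loosely and are assumptions.

```cpp
#include <cstdint>
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical simplified model; constants follow Bitcoin's money range.
using CAmount = int64_t;
static const CAmount COIN = 100000000;
static const CAmount MAX_MONEY = 21000000 * COIN;

inline bool MoneyRange(CAmount n) { return n >= 0 && n <= MAX_MONEY; }

struct Tx { std::vector<CAmount> outputs; };

// Consensus-style accumulator: assumes a well-formed tx and throws otherwise.
// A fuzz harness that calls this on arbitrary input will crash, as in the OP.
CAmount GetValueOut(const Tx& tx)
{
    CAmount total = 0;
    for (CAmount v : tx.outputs) {
        // Checking v first keeps total + v within int64 range.
        if (!MoneyRange(v) || !MoneyRange(total + v)) {
            throw std::runtime_error("GetValueOut: value out of range");
        }
        total += v;
    }
    return total;
}

// Structural check that reports instead of throwing. Returns an empty string
// for a well-formed tx, otherwise a reject reason. This is what the harness
// should run before handing the tx to CheckTxInputs()/GetValueOut().
std::string CheckTransaction(const Tx& tx)
{
    if (tx.outputs.empty()) return "bad-txns-vout-empty";
    CAmount total = 0;
    for (CAmount v : tx.outputs) {
        if (v < 0) return "bad-txns-vout-negative";
        if (v > MAX_MONEY) return "bad-txns-vout-toolarge";
        total += v;  // each v <= MAX_MONEY, so this cannot overflow int64
        if (!MoneyRange(total)) return "bad-txns-txouttotal-toolarge";
    }
    return "";
}

// Harness pattern: validate first, only then run the throwing consensus path.
// Returns -1 for a malformed tx instead of propagating an exception.
CAmount HarnessValueOut(const Tx& tx)
{
    if (!CheckTransaction(tx).empty()) return -1;
    return GetValueOut(tx);  // safe: MoneyRange is guaranteed to hold here
}

// Helper for demonstrating the unguarded path without a try block at call sites.
bool GetValueOutThrows(const Tx& tx)
{
    try { GetValueOut(tx); } catch (const std::runtime_error&) { return true; }
    return false;
}
```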
Tested fae4ee5.
<details> <summary>Was able to reproduce with master (c85714863)</summary>
python infra/helper.py reproduce bitcoin-core coins_view clusterfuzz-testcase-minimized-coins_view-6109460079706112
Running: docker run --rm --privileged -i -v /home/jonas/oss-fuzz/build/out/bitcoin-core:/out -v /home/jonas/clusterfuzz-testcase-minimized-coins_view-6109460079706112:/testcase -t gcr.io/oss-fuzz-base/base-runner reproduce coins_view -runs=100
+ FUZZER=coins_view
+ shift
+ '[' '!' -v TESTCASE ']'
+ TESTCASE=/testcase
+ '[' '!' -f /testcase ']'
+ export RUN_FUZZER_MODE=interactive
+ RUN_FUZZER_MODE=interactive
+ export FUZZING_ENGINE=libfuzzer
+ FUZZING_ENGINE=libfuzzer
+ export SKIP_SEED_CORPUS=1
+ SKIP_SEED_CORPUS=1
+ run_fuzzer coins_view -runs=100 /testcase
/out/coins_view -rss_limit_mb=2560 -timeout=25 -runs=100 /testcase < /dev/null
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 310929130
INFO: Loaded 1 modules (177026 inline 8-bit counters): 177026 [0x55862ca7d158, 0x55862caa84da),
INFO: Loaded 1 PC tables (177026 PCs): 177026 [0x55862caa84e0,0x55862cd5bd00),
/out/coins_view: Running 1 inputs 100 time(s) each.
Running: /testcase
libc++abi: terminating with uncaught exception of type std::runtime_error: GetValueOut: value out of range
AddressSanitizer:DEADLYSIGNAL
=================================================================
=================================================================
==13==ERROR: AddressSanitizer: ABRT on unknown address 0x00000000000d (pc 0x7f321e8e7438 bp 0x7ffc67fe9cf0 sp 0x7ffc67fe9588 T0)
SCARINESS: 10 (signal)
#0 0x7f321e8e7438 in raise (/lib/x86_64-linux-gnu/libc.so.6+0x35438)
#1 0x7f321e8e9039 in abort (/lib/x86_64-linux-gnu/libc.so.6+0x37039)
#2 0x55862bf98fb5 in abort_message (/out/coins_view+0x1ad0fb5)
#3 0x55862bfa4e9e in demangling_terminate_handler() (/out/coins_view+0x1adce9e)
#4 0x55862bf98a22 in std::__terminate(void (*)()) (/out/coins_view+0x1ad0a22)
#5 0x55862bf9a775 in __cxxabiv1::failed_throw(__cxxabiv1::__cxa_exception*) (/out/coins_view+0x1ad2775)
#6 0x55862bf9a70f in __cxa_throw (/out/coins_view+0x1ad270f)
#7 0x55862bd7d512 in CTransaction::GetValueOut() const /src/bitcoin-core/src/primitives/transaction.cpp:88:13
#8 0x55862b0f30ab in Consensus::CheckTxInputs(CTransaction const&, TxValidationState&, CCoinsViewCache const&, int, long&) /src/bitcoin-core/src/consensus/tx_verify.cpp:186:34
#9 0x55862adfaf4c in coins_view_fuzz_target(Span<unsigned char const>)::$_12::operator()() const /src/bitcoin-core/src/test/fuzz/coins_view.cpp:233:23
#10 0x55862ade8b6f in void CallOneOf<coins_view_fuzz_target(Span<unsigned char const>)::$_10, coins_view_fuzz_target(Span<unsigned char const>)::$_11, coins_view_fuzz_target(Span<unsigned char const>)::$_12, coins_view_fuzz_target(Span<unsigned char const>)::$_13, coins_view_fuzz_target(Span<unsigned char const>)::$_14, coins_view_fuzz_target(Span<unsigned char const>)::$_15, coins_view_fuzz_target(Span<unsigned char const>)::$_16>(FuzzedDataProvider&, coins_view_fuzz_target(Span<unsigned char const>)::$_10, coins_view_fuzz_target(Span<unsigned char const>)::$_11, coins_view_fuzz_target(Span<unsigned char const>)::$_12, coins_view_fuzz_target(Span<unsigned char const>)::$_13, coins_view_fuzz_target(Span<unsigned char const>)::$_14, coins_view_fuzz_target(Span<unsigned char const>)::$_15, coins_view_fuzz_target(Span<unsigned char const>)::$_16) /src/bitcoin-core/src/./test/fuzz/util.h:47:34
#11 0x55862ade791a in coins_view_fuzz_target(Span<unsigned char const>) /src/bitcoin-core/src/test/fuzz/coins_view.cpp:191:9
#12 0x55862ad0a8d6 in decltype(std::__1::forward<void (*&)(Span<unsigned char const>)>(fp)(std::__1::forward<Span<unsigned char const> >(fp0))) std::__1::__invoke<void (*&)(Span<unsigned char const>), Span<unsigned char const> >(void (*&)(Span<unsigned char const>), Span<unsigned char const>&&) /usr/local/bin/../include/c++/v1/type_traits:3679:1
#13 0x55862ad0a7d1 in void std::__1::__invoke_void_return_wrapper<void>::__call<void (*&)(Span<unsigned char const>), Span<unsigned char const> >(void (*&)(Span<unsigned char const>), Span<unsigned char const>&&) /usr/local/bin/../include/c++/v1/__functional_base:348:9
#14 0x55862ad0a721 in std::__1::__function::__alloc_func<void (*)(Span<unsigned char const>), std::__1::allocator<void (*)(Span<unsigned char const>)>, void (Span<unsigned char const>)>::operator()(Span<unsigned char const>&&) /usr/local/bin/../include/c++/v1/functional:1558:16
#15 0x55862ad07a0b in std::__1::__function::__func<void (*)(Span<unsigned char const>), std::__1::allocator<void (*)(Span<unsigned char const>)>, void (Span<unsigned char const>)>::operator()(Span<unsigned char const>&&) /usr/local/bin/../include/c++/v1/functional:1732:12
#16 0x55862bd6ec95 in std::__1::__function::__value_func<void (Span<unsigned char const>)>::operator()(Span<unsigned char const>&&) const /usr/local/bin/../include/c++/v1/functional:1885:16
#17 0x55862bd69b35 in std::__1::function<void (Span<unsigned char const>)>::operator()(Span<unsigned char const>) const /usr/local/bin/../include/c++/v1/functional:2560:12
#18 0x55862bd698a1 in LLVMFuzzerTestOneInput /src/bitcoin-core/src/test/fuzz/fuzz.cpp:74:5
#19 0x55862ac07d53 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15
#20 0x55862abf1b62 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6
#21 0x55862abf79aa in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:856:9
#22 0x55862ac23692 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#23 0x7f321e8d283f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
#24 0x55862abcc818 in _start (/out/coins_view+0x704818)
DEDUP_TOKEN: raise--abort--abort_message
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: ABRT (/lib/x86_64-linux-gnu/libc.so.6+0x35438) in raise
==13==ABORTING
</details>
<details> <summary>Verified there is no crash with fae4ee5</summary>
python infra/helper.py reproduce bitcoin-core coins_view clusterfuzz-testcase-minimized-coins_view-6109460079706112
Running: docker run --rm --privileged -i -v /home/jonas/oss-fuzz/build/out/bitcoin-core:/out -v /home/jonas/clusterfuzz-testcase-minimized-coins_view-6109460079706112:/testcase -t gcr.io/oss-fuzz-base/base-runner reproduce coins_view -runs=100
+ FUZZER=coins_view
+ shift
+ '[' '!' -v TESTCASE ']'
+ TESTCASE=/testcase
+ '[' '!' -f /testcase ']'
+ export RUN_FUZZER_MODE=interactive
+ RUN_FUZZER_MODE=interactive
+ export FUZZING_ENGINE=libfuzzer
+ FUZZING_ENGINE=libfuzzer
+ export SKIP_SEED_CORPUS=1
+ SKIP_SEED_CORPUS=1
+ run_fuzzer coins_view -runs=100 /testcase
/out/coins_view -rss_limit_mb=2560 -timeout=25 -runs=100 /testcase < /dev/null
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 2597972927
INFO: Loaded 1 modules (177031 inline 8-bit counters): 177031 [0x5619464791d8, 0x5619464a455f),
INFO: Loaded 1 PC tables (177031 PCs): 177031 [0x5619464a4560,0x561946757dd0),
/out/coins_view: Running 1 inputs 100 time(s) each.
Running: /testcase
Executed /testcase in 60 ms
***
*** NOTE: fuzzing was not performed, you have only
*** executed the target code on a fixed set of inputs.
</details>
Of course you can reproduce this inside Docker, if you want, but the recommended way to reproduce is to use "your build and test system" (https://google.github.io/oss-fuzz/advanced-topics/reproducing/#fuzz-target-bugs). This would be https://github.com/bitcoin/bitcoin/blob/master/doc/fuzzing.md .
Docker can always be used as a backup in case it is not trivial to build with the sanitizers for the given architecture.
cr ACK fae4ee545a652cc2934773b0e1fdb9004b0c5ba6: patch looks correct :)