UndefinedBehaviorSanitizer: stack-overflow in miniscript (descriptor_parse) #25824

issue MarcoFalke openend this issue on August 11, 2022
  1. MarcoFalke commented at 4:23 pm on August 11, 2022: member

    To reproduce:

    0wget https://github.com/bitcoin/bitcoin/files/9309619/crash-2f09727aed5aca089c341208564876bc9c096ebf.bin.not.txt
1FUZZ=descriptor_parse ./src/test/fuzz/fuzz ./crash-2f09727aed5aca089c341208564876bc9c096ebf.bin.not.txt  -rss_limit_mb=1000

     0==119584==ERROR: UndefinedBehaviorSanitizer: stack-overflow on address 0x7ffcf4e35ff8 (pc 0x55a9a0f40e0c bp 0x7ffcf4e36010 sp 0x7ffcf4e36000 T119584)
 1    [#0](/bitcoin-bitcoin/0/) 0x55a9a0f40e0c in void __gnu_cxx::new_allocator<miniscript::Node<unsigned int>>::destroy<miniscript::Node<unsigned int> const>(miniscript::Node<unsigned int> const*) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/ext/new_allocator.h:152
 2    [#1](/bitcoin-bitcoin/1/) 0x55a9a0f3c96b in void std::allocator_traits<std::allocator<miniscript::Node<unsigned int>>>::destroy<miniscript::Node<unsigned int> const>(std::allocator<miniscript::Node<unsigned int>>&, miniscript::Node<unsigned int> const*) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/alloc_traits.h:496:8
 3    [#2](/bitcoin-bitcoin/2/) 0x55a9a0f3c96b in std::_Sp_counted_ptr_inplace<miniscript::Node<unsigned int> const, std::allocator<miniscript::Node<unsigned int>>, (__gnu_cxx::_Lock_policy)2>::_M_dispose() /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/shared_ptr_base.h:557:2
 4    [#3](/bitcoin-bitcoin/3/) 0x55a9a0f40eec in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/shared_ptr_base.h:155:6
 5    [#4](/bitcoin-bitcoin/4/) 0x55a9a0f40eec in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/shared_ptr_base.h:730:11
 6    [#5](/bitcoin-bitcoin/5/) 0x55a9a0f40eec in std::__shared_ptr<miniscript::Node<unsigned int> const, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr() /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/shared_ptr_base.h:1169:31
 7    [#6](/bitcoin-bitcoin/6/) 0x55a9a0f40eec in void std::_Destroy<std::shared_ptr<miniscript::Node<unsigned int> const>>(std::shared_ptr<miniscript::Node<unsigned int> const>*) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/stl_construct.h:98:19
 8    [#7](/bitcoin-bitcoin/7/) 0x55a9a0f40eec in void std::_Destroy_aux<false>::__destroy<std::shared_ptr<miniscript::Node<unsigned int> const>*>(std::shared_ptr<miniscript::Node<unsigned int> const>*, std::shared_ptr<miniscript::Node<unsigned int> const>*) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/stl_construct.h:108:6
 9    [#8](/bitcoin-bitcoin/8/) 0x55a9a0f40eec in void std::_Destroy<std::shared_ptr<miniscript::Node<unsigned int> const>*>(std::shared_ptr<miniscript::Node<unsigned int> const>*, std::shared_ptr<miniscript::Node<unsigned int> const>*) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/stl_construct.h:136:7
10    [#9](/bitcoin-bitcoin/9/) 0x55a9a0f40eec in void std::_Destroy<std::shared_ptr<miniscript::Node<unsigned int> const>*, std::shared_ptr<miniscript::Node<unsigned int> const>>(std::shared_ptr<miniscript::Node<unsigned int> const>*, std::shared_ptr<miniscript::Node<unsigned int> const>*, std::allocator<std::shared_ptr<miniscript::Node<unsigned int> const>>&) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/stl_construct.h:206:7
11    [#10](/bitcoin-bitcoin/10/) 0x55a9a0f40eec in std::vector<std::shared_ptr<miniscript::Node<unsigned int> const>, std::allocator<std::shared_ptr<miniscript::Node<unsigned int> const>>>::~vector() /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/stl_vector.h:677:2
12    [#11](/bitcoin-bitcoin/11/) 0x55a9a0f40eec in miniscript::Node<unsigned int>::~Node() src/./script/miniscript.h:185:31
13    [#12](/bitcoin-bitcoin/12/) 0x55a9a0f40eec in void __gnu_cxx::new_allocator<miniscript::Node<unsigned int>>::destroy<miniscript::Node<unsigned int> const>(miniscript::Node<unsigned int> const*) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/ext/new_allocator.h:152:10
14    [#13](/bitcoin-bitcoin/13/) 0x55a9a0f3c96b in void std::allocator_traits<std::allocator<miniscript::Node<unsigned int>>>::destroy<miniscript::Node<unsigned int> const>(std::allocator<miniscript::Node<unsigned int>>&, miniscript::Node<unsigned int> const*) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/alloc_traits.h:496:8
15    [#14](/bitcoin-bitcoin/14/) 0x55a9a0f3c96b in std::_Sp_counted_ptr_inplace<miniscript::Node<unsigned int> const, std::allocator<miniscript::Node<unsigned int>>, (__gnu_cxx::_Lock_policy)2>::_M_dispose() /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/shared_ptr_base.h:557:2
16...
17...
18...
19+/9/bits/stl_vector.h:677:2
20    [#1475](/bitcoin-bitcoin/1475/) 0x55a9a0f40eec in miniscript::Node<unsigned int>::~Node() src/./script/miniscript.h:185:31
21    [#1476](/bitcoin-bitcoin/1476/) 0x55a9a0f40eec in void __gnu_cxx::new_allocator<miniscript::Node<unsigned int>>::destroy<miniscript::Node<unsigned int> const>(miniscript::Node<unsigned int> const*) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/ext/new_allocator.h:152:10
22    [#1477](/bitcoin-bitcoin/1477/) 0x55a9a0f3c96b in void std::allocator_traits<std::allocator<miniscript::Node<unsigned int>>>::destroy<miniscript::Node<unsigned int> const>(std::allocator<miniscript::Node<unsigned int>>&, miniscript::Node<unsigned int> const*) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/alloc_traits.h:496:8
23    [#1478](/bitcoin-bitcoin/1478/) 0x55a9a0f3c96b in std::_Sp_counted_ptr_inplace<miniscript::Node<unsigned int> const, std::allocator<miniscript::Node<unsigned int>>, (__gnu_cxx::_Lock_policy)2>::_M_dispose() /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/shared_ptr_base.h:557:2
24    [#1479](/bitcoin-bitcoin/1479/) 0x55a9a0f40eec in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/shared_ptr_base.h:155:6
25    [#1480](/bitcoin-bitcoin/1480/) 0x55a9a0f40eec in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/shared_ptr_base.h:730:11
26    [#1481](/bitcoin-bitcoin/1481/) 0x55a9a0f40eec in std::__shared_ptr<miniscript::Node<unsigned int> const, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr() /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/shared_ptr_base.h:1169:31
27    [#1482](/bitcoin-bitcoin/1482/) 0x55a9a0f40eec in void std::_Destroy<std::shared_ptr<miniscript::Node<unsigned int> const>>(std::shared_ptr<miniscript::Node<unsigned int> const>*) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/stl_construct.h:98:19
28    [#1483](/bitcoin-bitcoin/1483/) 0x55a9a0f40eec in void std::_Destroy_aux<false>::__destroy<std::shared_ptr<miniscript::Node<unsigned int> const>*>(std::shared_ptr<miniscript::Node<unsigned int> const>*, std::shared_ptr<miniscript::Node<unsigned int> const>*) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/stl_construct.h:108:6
29    [#1484](/bitcoin-bitcoin/1484/) 0x55a9a0f40eec in void std::_Destroy<std::shared_ptr<miniscript::Node<unsigned int> const>*>(std::shared_ptr<miniscript::Node<unsigned int> const>*, std::shared_ptr<miniscript::Node<unsigned int> const>*) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/stl_construct.h:136:7
30    [#1485](/bitcoin-bitcoin/1485/) 0x55a9a0f40eec in void std::_Destroy<std::shared_ptr<miniscript::Node<unsigned int> const>*, std::shared_ptr<miniscript::Node<unsigned int> const>>(std::shared_ptr<miniscript::Node<unsigned int> const>*, std::shared_ptr<miniscript::Node<unsigned int> const>*, std::allocator<std::shared_ptr<miniscript::Node<unsigned int> const>>&) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/stl_construct.h:206:7
31    [#1486](/bitcoin-bitcoin/1486/) 0x55a9a0f40eec in std::vector<std::shared_ptr<miniscript::Node<unsigned int> const>, std::allocator<std::shared_ptr<miniscript::Node<unsigned int> const>>>::~vector() /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/stl_vector.h:677:2
32    [#1487](/bitcoin-bitcoin/1487/) 0x55a9a0f40eec in miniscript::Node<unsigned int>::~Node() src/./script/miniscript.h:185:31
33    [#1488](/bitcoin-bitcoin/1488/) 0x55a9a0f40eec in void __gnu_cxx::new_allocator<miniscript::Node<unsigned int>>::destroy<miniscript::Node<unsigned int> const>(miniscript::Node<unsigned int> const*) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/ext/new_allocator.h:152:10
34
35SUMMARY: UndefinedBehaviorSanitizer: stack-overflow /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/ext/new_allocator.h:152 in void __gnu_cxx::new_allocator<miniscript::Node<unsigned int>>::destroy<miniscript::Node<unsigned int> const>(miniscript::Node<unsigned int> const*)
  2. MarcoFalke added the label Bug on Aug 11, 2022
  3. MarcoFalke commented at 4:25 pm on August 11, 2022: member
    Maybe this can be fixed by limiting the input length for the fuzz test and RPC (I presume it is also reproducible there)?
  4. MarcoFalke commented at 7:46 am on August 12, 2022: member
    Or maybe this is already fixed by #25540? I might re-check once that pull is merged.
  5. darosior commented at 7:47 am on August 14, 2022: member
    Yes, #25540 does intend to fix this crash. I’ll edit the OP to mark it as such.
  6. fanquake added this to the milestone 24.0 on Sep 15, 2022
  7. glozow closed this on Sep 19, 2022
  8. sidhujag referenced this in commit a06877b1b4 on Sep 20, 2022
  9. bitcoin locked this on Sep 19, 2023


MarcoFalke darosior

Labels
Bug

Milestone
24.0

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-07-08 19:13 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me