UndefinedBehaviorSanitizer: stack-overflow in miniscript (descriptor_parse) #25824

issue MarcoFalke opened this issue on August 11, 2022
  1. MarcoFalke commented at 4:23 PM on August 11, 2022: member

    To reproduce:

    wget https://github.com/bitcoin/bitcoin/files/9309619/crash-2f09727aed5aca089c341208564876bc9c096ebf.bin.not.txt
    FUZZ=descriptor_parse ./src/test/fuzz/fuzz ./crash-2f09727aed5aca089c341208564876bc9c096ebf.bin.not.txt  -rss_limit_mb=1000
    
    ==119584==ERROR: UndefinedBehaviorSanitizer: stack-overflow on address 0x7ffcf4e35ff8 (pc 0x55a9a0f40e0c bp 0x7ffcf4e36010 sp 0x7ffcf4e36000 T119584)
        #0 0x55a9a0f40e0c in void __gnu_cxx::new_allocator<miniscript::Node<unsigned int>>::destroy<miniscript::Node<unsigned int> const>(miniscript::Node<unsigned int> const*) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/ext/new_allocator.h:152
        #1 0x55a9a0f3c96b in void std::allocator_traits<std::allocator<miniscript::Node<unsigned int>>>::destroy<miniscript::Node<unsigned int> const>(std::allocator<miniscript::Node<unsigned int>>&, miniscript::Node<unsigned int> const*) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/alloc_traits.h:496:8
        #2 0x55a9a0f3c96b in std::_Sp_counted_ptr_inplace<miniscript::Node<unsigned int> const, std::allocator<miniscript::Node<unsigned int>>, (__gnu_cxx::_Lock_policy)2>::_M_dispose() /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/shared_ptr_base.h:557:2
        #3 0x55a9a0f40eec in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/shared_ptr_base.h:155:6
        #4 0x55a9a0f40eec in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/shared_ptr_base.h:730:11
        #5 0x55a9a0f40eec in std::__shared_ptr<miniscript::Node<unsigned int> const, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr() /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/shared_ptr_base.h:1169:31
        #6 0x55a9a0f40eec in void std::_Destroy<std::shared_ptr<miniscript::Node<unsigned int> const>>(std::shared_ptr<miniscript::Node<unsigned int> const>*) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/stl_construct.h:98:19
        #7 0x55a9a0f40eec in void std::_Destroy_aux<false>::__destroy<std::shared_ptr<miniscript::Node<unsigned int> const>*>(std::shared_ptr<miniscript::Node<unsigned int> const>*, std::shared_ptr<miniscript::Node<unsigned int> const>*) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/stl_construct.h:108:6
        #8 0x55a9a0f40eec in void std::_Destroy<std::shared_ptr<miniscript::Node<unsigned int> const>*>(std::shared_ptr<miniscript::Node<unsigned int> const>*, std::shared_ptr<miniscript::Node<unsigned int> const>*) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/stl_construct.h:136:7
        #9 0x55a9a0f40eec in void std::_Destroy<std::shared_ptr<miniscript::Node<unsigned int> const>*, std::shared_ptr<miniscript::Node<unsigned int> const>>(std::shared_ptr<miniscript::Node<unsigned int> const>*, std::shared_ptr<miniscript::Node<unsigned int> const>*, std::allocator<std::shared_ptr<miniscript::Node<unsigned int> const>>&) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/stl_construct.h:206:7
        #10 0x55a9a0f40eec in std::vector<std::shared_ptr<miniscript::Node<unsigned int> const>, std::allocator<std::shared_ptr<miniscript::Node<unsigned int> const>>>::~vector() /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/stl_vector.h:677:2
        #11 0x55a9a0f40eec in miniscript::Node<unsigned int>::~Node() src/./script/miniscript.h:185:31
        #12 0x55a9a0f40eec in void __gnu_cxx::new_allocator<miniscript::Node<unsigned int>>::destroy<miniscript::Node<unsigned int> const>(miniscript::Node<unsigned int> const*) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/ext/new_allocator.h:152:10
        #13 0x55a9a0f3c96b in void std::allocator_traits<std::allocator<miniscript::Node<unsigned int>>>::destroy<miniscript::Node<unsigned int> const>(std::allocator<miniscript::Node<unsigned int>>&, miniscript::Node<unsigned int> const*) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/alloc_traits.h:496:8
        #14 0x55a9a0f3c96b in std::_Sp_counted_ptr_inplace<miniscript::Node<unsigned int> const, std::allocator<miniscript::Node<unsigned int>>, (__gnu_cxx::_Lock_policy)2>::_M_dispose() /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/shared_ptr_base.h:557:2
    ...
    ...
    ...
    +/9/bits/stl_vector.h:677:2
        #1475 0x55a9a0f40eec in miniscript::Node<unsigned int>::~Node() src/./script/miniscript.h:185:31
        #1476 0x55a9a0f40eec in void __gnu_cxx::new_allocator<miniscript::Node<unsigned int>>::destroy<miniscript::Node<unsigned int> const>(miniscript::Node<unsigned int> const*) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/ext/new_allocator.h:152:10
        #1477 0x55a9a0f3c96b in void std::allocator_traits<std::allocator<miniscript::Node<unsigned int>>>::destroy<miniscript::Node<unsigned int> const>(std::allocator<miniscript::Node<unsigned int>>&, miniscript::Node<unsigned int> const*) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/alloc_traits.h:496:8
        #1478 0x55a9a0f3c96b in std::_Sp_counted_ptr_inplace<miniscript::Node<unsigned int> const, std::allocator<miniscript::Node<unsigned int>>, (__gnu_cxx::_Lock_policy)2>::_M_dispose() /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/shared_ptr_base.h:557:2
        #1479 0x55a9a0f40eec in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/shared_ptr_base.h:155:6
        #1480 0x55a9a0f40eec in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/shared_ptr_base.h:730:11
        #1481 0x55a9a0f40eec in std::__shared_ptr<miniscript::Node<unsigned int> const, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr() /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/shared_ptr_base.h:1169:31
        #1482 0x55a9a0f40eec in void std::_Destroy<std::shared_ptr<miniscript::Node<unsigned int> const>>(std::shared_ptr<miniscript::Node<unsigned int> const>*) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/stl_construct.h:98:19
        #1483 0x55a9a0f40eec in void std::_Destroy_aux<false>::__destroy<std::shared_ptr<miniscript::Node<unsigned int> const>*>(std::shared_ptr<miniscript::Node<unsigned int> const>*, std::shared_ptr<miniscript::Node<unsigned int> const>*) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/stl_construct.h:108:6
        #1484 0x55a9a0f40eec in void std::_Destroy<std::shared_ptr<miniscript::Node<unsigned int> const>*>(std::shared_ptr<miniscript::Node<unsigned int> const>*, std::shared_ptr<miniscript::Node<unsigned int> const>*) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/stl_construct.h:136:7
        #1485 0x55a9a0f40eec in void std::_Destroy<std::shared_ptr<miniscript::Node<unsigned int> const>*, std::shared_ptr<miniscript::Node<unsigned int> const>>(std::shared_ptr<miniscript::Node<unsigned int> const>*, std::shared_ptr<miniscript::Node<unsigned int> const>*, std::allocator<std::shared_ptr<miniscript::Node<unsigned int> const>>&) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/stl_construct.h:206:7
        #1486 0x55a9a0f40eec in std::vector<std::shared_ptr<miniscript::Node<unsigned int> const>, std::allocator<std::shared_ptr<miniscript::Node<unsigned int> const>>>::~vector() /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/stl_vector.h:677:2
        #1487 0x55a9a0f40eec in miniscript::Node<unsigned int>::~Node() src/./script/miniscript.h:185:31
        #1488 0x55a9a0f40eec in void __gnu_cxx::new_allocator<miniscript::Node<unsigned int>>::destroy<miniscript::Node<unsigned int> const>(miniscript::Node<unsigned int> const*) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/ext/new_allocator.h:152:10
    
    SUMMARY: UndefinedBehaviorSanitizer: stack-overflow /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/ext/new_allocator.h:152 in void __gnu_cxx::new_allocator<miniscript::Node<unsigned int>>::destroy<miniscript::Node<unsigned int> const>(miniscript::Node<unsigned int> const*)
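    The trace above repeats the same cycle once per nesting level of the parsed expression: `~Node()` runs `~vector()` on its `subs`, which releases a `shared_ptr` to a child, whose `_M_dispose()` runs the child's `~Node()`, and so on. Each level of nesting costs roughly a dozen stack frames, so a sufficiently nested descriptor exhausts the stack in the destructor rather than in the parser. The following is an added example written for this page; it is not code from the issue, from #25540, or from Bitcoin Core, and whether the project's fix took this form is not stated here. It builds a toy tree with the same `std::vector<std::shared_ptr<...>>` ownership shape in two variants: `NaiveNode` uses the compiler-generated destructor and recurses once per level, while `Node` drains its subtree through an explicit worklist so the destructor chain stays one level deep no matter how deeply the input was nested. The names `NaiveNode`, `Node`, `BuildChain`, `DestroyChain` and the `g_destroyed` counter are all assumptions of this example.

```cpp
#include <cassert>
#include <cstddef>
#include <memory>
#include <utility>
#include <vector>

// Counts how many node destructors actually ran, so the check below can
// confirm that every node in the tree was released (example-only counter).
std::size_t g_destroyed = 0;

// Variant 1: the ownership shape from the trace with a default destructor.
// ~NaiveNode -> ~vector -> ~shared_ptr -> ~NaiveNode ... recurses once per
// nesting level, which is exactly the frame pattern the sanitizer reported.
struct NaiveNode {
    std::vector<std::shared_ptr<NaiveNode>> subs;
    ~NaiveNode() { ++g_destroyed; }
};

// Variant 2: same data layout, but the destructor tears the subtree down
// iteratively. Children are moved out of each node before that node is
// released, so every child's own ~Node() sees an empty `subs` and returns
// without descending further.
struct Node {
    std::vector<std::shared_ptr<Node>> subs;

    ~Node() {
        // Take ownership of our direct children; `subs` is left empty.
        std::vector<std::shared_ptr<Node>> worklist(std::move(subs));
        while (!worklist.empty()) {
            std::shared_ptr<Node> cur = std::move(worklist.back());
            worklist.pop_back();
            if (cur.use_count() == 1) {
                // We hold the last reference: steal its children so that
                // releasing `cur` below does not recurse into them.
                for (auto& s : cur->subs) worklist.push_back(std::move(s));
                cur->subs.clear();
            }
            // `cur` is released here with an empty `subs`: one frame deep.
        }
        ++g_destroyed;
    }
};

// Build a degenerate tree: a single chain of `depth` nodes, each the only
// child of the previous one (constructed input, worst case for recursion).
template <typename N>
std::shared_ptr<N> BuildChain(std::size_t depth) {
    auto root = std::make_shared<N>();
    N* cur = root.get();
    for (std::size_t i = 1; i < depth; ++i) {
        cur->subs.push_back(std::make_shared<N>());
        cur = cur->subs.back().get();
    }
    return root;
}

// Build a chain, drop the only reference to it, and report how many
// destructors ran. Returns `depth` when the whole tree was freed.
template <typename N>
std::size_t DestroyChain(std::size_t depth) {
    g_destroyed = 0;
    {
        std::shared_ptr<N> root = BuildChain<N>(depth);
    }  // root goes out of scope: the entire tree is released here
    return g_destroyed;
}

int main() {
    // At modest depth both variants finish.
    assert(DestroyChain<NaiveNode>(1000) == 1000);
    // At fuzzer-scale depth only the worklist destructor survives; NaiveNode
    // at this depth would recurse into the stack-overflow shown in the report.
    assert(DestroyChain<Node>(300000) == 300000);
    return 0;
}
```

    The `use_count() == 1` test matters when nodes are shared between parents: a child still referenced elsewhere is simply dropped from the worklist, and its real release (and the draining of its own children) happens whenever its last owner goes away, again without recursion. Capping input size, as suggested in the next comment, bounds the depth at the parser instead; the iterative destructor removes the dependency on that cap.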
    
  2. MarcoFalke added the label Bug on Aug 11, 2022
  3. MarcoFalke commented at 4:25 PM on August 11, 2022: member

    Maybe this can be fixed by limiting the input length for the fuzz test and RPC (I presume it is also reproducible there)?

  4. MarcoFalke commented at 7:46 AM on August 12, 2022: member

    Or maybe this is already fixed by #25540? I might re-check once that pull is merged.

  5. darosior commented at 7:47 AM on August 14, 2022: member

    Yes, #25540 does intend to fix this crash. I'll edit the OP to mark it as such.

  6. fanquake added this to the milestone 24.0 on Sep 15, 2022
  7. glozow closed this on Sep 19, 2022

  8. sidhujag referenced this in commit a06877b1b4 on Sep 20, 2022
  9. bitcoin locked this on Sep 19, 2023
Linked
#25540 miniscript: avoid wasteful computation, prevent memory blowup when fuzzing

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-05-02 21:13 UTC

This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me