wallet: Fix use-after-free in WalletBatch::EraseRecords #29176

pull maflcko wants to merge 1 commits into bitcoin:master from maflcko:2401-wallet-fix-a-bug- changing 1 files +2 −2
  1. maflcko commented at 11:23 am on January 4, 2024: member

    Creating a copy of the pointer to the underlying data of the stream is not enough to copy the data.

    Currently this happens to work sometimes, because the stream may not immediately free unused memory. However, there is no guarantee by the stream interface to always behave this way. Also, if vector::clear is called on the underlying memory, any pointers to it are invalid.

    Fix this, by creating a full copy of all bytes.

  2. wallet: Fix use-after-free in WalletBatch::EraseRecords faebf1df2a
  3. DrahtBot commented at 11:23 am on January 4, 2024: contributor

    The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

    Code Coverage

    For detailed information about the code coverage, see the test coverage report.

    Reviews

    See the guideline for information on the review process.

    Type Reviewers
    ACK achow101

    If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.

  4. DrahtBot added the label Wallet on Jan 4, 2024
  5. maflcko commented at 11:28 am on January 4, 2024: member

    I believe this bug existed since the code was written in commit 22401f17e026ead4bc3fe96967eec56a719a4f75.

    If one wants to trigger the bug in any c++ standard library, forcing a clear to also shrink may work:

     0diff --git a/src/streams.h b/src/streams.h
     1index bc04a2babd..26320db602 100644
     2--- a/src/streams.h
     3+++ b/src/streams.h
     4@@ -10,6 +10,7 @@
     5 #include <span.h>
     6 #include <support/allocators/zeroafterfree.h>
     7 #include <util/overflow.h>
     8+#include <util/vector.h>
     9 
    10 #include <algorithm>
    11 #include <assert.h>
    12@@ -227,7 +228,7 @@ public:
    13         memcpy(dst.data(), &vch[m_read_pos], dst.size());
    14         if (next_read_pos.value() == vch.size()) {
    15             m_read_pos = 0;
    16-            vch.clear();
    17+            ClearShrink(vch);//.clear();
    18             return;
    19         }
    20         m_read_pos = next_read_pos.value();
    

    This should then crash tests, such as:

    0./test/functional/test_runner.py --valgrind wallet_migration
    1valgrind ./src/test/test_bitcoin -t walletdb_tests  --catch_system_errors=no
    

    An alternative would be to assert early when a clear happened:

     0diff --git a/src/wallet/walletdb.cpp b/src/wallet/walletdb.cpp
     1index 9820c7c0ee..dbdd4181c4 100644
     2--- a/src/wallet/walletdb.cpp
     3+++ b/src/wallet/walletdb.cpp
     4@@ -1406,4 +1406,8 @@ bool WalletBatch::EraseRecords(const std::unordered_set<std::string>& types)
     5         std::string type;
     6         key >> type;
     7+        if(key.size()==0){
     8+         std::cout << type << std::endl;
     9+         assert(key.size());
    10+        }
    11 
    12         if (types.count(type) > 0) {
    

    This shows that the violating keys are:

    • hdchain for the unit test walletdb_tests
    • flags for wallet_migration.py
  6. maflcko added the label Needs backport (24.x) on Jan 4, 2024
  7. maflcko added the label Needs backport (25.x) on Jan 4, 2024
  8. maflcko added the label Needs backport (26.x) on Jan 4, 2024
  9. achow101 commented at 3:10 pm on January 4, 2024: member
    ACK faebf1df2afe207f5d2d4f73f50ac66824fe34bb
  10. achow101 merged this on Jan 4, 2024
  11. achow101 closed this on Jan 4, 2024

  12. maflcko deleted the branch on Jan 4, 2024
  13. fanquake removed the label Needs backport (26.x) on Jan 4, 2024
  14. fanquake referenced this in commit edfef48d0c on Jan 4, 2024
  15. fanquake commented at 3:38 pm on January 4, 2024: member
    Backported to 26.x in #29011.
  16. fanquake referenced this in commit ccf00b1e6e on Jan 4, 2024
  17. glozow referenced this in commit 04edf9f586 on Jan 9, 2024
  18. achow101 referenced this in commit cf0f43ee42 on Feb 21, 2024
  19. achow101 commented at 11:56 pm on February 21, 2024: member
    Backported to 25.x in #29464
  20. achow101 removed the label Needs backport (25.x) on Feb 21, 2024

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-12-21 15:12 UTC

This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me