fuzz, rpc: Internal bug in finalizepsbt “CHECK_NONFATAL(last - first == 32)” #29851

issue dergoegge opened this issue on April 11, 2024
  1. dergoegge commented at 12:52 pm on April 11, 2024: member
    $ echo "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" | base64 --decode > rpc-36c31074f1f8e97885c2957d0b327b2e7f334cbc.crash
    $ FUZZ=rpc ./src/test/fuzz/fuzz rpc-36c31074f1f8e97885c2957d0b327b2e7f334cbc.crash
    fuzz_libfuzzer: test/fuzz/rpc.cpp:385: void rpc_fuzz_target(FuzzBufferType): Assertion `error_msg.find("trigger_internal_bug") != std::string::npos' failed.
    
  2. achow101 commented at 12:58 pm on April 11, 2024: member

    The CHECK_NONFATAL is in FromPKBytes: https://github.com/bitcoin/bitcoin/blob/bdb33ec51986570ea17406c83bad2c955ae23186/src/script/sign.cpp#L298 which is called when getting the miniscript for a script.

    This particular script is 173d36c8c9c9c9ffffffffffff0200000000021e1e37373721361818181818181e1e1e1e19000000000000000000b19292929292926b006c9b9b9292

  3. achow101 commented at 12:59 pm on April 11, 2024: member
  4. maflcko added the label RPC/REST/ZMQ on Apr 11, 2024
  5. maflcko added the label Bug on Apr 11, 2024
  6. maflcko commented at 1:03 pm on April 11, 2024: member
    I don’t think this is a fuzz issue. The RPC is finalizepsbt, and it should be possible to hit it in the finalizepsbt RPC as well.
  7. dergoegge renamed this:
    fuzz: Crash in `rpc` "CHECK_NONFATAL(last - first == 32)"
    fuzz, rpc: Internal bug in `finalizepsbt` "CHECK_NONFATAL(last - first == 32)"
    on Apr 11, 2024
  8. maflcko commented at 1:18 pm on April 11, 2024: member

    Somewhat smaller input for the RPC:

    $ ./src/bitcoin-cli finalizepsbt 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 
    
    error code: -1
    error message:
    Internal bug detected: last - first == 32
    script/sign.cpp:298 (FromPKBytes)
    Bitcoin Core v27.99.0-3f6a6da3b08d-dirty
    
  9. darosior commented at 2:01 pm on April 11, 2024: member

    A repro as a unit test:

    // Belongs in a Bitcoin Core test file, inside a BOOST_FIXTURE_TEST_SUITE(..., BasicTestingSetup).
    #include <addresstype.h>            // GetScriptForDestination
    #include <primitives/transaction.h>
    #include <pubkey.h>                 // XOnlyPubKey
    #include <script/interpreter.h>     // TaprootBuilder
    #include <script/sign.h>            // SignSignature, SignatureData
    #include <script/signingprovider.h> // FillableSigningProvider
    #include <test/util/setup_common.h>
    #include <util/strencodings.h>      // ParseHex
    #include <boost/test/unit_test.hpp>

    BOOST_AUTO_TEST_CASE(sign_invalid_miniscript)
    {
        FillableSigningProvider keystore;
        SignatureData sig_data;
        CMutableTransaction prev, curr;

        // Tapscript leaf from the crash input; its pubkey push is not 32 bytes.
        const auto invalid_pubkey{ParseHex("173d36c8c9c9c9ffffffffffff0200000000021e1e37373721361818181818181e1e1e1e19000000000000000000b19292929292926b006c9b9b9292")};
        TaprootBuilder builder;
        builder.Add(0, {invalid_pubkey}, 0xc0);
        XOnlyPubKey dummy{ParseHex("50929b74c1a04954b78b4b6035e97a5e078a5a0f28ec96d547bfee9ace803ac0")}; // internal key
        builder.Finalize(dummy);
        prev.vout.emplace_back(0, GetScriptForDestination(builder.GetOutput()));
        curr.vin.emplace_back(COutPoint{prev.GetHash(), 0});
        sig_data.tr_spenddata = builder.GetSpendData();

        // Signing runs the leaf script through the miniscript decoder, which reaches CHECK_NONFATAL in FromPKBytes.
        SignSignature(keystore, CTransaction(prev), curr, 0, SIGHASH_ALL, sig_data);
    }
    
  10. fanquake closed this on Apr 24, 2024

  11. fanquake referenced this in commit c143244ce3 on Apr 24, 2024
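
The failure mode in this thread is an internal-consistency assertion (CHECK_NONFATAL in FromPKBytes, per achow101's comment) sitting on a length that is controlled by whoever supplies the PSBT, so a malformed pubkey push in a tapscript leaf surfaces as an "Internal bug detected" RPC error instead of a parse failure. The block below is an added illustration of that contrast and is not Bitcoin Core's code nor the code of the commit fanquake referenced: FromPKBytesAsserting, FromPKBytesChecked, CHECK_NONFATAL_DEMO, XOnlyKey and the sample byte strings are all constructed stand-ins. The asserting variant models CHECK_NONFATAL as throwing (which is how Bitcoin Core turns it into an RPC error), the checked variant treats a wrong-length key as invalid input and returns nullopt.

```cpp
// Added illustration (not Bitcoin Core code): a tapscript key parser in the
// style of FromPKBytes, once asserting on the key length and once rejecting it.
#include <algorithm>
#include <array>
#include <cstddef>
#include <cstdint>
#include <optional>
#include <stdexcept>
#include <vector>

namespace {

// Stand-in for the exception CHECK_NONFATAL throws; the RPC layer reports it
// as "Internal bug detected: <condition>".
struct NonFatalCheckError : std::runtime_error {
    using std::runtime_error::runtime_error;
};

#define CHECK_NONFATAL_DEMO(cond) \
    do { if (!(cond)) throw NonFatalCheckError("Internal bug detected: " #cond); } while (0)

using XOnlyKey = std::array<uint8_t, 32>; // tapscript keys are 32-byte x-only keys

// "Before": the length of script-supplied bytes is asserted, so any pubkey push
// that is not exactly 32 bytes becomes an internal-bug error for the caller.
template <typename I>
std::optional<XOnlyKey> FromPKBytesAsserting(I first, I last)
{
    CHECK_NONFATAL_DEMO(last - first == 32);
    XOnlyKey key{};
    std::copy(first, last, key.begin());
    return key;
}

// "After": a wrong-length push is invalid input; returning nullopt makes the
// miniscript decoder fail to parse the script instead of aborting the RPC.
template <typename I>
std::optional<XOnlyKey> FromPKBytesChecked(I first, I last)
{
    if (last - first != 32) return std::nullopt;
    XOnlyKey key{};
    std::copy(first, last, key.begin());
    return key;
}

} // namespace

// Constructed input: n bytes of filler standing in for a pubkey push.
std::vector<uint8_t> MakeBytes(size_t n) { return std::vector<uint8_t>(n, 0x92); }

// True when the asserting variant turns an n-byte push into an internal-bug error.
bool AssertingVariantThrows(size_t n)
{
    auto bytes = MakeBytes(n);
    try {
        (void)FromPKBytesAsserting(bytes.begin(), bytes.end());
        return false;
    } catch (const NonFatalCheckError&) {
        return true;
    }
}

// True when the checked variant accepts an n-byte push as a key.
bool CheckedVariantAccepts(size_t n)
{
    auto bytes = MakeBytes(n);
    return FromPKBytesChecked(bytes.begin(), bytes.end()).has_value();
}

int main()
{
    // 32 bytes parse in both variants; 20 and 33 bytes (hash160 and compressed
    // key sizes, common pushes in non-tapscript scripts) only fail cleanly in the
    // checked variant.
    return (!AssertingVariantThrows(32) && AssertingVariantThrows(33)
            && CheckedVariantAccepts(32) && !CheckedVariantAccepts(20)) ? 0 : 1;
}
```

The point for a reviewer is which side of the trust boundary a length lives on: script bytes arriving through finalizepsbt are user input, so their shape is a parse result to be validated, not an invariant to be asserted.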

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-09-28 22:12 UTC

This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me