fuzz: Fix off-by-one in package_rbf target #32122

pull maflcko wants to merge 1 commits into bitcoin:master from maflcko:2503-fuzz-one-ub changing 1 files +7 −8
  1. maflcko commented at 6:41 am on March 22, 2025: member

    Running the while loop up to NUM_ITERS times may set iter to g_outpoints.size(), which will then lead to an out-of-bounds read.

    There was an assert, which I guess tried to catch this, but the condition in the assert was wrong as well.

    Fix all issues by replacing the broken assert with the internal and correct check inside std::vector::at and by limiting iter to NUM_ITERS in the while loop.

    Fixes https://github.com/bitcoin/bitcoin/issues/32121

  2. DrahtBot commented at 6:41 am on March 22, 2025: contributor

    The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

    Code Coverage & Benchmarks

    For details see: https://corecheck.dev/bitcoin/bitcoin/pulls/32122.

    Reviews

    See the guideline for information on the review process.

    Type Reviewers
    ACK glozow, brunoerg
    Concept ACK kevkevinpal
    Stale ACK dergoegge, instagibbs

    If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.

  3. DrahtBot added the label Tests on Mar 22, 2025
  4. maflcko removed the label Tests on Mar 22, 2025
  5. maflcko added the label Needs backport (29.x) on Mar 22, 2025
  6. maflcko removed the label Needs backport (29.x) on Mar 22, 2025
  7. DrahtBot added the label Tests on Mar 22, 2025
  8. maflcko added this to the milestone 29.0 on Mar 22, 2025
  9. maflcko added the label Needs backport (29.x) on Mar 22, 2025
  10. maflcko commented at 6:42 am on March 22, 2025: member
    Can be tested with the input and steps from https://github.com/bitcoin/bitcoin/issues/32121
  11. kevkevinpal commented at 3:19 am on March 23, 2025: contributor

    Concept ACK

    I was able to reproduce the error using the input in #32121

    I think your approach works but I was wondering why not just modify initialize_package_rbf to use this statement

    for (int i = 0; i <= NUM_ITERS; ++i) instead of for (int i = 0; i < NUM_ITERS; ++i)

  12. maflcko commented at 7:49 am on March 24, 2025: member

    why not just modify initialize_package_rbf to use this statement

    Why would that be better? Once an off-by-two is added in a future patch, the fuzz target once again will crash, whereas with the patch in this pull, it will work fine?

  13. dergoegge approved
  14. dergoegge commented at 9:56 am on March 24, 2025: member

    utACK fa9d9a33420c2db35e9ee7eebe5d6e475e26a8e8

    This was caught in the qa-assets CI because we’re using a hardened libc++ build? Trying to understand why I haven’t seen this in my fuzzing.

  15. maflcko commented at 10:13 am on March 24, 2025: member

    This was caught in the qa-assets CI because we’re using a hardened libc++ build? Trying to understand why I haven’t seen this in my fuzzing.

    Yes. This particular one doesn’t require an ABI breaking build, so I think you should be able to find it with any of (fast, extensive, debug) from https://libcxx.llvm.org/Hardening.html#mapping-between-the-hardening-modes-and-the-assertion-categories. Same for GCC: It should be found by any of (ASSERTIONS, DEBUG, DEBUG_PEDANTIC). However, I haven’t tried any of this.

  16. maflcko requested review from instagibbs on Mar 24, 2025
  17. instagibbs commented at 1:07 pm on March 24, 2025: member

    utACK fa9d9a33420c2db35e9ee7eebe5d6e475e26a8e8

    change looks right

  18. in src/test/fuzz/rbf.cpp:128 in fa9d9a3342 outdated 
    127     int64_t running_vsize_total{replacement_vsize};
128 
129     LOCK2(cs_main, pool.cs);
130 
131-    LIMITED_WHILE(fuzzed_data_provider.ConsumeBool(), NUM_ITERS)
132+    LIMITED_WHILE(fuzzed_data_provider.ConsumeBool(), NUM_ITERS - iter)
    sipa commented at 1:29 pm on March 24, 2025:

    Nit: I find it a bit unintuitive to use a loop variable inside the condition here, and would prefer:

    0LIMITED_WHILE(fuzzed_data_provider.ConsumeBool(), NUM_ITERS) {
1    if (iter >= NUM_ITERS) break;
2    ...
    maflcko commented at 1:55 pm on March 24, 2025:
    If the limit check is split up into a manual break, I’d prefer to switch to a plain while loop, but no strong opinion.
    maflcko commented at 8:43 am on March 25, 2025:
    thx, done. Should be trivial to re-review
  19. kevkevinpal commented at 5:47 pm on March 24, 2025: contributor

    why not just modify initialize_package_rbf to use this statement

    Why would that be better? Once an off-by-two is added in a future patch, the fuzz target once again will crash, whereas with the patch in this pull, it will work fine?

    ahh ok I see now that makes sense to me

  20. fuzz: Fix off-by-one in package_rbf target fa5674c264
  21. maflcko force-pushed on Mar 25, 2025
  22. glozow commented at 12:41 pm on March 25, 2025: member
    ACK fa5674c264d91eb3a99fa74ace8a1b6be113c0a8
  23. DrahtBot requested review from dergoegge on Mar 25, 2025
  24. brunoerg approved
  25. brunoerg commented at 7:37 pm on March 25, 2025: contributor
    code review ACK fa5674c264d91eb3a99fa74ace8a1b6be113c0a8
  26. glozow merged this on Mar 25, 2025
  27. glozow closed this on Mar 25, 2025
  28. glozow referenced this in commit 288163ea0f on Mar 25, 2025
  29. maflcko deleted the branch on Mar 25, 2025
  30. glozow commented at 8:59 pm on March 25, 2025: member
    backported in #32136
  31. glozow removed the label Needs backport (29.x) on Mar 25, 2025


maflcko DrahtBot kevkevinpal dergoegge instagibbs sipa glozow brunoerg


instagibbs dergoegge

Labels
Tests

Milestone
29.0

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2025-03-28 15:12 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me