fuzz: Fix off-by-one in package_rbf target #32122

pull maflcko wants to merge 1 commits into bitcoin:master from maflcko:2503-fuzz-one-ub changing 1 files +7 −8

maflcko commented at 6:41 am on March 22, 2025: member

Running the while loop up to NUM_ITERS times may set iter to g_outpoints.size(), which will then lead to an out-of-bounds read.

There was an assert, which I guess tried to catch this, but the condition in the assert was wrong as well.

Fix all issues by replacing the broken assert with the internal and correct check inside std::vector::at and by limiting iter to NUM_ITERS in the while loop.

Fixes https://github.com/bitcoin/bitcoin/issues/32121

DrahtBot commented at 6:41 am on March 22, 2025: contributor

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Code Coverage & Benchmarks

For details see: https://corecheck.dev/bitcoin/bitcoin/pulls/32122.

Reviews

See the guideline for information on the review process.

Type	Reviewers
ACK	glozow, brunoerg
Concept ACK	kevkevinpal
Stale ACK	dergoegge, instagibbs

If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.

DrahtBot added the label Tests on Mar 22, 2025
maflcko removed the label Tests on Mar 22, 2025
maflcko added the label Needs backport (29.x) on Mar 22, 2025
maflcko removed the label Needs backport (29.x) on Mar 22, 2025
DrahtBot added the label Tests on Mar 22, 2025
maflcko added this to the milestone 29.0 on Mar 22, 2025
maflcko added the label Needs backport (29.x) on Mar 22, 2025
maflcko commented at 6:42 am on March 22, 2025: member

Can be tested with the input and steps from https://github.com/bitcoin/bitcoin/issues/32121
kevkevinpal commented at 3:19 am on March 23, 2025: contributor

Concept ACK

I was able to reproduce the error using the input in #32121

I think your approach works but I was wondering why not just modify initialize_package_rbf to use this statement

for (int i = 0; i <= NUM_ITERS; ++i) instead of for (int i = 0; i < NUM_ITERS; ++i)
maflcko commented at 7:49 am on March 24, 2025: member

why not just modify initialize_package_rbf to use this statement

Why would that be better? Once an off-by-two is added in a future patch, the fuzz target once again will crash, whereas with the patch in this pull, it will work fine?
dergoegge approved
dergoegge commented at 9:56 am on March 24, 2025: member

utACK fa9d9a33420c2db35e9ee7eebe5d6e475e26a8e8

This was caught in the qa-assets CI because we’re using a hardened libc++ build? Trying to understand why I haven’t seen this in my fuzzing.
maflcko commented at 10:13 am on March 24, 2025: member

This was caught in the qa-assets CI because we’re using a hardened libc++ build? Trying to understand why I haven’t seen this in my fuzzing.

Yes. This particular one doesn’t require an ABI breaking build, so I think you should be able to find it with any of (fast, extensive, debug) from https://libcxx.llvm.org/Hardening.html#mapping-between-the-hardening-modes-and-the-assertion-categories. Same for GCC: It should be found by any of (ASSERTIONS, DEBUG, DEBUG_PEDANTIC). However, I haven’t tried any of this.
maflcko requested review from instagibbs on Mar 24, 2025
instagibbs commented at 1:07 pm on March 24, 2025: member

utACK fa9d9a33420c2db35e9ee7eebe5d6e475e26a8e8

change looks right
in src/test/fuzz/rbf.cpp:128 in fa9d9a3342 outdated
127 int64_t running_vsize_total{replacement_vsize}; 128 129 LOCK2(cs_main, pool.cs); 130 131- LIMITED_WHILE(fuzzed_data_provider.ConsumeBool(), NUM_ITERS) 132+ LIMITED_WHILE(fuzzed_data_provider.ConsumeBool(), NUM_ITERS - iter)
sipa commented at 1:29 pm on March 24, 2025:

Nit: I find it a bit unintuitive to use a loop variable inside the condition here, and would prefer:

0LIMITED_WHILE(fuzzed_data_provider.ConsumeBool(), NUM_ITERS) { 1 if (iter >= NUM_ITERS) break; 2 ...
maflcko commented at 1:55 pm on March 24, 2025:

If the limit check is split up into a manual break, I’d prefer to switch to a plain while loop, but no strong opinion.

maflcko commented at 8:43 am on March 25, 2025:

thx, done. Should be trivial to re-review
kevkevinpal commented at 5:47 pm on March 24, 2025: contributor

why not just modify initialize_package_rbf to use this statement

Why would that be better? Once an off-by-two is added in a future patch, the fuzz target once again will crash, whereas with the patch in this pull, it will work fine?

ahh ok I see now that makes sense to me
fuzz: Fix off-by-one in package_rbf target fa5674c264
maflcko force-pushed on Mar 25, 2025
glozow commented at 12:41 pm on March 25, 2025: member

ACK fa5674c264d91eb3a99fa74ace8a1b6be113c0a8
DrahtBot requested review from dergoegge on Mar 25, 2025
brunoerg approved
brunoerg commented at 7:37 pm on March 25, 2025: contributor

code review ACK fa5674c264d91eb3a99fa74ace8a1b6be113c0a8
glozow merged this on Mar 25, 2025
glozow closed this on Mar 25, 2025
glozow referenced this in commit 288163ea0f on Mar 25, 2025
maflcko deleted the branch on Mar 25, 2025
glozow commented at 8:59 pm on March 25, 2025: member

backported in #32136
glozow removed the label Needs backport (29.x) on Mar 25, 2025
fanquake referenced this in commit 1344d3bd0f on Apr 1, 2025
TheCharlatan referenced this in commit a9c46ce3c3 on Apr 24, 2025
bitcoin deleted a comment on May 1, 2025
stickies-v referenced this in commit 772a33e052 on May 23, 2025
yuvicc referenced this in commit 069643f094 on Jul 6, 2025
bug-castercv502 referenced this in commit 5b0af4b944 on Sep 28, 2025
fanquake added the label Fuzzing on Oct 30, 2025

Contributors
maflcko DrahtBot kevkevinpal dergoegge instagibbs sipa glozow brunoerg

Review Requested
instagibbs dergoegge

Labels
Tests Fuzzing

Milestone
29.0