wallet: Fuzz crash in `spkm_migration` #35434

issue marcofleon opened this issue on June 1, 2026
  1. marcofleon commented at 3:31 PM on June 1, 2026: contributor

    Base64:

    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
    

    Stack trace:

    INFO: Running with entropic power schedule (0xFF, 100).
    INFO: Seed: 2298833682
    INFO: Loaded 1 modules   (441286 inline 8-bit counters): 441286 [0xaaaac8367450, 0xaaaac83d3016), 
    INFO: Loaded 1 PC tables (441286 PCs): 441286 [0xaaaac83d3018,0xaaaac8a8ec78), 
    /workdir/out/libfuzzer/fuzz: Running 1 inputs 1 time(s) each.
    Running: /workdir/workspace/solutions/id:000000,sig:06,src:000805,time:2001996,execs:647939,op:havoc,rep:12
    terminate called after throwing an instance of 'std::runtime_error'
     what():  UpdateWithSigningProvider: writing descriptor private key failed
    ==16297== ERROR: libFuzzer: deadly signal
    /usr/bin/llvm-symbolizer: error: 'linux-vdso.so.1': No such file or directory
       #0 0xaaaac6d24fe0 in __sanitizer_print_stack_trace /llvm-project/compiler-rt/lib/ubsan/ubsan_diag_standalone.cpp:31:3
       #1 0xaaaac6c96894 in fuzzer::PrintStackTrace() /llvm-project/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:5
       #2 0xaaaac6c7aa04 in fuzzer::Fuzzer::CrashCallback() /llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:231:3
       #3 0xffff975e37b8  (linux-vdso.so.1+0x7b8) (BuildId: d721ef96679f76202b9d0a21a3db1069daa73c69)
       #4 0xffff970d7d7c  (/lib/aarch64-linux-gnu/libc.so.6+0x87d7c) (BuildId: 45918bc10b33fd96afc550c98de062dccdf44328)
       #5 0xffff9708693c in raise (/lib/aarch64-linux-gnu/libc.so.6+0x3693c) (BuildId: 45918bc10b33fd96afc550c98de062dccdf44328)
       #6 0xffff97071a80 in abort (/lib/aarch64-linux-gnu/libc.so.6+0x21a80) (BuildId: 45918bc10b33fd96afc550c98de062dccdf44328)
       #7 0xffff973dc0c0 in __gnu_cxx::__verbose_terminate_handler() (/lib/aarch64-linux-gnu/libstdc++.so.6+0xac0c0) (BuildId: 42f7f063581c06d0944bac51464a918ebb9a54d8)
       #8 0xffff973d964c  (/lib/aarch64-linux-gnu/libstdc++.so.6+0xa964c) (BuildId: 42f7f063581c06d0944bac51464a918ebb9a54d8)
       #9 0xffff973d0a60 in std::terminate() (/lib/aarch64-linux-gnu/libstdc++.so.6+0xa0a60) (BuildId: 42f7f063581c06d0944bac51464a918ebb9a54d8)
       #10 0xffff973d99e4 in __cxa_throw (/lib/aarch64-linux-gnu/libstdc++.so.6+0xa99e4) (BuildId: 42f7f063581c06d0944bac51464a918ebb9a54d8)
       #11 0xaaaac77dbf24 in wallet::DescriptorScriptPubKeyMan::UpdateWithSigningProvider(wallet::WalletBatch&, FlatSigningProvider const&) scriptpubkeyman.cpp
       #12 0xaaaac77db144 in wallet::DescriptorScriptPubKeyMan::CreateFromMigration(wallet::WalletStorage&, wallet::WalletBatch&, wallet::WalletDescriptor&, long, FlatSigningProvider const&) scriptpubkeyman.cpp
       #13 0xaaaac77d6184 in wallet::LegacyDataSPKM::MigrateToDescriptor() scriptpubkeyman.cpp
       #14 0xaaaac717ba50 in wallet::(anonymous namespace)::spkm_migration_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>) scriptpubkeyman.cpp
       #15 0xaaaac7196534 in LLVMFuzzerTestOneInput fuzz.cpp
       #16 0xaaaac6c7bfd0 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:619:13
       #17 0xaaaac6c67f24 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:329:6
       #18 0xaaaac6c6d330 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:864:9
       #19 0xaaaac6c97074 in main /llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
       #20 0xffff97072258  (/lib/aarch64-linux-gnu/libc.so.6+0x22258) (BuildId: 45918bc10b33fd96afc550c98de062dccdf44328)
       #21 0xffff97072338 in __libc_start_main (/lib/aarch64-linux-gnu/libc.so.6+0x22338) (BuildId: 45918bc10b33fd96afc550c98de062dccdf44328)
       #22 0xaaaac6c6202c in _start (/workdir/out/libfuzzer/fuzz+0xe6202c)
    
    NOTE: libFuzzer has rudimentary signal handlers.
         Combine libFuzzer with AddressSanitizer or similar for better crash reports.
    SUMMARY: libFuzzer: deadly signal
    

    I added some debug logs that are hopefully helpful:

    ./fuzzbuild/bin/fuzz: Running 1 inputs 1 time(s) each.
    Running: spkmmigrate_input
    spkm_migration_hd chain_i=0 seed_id=63efc626d0735c1743bebcd10c93ac117e1e652d seed_pub=02a3a9664be086498975017446fcbbfea6d23ae45ff35fd92d7825b6fb2b246a1d seed_compressed=1 seed_secret=0000ff9393939393939393939393939393939393939393939393939393939393 master_pub=02184bde09c4855ebdd96f13c50ab7c986dd34b346d27337e6fbb88e17d895c1a1 master_id=9eea275cd9b429d5f1846958bf54bc603d6f2117 desc_id=3627bfc12de9ce8262383b68747c391b8304a7958afc17af4c069947e397abd5 desc=combo(tpubD6NzVbkrYhZ4WVWQiaXibwcQbTwVrz1E3GsBgnz9S5z5ny7NVVnA3ofotJSgC1mMoapJtB896u1bxKaYPrX62KVwUfa4ywcPebR3YMu2Eu3/0h/0h/*h)
    spkm_migration_hd chain_i=1 seed_id=63efc626d0735c1743bebcd10c93ac117e1e652d seed_pub=02a3a9664be086498975017446fcbbfea6d23ae45ff35fd92d7825b6fb2b246a1d seed_compressed=1 seed_secret=0000ff9393939393939393939393939393939393939393939393939393939393 master_pub=02184bde09c4855ebdd96f13c50ab7c986dd34b346d27337e6fbb88e17d895c1a1 master_id=9eea275cd9b429d5f1846958bf54bc603d6f2117 desc_id=e4e39f26cfd59dc1445094a9dbf58985f1f7c81568195fb2297d04cf7a303519 desc=combo(tpubD6NzVbkrYhZ4WVWQiaXibwcQbTwVrz1E3GsBgnz9S5z5ny7NVVnA3ofotJSgC1mMoapJtB896u1bxKaYPrX62KVwUfa4ywcPebR3YMu2Eu3/0h/1h/*h)
    spkm_migration_hd chain_i=0 seed_id=022315e44c19bfe85e565d8b245799d664e69d81 seed_pub=04a3a9664be086498975017446fcbbfea6d23ae45ff35fd92d7825b6fb2b246a1d6f1e5091702f491de624465df3dc30ea9b9c2fb02b5c07ec2071c8e301f9a01e seed_compressed=0 seed_secret=0000ff9393939393939393939393939393939393939393939393939393939393 master_pub=02184bde09c4855ebdd96f13c50ab7c986dd34b346d27337e6fbb88e17d895c1a1 master_id=9eea275cd9b429d5f1846958bf54bc603d6f2117 desc_id=3627bfc12de9ce8262383b68747c391b8304a7958afc17af4c069947e397abd5 desc=combo(tpubD6NzVbkrYhZ4WVWQiaXibwcQbTwVrz1E3GsBgnz9S5z5ny7NVVnA3ofotJSgC1mMoapJtB896u1bxKaYPrX62KVwUfa4ywcPebR3YMu2Eu3/0h/0h/*h)
    libc++abi: terminating due to uncaught exception of type std::runtime_error: UpdateWithSigningProvider: writing descriptor private key failed
    ==57870== ERROR: libFuzzer: deadly signal
    NOTE: libFuzzer has rudimentary signal handlers.
          Combine libFuzzer with AddressSanitizer or similar for better crash reports.
    SUMMARY: libFuzzer: deadly signal
    

    Looks like chains with the same seed secret but with compressed vs uncompressed pubkeys lead to different seed ids but the same migrated master key, causing a duplicate write in UpdateWithSigningProvider(). This might be related to the fuzz crash 0301c758ea0d0b95090d7492f1e5d30e6b447b9c was addressing?
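
The mechanism in the comment above, as an added illustration that is not part of the issue and not Bitcoin Core code. It reproduces the two `seed_pub` values from the debug log with a small pure-Python secp256k1, shows that the seed id (assumed here to be HASH160 of the serialised pubkey, as for a CKeyID) differs between the compressed and uncompressed encodings of the same secret while a BIP32 master key derived from the raw secret bytes (assumed: HMAC-SHA512 with key "Bitcoin seed") is identical, and then models the duplicate write with a dict standing in for the wallet batch. The `migrate` function and its `dedup_by_master` switch are hypothetical, not the project's API.

```python
"""Same seed secret, two seed ids, one master key: why the migration writes twice.

Added illustration for the issue above, not Bitcoin Core code. Assumptions are
labelled in the docstrings below.
"""
import hashlib
import hmac

# secp256k1 domain parameters (public constants).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

# Seed secret copied from the issue's debug log (identical for both chains).
SEED_SECRET = bytes.fromhex("0000ff9393939393939393939393939393939393939393939393939393939393")


def _add(p, q):
    """Affine point addition on y^2 = x^3 + 7 over F_P; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P   # doubling, a = 0
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def _mul(k, p):
    """Double-and-add scalar multiplication (demo only, not constant-time)."""
    r = None
    while k:
        if k & 1:
            r = _add(r, p)
        p = _add(p, p)
        k >>= 1
    return r


def serialize_pubkey(secret: bytes, compressed: bool) -> bytes:
    """SEC encoding of secret*G: 33 bytes (02/03 || x) or 65 bytes (04 || x || y)."""
    x, y = _mul(int.from_bytes(secret, "big") % N, G)
    if compressed:
        return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")


def key_id(pubkey: bytes) -> bytes:
    """HASH160 = RIPEMD160(SHA256(pubkey)), assumed to be how the seed id is formed.
    Some OpenSSL builds lack RIPEMD-160; the truncated-SHA-256 fallback keeps the
    demo running and still shows that differing encodings give differing ids."""
    sha = hashlib.sha256(pubkey).digest()
    try:
        return hashlib.new("ripemd160", sha).digest()
    except ValueError:
        return hashlib.sha256(sha).digest()[:20]


def bip32_master_pubkey(secret: bytes) -> bytes:
    """BIP32 root key from the raw 32 secret bytes (assumed derivation); the
    compression flag of the seed never enters this computation."""
    i = hmac.new(b"Bitcoin seed", secret, hashlib.sha512).digest()
    return serialize_pubkey(i[:32], compressed=True)


def legacy_chains():
    """The two HD chains from the log: same secret, compressed vs. uncompressed seed."""
    return [{"secret": SEED_SECRET, "compressed": True},
            {"secret": SEED_SECRET, "compressed": False}]


def migrate(chains, dedup_by_master: bool):
    """Hypothetical migration model. dedup_by_master=False mirrors the failing path:
    chains are deduplicated by seed id only, and the master-key record is written
    with overwrite disabled, so the second chain hits an existing record and raises.
    dedup_by_master=True keys the deduplication on what is actually written."""
    seen_seed_ids, written = set(), {}
    for chain in chains:
        sid = key_id(serialize_pubkey(chain["secret"], chain["compressed"]))
        if sid in seen_seed_ids:
            continue
        seen_seed_ids.add(sid)
        master = bip32_master_pubkey(chain["secret"])
        if master in written:
            if dedup_by_master:
                continue
            raise RuntimeError("writing descriptor private key failed")
        written[master] = sid
    return written


def migration_fails(chains) -> bool:
    """True if the seed-id-only migration raises on the duplicate master-key write."""
    try:
        migrate(chains, dedup_by_master=False)
    except RuntimeError:
        return True
    return False
```

Run with the two chains from `legacy_chains()`: the compressed and uncompressed encodings hash to different seed ids, so a seed-id check passes both chains through, and the second one trips on the master-key record the first already wrote. Keying the deduplication (or the write's overwrite policy) on the migrated master key rather than the seed id is the direction that makes the model succeed.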

  2. fanquake added the label Wallet on Jun 1, 2026
  3. fanquake added the label Fuzzing on Jun 1, 2026
  4. kevkevinpal commented at 3:41 AM on June 2, 2026: contributor
  5. maflcko added this to the milestone 32.0 on Jun 2, 2026

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-06-04 10:51 UTC

This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me