Fix OOM when deserializing UTXO entries with invalid length #7933

pull sipa wants to merge 5 commits into bitcoin:master from sipa:fixcompressoroom changing 5 files +101 −5

sipa commented at 2:32 PM on April 24, 2016: member

Thanks to @pstratem for finding this.

The normal vector deserializer reads data in chunks of at most 5 MB, preventing OOM when insane vector lengths are encoded. This protection is not present in CScriptCompressor's specialized deserializer, however, resulting in a potential OOM when very large length descriptors exist, as the target CScript is resized before attempting to read that much data.

However, CScripts have a maximum length above which they're always invalid. We can treat scriptPubKeys with such lengths as unspendable, preventing them from going into the UTXO set even, and skipping them when deserializing.

Note that none of this is exposed to the network, as the P2P code uses normal (pre)vectors, which do have this OOM protection directly in serialize.h.
sipa force-pushed on Apr 24, 2016
sipa force-pushed on Apr 24, 2016
laanwj added the label Bug on Apr 25, 2016
laanwj added the label UTXO Db and Indexes on Apr 25, 2016
laanwj commented at 8:48 AM on April 25, 2016: member

I think this needs a test (that fails without this, and succeeds with it). Or are we talking about 'insane lengths' of such magnitude that would result in a very long running test case?
sipa commented at 9:04 AM on April 25, 2016: member

The test (without fix) would use 2 GB+ RAM, and segfault. With fix, it will work fine. I'll add one.
laanwj commented at 10:59 AM on April 25, 2016: member

The test (without fix) would use 2 GB+ RAM, and segfault.

Maybe we can cap it off before that happens? In any case a test that OOMs and crashes without this, but runs quickly with it, would be great too, it effectively prevents regression.
Introduce constant for maximum CScript length f8e6fb1800
Treat overly long scriptPubKeys as unspendable 4f87af6fc7
CDataStream::ignore Throw exception instead of assert on negative nSize.
Previously disk corruption would cause an assert instead of an exception.
4bf631e5e4
Fix OOM bug: UTXO entries with invalid script length 5d0434d13d
Add tests for CCoins deserialization 1e44169f0e
sipa force-pushed on Apr 25, 2016
sipa commented at 1:18 PM on April 25, 2016: member

Added a test, and included #7936 (the test fails without).
laanwj commented at 2:00 PM on April 25, 2016: member

utACK https://github.com/bitcoin/bitcoin/pull/7933/commits/1e44169f0e0c334a86b14a22ebc8fec45cec7354

MarcoFalke commented at 2:19 PM on April 25, 2016: member

Can confirm the test fails:

$ src/test/test_bitcoin -t coins_tests
Running 3 test cases...
unknown location(0): fatal error in "ccoins_serialization": memory access violation at address: 0x...: no mapping at fault address
test/coins_tests.cpp(411): last checkpoint

*** 1 failure detected in test suite "Bitcoin Test Suite"

dcousens commented at 3:43 AM on April 26, 2016: contributor

utACK 1e44169
laanwj merged this on Apr 26, 2016
laanwj closed this on Apr 26, 2016
laanwj referenced this in commit e26b62093a on Apr 26, 2016
zkbot referenced this in commit 7ccbcca62c on Oct 22, 2016
codablock referenced this in commit cfdc779cb6 on Sep 16, 2017
codablock referenced this in commit 6d4d71b3e4 on Sep 19, 2017
codablock referenced this in commit 98d371e2f5 on Sep 27, 2017
codablock referenced this in commit 30b0f52919 on Oct 12, 2017
codablock referenced this in commit 952383e16c on Oct 19, 2017
UdjinM6 referenced this in commit 1e4b1dea2f on Nov 8, 2017
random-zebra referenced this in commit 41d19c106f on Oct 9, 2019
akshaynexus referenced this in commit fc00be94a7 on Oct 26, 2019
akshaynexus referenced this in commit 96760031dd on Oct 26, 2019
akshaynexus referenced this in commit 90b43effe3 on Oct 26, 2019
MarcoFalke locked this on Sep 8, 2021

Contributors

Labels

Bug UTXO Db and Indexes