net: Fix an uninitialized read in ProcessMessage(…, "tx", …) when receiving a transaction we already have #17624
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
The following sections might be updated with supplementary metadata relevant to reviewers and maintainers. ConflictsReviewers, this pull request conflicts with the following ones:
If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first. |
|
utACK 73b96c9 Great catch @practicalswift . Are the |
|
ACK 73b96c9, thanks for discovering and reporting this before it ended up in a release. (travis fail is unrelated, restarted …) |
|
Both branches are covered by our functional tests (specifically I found this issue after observing some weirdness on a Since discovering the issue on My personal view is that we really really underuse the excellent modern tooling that is typically used in security critical C++ projects to guard against introduction of bugs like this. I find that a bit surprising and I promise to do my best to help improve that situation going forward :) Rediscovery 1. Finding the issue using static analysis (Coverity in this example) Rediscovery 2. Finding the issue using dynamic analysis (MemorySanitizer) Running Rediscovery 3. Finding the issue using dynamic analysis (Valgrind) Running |
laanwj
added a commit
that referenced
this pull request
Nov 28, 2019
…", …) when receiving a transaction we already have 73b96c9 net: Fix uninitialized read in ProcessMessage(...) (practicalswift) Pull request description: Fix an uninitialized read in `ProcessMessage(…, "tx", …)` when receiving a transaction we already have. The uninitialized value is read and used on [L2526 in the case of `AlreadyHave(inv) == true`](https://github.com/bitcoin/bitcoin/blob/d8a66626d63135fd245d5afc524b88b9a94d208b/src/net_processing.cpp#L2494-L2526). Proof of concept being run against a `bitcoind` built with MemorySanitizer (`-fsanitize=memory`): ``` $ ./p2p-uninit-read-in-conditional-poc.py Usage: ./p2p-uninit-read-in-conditional-poc.py <dstaddr> <dstport> <net> $ bitcoind -regtest & $ ./p2p-uninit-read-in-conditional-poc.py 127.0.0.1 18444 regtest SUMMARY: MemorySanitizer: use-of-uninitialized-value [1]+ Exit 77 bitcoind -regtest $ ``` Proof of concept being run against a `bitcoind` running under Valgrind (`valgrind --exit-on-first-error`): ``` $ valgrind -q --exit-on-first-error=yes --error-exitcode=1 bitcoind -regtest & $ ./p2p-uninit-read-in-conditional-poc.py 127.0.0.1 18444 regtest ==27351== Conditional jump or move depends on uninitialised value(s) [1]+ Exit 1 valgrind -q --exit-on-first-error=yes --error-exitcode=1 bitcoind -regtest $ ``` Proof of concept script: ``` #!/usr/bin/env python3 import sys from test_framework.mininode import NetworkThread from test_framework.mininode import P2PDataStore from test_framework.messages import CTransaction, CTxIn, CTxOut, msg_tx def send_duplicate_tx(dstaddr="127.0.0.1", dstport=18444, net="regtest"): network_thread = NetworkThread() network_thread.start() node = P2PDataStore() node.peer_connect(dstaddr=dstaddr, dstport=dstport, net=net)() node.wait_for_verack() tx = CTransaction() tx.vin.append(CTxIn()) tx.vout.append(CTxOut()) node.send_message(msg_tx(tx)) node.send_message(msg_tx(tx)) node.peer_disconnect() network_thread.close() if __name__ == "__main__": if len(sys.argv) != 4: print("Usage: {} <dstaddr> <dstport> <net>".format(sys.argv[0])) sys.exit(0) send_duplicate_tx(sys.argv[1], int(sys.argv[2]), sys.argv[3]) ``` Note that the transaction in the proof of concept is the simplest possible, but really any transaction can be used. It does not have to be a valid transaction. This bug was introduced in #15921 ("validation: Tidy up ValidationState interface") which was merged in to `master` 28 days ago. Luckily this bug was caught before being part of any Bitcoin Core release :) ACKs for top commit: jnewbery: utACK 73b96c9 laanwj: ACK 73b96c9, thanks for discovering and reporting this before it ended up in a release. Tree-SHA512: 7ce6b8f260bcdd9b2ec4ff4b941a891bbef578acf4456df33b7a8d42b248237ec4949e65e2445b24851d1639b10681c701ad500b1c0b776ff050ef8c3812c795
maflcko
pushed a commit
that referenced
this pull request
Dec 10, 2019
…s under Valgrind 5db506b tests: Add option --valgrind to run nodes under valgrind in the functional tests (practicalswift) Pull request description: What is better than fixing bugs? Fixing entire bug classes of course! :) Add option `--valgrind` to run the functional tests under Valgrind. Regular functional testing under Valgrind would have caught many of the uninitialized reads we've seen historically. Let's kill this bug class once and for all: let's never use an uninitialized value ever again. Or at least not one that would be triggered by running the functional tests! :) My hope is that this addition will make it super-easy to run the functional tests under Valgrind and thus increase the probability of people making use of it :) Hopefully `test/functional/test_runner.py --valgrind` will become a natural part of the pre-release QA process. **Usage:** ``` $ test/functional/test_runner.py --help … --valgrind run nodes under the valgrind memory error detector: expect at least a ~10x slowdown, valgrind 3.14 or later required ``` **Live demo:** First, let's re-introduce a memory bug by reverting the recent P2P uninitialized read bug fix from PR #17624 ("net: Fix an uninitialized read in ProcessMessage(…, "tx", …) when receiving a transaction we already have"). ``` $ git diff diff --git a/src/consensus/validation.h b/src/consensus/validation.h index 3401eb64c..940adea33 100644 --- a/src/consensus/validation.h +++ b/src/consensus/validation.h @@ -114,7 +114,7 @@ inline ValidationState::~ValidationState() {}; class TxValidationState : public ValidationState { private: - TxValidationResult m_result = TxValidationResult::TX_RESULT_UNSET; + TxValidationResult m_result; public: bool Invalid(TxValidationResult result, const std::string &reject_reason="", ``` Second, let's test as normal without Valgrind: ``` $ test/functional/p2p_segwit.py -l INFO 2019-11-28T09:30:42.810000Z TestFramework (INFO): Initializing test directory /tmp/bitcoin_func_test__fc8q3qo … 2019-11-28T09:31:57.187000Z TestFramework (INFO): Subtest: test_non_standard_witness_blinding (Segwit active = True) … 2019-11-28T09:32:08.265000Z TestFramework (INFO): Tests successful ``` Third, let's test with `--valgrind` and see if the test fail (as we expect) when the unitialized value is used: ``` $ test/functional/p2p_segwit.py -l INFO --valgrind 2019-11-28T09:32:33.018000Z TestFramework (INFO): Initializing test directory /tmp/bitcoin_func_test_gtjecx2l … 2019-11-28T09:40:36.702000Z TestFramework (INFO): Subtest: test_non_standard_witness_blinding (Segwit active = True) 2019-11-28T09:40:37.813000Z TestFramework (ERROR): Assertion failed ConnectionRefusedError: [Errno 111] Connection refused ``` ACKs for top commit: MarcoFalke: ACK 5db506b jonatack: ACK 5db506b Tree-SHA512: 2eaecacf4da166febad88b2a8ee6d7ac2bcd38d4c1892ca39516b6343e8f8c8814edf5eaf14c90f11a069a0389d24f0713076112ac284de987e72fc5f6cc3795
sidhujag
pushed a commit
to syscoin/syscoin
that referenced
this pull request
Dec 10, 2019
…al tests under Valgrind 5db506b tests: Add option --valgrind to run nodes under valgrind in the functional tests (practicalswift) Pull request description: What is better than fixing bugs? Fixing entire bug classes of course! :) Add option `--valgrind` to run the functional tests under Valgrind. Regular functional testing under Valgrind would have caught many of the uninitialized reads we've seen historically. Let's kill this bug class once and for all: let's never use an uninitialized value ever again. Or at least not one that would be triggered by running the functional tests! :) My hope is that this addition will make it super-easy to run the functional tests under Valgrind and thus increase the probability of people making use of it :) Hopefully `test/functional/test_runner.py --valgrind` will become a natural part of the pre-release QA process. **Usage:** ``` $ test/functional/test_runner.py --help … --valgrind run nodes under the valgrind memory error detector: expect at least a ~10x slowdown, valgrind 3.14 or later required ``` **Live demo:** First, let's re-introduce a memory bug by reverting the recent P2P uninitialized read bug fix from PR bitcoin#17624 ("net: Fix an uninitialized read in ProcessMessage(…, "tx", …) when receiving a transaction we already have"). ``` $ git diff diff --git a/src/consensus/validation.h b/src/consensus/validation.h index 3401eb64c..940adea33 100644 --- a/src/consensus/validation.h +++ b/src/consensus/validation.h @@ -114,7 +114,7 @@ inline ValidationState::~ValidationState() {}; class TxValidationState : public ValidationState { private: - TxValidationResult m_result = TxValidationResult::TX_RESULT_UNSET; + TxValidationResult m_result; public: bool Invalid(TxValidationResult result, const std::string &reject_reason="", ``` Second, let's test as normal without Valgrind: ``` $ test/functional/p2p_segwit.py -l INFO 2019-11-28T09:30:42.810000Z TestFramework (INFO): Initializing test directory /tmp/bitcoin_func_test__fc8q3qo … 2019-11-28T09:31:57.187000Z TestFramework (INFO): Subtest: test_non_standard_witness_blinding (Segwit active = True) … 2019-11-28T09:32:08.265000Z TestFramework (INFO): Tests successful ``` Third, let's test with `--valgrind` and see if the test fail (as we expect) when the unitialized value is used: ``` $ test/functional/p2p_segwit.py -l INFO --valgrind 2019-11-28T09:32:33.018000Z TestFramework (INFO): Initializing test directory /tmp/bitcoin_func_test_gtjecx2l … 2019-11-28T09:40:36.702000Z TestFramework (INFO): Subtest: test_non_standard_witness_blinding (Segwit active = True) 2019-11-28T09:40:37.813000Z TestFramework (ERROR): Assertion failed ConnectionRefusedError: [Errno 111] Connection refused ``` ACKs for top commit: MarcoFalke: ACK 5db506b jonatack: ACK 5db506b Tree-SHA512: 2eaecacf4da166febad88b2a8ee6d7ac2bcd38d4c1892ca39516b6343e8f8c8814edf5eaf14c90f11a069a0389d24f0713076112ac284de987e72fc5f6cc3795
jasonbcox
pushed a commit
to Bitcoin-ABC/bitcoin-abc
that referenced
this pull request
Jul 14, 2020
Summary:
3004d5a12d09d94bfc4dee2a8e8f2291996a4aaf [validation] Remove fMissingInputs from AcceptToMemoryPool() (John Newbery)
c428622a5bb1e37b2e6ab2c52791ac05d9271238 [validation] Remove unused first_invalid parameter from ProcessNewBlockHeaders() (John Newbery)
7204c6434b944f6ad51b3c895837729d3aa56eea [validation] Remove useless ret parameter from Invalid() (John Newbery)
1a37de4b3174d19a6d8691ae07e92b32fdfaef11 [validation] Remove error() calls from Invalid() calls (John Newbery)
067981e49246822421a7bcc720491427e1dba8a3 [validation] Tidy Up ValidationResult class (John Newbery)
a27a2957ed9afbe5a96caa5f0f4cbec730d27460 [validation] Add CValidationState subclasses (John Newbery)
Pull request description:
Carries out some remaining tidy-ups remaining after PR 15141:
- split ValidationState into TxValidationState and BlockValidationState (commit from ajtowns)
- various minor code style tidy-ups to the ValidationState class
- remove the useless `ret` parameter from `ValidationState::Invalid()`
- remove the now unused `first_invalid` parameter from `ProcessNewBlockHeaders()`
- remove the `fMissingInputs` parameter from `AcceptToMemoryPool()`, and deal with missing inputs the same way as other errors by using the `TxValidationState` object.
Tip for reviewers (thanks ryanofsky!): The first commit ("[validation] Add CValidationState subclasses" ) is huge and can be easier to start reviewing if you revert the rote, mechanical changes:
Substitute the commit hash of commit "[validation] Add CValidationState subclasses" for <CommitHash> in the commands below.
```sh
git checkout <CommitHash>
git grep -l ValidationState | xargs sed -i 's/BlockValidationState\|TxValidationState/CValidationState/g'
git grep -l ValidationResult | xargs sed -i 's/BlockValidationResult\|TxValidationResult/ValidationInvalidReason/g'
git grep -l MaybePunish | xargs sed -i 's/MaybePunishNode\(ForBlock\|ForTx\)/MaybePunishNode/g'
git diff HEAD^
```
After that it's possible to easily see the mechanical changes with:
```sh
git log -p -n1 -U0 --word-diff-regex=. <CommitHash>
```
ACKs for top commit:
laanwj:
ACK 3004d5a12d09d94bfc4dee2a8e8f2291996a4aaf
amitiuttarwar:
code review ACK 3004d5a12d09d94bfc4dee2a8e8f2291996a4aaf. Also built & ran tests locally.
fjahr:
Code review ACK 3004d5a12d09d94bfc4dee2a8e8f2291996a4aaf . Only nit style change and pure virtual destructor added since my last review.
ryanofsky:
Code review ACK 3004d5a12d09d94bfc4dee2a8e8f2291996a4aaf. Just whitespace change and pure virtual destructor added since last review.
Tree-SHA512: 511de1fb380a18bec1944ea82b513b6192df632ee08bb16344a2df3c40811a88f3872f04df24bc93a41643c96c48f376a04551840fd804a961490d6c702c3d36
Backport of Core [[bitcoin/bitcoin#15921 | PR15921]] and [[bitcoin/bitcoin#17624 | PR17624]] (small fix to 15921)
Followup to [[bitcoin/bitcoin#15141 | PR15141]]
Some differences reviewers will encounter:
1. RejectCodes (such as REJECT_INVALID) do not appear in the original PR due to an out-of-order backport, but we currently still support them, so it was retained.
2. Some files (notably tests) contain refactors not present in the original PR. This is due to a few out-of-order backports but otherwise harmless.
Depends on D6923, D6929, D6930
Test Plan: `ninja check check-functional-extended`
Reviewers: #bitcoin_abc, deadalnix
Reviewed By: #bitcoin_abc, deadalnix
Subscribers: deadalnix
Differential Revision: https://reviews.bitcoinabc.org/D6860
sidhujag
pushed a commit
to syscoin-core/syscoin
that referenced
this pull request
Nov 10, 2020
…al tests under Valgrind 5db506b tests: Add option --valgrind to run nodes under valgrind in the functional tests (practicalswift) Pull request description: What is better than fixing bugs? Fixing entire bug classes of course! :) Add option `--valgrind` to run the functional tests under Valgrind. Regular functional testing under Valgrind would have caught many of the uninitialized reads we've seen historically. Let's kill this bug class once and for all: let's never use an uninitialized value ever again. Or at least not one that would be triggered by running the functional tests! :) My hope is that this addition will make it super-easy to run the functional tests under Valgrind and thus increase the probability of people making use of it :) Hopefully `test/functional/test_runner.py --valgrind` will become a natural part of the pre-release QA process. **Usage:** ``` $ test/functional/test_runner.py --help … --valgrind run nodes under the valgrind memory error detector: expect at least a ~10x slowdown, valgrind 3.14 or later required ``` **Live demo:** First, let's re-introduce a memory bug by reverting the recent P2P uninitialized read bug fix from PR bitcoin#17624 ("net: Fix an uninitialized read in ProcessMessage(…, "tx", …) when receiving a transaction we already have"). ``` $ git diff diff --git a/src/consensus/validation.h b/src/consensus/validation.h index 3401eb64c..940adea33 100644 --- a/src/consensus/validation.h +++ b/src/consensus/validation.h @@ -114,7 +114,7 @@ inline ValidationState::~ValidationState() {}; class TxValidationState : public ValidationState { private: - TxValidationResult m_result = TxValidationResult::TX_RESULT_UNSET; + TxValidationResult m_result; public: bool Invalid(TxValidationResult result, const std::string &reject_reason="", ``` Second, let's test as normal without Valgrind: ``` $ test/functional/p2p_segwit.py -l INFO 2019-11-28T09:30:42.810000Z TestFramework (INFO): Initializing test directory /tmp/bitcoin_func_test__fc8q3qo … 2019-11-28T09:31:57.187000Z TestFramework (INFO): Subtest: test_non_standard_witness_blinding (Segwit active = True) … 2019-11-28T09:32:08.265000Z TestFramework (INFO): Tests successful ``` Third, let's test with `--valgrind` and see if the test fail (as we expect) when the unitialized value is used: ``` $ test/functional/p2p_segwit.py -l INFO --valgrind 2019-11-28T09:32:33.018000Z TestFramework (INFO): Initializing test directory /tmp/bitcoin_func_test_gtjecx2l … 2019-11-28T09:40:36.702000Z TestFramework (INFO): Subtest: test_non_standard_witness_blinding (Segwit active = True) 2019-11-28T09:40:37.813000Z TestFramework (ERROR): Assertion failed ConnectionRefusedError: [Errno 111] Connection refused ``` ACKs for top commit: MarcoFalke: ACK 5db506b jonatack: ACK 5db506b Tree-SHA512: 2eaecacf4da166febad88b2a8ee6d7ac2bcd38d4c1892ca39516b6343e8f8c8814edf5eaf14c90f11a069a0389d24f0713076112ac284de987e72fc5f6cc3795
PastaPastaPasta
pushed a commit
to PastaPastaPasta/dash
that referenced
this pull request
Jun 4, 2021
…al tests under Valgrind 5db506b tests: Add option --valgrind to run nodes under valgrind in the functional tests (practicalswift) Pull request description: What is better than fixing bugs? Fixing entire bug classes of course! :) Add option `--valgrind` to run the functional tests under Valgrind. Regular functional testing under Valgrind would have caught many of the uninitialized reads we've seen historically. Let's kill this bug class once and for all: let's never use an uninitialized value ever again. Or at least not one that would be triggered by running the functional tests! :) My hope is that this addition will make it super-easy to run the functional tests under Valgrind and thus increase the probability of people making use of it :) Hopefully `test/functional/test_runner.py --valgrind` will become a natural part of the pre-release QA process. **Usage:** ``` $ test/functional/test_runner.py --help … --valgrind run nodes under the valgrind memory error detector: expect at least a ~10x slowdown, valgrind 3.14 or later required ``` **Live demo:** First, let's re-introduce a memory bug by reverting the recent P2P uninitialized read bug fix from PR bitcoin#17624 ("net: Fix an uninitialized read in ProcessMessage(…, "tx", …) when receiving a transaction we already have"). ``` $ git diff diff --git a/src/consensus/validation.h b/src/consensus/validation.h index 3401eb64c..940adea33 100644 --- a/src/consensus/validation.h +++ b/src/consensus/validation.h @@ -114,7 +114,7 @@ inline ValidationState::~ValidationState() {}; class TxValidationState : public ValidationState { private: - TxValidationResult m_result = TxValidationResult::TX_RESULT_UNSET; + TxValidationResult m_result; public: bool Invalid(TxValidationResult result, const std::string &reject_reason="", ``` Second, let's test as normal without Valgrind: ``` $ test/functional/p2p_segwit.py -l INFO 2019-11-28T09:30:42.810000Z TestFramework (INFO): Initializing test directory /tmp/bitcoin_func_test__fc8q3qo … 2019-11-28T09:31:57.187000Z TestFramework (INFO): Subtest: test_non_standard_witness_blinding (Segwit active = True) … 2019-11-28T09:32:08.265000Z TestFramework (INFO): Tests successful ``` Third, let's test with `--valgrind` and see if the test fail (as we expect) when the unitialized value is used: ``` $ test/functional/p2p_segwit.py -l INFO --valgrind 2019-11-28T09:32:33.018000Z TestFramework (INFO): Initializing test directory /tmp/bitcoin_func_test_gtjecx2l … 2019-11-28T09:40:36.702000Z TestFramework (INFO): Subtest: test_non_standard_witness_blinding (Segwit active = True) 2019-11-28T09:40:37.813000Z TestFramework (ERROR): Assertion failed ConnectionRefusedError: [Errno 111] Connection refused ``` ACKs for top commit: MarcoFalke: ACK 5db506b jonatack: ACK 5db506b Tree-SHA512: 2eaecacf4da166febad88b2a8ee6d7ac2bcd38d4c1892ca39516b6343e8f8c8814edf5eaf14c90f11a069a0389d24f0713076112ac284de987e72fc5f6cc3795 # Conflicts: # test/functional/test_framework/test_framework.py # test/functional/test_framework/test_node.py
vijaydasmp
pushed a commit
to vijaydasmp/dash
that referenced
this pull request
Apr 1, 2022
…al tests under Valgrind 5db506b tests: Add option --valgrind to run nodes under valgrind in the functional tests (practicalswift) Pull request description: What is better than fixing bugs? Fixing entire bug classes of course! :) Add option `--valgrind` to run the functional tests under Valgrind. Regular functional testing under Valgrind would have caught many of the uninitialized reads we've seen historically. Let's kill this bug class once and for all: let's never use an uninitialized value ever again. Or at least not one that would be triggered by running the functional tests! :) My hope is that this addition will make it super-easy to run the functional tests under Valgrind and thus increase the probability of people making use of it :) Hopefully `test/functional/test_runner.py --valgrind` will become a natural part of the pre-release QA process. **Usage:** ``` $ test/functional/test_runner.py --help … --valgrind run nodes under the valgrind memory error detector: expect at least a ~10x slowdown, valgrind 3.14 or later required ``` **Live demo:** First, let's re-introduce a memory bug by reverting the recent P2P uninitialized read bug fix from PR bitcoin#17624 ("net: Fix an uninitialized read in ProcessMessage(…, "tx", …) when receiving a transaction we already have"). ``` $ git diff diff --git a/src/consensus/validation.h b/src/consensus/validation.h index 3401eb64c..940adea33 100644 --- a/src/consensus/validation.h +++ b/src/consensus/validation.h @@ -114,7 +114,7 @@ inline ValidationState::~ValidationState() {}; class TxValidationState : public ValidationState { private: - TxValidationResult m_result = TxValidationResult::TX_RESULT_UNSET; + TxValidationResult m_result; public: bool Invalid(TxValidationResult result, const std::string &reject_reason="", ``` Second, let's test as normal without Valgrind: ``` $ test/functional/p2p_segwit.py -l INFO 2019-11-28T09:30:42.810000Z TestFramework (INFO): Initializing test directory /tmp/bitcoin_func_test__fc8q3qo … 2019-11-28T09:31:57.187000Z TestFramework (INFO): Subtest: test_non_standard_witness_blinding (Segwit active = True) … 2019-11-28T09:32:08.265000Z TestFramework (INFO): Tests successful ``` Third, let's test with `--valgrind` and see if the test fail (as we expect) when the unitialized value is used: ``` $ test/functional/p2p_segwit.py -l INFO --valgrind 2019-11-28T09:32:33.018000Z TestFramework (INFO): Initializing test directory /tmp/bitcoin_func_test_gtjecx2l … 2019-11-28T09:40:36.702000Z TestFramework (INFO): Subtest: test_non_standard_witness_blinding (Segwit active = True) 2019-11-28T09:40:37.813000Z TestFramework (ERROR): Assertion failed ConnectionRefusedError: [Errno 111] Connection refused ``` ACKs for top commit: MarcoFalke: ACK 5db506b jonatack: ACK 5db506b Tree-SHA512: 2eaecacf4da166febad88b2a8ee6d7ac2bcd38d4c1892ca39516b6343e8f8c8814edf5eaf14c90f11a069a0389d24f0713076112ac284de987e72fc5f6cc3795
vijaydasmp
pushed a commit
to vijaydasmp/dash
that referenced
this pull request
Apr 2, 2022
…al tests under Valgrind 5db506b tests: Add option --valgrind to run nodes under valgrind in the functional tests (practicalswift) Pull request description: What is better than fixing bugs? Fixing entire bug classes of course! :) Add option `--valgrind` to run the functional tests under Valgrind. Regular functional testing under Valgrind would have caught many of the uninitialized reads we've seen historically. Let's kill this bug class once and for all: let's never use an uninitialized value ever again. Or at least not one that would be triggered by running the functional tests! :) My hope is that this addition will make it super-easy to run the functional tests under Valgrind and thus increase the probability of people making use of it :) Hopefully `test/functional/test_runner.py --valgrind` will become a natural part of the pre-release QA process. **Usage:** ``` $ test/functional/test_runner.py --help … --valgrind run nodes under the valgrind memory error detector: expect at least a ~10x slowdown, valgrind 3.14 or later required ``` **Live demo:** First, let's re-introduce a memory bug by reverting the recent P2P uninitialized read bug fix from PR bitcoin#17624 ("net: Fix an uninitialized read in ProcessMessage(…, "tx", …) when receiving a transaction we already have"). ``` $ git diff diff --git a/src/consensus/validation.h b/src/consensus/validation.h index 3401eb64c..940adea33 100644 --- a/src/consensus/validation.h +++ b/src/consensus/validation.h @@ -114,7 +114,7 @@ inline ValidationState::~ValidationState() {}; class TxValidationState : public ValidationState { private: - TxValidationResult m_result = TxValidationResult::TX_RESULT_UNSET; + TxValidationResult m_result; public: bool Invalid(TxValidationResult result, const std::string &reject_reason="", ``` Second, let's test as normal without Valgrind: ``` $ test/functional/p2p_segwit.py -l INFO 2019-11-28T09:30:42.810000Z TestFramework (INFO): Initializing test directory /tmp/bitcoin_func_test__fc8q3qo … 2019-11-28T09:31:57.187000Z TestFramework (INFO): Subtest: test_non_standard_witness_blinding (Segwit active = True) … 2019-11-28T09:32:08.265000Z TestFramework (INFO): Tests successful ``` Third, let's test with `--valgrind` and see if the test fail (as we expect) when the unitialized value is used: ``` $ test/functional/p2p_segwit.py -l INFO --valgrind 2019-11-28T09:32:33.018000Z TestFramework (INFO): Initializing test directory /tmp/bitcoin_func_test_gtjecx2l … 2019-11-28T09:40:36.702000Z TestFramework (INFO): Subtest: test_non_standard_witness_blinding (Segwit active = True) 2019-11-28T09:40:37.813000Z TestFramework (ERROR): Assertion failed ConnectionRefusedError: [Errno 111] Connection refused ``` ACKs for top commit: MarcoFalke: ACK 5db506b jonatack: ACK 5db506b Tree-SHA512: 2eaecacf4da166febad88b2a8ee6d7ac2bcd38d4c1892ca39516b6343e8f8c8814edf5eaf14c90f11a069a0389d24f0713076112ac284de987e72fc5f6cc3795
vijaydasmp
pushed a commit
to vijaydasmp/dash
that referenced
this pull request
Apr 3, 2022
…al tests under Valgrind 5db506b tests: Add option --valgrind to run nodes under valgrind in the functional tests (practicalswift) Pull request description: What is better than fixing bugs? Fixing entire bug classes of course! :) Add option `--valgrind` to run the functional tests under Valgrind. Regular functional testing under Valgrind would have caught many of the uninitialized reads we've seen historically. Let's kill this bug class once and for all: let's never use an uninitialized value ever again. Or at least not one that would be triggered by running the functional tests! :) My hope is that this addition will make it super-easy to run the functional tests under Valgrind and thus increase the probability of people making use of it :) Hopefully `test/functional/test_runner.py --valgrind` will become a natural part of the pre-release QA process. **Usage:** ``` $ test/functional/test_runner.py --help … --valgrind run nodes under the valgrind memory error detector: expect at least a ~10x slowdown, valgrind 3.14 or later required ``` **Live demo:** First, let's re-introduce a memory bug by reverting the recent P2P uninitialized read bug fix from PR bitcoin#17624 ("net: Fix an uninitialized read in ProcessMessage(…, "tx", …) when receiving a transaction we already have"). ``` $ git diff diff --git a/src/consensus/validation.h b/src/consensus/validation.h index 3401eb64c..940adea33 100644 --- a/src/consensus/validation.h +++ b/src/consensus/validation.h @@ -114,7 +114,7 @@ inline ValidationState::~ValidationState() {}; class TxValidationState : public ValidationState { private: - TxValidationResult m_result = TxValidationResult::TX_RESULT_UNSET; + TxValidationResult m_result; public: bool Invalid(TxValidationResult result, const std::string &reject_reason="", ``` Second, let's test as normal without Valgrind: ``` $ test/functional/p2p_segwit.py -l INFO 2019-11-28T09:30:42.810000Z TestFramework (INFO): Initializing test directory /tmp/bitcoin_func_test__fc8q3qo … 2019-11-28T09:31:57.187000Z TestFramework (INFO): Subtest: test_non_standard_witness_blinding (Segwit active = True) … 2019-11-28T09:32:08.265000Z TestFramework (INFO): Tests successful ``` Third, let's test with `--valgrind` and see if the test fail (as we expect) when the unitialized value is used: ``` $ test/functional/p2p_segwit.py -l INFO --valgrind 2019-11-28T09:32:33.018000Z TestFramework (INFO): Initializing test directory /tmp/bitcoin_func_test_gtjecx2l … 2019-11-28T09:40:36.702000Z TestFramework (INFO): Subtest: test_non_standard_witness_blinding (Segwit active = True) 2019-11-28T09:40:37.813000Z TestFramework (ERROR): Assertion failed ConnectionRefusedError: [Errno 111] Connection refused ``` ACKs for top commit: MarcoFalke: ACK 5db506b jonatack: ACK 5db506b Tree-SHA512: 2eaecacf4da166febad88b2a8ee6d7ac2bcd38d4c1892ca39516b6343e8f8c8814edf5eaf14c90f11a069a0389d24f0713076112ac284de987e72fc5f6cc3795
kwvg
pushed a commit
to kwvg/dash
that referenced
this pull request
Apr 5, 2022
…al tests under Valgrind 5db506b tests: Add option --valgrind to run nodes under valgrind in the functional tests (practicalswift) Pull request description: What is better than fixing bugs? Fixing entire bug classes of course! :) Add option `--valgrind` to run the functional tests under Valgrind. Regular functional testing under Valgrind would have caught many of the uninitialized reads we've seen historically. Let's kill this bug class once and for all: let's never use an uninitialized value ever again. Or at least not one that would be triggered by running the functional tests! :) My hope is that this addition will make it super-easy to run the functional tests under Valgrind and thus increase the probability of people making use of it :) Hopefully `test/functional/test_runner.py --valgrind` will become a natural part of the pre-release QA process. **Usage:** ``` $ test/functional/test_runner.py --help … --valgrind run nodes under the valgrind memory error detector: expect at least a ~10x slowdown, valgrind 3.14 or later required ``` **Live demo:** First, let's re-introduce a memory bug by reverting the recent P2P uninitialized read bug fix from PR bitcoin#17624 ("net: Fix an uninitialized read in ProcessMessage(…, "tx", …) when receiving a transaction we already have"). ``` $ git diff diff --git a/src/consensus/validation.h b/src/consensus/validation.h index 3401eb64c..940adea33 100644 --- a/src/consensus/validation.h +++ b/src/consensus/validation.h @@ -114,7 +114,7 @@ inline ValidationState::~ValidationState() {}; class TxValidationState : public ValidationState { private: - TxValidationResult m_result = TxValidationResult::TX_RESULT_UNSET; + TxValidationResult m_result; public: bool Invalid(TxValidationResult result, const std::string &reject_reason="", ``` Second, let's test as normal without Valgrind: ``` $ test/functional/p2p_segwit.py -l INFO 2019-11-28T09:30:42.810000Z TestFramework (INFO): Initializing test directory /tmp/bitcoin_func_test__fc8q3qo … 2019-11-28T09:31:57.187000Z TestFramework (INFO): Subtest: test_non_standard_witness_blinding (Segwit active = True) … 2019-11-28T09:32:08.265000Z TestFramework (INFO): Tests successful ``` Third, let's test with `--valgrind` and see if the test fail (as we expect) when the unitialized value is used: ``` $ test/functional/p2p_segwit.py -l INFO --valgrind 2019-11-28T09:32:33.018000Z TestFramework (INFO): Initializing test directory /tmp/bitcoin_func_test_gtjecx2l … 2019-11-28T09:40:36.702000Z TestFramework (INFO): Subtest: test_non_standard_witness_blinding (Segwit active = True) 2019-11-28T09:40:37.813000Z TestFramework (ERROR): Assertion failed ConnectionRefusedError: [Errno 111] Connection refused ``` ACKs for top commit: MarcoFalke: ACK 5db506b jonatack: ACK 5db506b Tree-SHA512: 2eaecacf4da166febad88b2a8ee6d7ac2bcd38d4c1892ca39516b6343e8f8c8814edf5eaf14c90f11a069a0389d24f0713076112ac284de987e72fc5f6cc3795
kwvg
pushed a commit
to kwvg/dash
that referenced
this pull request
Apr 5, 2022
…al tests under Valgrind 5db506b tests: Add option --valgrind to run nodes under valgrind in the functional tests (practicalswift) Pull request description: What is better than fixing bugs? Fixing entire bug classes of course! :) Add option `--valgrind` to run the functional tests under Valgrind. Regular functional testing under Valgrind would have caught many of the uninitialized reads we've seen historically. Let's kill this bug class once and for all: let's never use an uninitialized value ever again. Or at least not one that would be triggered by running the functional tests! :) My hope is that this addition will make it super-easy to run the functional tests under Valgrind and thus increase the probability of people making use of it :) Hopefully `test/functional/test_runner.py --valgrind` will become a natural part of the pre-release QA process. **Usage:** ``` $ test/functional/test_runner.py --help … --valgrind run nodes under the valgrind memory error detector: expect at least a ~10x slowdown, valgrind 3.14 or later required ``` **Live demo:** First, let's re-introduce a memory bug by reverting the recent P2P uninitialized read bug fix from PR bitcoin#17624 ("net: Fix an uninitialized read in ProcessMessage(…, "tx", …) when receiving a transaction we already have"). ``` $ git diff diff --git a/src/consensus/validation.h b/src/consensus/validation.h index 3401eb64c..940adea33 100644 --- a/src/consensus/validation.h +++ b/src/consensus/validation.h @@ -114,7 +114,7 @@ inline ValidationState::~ValidationState() {}; class TxValidationState : public ValidationState { private: - TxValidationResult m_result = TxValidationResult::TX_RESULT_UNSET; + TxValidationResult m_result; public: bool Invalid(TxValidationResult result, const std::string &reject_reason="", ``` Second, let's test as normal without Valgrind: ``` $ test/functional/p2p_segwit.py -l INFO 2019-11-28T09:30:42.810000Z TestFramework (INFO): Initializing test directory /tmp/bitcoin_func_test__fc8q3qo … 2019-11-28T09:31:57.187000Z TestFramework (INFO): Subtest: test_non_standard_witness_blinding (Segwit active = True) … 2019-11-28T09:32:08.265000Z TestFramework (INFO): Tests successful ``` Third, let's test with `--valgrind` and see if the test fail (as we expect) when the unitialized value is used: ``` $ test/functional/p2p_segwit.py -l INFO --valgrind 2019-11-28T09:32:33.018000Z TestFramework (INFO): Initializing test directory /tmp/bitcoin_func_test_gtjecx2l … 2019-11-28T09:40:36.702000Z TestFramework (INFO): Subtest: test_non_standard_witness_blinding (Segwit active = True) 2019-11-28T09:40:37.813000Z TestFramework (ERROR): Assertion failed ConnectionRefusedError: [Errno 111] Connection refused ``` ACKs for top commit: MarcoFalke: ACK 5db506b jonatack: ACK 5db506b Tree-SHA512: 2eaecacf4da166febad88b2a8ee6d7ac2bcd38d4c1892ca39516b6343e8f8c8814edf5eaf14c90f11a069a0389d24f0713076112ac284de987e72fc5f6cc3795
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fix an uninitialized read in
ProcessMessage(…, "tx", …)when receiving a transaction we already have.The uninitialized value is read and used on L2526 in the case of
AlreadyHave(inv) == true.Proof of concept being run against a
bitcoindbuilt with MemorySanitizer (-fsanitize=memory):Proof of concept being run against a
bitcoindrunning under Valgrind (valgrind --exit-on-first-error):Proof of concept script:
Note that the transaction in the proof of concept is the simplest possible, but really any transaction can be used. It does not have to be a valid transaction.
This bug was introduced in #15921 ("validation: Tidy up ValidationState interface") which was merged in to
master28 days ago.Luckily this bug was caught before being part of any Bitcoin Core release :)