Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Signed integer overflow in CTxMemPool::PrioritiseTransaction(…) reachable via RPC call prioritisetransaction #20626

Closed
practicalswift opened this issue Dec 11, 2020 · 6 comments · Fixed by #23418
Closed

Signed integer overflow in CTxMemPool::PrioritiseTransaction(…) reachable via RPC call prioritisetransaction #20626

practicalswift opened this issue Dec 11, 2020 · 6 comments · Fixed by #23418

Comments

@practicalswift
Copy link
Contributor

practicalswift commented Dec 11, 2020
edited

While fuzzing the RPC interface I stumbled upon a signed integer overflow in CTxMemPool::PrioritiseTransaction(…) which is reachable via the following two prioritisetransaction RPC calls:

$ ./autogen.sh
$ CC=clang CXX=clang++ ./configure --with-sanitizers=address,undefined
$ make
$ UBSAN_OPTIONS="print_stacktrace=1" src/bitcoind &
$ src/bitcoin-cli prioritisetransaction cafebabecafebabecafebabecafebabecafebabecafebabecafebabecafebabe 0 -9123456789123456789
$ src/bitcoin-cli prioritisetransaction cafebabecafebabecafebabecafebabecafebabecafebabecafebabecafebabe 0 -9123456789123456789
txmempool.cpp:832:15: runtime error: signed integer overflow: -9123456789123456789 + -9123456789123456789 cannot be represented in type 'long'
    #0 0x5581f3e69c3c in CTxMemPool::PrioritiseTransaction(uint256 const&, long const&) src/txmempool.cpp:832:15
    #1 0x5581f3c93852 in prioritisetransaction()::$_6::operator()(RPCHelpMan const&, JSONRPCRequest const&) const src/rpc/mining.cpp:470:36
…

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior txmempool.cpp:832:15

Nothing high priority of course, but still worth fixing :)
@mjdietzx
Copy link
Contributor

Huh, I haven't been able to reproduce this. Tried with the build steps you list, but didn't see any errors:

$ src/bitcoin-cli prioritisetransaction cafebabecafebabecafebabecafebabecafebabecafebabecafebabecafebabe 0 -9123456789123456789
true
$ src/bitcoin-cli prioritisetransaction cafebabecafebabecafebabecafebabecafebabecafebabecafebabecafebabe 0 -9123456789123456789
true

Also, should I be able to write a failing functional test? I've tried a few different things with no errors. ie:

txid = wallet.send_self_transfer(from_node=self.nodes[0])['txid']
self.nodes[0].prioritisetransaction(txid=txid, fee_delta=-9123456789123456789)
self.nodes[0].prioritisetransaction(txid=txid, fee_delta=-9123456789123456789)

or:

txid = wallet.send_self_transfer(from_node=self.nodes[0])['txid']
self.nodes[0].prioritisetransaction(txid='cafebabecafebabecafebabecafebabecafebabecafebabecafebabecafebabe', fee_delta=-9123456789123456789)
self.nodes[0].prioritisetransaction(txid='cafebabecafebabecafebabecafebabecafebabecafebabecafebabecafebabe', fee_delta=-9123456789123456789)

prioritisetransaction returns True with no errors in both of those cases

@practicalswift
Copy link
Contributor Author

@mjdietzx Oh, that's weird! I just re-tried against current master using the commands below and was able to reproduce. Could you re-try using the commands below? What version of Clang are you using?

$ git clone https://github.com/bitcoin/bitcoin
$ cd bitcoin/
$ ./autogen.sh
$ CC=clang CXX=clang++ ./configure --with-sanitizers=address,undefined --disable-wallet
$ make
$ UBSAN_OPTIONS="print_stacktrace=1" src/bitcoind -regtest &
$ src/bitcoin-cli -regtest prioritisetransaction cafebabecafebabecafebabecafebabecafebabecafebabecafebabecafebabe 0 -9123456789123456789
$ src/bitcoin-cli -regtest prioritisetransaction cafebabecafebabecafebabecafebabecafebabecafebabecafebabecafebabe 0 -9123456789123456789
txmempool.cpp:832:15: runtime error: signed integer overflow: -8723795798198180713 + -9123456789123456789 cannot be represented in type 'long'

@jonatack
Copy link
Contributor

Reproduced on current master @ 7b97563

$ clang --version
clang version 9.0.1-15+b1 
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/bin
debug log output

2021-01-12T23:52:08Z PrioritiseTransaction: cafebabecafebabecafebabecafebabecafebabecafebabecafebabecafebabe feerate += -91234567891.23456789
txmempool.cpp:832:15: runtime error: signed integer overflow: -9123456789123456789 + -9123456789123456789 cannot be represented in type 'long'
    #0 0x5624c3cb287c in CTxMemPool::PrioritiseTransaction(uint256 const&, long const&) /home/jon/projects/bitcoin/bitcoin/src/txmempool.cpp:832:15
    #1 0x5624c3a69eb8 in prioritisetransaction()::$_6::operator()(RPCHelpMan const&, JSONRPCRequest const&) const /home/jon/projects/bitcoin/bitcoin/src/rpc/mining.cpp:470:36
    #2 0x5624c3a69eb8 in UniValue std::__invoke_impl<UniValue, prioritisetransaction()::$_6&, RPCHelpMan const&, JSONRPCRequest const&>(std::__invoke_other, prioritisetransaction()::$_6&, RPCHelpMan const&, JSONRPCRequest const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/invoke.h:60:14
    #3 0x5624c3a69a88 in std::enable_if<is_invocable_r_v<UniValue, prioritisetransaction()::$_6&, RPCHelpMan const&, JSONRPCRequest const&>, UniValue>::type std::__invoke_r<UniValue, prioritisetransaction()::$_6&, RPCHelpMan const&, JSONRPCRequest const&>(prioritisetransaction()::$_6&, RPCHelpMan const&, JSONRPCRequest const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/invoke.h:113:9
    #4 0x5624c3a696af in std::_Function_handler<UniValue (RPCHelpMan const&, JSONRPCRequest const&), prioritisetransaction()::$_6>::_M_invoke(std::_Any_data const&, RPCHelpMan const&, JSONRPCRequest const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/std_function.h:291:9
    #5 0x5624c3966ff8 in std::function<UniValue (RPCHelpMan const&, JSONRPCRequest const&)>::operator()(RPCHelpMan const&, JSONRPCRequest const&) const /usr/bin/../lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/std_function.h:622:14
    #6 0x5624c3965f88 in RPCHelpMan::HandleRequest(JSONRPCRequest const&) /home/jon/projects/bitcoin/bitcoin/src/./rpc/util.h:342:16
    #7 0x5624c3a09034 in CRPCCommand::CRPCCommand(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, RPCHelpMan (*)(), std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >)::'lambda'(JSONRPCRequest const&, UniValue&, bool)::operator()(JSONRPCRequest const&, UniValue&, bool) const /home/jon/projects/bitcoin/bitcoin/src/./rpc/server.h:110:91
    #8 0x5624c3a08d97 in bool std::__invoke_impl<bool, CRPCCommand::CRPCCommand(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, RPCHelpMan (*)(), std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >)::'lambda'(JSONRPCRequest const&, UniValue&, bool)&, JSONRPCRequest const&, UniValue&, bool>(std::__invoke_other, CRPCCommand::CRPCCommand(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, RPCHelpMan (*)(), std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >)::'lambda'(JSONRPCRequest const&, UniValue&, bool)&, JSONRPCRequest const&, UniValue&, bool&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/invoke.h:60:14
    #9 0x5624c3a08b82 in std::enable_if<is_invocable_r_v<bool, CRPCCommand::CRPCCommand(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, RPCHelpMan (*)(), std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >)::'lambda'(JSONRPCRequest const&, UniValue&, bool)&, JSONRPCRequest const&, UniValue&, bool>, bool>::type std::__invoke_r<bool, CRPCCommand::CRPCCommand(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, RPCHelpMan (*)(), std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >)::'lambda'(JSONRPCRequest const&, UniValue&, bool)&, JSONRPCRequest const&, UniValue&, bool>(CRPCCommand::CRPCCommand(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, RPCHelpMan (*)(), std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >)::'lambda'(JSONRPCRequest const&, UniValue&, bool)&, JSONRPCRequest const&, UniValue&, bool&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/invoke.h:113:9
    #10 0x5624c3a086f7 in std::_Function_handler<bool (JSONRPCRequest const&, UniValue&, bool), CRPCCommand::CRPCCommand(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, RPCHelpMan (*)(), std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >)::'lambda'(JSONRPCRequest const&, UniValue&, bool)>::_M_invoke(std::_Any_data const&, JSONRPCRequest const&, UniValue&, bool&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/std_function.h:291:9
    #11 0x5624c37fe486 in std::function<bool (JSONRPCRequest const&, UniValue&, bool)>::operator()(JSONRPCRequest const&, UniValue&, bool) const /usr/bin/../lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/std_function.h:622:14
    #12 0x5624c3ba61ec in ExecuteCommand(CRPCCommand const&, JSONRPCRequest const&, UniValue&, bool) /home/jon/projects/bitcoin/bitcoin/src/rpc/server.cpp:466:20
    #13 0x5624c3ba5ac0 in CRPCTable::execute(JSONRPCRequest const&) const /home/jon/projects/bitcoin/bitcoin/src/rpc/server.cpp:449:17
    #14 0x5624c3ef9471 in HTTPReq_JSONRPC(util::Ref const&, HTTPRequest*) /home/jon/projects/bitcoin/bitcoin/src/httprpc.cpp:201:40
    #15 0x5624c3ef8b9e in StartHTTPRPC(util::Ref const&)::$_0::operator()(HTTPRequest*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) const /home/jon/projects/bitcoin/bitcoin/src/httprpc.cpp:297:81
    #16 0x5624c3ef8b9e in bool std::__invoke_impl<bool, StartHTTPRPC(util::Ref const&)::$_0&, HTTPRequest*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&>(std::__invoke_other, StartHTTPRPC(util::Ref const&)::$_0&, HTTPRequest*&&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/invoke.h:60:14
    #17 0x5624c3ef897e in std::enable_if<is_invocable_r_v<bool, StartHTTPRPC(util::Ref const&)::$_0&, HTTPRequest*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&>, bool>::type std::__invoke_r<bool, StartHTTPRPC(util::Ref const&)::$_0&, HTTPRequest*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&>(StartHTTPRPC(util::Ref const&)::$_0&, HTTPRequest*&&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/invoke.h:113:9
    #18 0x5624c3ef84ee in std::_Function_handler<bool (HTTPRequest*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&), StartHTTPRPC(util::Ref const&)::$_0>::_M_invoke(std::_Any_data const&, HTTPRequest*&&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/std_function.h:291:9
    #19 0x5624c3f1d640 in std::function<bool (HTTPRequest*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)>::operator()(HTTPRequest*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) const /usr/bin/../lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/std_function.h:622:14
    #20 0x5624c3f1d258 in HTTPWorkItem::operator()() /home/jon/projects/bitcoin/bitcoin/src/httpserver.cpp:49:9
    #21 0x5624c3f27cbc in WorkQueue<HTTPClosure>::Run() /home/jon/projects/bitcoin/bitcoin/src/httpserver.cpp:108:13
    #22 0x5624c3f0deb3 in HTTPWorkQueueRun(WorkQueue<HTTPClosure>*, int) /home/jon/projects/bitcoin/bitcoin/src/httpserver.cpp:336:12
    #23 0x5624c3f2e880 in void std::__invoke_impl<void, void (*)(WorkQueue<HTTPClosure>*, int), WorkQueue<HTTPClosure>*, int>(std::__invoke_other, void (*&&)(WorkQueue<HTTPClosure>*, int), WorkQueue<HTTPClosure>*&&, int&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/invoke.h:60:14
    #24 0x5624c3f2e70e in std::__invoke_result<void (*)(WorkQueue<HTTPClosure>*, int), WorkQueue<HTTPClosure>*, int>::type std::__invoke<void (*)(WorkQueue<HTTPClosure>*, int), WorkQueue<HTTPClosure>*, int>(void (*&&)(WorkQueue<HTTPClosure>*, int), WorkQueue<HTTPClosure>*&&, int&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/invoke.h:95:14
    #25 0x5624c3f2e4d5 in void std::thread::_Invoker<std::tuple<void (*)(WorkQueue<HTTPClosure>*, int), WorkQueue<HTTPClosure>*, int> >::_M_invoke<0ul, 1ul, 2ul>(std::_Index_tuple<0ul, 1ul, 2ul>) /usr/bin/../lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/thread:264:13
    #26 0x5624c3f2deb5 in std::thread::_Invoker<std::tuple<void (*)(WorkQueue<HTTPClosure>*, int), WorkQueue<HTTPClosure>*, int> >::operator()() /usr/bin/../lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/thread:271:11
    #27 0x5624c3f2deb5 in std::thread::_State_impl<std::thread::_Invoker<std::tuple<void (*)(WorkQueue<HTTPClosure>*, int), WorkQueue<HTTPClosure>*, int> > >::_M_run() /usr/bin/../lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/thread:215:13
    #28 0x7fc51f0c9ecf  (/lib/x86_64-linux-gnu/libstdc++.so.6+0xceecf)
    #29 0x7fc51f34fea6 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8ea6)
    #30 0x7fc51edc2dee in clone (/lib/x86_64-linux-gnu/libc.so.6+0xfddee)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior txmempool.cpp:832:15 in 
2021-01-12T23:52:19Z PrioritiseTransaction: cafebabecafebabecafebabecafebabecafebabecafebabecafebabecafebabe feerate += -91234567891.23456789

@maflcko
Copy link
Member

maflcko commented Jan 14, 2021

Fixed in #20383

@practicalswift practicalswift mentioned this issue Apr 4, 2021
Merged
maflcko pushed a commit to maflcko/bitcoin-core that referenced this issue Apr 5, 2021
Merge bitcoin#21599: test: Replace file level integer overflow suppre…
824eea5 
…ssion with function level suppression

585854a test: Replace blanket UBSan signed integer overflow suppression for txmempool.cpp with specific suppression (practicalswift)

Pull request description:

  Replace file level (`txmempool.cpp`) signed integer overflow suppression with function level suppression (`CTxMemPool::PrioritiseTransaction`). The suppression was added yesterday in bitcoin#21586.

  Rationale: To avoid risk hiding other signed integer overflows in `txmempool.cpp`.

  Obviously it would be better if this signed integer overflow fixed instead of suppressed - see details bitcoin#20626. Any taker? :)

  To hit the issue via fuzzing:

  ```
  $ UBSAN_OPTIONS="print_stacktrace=1:halt_on_error=1:report_error_type=1" FUZZ=validation_load_mempool src/test/fuzz/fuzz
  INFO: Seed: 1184244493
  INFO: Loaded 1 modules   (634418 inline 8-bit counters): 634418 [0x55a09fdfbf98, 0x55a09fe96dca),
  INFO: Loaded 1 PC tables (634418 PCs): 634418 [0x55a09fe96dd0,0x55a0a08450f0),
  INFO:     1264 files found in mempool/
  INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 1040698 bytes
  INFO: seed corpus: files: 1264 min: 1b max: 1040698b total: 15997133b rss: 197Mb
  txmempool.cpp:847:15: runtime error: signed integer overflow: -7211388903327006720 + -7211353718954917888 cannot be represented in type 'long'
      #0 0x55a09c3ce2d8 in CTxMemPool::PrioritiseTransaction(uint256 const&, long const&) /home/thomas/bitcoin/src/txmempool.cpp:847:15
  ```

ACKs for top commit:
  JeremyRubin:
    utACK 585854a
  hebasto:
    ACK 585854a, I have reviewed the code and it looks OK, I agree it can be merged.

Tree-SHA512: 5a343f028c1e1a1aba3b51a0eced605849184891ffafecb3cd2b424c6cfea01afd7c2672274936b0bac646075ec066408a570bf6b34bc9b87399a53ce20d8a23
@maflcko
Copy link
Member

maflcko commented Apr 6, 2021

Looks like fuzzing with -ftrapv will currently fail due to this

@maflcko
Copy link
Member

maflcko commented May 10, 2021

See also https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34146

@maflcko maflcko mentioned this issue May 10, 2021
Closed
@maflcko maflcko mentioned this issue Nov 2, 2021
Merged
maflcko pushed a commit that referenced this issue Jun 27, 2022
Merge #23418: Fix signed integer overflow in prioritisetransaction RPC
dde7205 
fa07f84 Fix signed integer overflow in prioritisetransaction RPC (MarcoFalke)
fa52cf8 refactor: Replace feeDelta by m_modified_fee (MarcoFalke)

Pull request description:

  Signed integer overflow is UB in theory, but not in practice. Still,
  it would be nice to avoid this UB to allow Bitcoin Core to be
  compiled with sanitizers such as `-ftrapv` or ubsan.

  It is impossible to predict when and if an overflow occurs, since
  the overflow caused by a prioritisetransaction RPC might only be
  later hit when descendant txs are added to the mempool.
  Since it is impossible to predict reliably, leave it up to the user
  to use the RPC endpoint responsibly, considering their mempool
  limits and usage patterns.

  Fixes: #20626
  Fixes: #20383
  Fixes: #19278
  Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34146 / https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47132

  ## Steps to reproduce

  Build the code without the changes in this pull.

  Make sure to pass the sanitizer flag:

  ```
  ./autogen.sh && ./configure --with-sanitizers=signed-integer-overflow && make clean && make -j $(nproc)
  ```

  ### Reproduce on RPC

  ```
  ./src/bitcoind -chain=regtest -noprinttoconsole &
  ./src/bitcoin-cli -chain=regtest prioritisetransaction 00000000deadbeef00000000deadbeef00000000deadbeef00000000deadbeef 0 9123456789123456789
  ./src/bitcoin-cli -chain=regtest prioritisetransaction 00000000deadbeef00000000deadbeef00000000deadbeef00000000deadbeef 0 9123456789123456789
  |> txmempool.cpp:920:15: runtime error: signed integer overflow: 9123456789123456789 + 9123456789123456789 cannot be represented in type 'long int'

  ./src/bitcoin-cli -chain=regtest stop
  ```

  ### By fuzzing

  ```
  wget https://github.com/bitcoin/bitcoin/files/8921302/clusterfuzz-testcase-minimized-validation_load_mempool-5599531390074880.bin.txt
  FUZZ=validation_load_mempool ./src/test/fuzz/fuzz ./clusterfuzz-testcase-minimized-validation_load_mempool-5599531390074880.bin.txt
  |> txmempool.cpp:920:15: runtime error: signed integer overflow: 7214801925397553184 + 2314885530818453536 cannot be represented in type 'long int'
  |> validation_load_mempool: succeeded against 1 files in 0s.

ACKs for top commit:
  vasild:
    ACK fa07f84
  dunxen:
    ACK fa07f84
  LarryRuane:
    ACK fa07f84

Tree-SHA512: 4a357950af55a49c9113da0a50c2e743c5b752f0514dd8d16cd92bfde2f77dd0ef56aa98452626df6f7f7a5b51d1227021f6bc94091201a179f0d488ee32a0df
sidhujag pushed a commit to syscoin/syscoin that referenced this issue Jun 27, 2022
Merge bitcoin#23418: Fix signed integer overflow in prioritisetransac…
758481e 
…tion RPC

fa07f84 Fix signed integer overflow in prioritisetransaction RPC (MarcoFalke)
fa52cf8 refactor: Replace feeDelta by m_modified_fee (MarcoFalke)

Pull request description:

  Signed integer overflow is UB in theory, but not in practice. Still,
  it would be nice to avoid this UB to allow Bitcoin Core to be
  compiled with sanitizers such as `-ftrapv` or ubsan.

  It is impossible to predict when and if an overflow occurs, since
  the overflow caused by a prioritisetransaction RPC might only be
  later hit when descendant txs are added to the mempool.
  Since it is impossible to predict reliably, leave it up to the user
  to use the RPC endpoint responsibly, considering their mempool
  limits and usage patterns.

  Fixes: bitcoin#20626
  Fixes: bitcoin#20383
  Fixes: bitcoin#19278
  Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34146 / https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47132

  ## Steps to reproduce

  Build the code without the changes in this pull.

  Make sure to pass the sanitizer flag:

  ```
  ./autogen.sh && ./configure --with-sanitizers=signed-integer-overflow && make clean && make -j $(nproc)
  ```

  ### Reproduce on RPC

  ```
  ./src/bitcoind -chain=regtest -noprinttoconsole &
  ./src/bitcoin-cli -chain=regtest prioritisetransaction 00000000deadbeef00000000deadbeef00000000deadbeef00000000deadbeef 0 9123456789123456789
  ./src/bitcoin-cli -chain=regtest prioritisetransaction 00000000deadbeef00000000deadbeef00000000deadbeef00000000deadbeef 0 9123456789123456789
  |> txmempool.cpp:920:15: runtime error: signed integer overflow: 9123456789123456789 + 9123456789123456789 cannot be represented in type 'long int'

  ./src/bitcoin-cli -chain=regtest stop
  ```

  ### By fuzzing

  ```
  wget https://github.com/bitcoin/bitcoin/files/8921302/clusterfuzz-testcase-minimized-validation_load_mempool-5599531390074880.bin.txt
  FUZZ=validation_load_mempool ./src/test/fuzz/fuzz ./clusterfuzz-testcase-minimized-validation_load_mempool-5599531390074880.bin.txt
  |> txmempool.cpp:920:15: runtime error: signed integer overflow: 7214801925397553184 + 2314885530818453536 cannot be represented in type 'long int'
  |> validation_load_mempool: succeeded against 1 files in 0s.

ACKs for top commit:
  vasild:
    ACK fa07f84
  dunxen:
    ACK fa07f84
  LarryRuane:
    ACK fa07f84

Tree-SHA512: 4a357950af55a49c9113da0a50c2e743c5b752f0514dd8d16cd92bfde2f77dd0ef56aa98452626df6f7f7a5b51d1227021f6bc94091201a179f0d488ee32a0df
@bitcoin bitcoin locked and limited conversation to collaborators Oct 30, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix signed integer overflow in prioritisetransaction RPC maflcko/bitcoin-core
5 participants
@jonatack @maflcko @mjdietzx @practicalswift and others