-
Notifications
You must be signed in to change notification settings - Fork 35.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
addrman serialize: nNew was wrong, oh ow #22450
Comments
Another win for fuzzing, oh wow. |
cc @vasild |
Fuzzer rulez! |
The repositioning/rebucketing approach of I don't know the exact bug that leads to this internal addrman inconsistency, but this loop seems suspect to me:
If the same I2P address appears in multiple new buckets, then the first time this loop finds that address, it'll update the port and reposition it in that bucket. Any subsequent times that the address is encountered, it will already have had its port updated so the inner loop will
I'm not sure whether this is the exact cause of this assert, but it seems like it could at least lead to inconsistencies. That's always a risk when reaching into the internal data structures of a complex class like addrman. |
More crashes:
|
This is what the fuzzed addrman data produces at the end of
After
After
Later TODO:
I considered this approach and ditched it for some reason, but I do not remember why :/ It could have been that deleting an entry has to be done again by fiddling directly with the internal structures and was about as complicated as the current code. Will look at this again. |
Maybe related: #22362 |
Just for reference, attaching the fuzzer input to reproduce the problem that is reported in the OP/description of this issue. clusterfuzz-testcase-minimized-addrman_deserialize-5090634410098688.log |
In `CAddrMan::ResetI2PPorts()`, if an I2P address is found in two or more "new" buckets, our first encounter of it would change the port to 0 and re-position it within that "new" bucket. The `CAddrInfo` object is shared between all occurrences of an address in all "new" buckets. So subsequent encounters of that address will see the `CAddrInfo` already with port 0 and will skip re-positioning. To fix that, check and re-position if necessary even for I2P entries with port 0. Fixes bitcoin#22450 (comment)
Fix pending at #22455 |
Reproduced on my old laptop with the addrman_deserialize fuzzer
|
…g unserialization 816f29e addrman: detect on-disk corrupted nNew and nTried during unserialization (Vasil Dimov) Pull request description: Negative `nNew` or `nTried` are not possible during normal operation. So, if we read such values during unserialize, report addrman corruption. Fixes #22450 ACKs for top commit: MarcoFalke: cr ACK 816f29e jonatack: ACK 816f29e lsilva01: Code Review ACK 816f29e. This change provides a more accurate description of the error. Tree-SHA512: 01bdd72d2d86a0ef770a319fee995fd1e147b24a8db84ddb8cd121688e7f94fed73fddc0084758e7183c4f8d08e971f0b1b224f5adb10928a5aa4dbbc8709d74
Negative `nNew` or `nTried` are not possible during normal operation. So, if we read such values during unserialize, report addrman corruption. Fixes bitcoin/bitcoin#22450
Negative `nNew` or `nTried` are not possible during normal operation. So, if we read such values during unserialize, report addrman corruption. Fixes bitcoin/bitcoin#22450
Negative `nNew` or `nTried` are not possible during normal operation. So, if we read such values during unserialize, report addrman corruption. Fixes bitcoin#22450
…d during unserialization 816f29e addrman: detect on-disk corrupted nNew and nTried during unserialization (Vasil Dimov) Pull request description: Negative `nNew` or `nTried` are not possible during normal operation. So, if we read such values during unserialize, report addrman corruption. Fixes bitcoin#22450 ACKs for top commit: MarcoFalke: cr ACK 816f29e jonatack: ACK 816f29e lsilva01: Code Review ACK bitcoin@816f29e. This change provides a more accurate description of the error. Tree-SHA512: 01bdd72d2d86a0ef770a319fee995fd1e147b24a8db84ddb8cd121688e7f94fed73fddc0084758e7183c4f8d08e971f0b1b224f5adb10928a5aa4dbbc8709d74
Negative `nNew` or `nTried` are not possible during normal operation. So, if we read such values during unserialize, report addrman corruption. Fixes bitcoin/bitcoin#22450
…d during unserialization 816f29e addrman: detect on-disk corrupted nNew and nTried during unserialization (Vasil Dimov) Pull request description: Negative `nNew` or `nTried` are not possible during normal operation. So, if we read such values during unserialize, report addrman corruption. Fixes bitcoin#22450 ACKs for top commit: MarcoFalke: cr ACK 816f29e jonatack: ACK 816f29e lsilva01: Code Review ACK bitcoin@816f29e. This change provides a more accurate description of the error. Tree-SHA512: 01bdd72d2d86a0ef770a319fee995fd1e147b24a8db84ddb8cd121688e7f94fed73fddc0084758e7183c4f8d08e971f0b1b224f5adb10928a5aa4dbbc8709d74
…d during unserialization 816f29e addrman: detect on-disk corrupted nNew and nTried during unserialization (Vasil Dimov) Pull request description: Negative `nNew` or `nTried` are not possible during normal operation. So, if we read such values during unserialize, report addrman corruption. Fixes bitcoin#22450 ACKs for top commit: MarcoFalke: cr ACK 816f29e jonatack: ACK 816f29e lsilva01: Code Review ACK bitcoin@816f29e. This change provides a more accurate description of the error. Tree-SHA512: 01bdd72d2d86a0ef770a319fee995fd1e147b24a8db84ddb8cd121688e7f94fed73fddc0084758e7183c4f8d08e971f0b1b224f5adb10928a5aa4dbbc8709d74
…d during unserialization 816f29e addrman: detect on-disk corrupted nNew and nTried during unserialization (Vasil Dimov) Pull request description: Negative `nNew` or `nTried` are not possible during normal operation. So, if we read such values during unserialize, report addrman corruption. Fixes bitcoin#22450 ACKs for top commit: MarcoFalke: cr ACK 816f29e jonatack: ACK 816f29e lsilva01: Code Review ACK bitcoin@816f29e. This change provides a more accurate description of the error. Tree-SHA512: 01bdd72d2d86a0ef770a319fee995fd1e147b24a8db84ddb8cd121688e7f94fed73fddc0084758e7183c4f8d08e971f0b1b224f5adb10928a5aa4dbbc8709d74
…d during unserialization 816f29e addrman: detect on-disk corrupted nNew and nTried during unserialization (Vasil Dimov) Pull request description: Negative `nNew` or `nTried` are not possible during normal operation. So, if we read such values during unserialize, report addrman corruption. Fixes bitcoin#22450 ACKs for top commit: MarcoFalke: cr ACK 816f29e jonatack: ACK 816f29e lsilva01: Code Review ACK bitcoin@816f29e. This change provides a more accurate description of the error. Tree-SHA512: 01bdd72d2d86a0ef770a319fee995fd1e147b24a8db84ddb8cd121688e7f94fed73fddc0084758e7183c4f8d08e971f0b1b224f5adb10928a5aa4dbbc8709d74
…d during unserialization 816f29e addrman: detect on-disk corrupted nNew and nTried during unserialization (Vasil Dimov) Pull request description: Negative `nNew` or `nTried` are not possible during normal operation. So, if we read such values during unserialize, report addrman corruption. Fixes bitcoin#22450 ACKs for top commit: MarcoFalke: cr ACK 816f29e jonatack: ACK 816f29e lsilva01: Code Review ACK bitcoin@816f29e. This change provides a more accurate description of the error. Tree-SHA512: 01bdd72d2d86a0ef770a319fee995fd1e147b24a8db84ddb8cd121688e7f94fed73fddc0084758e7183c4f8d08e971f0b1b224f5adb10928a5aa4dbbc8709d74
Negative `nNew` or `nTried` are not possible during normal operation. So, if we read such values during unserialize, report addrman corruption. Fixes bitcoin/bitcoin#22450
Made observable by the fuzz tests in commit e0a2b39
Crash in
bitcoin/src/addrman.h
Line 261 in d8f1e13
OSS-Fuzz reproducer: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36208
Can be reproduced locally in a few CPU hours via
FUZZ=addrman_deserialize ./src/test/fuzz/fuzz -use_value_profile=1
(using the qa-assets seed as starting point).The text was updated successfully, but these errors were encountered: