-
Notifications
You must be signed in to change notification settings - Fork 35.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
p2p: Avoid prematurely clearing download state for other peers #27608
Conversation
The following sections might be updated with supplementary metadata relevant to reviewers and maintainers. ReviewsSee the guideline for information on the review process.
If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update. ConflictsReviewers, this pull request conflicts with the following ones:
If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first. |
6857b1b
to
a9c0ea5
Compare
a9c0ea5
to
52e5207
Compare
Concept ACK. Will start running this when CI checks out. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
first glance, looks right to me. I was literally writing the same code as part of as learn-as-I-go resurrection of #10984
this would be required for any parallel download implementation as well
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ACK 52e5207 (jamesob/ackr/27608.1.sdaftuar.p2p_avoid_prematurely_cl
)
Built, reviewed code locally. Deployed to b-02.slug on https://bmon.info; all
metrics there look normal (peer count, tip connection).
Show signature data
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
ACK 52e52071e01f4e98d87a47e1d5f3c5c3cc6dbaf4 ([`jamesob/ackr/27608.1.sdaftuar.p2p_avoid_prematurely_cl`](https://github.com/jamesob/bitcoin/tree/ackr/27608.1.sdaftuar.p2p_avoid_prematurely_cl))
Built, reviewed code locally. Deployed to b-02.slug on https://bmon.info; all
metrics there look normal (peer count, tip connection).
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEGNRVI1NPYuZCSIrGepNdrbLETwUFAmRalB8ACgkQepNdrbLE
TwXObg//dcajHcXotfGB5mdQGv0a+jXDv1mjXlXr551R1Lv+rhXMbyipB80GNdmu
IqOXGauUUeqnK2dwxwMMgYlJDa92ErQzAOB7vm44m1iNuSStGh9aqupbznl3D2WK
1D3DMiO5+ZfPmMRhGgVPHwr8ydsuJJ3suna6I5SEF4cbET0x6aLfkMrJ0NK11TfY
IUz+1XFpxMNiosUxWroUSUKlkZMI83LqjP9JFFyTwCNrfO3jEYTQRT+BABbTC2yk
k7OWkWBNdoeCSEgVyJ0fOWS5Fr438sL7xpNbWx3MOvU6EC6fV0oLxlE/R6TovQzN
U/s28D/Z/BlEGFYZbW/dB5JkMfllF8sj8SGOL9b/3u7AC6zJI5i3Q6/89f20lhVK
8iD1eo+iM7hdwUnQkgkd4D6Gh3e3GVf1643pVI3ioqWrDRpDrCzThSW4mUKic2vJ
0xDEuqHO/RWsUCoL+6uV3Rw7henmAZsaHzmV6Qf0G4T1apeBq21U7z8YjJmfLDvg
3q1rmvwYciGJzVkLdBHACgdLPpyL+aMDAY22mM3XQqafnNI2hG5qbB/ScueDF0H3
WLHdHkcsymY1pMUVyJc2CX9AiuckxW4vJX/t/D7RawsgO4KW78vkx/igBOI/QJYG
hMDyOm4kKIRhdXbqSZphxDwaFxcX+8wc6WJAUkEB5DbLN0tYx0g=
=6fob
-----END PGP SIGNATURE-----
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ACK 52e5207
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Code review ACK 52e5207
// In case this block came from a different peer than we requested | ||
// from, we can erase the block request now anyway (as we just stored | ||
// this block to disk). | ||
LOCK(cs_main); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: Could have moved the lock outside the if..else
and removed the duplicate line in the else
below.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Code Review ACK 52e5207
@@ -1129,6 +1132,12 @@ void PeerManagerImpl::RemoveBlockRequest(const uint256& hash) | |||
} | |||
|
|||
auto [node_id, list_it] = it->second; | |||
|
|||
if (from_peer && node_id != *from_peer) { | |||
// Block was requested by another peer |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: requested from another peer
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oops -- will fix in a followup. Thanks for catching.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"by another peer" reads fine to me?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
peer didn't request, WE requested that peer
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ah right, suggested text is also ambiguous....
"Block was requested by us from another peer" ?
Github-Pull: bitcoin#27608 Rebased-From: 52e5207
…or other peers 52e5207 p2p: Avoid prematurely clearing download state for other peers (Suhas Daftuar) Pull request description: Avoid letting one peer send us data that clears out the download request (and related timers etc) from another peer. The exception is if a block is definitely stored to disk, in which case we'll clear the download state (just as we do for compact blocks). ACKs for top commit: jamesob: ACK 52e5207 ([`jamesob/ackr/27608.1.sdaftuar.p2p_avoid_prematurely_cl`](https://github.com/jamesob/bitcoin/tree/ackr/27608.1.sdaftuar.p2p_avoid_prematurely_cl)) instagibbs: ACK 52e5207 fjahr: Code review ACK 52e5207 mzumsande: Code Review ACK 52e5207 Tree-SHA512: 3ee92507edc3303c16c70ca44ba6c28c104afe95196e4b9167032590ed23d4f569f654f8eb8758940bd6536bc9ca810d2a77d2739db386b927e8b3f3cf55cb16
@@ -4400,7 +4414,7 @@ void PeerManagerImpl::ProcessMessage(CNode& pfrom, const std::string& msg_type, | |||
// process from some other peer. We do this after calling | |||
// ProcessNewBlock so that a malleated cmpctblock announcement | |||
// can't be used to interfere with block relay. | |||
RemoveBlockRequest(pblock->GetHash()); | |||
RemoveBlockRequest(pblock->GetHash(), std::nullopt); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this block required anymore now that ProcessBlock
will call it for us the first time when it's new?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can't we have a race condition where the block is not new
? In any case this function is extremely fast if called twice.
Github-Pull: bitcoin#27608 Rebased-From: 52e5207
post-merge Code review ACK 52e5207 |
Github-Pull: bitcoin#27608 Rebased-From: 52e5207
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
utACK 52e5207
@@ -1164,7 +1173,7 @@ bool PeerManagerImpl::BlockRequested(NodeId nodeid, const CBlockIndex& block, st | |||
} | |||
|
|||
// Make sure it's not listed somewhere already. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This comment could be improved:
// When processing block related messages from our peers,
// we treat requested blocks different from unsolicited ones.
// When making this distinction we only keep track of the
// last peer we requested from.
@@ -4400,7 +4414,7 @@ void PeerManagerImpl::ProcessMessage(CNode& pfrom, const std::string& msg_type, | |||
// process from some other peer. We do this after calling | |||
// ProcessNewBlock so that a malleated cmpctblock announcement | |||
// can't be used to interfere with block relay. | |||
RemoveBlockRequest(pblock->GetHash()); | |||
RemoveBlockRequest(pblock->GetHash(), std::nullopt); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can't we have a race condition where the block is not new
? In any case this function is extremely fast if called twice.
97f5e28 doc: update release notes for 24.1rc3 (fanquake) 7e9c7ae doc: update manual pages for v24.1rc3 (fanquake) abb9fa0 build: bump version to v24.1rc3 (fanquake) 128da6e net_processing: Boost inv trickle rate (Anthony Towns) a9a861a txmempool: have CompareDepthAndScore sort missing txs first (Anthony Towns) ec7cd33 p2p: Avoid prematurely clearing download state for other peers (Suhas Daftuar) Pull request description: Backports for rc3. Currently: * #27608 * #27610 ACKs for top commit: josibake: ACK 97f5e28 dergoegge: ACK 97f5e28 achow101: ACK 97f5e28 glozow: ACK 97f5e28 brunoerg: ACK 97f5e28 hebasto: ACK 97f5e28, commits were backported locally, got zero diff. Tree-SHA512: 09572285ed1e8169d7e77d12ec438586dab54c86064de85d0e743564e601686f884bf74f2bf8ed1be73bddcd7db6da4277c6dd6b9732e7eca383e108f8f37d58
49a2d66 doc: update manual pages for v25.0rc2 (fanquake) 3ea4a11 build: bump version to v25.0rc2 (fanquake) 7ef71e3 net_processing: Boost inv trickle rate (Anthony Towns) 1adbcd3 txmempool: have CompareDepthAndScore sort missing txs first (Anthony Towns) 9a23079 p2p: Avoid prematurely clearing download state for other peers (Suhas Daftuar) Pull request description: Backports for rc2. Currently: * #27608 * #27610 ACKs for top commit: achow101: ACK 49a2d66 Tree-SHA512: a1a7678e16136636ec8a232d12630529639bae3b577769b5a5fd204dda234a5e588f3d4dfebf4d7abe7111d13cc0714f9ccdea0a858fe821a7146e6a697308d3
We preemptively perform a block mutation check before further processing a block message (similar to early sanity checks on other messsage types). The main reasons for this change are as follows: - `CBlock::GetHash()` is a foot-gun without a prior mutation check, as the hash returned only commits to the header but not to the actual transactions (`CBlock::vtx`) contained in the block. - We have observed attacks that abused mutated blocks in the past, which could have been prevented by simply not processing mutated blocks (e.g. bitcoin#27608).
We preemptively perform a block mutation check before further processing a block message (similar to early sanity checks on other messsage types). The main reasons for this change are as follows: - `CBlock::GetHash()` is a foot-gun without a prior mutation check, as the hash returned only commits to the header but not to the actual transactions (`CBlock::vtx`) contained in the block. - We have observed attacks that abused mutated blocks in the past, which could have been prevented by simply not processing mutated blocks (e.g. bitcoin#27608).
We preemptively perform a block mutation check before further processing a block message (similar to early sanity checks on other messsage types). The main reasons for this change are as follows: - `CBlock::GetHash()` is a foot-gun without a prior mutation check, as the hash returned only commits to the header but not to the actual transactions (`CBlock::vtx`) contained in the block. - We have observed attacks that abused mutated blocks in the past, which could have been prevented by simply not processing mutated blocks (e.g. bitcoin#27608).
We preemptively perform a block mutation check before further processing a block message (similar to early sanity checks on other messsage types). The main reasons for this change are as follows: - `CBlock::GetHash()` is a foot-gun without a prior mutation check, as the hash returned only commits to the header but not to the actual transactions (`CBlock::vtx`) contained in the block. - We have observed attacks that abused mutated blocks in the past, which could have been prevented by simply not processing mutated blocks (e.g. bitcoin#27608).
We preemptively perform a block mutation check before further processing a block message (similar to early sanity checks on other messsage types). The main reasons for this change are as follows: - `CBlock::GetHash()` is a foot-gun without a prior mutation check, as the hash returned only commits to the header but not to the actual transactions (`CBlock::vtx`) contained in the block. - We have observed attacks that abused mutated blocks in the past, which could have been prevented by simply not processing mutated blocks (e.g. bitcoin#27608).
We preemptively perform a block mutation check before further processing a block message (similar to early sanity checks on other messsage types). The main reasons for this change are as follows: - `CBlock::GetHash()` is a foot-gun without a prior mutation check, as the hash returned only commits to the header but not to the actual transactions (`CBlock::vtx`) contained in the block. - We have observed attacks that abused mutated blocks in the past, which could have been prevented by simply not processing mutated blocks (e.g. bitcoin#27608).
We preemptively perform a block mutation check before further processing a block message (similar to early sanity checks on other messsage types). The main reasons for this change are as follows: - `CBlock::GetHash()` is a foot-gun without a prior mutation check, as the hash returned only commits to the header but not to the actual transactions (`CBlock::vtx`) contained in the block. - We have observed attacks that abused mutated blocks in the past, which could have been prevented by simply not processing mutated blocks (e.g. bitcoin#27608).
We preemptively perform a block mutation check before further processing a block message (similar to early sanity checks on other messsage types). The main reasons for this change are as follows: - `CBlock::GetHash()` is a foot-gun without a prior mutation check, as the hash returned only commits to the header but not to the actual transactions (`CBlock::vtx`) contained in the block. - We have observed attacks that abused mutated blocks in the past, which could have been prevented by simply not processing mutated blocks (e.g. bitcoin#27608).
d8087ad [test] IsBlockMutated unit tests (dergoegge) 1ed2c98 Add transaction_identifier::size to allow Span conversion (dergoegge) 1ec6bbe [validation] Cache merkle root and witness commitment checks (dergoegge) 5bf4f5b [test] Add regression test for #27608 (dergoegge) 49257c0 [net processing] Don't process mutated blocks (dergoegge) 2d8495e [validation] Merkle root malleation should be caught by IsBlockMutated (dergoegge) 66abce1 [validation] Introduce IsBlockMutated (dergoegge) e7669e1 [refactor] Cleanup merkle root checks (dergoegge) 95bddb9 [validation] Isolate merkle root checks (dergoegge) Pull request description: This PR proposes to check for mutated blocks early as a defense-in-depth mitigation against attacks leveraging mutated blocks. We introduce `IsBlockMutated` which catches all known forms of block malleation and use it to do an early mutation check whenever we receive a `block` message. We have observed attacks that abused mutated blocks in the past, which could have been prevented by simply not processing mutated blocks (e.g. #27608 for which a regression test is included in this PR). ACKs for top commit: achow101: ACK d8087ad maflcko: ACK d8087ad 🏄 fjahr: Code review ACK d8087ad sr-gi: Code review ACK d8087ad Tree-SHA512: 618ff4ea7f168e10f07504d3651290efbb1bb2ab3b838ffff3527c028caf6c52dedad18d04d3dbc627977479710930e200f2dfae18a08f627efe7e64a57e535f
We preemptively perform a block mutation check before further processing a block message (similar to early sanity checks on other messsage types). The main reasons for this change are as follows: - `CBlock::GetHash()` is a foot-gun without a prior mutation check, as the hash returned only commits to the header but not to the actual transactions (`CBlock::vtx`) contained in the block. - We have observed attacks that abused mutated blocks in the past, which could have been prevented by simply not processing mutated blocks (e.g. bitcoin#27608). Github-Pull: bitcoin#29412 Rebased-From: 49257c0
Github-Pull: bitcoin#29412 Rebased-From: 5bf4f5b
We preemptively perform a block mutation check before further processing a block message (similar to early sanity checks on other messsage types). The main reasons for this change are as follows: - `CBlock::GetHash()` is a foot-gun without a prior mutation check, as the hash returned only commits to the header but not to the actual transactions (`CBlock::vtx`) contained in the block. - We have observed attacks that abused mutated blocks in the past, which could have been prevented by simply not processing mutated blocks (e.g. bitcoin#27608). Github-Pull: bitcoin#29412 Rebased-From: 49257c0
Github-Pull: bitcoin#29412 Rebased-From: 5bf4f5b
c68d4d0 [doc] update manual pages for v26.1rc2 (glozow) bd715bf [build] bump version to v26.1rc2 (glozow) b6d006d update release notes 26.1 (glozow) fce992b fuzz: restrict fopencookie usage to Linux & FreeBSD (fanquake) 40c56a4 test: make sure keypool sizes do not change on `getrawchangeaddress`/`getnewaddress` failures (UdjinM6) 7c82b27 wallet: Avoid updating `ReserveDestination::nIndex` when `GetReservedDestination` fails (UdjinM6) b5419ce p2p: Don't consider blocks mutated if they don't connect to known prev block (Greg Sanders) 0535c25 [test] IsBlockMutated unit tests (dergoegge) 8141498 [validation] Cache merkle root and witness commitment checks (dergoegge) 0c5c596 [test] Add regression test for #27608 (dergoegge) 2473635 [net processing] Don't process mutated blocks (dergoegge) 50c0b61 [validation] Merkle root malleation should be caught by IsBlockMutated (dergoegge) aff368f [validation] Introduce IsBlockMutated (dergoegge) 076c67c [refactor] Cleanup merkle root checks (dergoegge) 97a1d0a [validation] Isolate merkle root checks (dergoegge) 4ac0eb5 test: Drop `x` modifier in `fsbridge::fopen` call for mingw builds (Hennadii Stepanov) Pull request description: Includes: - #29357 - #29412 - #29524 - #29510 - #29529 Also does: - update to release notes - bump to rc2 - manpages - (no changes to bitcoin.conf) ACKs for top commit: achow101: ACK c68d4d0 Tree-SHA512: 2f8c3dd705e3f9f33403b3cc17e8006510ff827d7dbd609b09732a1669964e9b001cfecdc63d8d8daeb8f39c652e1e4ad0aac873d44d259c21803de85688ed2b
We preemptively perform a block mutation check before further processing a block message (similar to early sanity checks on other messsage types). The main reasons for this change are as follows: - `CBlock::GetHash()` is a foot-gun without a prior mutation check, as the hash returned only commits to the header but not to the actual transactions (`CBlock::vtx`) contained in the block. - We have observed attacks that abused mutated blocks in the past, which could have been prevented by simply not processing mutated blocks (e.g. bitcoin#27608).
We preemptively perform a block mutation check before further processing a block message (similar to early sanity checks on other messsage types). The main reasons for this change are as follows: - `CBlock::GetHash()` is a foot-gun without a prior mutation check, as the hash returned only commits to the header but not to the actual transactions (`CBlock::vtx`) contained in the block. - We have observed attacks that abused mutated blocks in the past, which could have been prevented by simply not processing mutated blocks (e.g. bitcoin#27608).
27cfda1 doc: Update release notes for 25.2rc2 (Ava Chow) daba5e2 doc: Update manpages for 25.2rc2 (Ava Chow) 8a0c980 build: Bump to 25.2rc2 (Ava Chow) cf7d3a8 p2p: Don't consider blocks mutated if they don't connect to known prev block (Greg Sanders) 3eaaafa [test] IsBlockMutated unit tests (dergoegge) 0667441 [validation] Cache merkle root and witness commitment checks (dergoegge) de97ecf [test] Add regression test for #27608 (dergoegge) 8cc4b24 [net processing] Don't process mutated blocks (dergoegge) 098f07d [validation] Merkle root malleation should be caught by IsBlockMutated (dergoegge) 8804c36 [validation] Introduce IsBlockMutated (dergoegge) 4f5baac [validation] Isolate merkle root checks (dergoegge) f93be01 test: make sure keypool sizes do not change on `getrawchangeaddress`/`getnewaddress` failures (UdjinM6) 7c08ccf wallet: Avoid updating `ReserveDestination::nIndex` when `GetReservedDestination` fails (UdjinM6) Pull request description: Backport: * #29510 * #29412 * #29524 ACKs for top commit: glozow: utACK 27cfda1 Tree-SHA512: 37feadd65d9ea55c0a92c9d2a6f74f87cafed3bc67f8deeaaafc5b7042f954e55ea34816612e1a49088f4f1906f104e00c7c3bec7affd1c1f48220b57a8769c5
We preemptively perform a block mutation check before further processing a block message (similar to early sanity checks on other messsage types). The main reasons for this change are as follows: - `CBlock::GetHash()` is a foot-gun without a prior mutation check, as the hash returned only commits to the header but not to the actual transactions (`CBlock::vtx`) contained in the block. - We have observed attacks that abused mutated blocks in the past, which could have been prevented by simply not processing mutated blocks (e.g. bitcoin/bitcoin#27608).
Avoid letting one peer send us data that clears out the download request (and related timers etc) from another peer.
The exception is if a block is definitely stored to disk, in which case we'll clear the download state (just as we do for compact blocks).