Fix OOM when deserializing UTXO entries with invalid length #7933
I think this needs a test (that fails without this, and succeeds with it). Or are we talking about 'insane lengths' of such magnitude that would result in a very long running test case?

The test (without fix) would use 2 GB+ RAM, and segfault. With fix, it will work fine. I'll add one.

Maybe we can cap it off before that happens?

Previously disk corruption would cause an assert instead of an exception.
Added a test, and included #7936 (the test fails without).

utACK 1e44169

Can confirm the test fails:

utACK 1e44169
1e44169 Add tests for CCoins deserialization (Pieter Wuille)
5d0434d Fix OOM bug: UTXO entries with invalid script length (Pieter Wuille)
4bf631e CDataStream::ignore Throw exception instead of assert on negative nSize. (Patrick Strateman)
4f87af6 Treat overly long scriptPubKeys as unspendable (Pieter Wuille)
f8e6fb1 Introduce constant for maximum CScript length (Pieter Wuille)
…ializing_utxo, r=daira Upstream: fix out of memory problem when deserializing utxo bitcoin/bitcoin#7933
9f0868a [Tests] Add tests for CCoins deserialization (random-zebra)
5006d45 CDataStream::ignore Throw exception instead of assert on negative nSize (random-zebra)
b8bc0d5 [Bug] Fix OOM when deserializing UTXO entries with invalid length (random-zebra)
0657a13 [Script] Treat overly long scriptPubKeys as unspendable (random-zebra)
4bfc161 [Script] Introduce constant for maximum CScript length (random-zebra)

Pull request description:
ref: bitcoin#7933

ACKs for top commit:
furszy: Good, tests passing 👍 , ACK 9f0868a
Warrows: ACK 9f0868a

Tree-SHA512: 9f978d55cc2564ff905642fe624df43f502a297fbc966480164556328091933a9d6eb861bf287f1d07edb1d0e363d0a63ce76df7f01f01b9e73f69ba87a5576f
Thanks to @pstratem for finding this.
The normal vector deserializer reads data in chunks of at most 5 MB, preventing OOM when insane vector lengths are encoded. This protection is not present in CScriptCompressor's specialized deserializer, however, resulting in a potential OOM when very large length descriptors exist, as the target CScript is resized before attempting to read that much data.
However, CScripts have a maximum length above which they're always invalid. We can treat scriptPubKeys with such lengths as unspendable, preventing them from going into the UTXO set even, and skipping them when deserializing.
Note that none of this is exposed to the network, as the P2P code uses normal (pre)vectors, which do have this OOM protection directly in serialize.h.
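
The two protections described above, as an added sketch that is not Bitcoin Core's code: a chunked reader that bounds allocation when a length prefix lies, and a capped script reader that skips overlong entries without allocating. `Reader`, `read_chunked`, `read_script`, `entry`, the 8-byte length prefix and the `MAX_SCRIPT` value are assumptions made for illustration.

```cpp
#include <algorithm>
#include <cstdint>
#include <stdexcept>
#include <vector>

typedef std::vector<uint8_t> Bytes;
const size_t MAX_CHUNK = 5 * 1024 * 1024; // "at most 5 MB", as in the description
const uint64_t MAX_SCRIPT = 10000;        // assumed maximum script length
struct Reader {                           // toy input stream over a byte buffer
    const Bytes& buf; size_t pos;
    explicit Reader(const Bytes& b) : buf(b), pos(0) {}
    void need(uint64_t n) { if (n > buf.size() - pos) throw std::runtime_error("end of data"); }
    void read(uint8_t* dst, size_t n) { need(n); std::copy(buf.begin() + pos, buf.begin() + pos + n, dst); pos += n; }
    void ignore(uint64_t n) { need(n); pos += (size_t)n; }
    uint64_t read_len() {                 // toy 8-byte little-endian length prefix
        uint8_t b[8]; uint64_t v = 0; read(b, 8);
        for (int i = 7; i >= 0; --i) v = (v << 8) | b[i];
        return v;
    }
};

// Chunked read: the target grows only as data arrives, so a lying length costs at
// most one chunk before the stream runs dry. resize(len) up front has no such bound.
Bytes read_chunked(Reader& r, size_t& peak) {
    uint64_t len = r.read_len(), done = 0; Bytes out;
    while (done < len) {
        size_t blk = (size_t)std::min<uint64_t>(len - done, MAX_CHUNK);
        out.resize((size_t)done + blk);
        peak = std::max(peak, out.size());
        r.read(out.data() + done, blk); done += blk;
    }
    return out;
}

// Capped read: a length above the maximum can never be a valid script, so its
// bytes are skipped without allocating and the entry is flagged unspendable.
Bytes read_script(Reader& r, bool& unspendable) {
    uint64_t len = r.read_len();
    unspendable = len > MAX_SCRIPT;
    if (unspendable) { r.ignore(len); return Bytes(); }
    Bytes out((size_t)len);
    r.read(out.data(), (size_t)len);
    return out;
}

Bytes entry(uint64_t claimed, size_t have) {   // constructed sample input
    Bytes b(8 + have, 0x51);
    for (int i = 0; i < 8; ++i) b[i] = (uint8_t)(claimed >> (8 * i));
    return b;
}
```

With a prefix that claims far more data than the buffer holds, both readers fail with an exception instead of attempting the full allocation; the capped reader allocates nothing at all for the overlong entry.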