HomePhabricator

Merge #9980: Fix mem access violation merkleblock

Authored by Pieter Wuille <pieter.wuille@gmail.com> on Jul 17 2017, 18:00.

Description

Merge #9980: Fix mem access violation merkleblock

Summary:
8276e70de Adding assert to avoid a memory access violation inside of PartialMerkleTree::CalcHash() (Chris Stewart)

Pull request description:

Fixing a possible memory access violation in CPartialMerkleTree::CalcHash().

This can happen if we some how a merkle tree with zero txids. I don't think this can happen in practice as we only send merkle block messages on the p2p network as of now -- we cannot receive them.

This was found with #8469, specifically using this [generator](https://github.com/Christewart/bitcoin/blob/rapidcheck/src/test/gen/merkleblock_gen.h#L52-L77) which will cause a memory access violation on [this test case](https://github.com/Christewart/bitcoin/blob/rapidcheck/src/test/merkleblock_properties.cpp#L48).

Tree-SHA512: b95904ec45ea3f082c7722161d93ee06b24c706fbffa909a6e995ed14788aed2830f91b626da6f0347660c45874a0735dab61c9440b59c949c690af4165c83fb

Backport of Core PR9980
https://github.com/bitcoin/bitcoin/pull/9980/files

Reviewer note: This seems like a vulnerability waiting to happen, so I carefully looked over it's usage. Short summary:

  • It cannot be exploited at present.
  • The node does not handle receiving CMerkleBlock, it only contructs and sends them from (and this is the important part) blocks that have been validated.
  • Potential future vectors to attack this assert could include:
    • Invalid block reflection attack if net_processing ever stores an invalid, 0-tx block in most_recent_block
    • Any new code that accepts CMerkleBlock from peers.

Test Plan:
make check
test_runner.py

Reviewers: deadalnix, Fabien, #bitcoin_abc, markblundeberg

Reviewed By: Fabien, #bitcoin_abc, markblundeberg

Subscribers: markblundeberg

Differential Revision: https://reviews.bitcoinabc.org/D3009

Details

Committed
jasonbcoxTue, May 14, 16:53
Pushed
jasonbcoxTue, May 14, 16:53
Reviewer
Restricted Project
Differential Revision
D3009: Merge #9980: Fix mem access violation merkleblock
Parents
rABC965b235866e3: Update disclosure policy standards
Branches
Unknown
Tags
Unknown

Event Timeline

jasonbcox committed rABC0ace84b6fe2e: Merge #9980: Fix mem access violation merkleblock (authored by Pieter Wuille <pieter.wuille@gmail.com>).Tue, May 14, 16:53