Bitcoin: Peringatan UBSan saat fuzzing dengan -fsanitize=integer

Dibuat pada 7 Agu 2020  ·  3Komentar  ·  Sumber: bitcoin/bitcoin

Saat menggabungkan harness process_messages dengan -fsanitize=integer dan berhati-hati untuk menggunakan file supresi ubsan, saya mendapatkan crasher berikut:

INFO: Seed: 2176449341
INFO: Loaded 1 modules   (204269 inline 8-bit counters): 204269 [0x555d1700aeb0, 0x555d1703cc9d), 
INFO: Loaded 1 PC tables (204269 PCs): 204269 [0x555d1703cca0,0x555d1735ab70), 
INFO:     7752 files found in /root/qa-assets/fuzz_seed_corpus/process_messages
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 1048576 bytes
INFO: seed corpus: files: 7752 min: 1b max: 3984182b total: 71282676b rss: 81Mb
protocol.h:420:42: runtime error: implicit conversion from type 'int' of value -168430091 (32-bit, signed) to type 'unsigned int' changed the value to 4126537205 (32-bit, unsigned)
    #0 0x555d1630b5ff in CInv::IsGenTxMsg() const /root/bitcoin/src/./protocol.h:420:42
    #1 0x555d1630b5ff in ProcessMessage(CNode&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, CDataStream&, std::chrono::duration<long, std::ratio<1l, 1000000l> >, CChainParams const&, ChainstateManager&, CTxMemPool&, CConnman&, BanMan*, std::atomic<bool> const&) /root/bitcoin/src/net_processing.cpp:3696:25
    #2 0x555d1632d971 in PeerLogicValidation::ProcessMessages(CNode*, std::atomic<bool>&) /root/bitcoin/src/net_processing.cpp:3842:9
    #3 0x555d1632fec5 in non-virtual thunk to PeerLogicValidation::ProcessMessages(CNode*, std::atomic<bool>&) /root/bitcoin/src/net_processing.cpp
    #4 0x555d162a1f3e in ConnmanTestMsg::ProcessMessagesOnce(CNode&) /root/bitcoin/src/./test/util/net.h:26:56
    #5 0x555d162a1f3e in test_one_input(std::vector<unsigned char, std::allocator<unsigned char> > const&) /root/bitcoin/src/test/fuzz/process_messages.cpp:74:21
    #6 0x555d16954bd6 in LLVMFuzzerTestOneInput /root/bitcoin/src/test/fuzz/fuzz.cpp:45:5
    #7 0x555d16231751 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/root/bitcoin/src/test/fuzz/process_messages+0x649751)
    #8 0x555d16230e95 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) (/root/bitcoin/src/test/fuzz/process_messages+0x648e95)
    #9 0x555d162337b7 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) (/root/bitcoin/src/test/fuzz/process_messages+0x64b7b7)
    #10 0x555d16233b19 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) (/root/bitcoin/src/test/fuzz/process_messages+0x64bb19)
    #11 0x555d162227ee in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/root/bitcoin/src/test/fuzz/process_messages+0x63a7ee)
    #12 0x555d1624b632 in main (/root/bitcoin/src/test/fuzz/process_messages+0x663632)
    #13 0x7f247597fb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #14 0x555d161f7569 in _start (/root/bitcoin/src/test/fuzz/process_messages+0x60f569)

SUMMARY: UndefinedBehaviorSanitizer: implicit-integer-sign-change protocol.h:420:42 in 
MS: 0 ; base unit: 0000000000000000000000000000000000000000
0x6e,0x6f,0x74,0x66,0x6f,0x75,0x6e,0x64,0x0,0x1,0x7f,0x99,0x2,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0xa5,0xa5,0xa5,0xa5,0xa5,0xa5,0xa5,0xa5,0xa5,0xa5,0xa5,0xa5,0xa5,0xa5,0xa5,0xa5,0xa5,0xa5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0x99,0x99,0x99,0x99,0x99,0x99,0x99,0x99,0x99,0x99,0x99,0x99,0xdc,0x1,0x7c,0x0,0x0,0x0,0x0,0x0,0x0,0xc0,
notfound\x00\x01\x7f\x99\x02\x00\x00\x00\x00\x00\x00\x00\xa5\xa5\xa5\xa5\xa5\xa5\xa5\xa5\xa5\xa5\xa5\xa5\xa5\xa5\xa5\xa5\xa5\xa5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\xdc\x01|\x00\x00\x00\x00\x00\x00\xc0
artifact_prefix='./'; Test unit written to ./crash-6d18289c14a3cab8896d942d6c4021b2b6895a1e
Base64: bm90Zm91bmQAAX+ZAgAAAAAAAAClpaWlpaWlpaWlpaWlpaWlpaX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX1mZmZmZmZmZmZmZmZ3AF8AAAAAAAAwA==

Masalah terjadi karena type adalah int dan dikonversi dalam perbandingan. Saya merasa type seharusnya uint32_t tetapi merasa saya akan membuat masalah untuk melihat apakah ini seharusnya menjadi penindasan :).
https://github.com/bitcoin/bitcoin/blob/a78742830aa35bf57bcb0a4730977a1e5a1876bc/src/protocol.h#L420

Tests
Sumber
picture Crypt-iQ
👍1

Komentar yang paling membantu

Terima kasih telah mengaburkan dan melaporkan temuan Anda @Crypt-iQ!

picture practicalswift pada 27 Agu 2020
👍2

Semua 3 komentar

Ini terjadi di sini:
https://github.com/bitcoin/bitcoin/blob/6d8543504d8c5bde1d12a3c60407dee44d2c8e11/src/net_processing.cpp#L3719 -L3727

vInv diisi dengan CInv dengan type negatif dan kemudian IsGenTxMsg disebut sedikit lebih rendah. Hanya untuk lebih presisi sehingga orang tidak perlu pergi mencari.

Crypt-iQ picture Crypt-iQ pada 8 Agu 2020
👍1

Temuan yang bagus!

jonatack picture jonatack pada 25 Agu 2020
🚀1

Terima kasih telah mengaburkan dan melaporkan temuan Anda @Crypt-iQ!

practicalswift picture practicalswift pada 27 Agu 2020
👍2
Apakah halaman ini membantu?
0 / 5 - 0 peringkat

Masalah terkait

MattyAB picture MattyAB  ·  3Komentar
askmike picture askmike  ·  3Komentar
renepickhardt picture renepickhardt  ·  3Komentar
gorazdko picture gorazdko  ·  3Komentar
rebroad picture rebroad  ·  3Komentar