Saat menggabungkan harness process_messages
dengan -fsanitize=integer
dan berhati-hati untuk menggunakan file supresi ubsan, saya mendapatkan crasher berikut:
INFO: Seed: 2176449341
INFO: Loaded 1 modules (204269 inline 8-bit counters): 204269 [0x555d1700aeb0, 0x555d1703cc9d),
INFO: Loaded 1 PC tables (204269 PCs): 204269 [0x555d1703cca0,0x555d1735ab70),
INFO: 7752 files found in /root/qa-assets/fuzz_seed_corpus/process_messages
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 1048576 bytes
INFO: seed corpus: files: 7752 min: 1b max: 3984182b total: 71282676b rss: 81Mb
protocol.h:420:42: runtime error: implicit conversion from type 'int' of value -168430091 (32-bit, signed) to type 'unsigned int' changed the value to 4126537205 (32-bit, unsigned)
#0 0x555d1630b5ff in CInv::IsGenTxMsg() const /root/bitcoin/src/./protocol.h:420:42
#1 0x555d1630b5ff in ProcessMessage(CNode&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, CDataStream&, std::chrono::duration<long, std::ratio<1l, 1000000l> >, CChainParams const&, ChainstateManager&, CTxMemPool&, CConnman&, BanMan*, std::atomic<bool> const&) /root/bitcoin/src/net_processing.cpp:3696:25
#2 0x555d1632d971 in PeerLogicValidation::ProcessMessages(CNode*, std::atomic<bool>&) /root/bitcoin/src/net_processing.cpp:3842:9
#3 0x555d1632fec5 in non-virtual thunk to PeerLogicValidation::ProcessMessages(CNode*, std::atomic<bool>&) /root/bitcoin/src/net_processing.cpp
#4 0x555d162a1f3e in ConnmanTestMsg::ProcessMessagesOnce(CNode&) /root/bitcoin/src/./test/util/net.h:26:56
#5 0x555d162a1f3e in test_one_input(std::vector<unsigned char, std::allocator<unsigned char> > const&) /root/bitcoin/src/test/fuzz/process_messages.cpp:74:21
#6 0x555d16954bd6 in LLVMFuzzerTestOneInput /root/bitcoin/src/test/fuzz/fuzz.cpp:45:5
#7 0x555d16231751 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/root/bitcoin/src/test/fuzz/process_messages+0x649751)
#8 0x555d16230e95 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) (/root/bitcoin/src/test/fuzz/process_messages+0x648e95)
#9 0x555d162337b7 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) (/root/bitcoin/src/test/fuzz/process_messages+0x64b7b7)
#10 0x555d16233b19 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) (/root/bitcoin/src/test/fuzz/process_messages+0x64bb19)
#11 0x555d162227ee in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/root/bitcoin/src/test/fuzz/process_messages+0x63a7ee)
#12 0x555d1624b632 in main (/root/bitcoin/src/test/fuzz/process_messages+0x663632)
#13 0x7f247597fb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#14 0x555d161f7569 in _start (/root/bitcoin/src/test/fuzz/process_messages+0x60f569)
SUMMARY: UndefinedBehaviorSanitizer: implicit-integer-sign-change protocol.h:420:42 in
MS: 0 ; base unit: 0000000000000000000000000000000000000000
0x6e,0x6f,0x74,0x66,0x6f,0x75,0x6e,0x64,0x0,0x1,0x7f,0x99,0x2,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0xa5,0xa5,0xa5,0xa5,0xa5,0xa5,0xa5,0xa5,0xa5,0xa5,0xa5,0xa5,0xa5,0xa5,0xa5,0xa5,0xa5,0xa5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0x99,0x99,0x99,0x99,0x99,0x99,0x99,0x99,0x99,0x99,0x99,0x99,0xdc,0x1,0x7c,0x0,0x0,0x0,0x0,0x0,0x0,0xc0,
notfound\x00\x01\x7f\x99\x02\x00\x00\x00\x00\x00\x00\x00\xa5\xa5\xa5\xa5\xa5\xa5\xa5\xa5\xa5\xa5\xa5\xa5\xa5\xa5\xa5\xa5\xa5\xa5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\xf5\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\xdc\x01|\x00\x00\x00\x00\x00\x00\xc0
artifact_prefix='./'; Test unit written to ./crash-6d18289c14a3cab8896d942d6c4021b2b6895a1e
Base64: bm90Zm91bmQAAX+ZAgAAAAAAAAClpaWlpaWlpaWlpaWlpaWlpaX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX1mZmZmZmZmZmZmZmZ3AF8AAAAAAAAwA==
Masalah terjadi karena type
adalah int
dan dikonversi dalam perbandingan. Saya merasa type
seharusnya uint32_t
tetapi merasa saya akan membuat masalah untuk melihat apakah ini seharusnya menjadi penindasan :).
https://github.com/bitcoin/bitcoin/blob/a78742830aa35bf57bcb0a4730977a1e5a1876bc/src/protocol.h#L420
Ini terjadi di sini:
https://github.com/bitcoin/bitcoin/blob/6d8543504d8c5bde1d12a3c60407dee44d2c8e11/src/net_processing.cpp#L3719 -L3727
vInv
diisi dengan CInv
dengan type
negatif dan kemudian IsGenTxMsg
disebut sedikit lebih rendah. Hanya untuk lebih presisi sehingga orang tidak perlu pergi mencari.
Temuan yang bagus!
Terima kasih telah mengaburkan dan melaporkan temuan Anda @Crypt-iQ!
Komentar yang paling membantu
Terima kasih telah mengaburkan dan melaporkan temuan Anda @Crypt-iQ!