Skip to content

wallet: Fix use-after-free in WalletBatch::EraseRecords#29176

Merged
achow101 merged 1 commit intobitcoin:masterfrom
maflcko:2401-wallet-fix-a-bug-
Jan 4, 2024
Merged

wallet: Fix use-after-free in WalletBatch::EraseRecords#29176
achow101 merged 1 commit intobitcoin:masterfrom
maflcko:2401-wallet-fix-a-bug-

Conversation

@maflcko
Copy link
Member

@maflcko maflcko commented Jan 4, 2024

Creating a copy of the pointer to the underlying data of the stream is not enough to copy the data.

Currently this happens to work sometimes, because the stream may not immediately free unused memory. However, there is no guarantee by the stream interface to always behave this way. Also, if vector::clear is called on the underlying memory, any pointers to it are invalid.

Fix this, by creating a full copy of all bytes.

@DrahtBot
Copy link
Contributor

DrahtBot commented Jan 4, 2024
edited
Loading

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Code Coverage

For detailed information about the code coverage, see the test coverage report.

Reviews

See the guideline for information on the review process.

Type Reviewers
ACK achow101

If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.

@DrahtBot DrahtBot added the Wallet label Jan 4, 2024
@maflcko
Copy link
Member Author

maflcko commented Jan 4, 2024

I believe this bug existed since the code was written in commit 22401f1.

If one wants to trigger the bug in any c++ standard library, forcing a clear to also shrink may work:

diff --git a/src/streams.h b/src/streams.h
index bc04a2babd..26320db602 100644
--- a/src/streams.h
+++ b/src/streams.h
@@ -10,6 +10,7 @@
 #include <span.h>
 #include <support/allocators/zeroafterfree.h>
 #include <util/overflow.h>
+#include <util/vector.h>
 
 #include <algorithm>
 #include <assert.h>
@@ -227,7 +228,7 @@ public:
         memcpy(dst.data(), &vch[m_read_pos], dst.size());
         if (next_read_pos.value() == vch.size()) {
             m_read_pos = 0;
-            vch.clear();
+            ClearShrink(vch);//.clear();
             return;
         }
         m_read_pos = next_read_pos.value();

This should then crash tests, such as:

./test/functional/test_runner.py --valgrind wallet_migration
valgrind ./src/test/test_bitcoin -t walletdb_tests  --catch_system_errors=no

An alternative would be to assert early when a clear happened:

diff --git a/src/wallet/walletdb.cpp b/src/wallet/walletdb.cpp
index 9820c7c0ee..dbdd4181c4 100644
--- a/src/wallet/walletdb.cpp
+++ b/src/wallet/walletdb.cpp
@@ -1406,4 +1406,8 @@ bool WalletBatch::EraseRecords(const std::unordered_set<std::string>& types)
         std::string type;
         key >> type;
+        if(key.size()==0){
+         std::cout << type << std::endl;
+         assert(key.size());
+        }
 
         if (types.count(type) > 0) {

This shows that the violating keys are:

  • hdchain for the unit test walletdb_tests
  • flags for wallet_migration.py

@achow101
Copy link
Member

achow101 commented Jan 4, 2024

ACK faebf1d

@achow101 achow101 merged commit d84f736 into bitcoin:master Jan 4, 2024
@maflcko maflcko deleted the 2401-wallet-fix-a-bug- branch January 4, 2024 15:21
@fanquake fanquake mentioned this pull request Jan 4, 2024
Merged
@fanquake
Copy link
Member

fanquake commented Jan 4, 2024

Backported to 26.x in #29011.

fanquake pushed a commit to fanquake/bitcoin that referenced this pull request Jan 4, 2024
@fanquake
wallet: Fix use-after-free in WalletBatch::EraseRecords
ccf00b1 
Github-Pull: bitcoin#29176
Rebased-From: faebf1d
glozow added a commit that referenced this pull request Jan 9, 2024
@glozow
Merge #29011: [26.x] Backports
04edf9f 
7b79e54 doc: update release notes for 26.x (fanquake)
ccf00b1 wallet: Fix use-after-free in WalletBatch::EraseRecords (MarcoFalke)
40252e1 ci: Set `HOMEBREW_NO_INSTALLED_DEPENDENTS_CHECK` to avoid failures (Hennadii Stepanov)
b06b14e rpc: getwalletinfo, return wallet 'birthtime' (furszy)
1283401 test: coverage for wallet birth time interaction with -reindex (furszy)
0fa47e2 wallet: fix legacy spkm default birth time (furszy)
84f4a6c wallet: birth time update during tx scanning (furszy)
074296d refactor: rename FirstKeyTimeChanged to MaybeUpdateBirthTime (furszy)
35039ac fuzz: disable BnB when SFFO is enabled (furszy)
903b462 test: add coverage for BnB-SFFO restriction (furszy)
05d0576 wallet: create tx, log resulting coin selection info (furszy)
5493ebb wallet: skip BnB when SFFO is active (Murch)
b15e2e2 test: add regression test for the getrawtransaction segfault (Martin Zumsande)
5097bb3 rpc: fix getrawtransaction segfault (Martin Zumsande)
81e744a ci: Use Ubuntu 24.04 Noble for asan (MarcoFalke)
69e53d1 ci: Use Ubuntu 24.04 Noble for tsan,tidy,fuzz (MarcoFalke)
d2c80b6 doc: Missing additions to 26.0 release notes (fanquake)
8dc2c75 doc: add historical release notes for 26.0 (fanquake)

Pull request description:

  Backports for `26.x`. Currently:
  * #28920
  * #28992
  * #28994
  * #29003
  * #29023
  * #29080
  * #29176

ACKs for top commit:
  TheCharlatan:
    ACK 7b79e54
  glozow:
    ACK 7b79e54, matches mine

Tree-SHA512: 898aec76ed3ad35e0edd0980af5bcc21bd60003bbf69e0b4f473ed2aa38c4e3b360b930bc3747cf798195906a8f9fe66417524f5e5ef40fa68f1c1aaceebdeb0
achow101 pushed a commit to achow101/bitcoin that referenced this pull request Feb 21, 2024
@achow101
wallet: Fix use-after-free in WalletBatch::EraseRecords
cf0f43e 
Github-Pull: bitcoin#29176
Rebased-From: faebf1d
@achow101 achow101 mentioned this pull request Feb 21, 2024
Merged
@achow101
Copy link
Member

achow101 commented Feb 21, 2024

Backported to 25.x in #29464

fanquake added a commit that referenced this pull request Feb 26, 2024
@fanquake
Merge #29464: [25.2] Final backports and changes for 25.2rc1
1ce5acc 
9f13dc1 doc: Update release notes for 25.2rc1 (Ava Chow)
a27662b doc: update manpages for 25.2rc1 (Ava Chow)
65c6171 build: Bump to 25.2rc1 (Ava Chow)
cf0f43e wallet: Fix use-after-free in WalletBatch::EraseRecords (MarcoFalke)
6acfc43 Use only Span{} constructor for byte-like types where possible (MarcoFalke)
b40d107 util: Allow std::byte and char Span serialization (MarcoFalke)

Pull request description:

  Backport:

  * #29176
  * #27927

  #29176 does not cleanly backport, and it also requires 27927 to work. Both are still fairly simple backports.

  Also does the rest of the version bump tasks for 25.2rc1.

ACKs for top commit:
  fanquake:
    ACK 9f13dc1

Tree-SHA512: 9d9dbf415f8559410eba9a431b61a8fc94216898d2d1fd8398e1f7a22a04790faade810e65324c7a797456b33396c3a58f991e81319aaaa63d3ab441e5e20dbc
backpacker69 pushed a commit to peercoin/peercoin that referenced this pull request Jun 14, 2024
@backpacker69
wallet: Fix use-after-free in WalletBatch::EraseRecords
83a55ab 
Github-Pull: bitcoin/bitcoin#29176
Rebased-From: faebf1df2afe207f5d2d4f73f50ac66824fe34bb
@bitcoin bitcoin locked and limited conversation to collaborators Feb 20, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

Wallet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@maflcko @DrahtBot @achow101 @fanquake