Avoid triggering undefined behaviour (std::memset(nullptr, 0, 0)) if an invalid string is passed to DecodeSecret(...) #14242

pull practicalswift wants to merge 1 commits into bitcoin:master from practicalswift:ub-in-DecodeSecret changing 2 files +3 −2
  1. practicalswift commented at 2:33 PM on September 17, 2018: contributor

    Avoid triggering undefined behaviour (std::memset(nullptr, 0, 0)) if an invalid string is passed to DecodeSecret(...).

    Background reading: memcpy (and friends) with NULL pointers

    Steps to reproduce:

    ./configure --with-sanitizers=undefined && make check && ./test/functional/test_runner.py
  2. practicalswift commented at 2:34 PM on September 17, 2018: contributor

    Introduced in PR #11372 (119b0f85e2). Friendly ping @sipa – would you mind reviewing? :-)

  3. MarcoFalke commented at 4:30 PM on September 17, 2018: member

    Shouldn't memory_cleanse be more robust in handling zero-length data?

  4. practicalswift commented at 7:16 PM on September 17, 2018: contributor

    @MarcoFalke Sure! Added a commit. Please re-review :-)

  5. in src/key_io.cpp:147 in ae17de59d2 outdated 
     141 | @@ -142,7 +142,9 @@ CKey DecodeSecret(const std::string& str)
 142 |              key.Set(data.begin() + privkey_prefix.size(), data.begin() + privkey_prefix.size() + 32, compressed);
 143 |          }
 144 |      }
 145 | -    memory_cleanse(data.data(), data.size());
 146 | +    if (data.data()) {
 147 | +        memory_cleanse(data.data(), data.size());
 148 | +    }
    MarcoFalke commented at 10:59 PM on September 17, 2018:

    This check is no longer needed?

    fingera commented at 6:10 AM on September 20, 2018:

    Notes If size() is 0, data() may or may not return a null pointer. https://en.cppreference.com/w/cpp/container/vector/data

  6. promag commented at 12:15 AM on September 18, 2018: member

    Shouldn't memory_cleanse be more robust in handling zero-length data? @MarcoFalke the same for memset?

    -0 ae17de5 because it changes memory_cleanse invariant.

    IMO should avoid the call to memory_cleanse.

  7. practicalswift force-pushed on Sep 18, 2018
  8. practicalswift commented at 4:35 AM on September 18, 2018: contributor

    @MarcoFalke I think @promag has a good point. Now reverted to the original version.

  9. practicalswift commented at 4:35 AM on September 18, 2018: contributor

    @promag Thanks for reviewing. Now updated. Please re-review :-)

  10. practicalswift cross-referenced this on Sep 18, 2018 from issue build: Run functional tests and benchmarks under the undefined behaviour sanitizer (UBSan) by practicalswift
  11. practicalswift cross-referenced this on Sep 20, 2018 from issue functional tests fail --with-sanitizers=undefined by MarcoFalke
  12. MarcoFalke referenced this in commit 1ba5583646 on Nov 5, 2018
  13. MarcoFalke commented at 8:11 PM on November 5, 2018: member

    Could remove the suppression from the file in contrib?

  14. bitcoin deleted a comment on Nov 5, 2018
  15. practicalswift force-pushed on Nov 6, 2018
  16. practicalswift commented at 11:26 PM on November 6, 2018: contributor

    @MarcoFalke Good point! Added commit 1cab4bb7e09c9d68e104460b67e5804848cd3c2e which removes UBSan suppression.

    Please re-review :-)

  17. DrahtBot commented at 9:48 PM on November 8, 2018: contributor

    <!--e57a25ab6845829454e8d69fc972939a-->

    The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

    <!--174a7506f384e20aa4161008e828411d-->

    Conflicts

    Reviewers, this pull request conflicts with the following ones:

    • #14239 (Avoid dividing by zero (undefined behaviour) in EstimateMedianVal (policy)/ConnectTip (validation)/CreateTransaction (wallet) by practicalswift)

    If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

  18. practicalswift cross-referenced this on Nov 16, 2018 from issue fix an undefined behavior in uint::SetHex by kazcw
  19. DrahtBot added the label Needs rebase on Nov 23, 2018
  20. practicalswift commented at 3:58 PM on November 23, 2018: contributor

    Rebased!

  21. practicalswift force-pushed on Nov 23, 2018
  22. DrahtBot removed the label Needs rebase on Nov 23, 2018
  23. in src/key_io.cpp:145 in f094aeb539 outdated 
     141 | @@ -142,7 +142,9 @@ CKey DecodeSecret(const std::string& str)
 142 |              key.Set(data.begin() + privkey_prefix.size(), data.begin() + privkey_prefix.size() + 32, compressed);
 143 |          }
 144 |      }
 145 | -    memory_cleanse(data.data(), data.size());
 146 | +    if (data.data()) {
    luke-jr commented at 7:10 PM on December 19, 2018:

    We don't need to memory_cleanse if data.size() is zero, right?

    MarcoFalke commented at 7:33 PM on December 19, 2018:

    C.f. ae17de5

    practicalswift commented at 4:03 PM on January 5, 2019:

    Now calling memory_cleanse only if data.data() != nullptr and data.size() > 0.

  24. practicalswift force-pushed on Jan 5, 2019
  25. practicalswift commented at 4:03 PM on January 5, 2019: contributor

    @luke-jr @promag @MarcoFalke Would you mind re-reviewing? :-)

  26. practicalswift commented at 7:58 PM on January 15, 2019: contributor

    @MarcoFalke Could this one get a release milestone? :-)

  27. MarcoFalke added this to the milestone 0.18.0 on Jan 15, 2019
  28. in src/key_io.cpp:145 in 524a876548 outdated 
     141 | @@ -142,7 +142,9 @@ CKey DecodeSecret(const std::string& str)
 142 |              key.Set(data.begin() + privkey_prefix.size(), data.begin() + privkey_prefix.size() + 32, compressed);
 143 |          }
 144 |      }
 145 | -    memory_cleanse(data.data(), data.size());
 146 | +    if (data.data() != nullptr && data.size() > 0) {
    laanwj commented at 4:22 PM on February 6, 2019:

    seems like an !data.empty() check would be enough here?

  29. laanwj added the label Refactoring on Feb 6, 2019
  30. promag commented at 3:19 PM on February 7, 2019: member

    Agree with @laanwj, also (nit) could squash.

    utACK 524a876 otherwise.

  31. Avoid triggering undefined behaviour (std::memset(nullptr, 0, 0)) if an invalid string is passed to DecodeSecret(...) d855e4cac8
  32. practicalswift force-pushed on Feb 7, 2019
  33. practicalswift commented at 9:31 PM on February 7, 2019: contributor

    @laanwj @promag Good points. Fixed and squashed. Please re-review :-)

  34. promag commented at 9:33 PM on February 7, 2019: member

    utACK d855e4ca.

  35. laanwj merged this on Feb 8, 2019
  36. laanwj closed this on Feb 8, 2019
  37. laanwj referenced this in commit 6fc656a410 on Feb 8, 2019
  38. jasonbcox referenced this in commit 4210ed4fcc on Sep 13, 2019
  39. UdjinM6 referenced this in commit 4d691cbfd9 on Dec 25, 2020
  40. UdjinM6 referenced this in commit 2fbc0e0e8d on Dec 25, 2020
  41. UdjinM6 referenced this in commit 5cf45844d8 on Jan 8, 2021
  42. practicalswift deleted the branch on Apr 10, 2021
  43. pravblockc referenced this in commit a390bab2d5 on Aug 10, 2021
  44. pravblockc cross-referenced this on Aug 10, 2021 from issue Backports v0.18: PR's #14242, 15351 and 14519 by pravblockc
  45. pravblockc referenced this in commit 95e4d27ffd on Aug 14, 2021
  46. PastaPastaPasta referenced this in commit 1197a1f392 on Aug 16, 2021
  47. PastaPastaPasta referenced this in commit 857fae9277 on Aug 16, 2021
  48. pravblockc referenced this in commit eab19ffa5c on Aug 17, 2021
  49. pravblockc referenced this in commit 9341b3c0e6 on Aug 17, 2021
  50. PastaPastaPasta referenced this in commit 009f0059b9 on Aug 17, 2021
  51. PastaPastaPasta referenced this in commit b98e643250 on Aug 18, 2021
  52. pravblockc referenced this in commit 02bbb4228f on Aug 18, 2021
  53. pravblockc referenced this in commit 7ac0213b1e on Aug 19, 2021
  54. PastaPastaPasta referenced this in commit c4697213b2 on Aug 21, 2021
  55. gades referenced this in commit d9cea62049 on Apr 1, 2022
  56. gades referenced this in commit 7c4d74079c on Apr 20, 2022
  57. bitcoin locked this on Aug 18, 2022
Contributors
practicalswiftMarcoFalkefingerapromagDrahtBotluke-jrlaanwj
Labels
Refactoring

Milestone
0.18.0

Linked (view graph)
#11372 Address encoding cleanup#14059 functional tests fail --with-sanitizers=undefined#14252 build: Run functional tests and benchmarks under the undefined behaviour sanitizer (UBSan)#14734 fix an undefined behavior in uint::SetHex#31166 key: clear out secret data in `DecodeExtKey`
github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-05-20 06:54 UTC