-
Notifications
You must be signed in to change notification settings - Fork 36.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
validation: Increase robustness when loading malformed mempool.dat files (LoadMempool) #20089
validation: Increase robustness when loading malformed mempool.dat files (LoadMempool) #20089
Conversation
The following sections might be updated with supplementary metadata relevant to reviewers and maintainers. ConflictsReviewers, this pull request conflicts with the following ones:
If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Concept ACK, change looks good.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ACK, seems fine to add checks against disk corruption
6166a9f
to
5693d5a
Compare
review ACK 5693d5a |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Code Review ACK 5693d5a 🩺
As a potential follow-up, would it also make sense to notify the user in case the file is malformed (which is most likely caused by disk corruption), with a warning?
@theStack Now printing a log message. Please re-review :) |
89ab5c2
to
875a2c3
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Code Review re-ACK 875a2c3
review ACK 875a2c3 |
Could someone restart Cirrus please? :) |
* Like MoneyRange(...), but allows for negative money amounts. | ||
*/ | ||
inline bool FeeDeltaRange(const CAmount fee_delta) { | ||
return fee_delta >= -MAX_MONEY && fee_delta <= MAX_MONEY; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fee deltas outside MAX_MONEY
are valid and have at least a conceptual use case (consider that fee rate is divided by transaction size: a larger transaction would need >MAX_MONEY
feerate to go before a MAX_MONEY
smaller tx).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@luke-jr What is the valid fee delta range in your opinion?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure this is actionable unless we can establish what the valid range should be.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is not a feerate, but an absolute amount in satoshis
875a2c3
to
f044456
Compare
f044456
to
8953ff9
Compare
…t file with a malformed time field ee11a41 Avoid signed integer overflow when loading a mempool.dat file with a malformed time field (practicalswift) Pull request description: Avoid signed integer overflow when loading a `mempool.dat` file with a malformed time field. Avoid the following signed integer overflow: ``` $ xxd -p -r > mempool.dat-crash-1 <<EOF 0100000000000000000000000004000000000000000000000000ffffffff ffffff7f00000000000000000000000000 EOF $ cp mempool.dat-crash-1 ~/.bitcoin/regtest/mempool.dat $ UBSAN_OPTIONS="print_stacktrace=1:halt_on_error=1:report_error_type=1" src/bitcoind -regtest validation.cpp:5079:23: runtime error: signed integer overflow: 9223372036854775807 + 1209600 cannot be represented in type 'long' #0 0x5618d335197f in LoadMempool(CTxMemPool&) src/validation.cpp:5079:23 #1 0x5618d3350df3 in CChainState::LoadMempool(ArgsManager const&) src/validation.cpp:4217:9 #2 0x5618d2b9345f in ThreadImport(ChainstateManager&, std::vector<boost::filesystem::path, std::allocator<boost::filesystem::path> >, ArgsManager const&) src/init.cpp:762:33 #3 0x5618d2b92162 in AppInitMain(util::Ref const&, NodeContext&, interfaces::BlockAndHeaderTipInfo*)::$_14::operator()() const src/init.cpp:1881:9 ``` This PR was broken out from PR #20089. Hopefully this PR is trivial to review. Fixes a subset of #19278. ACKs for top commit: MarcoFalke: review ACK ee11a41 Crypt-iQ: crACK ee11a41 Tree-SHA512: 227ab95cd7d22f62f3191693b455eacfa8e36534961bee12c622fc9090957cfb29992eabafa74d806a336e03385aa8f98b7ce734f04b0b400e33aa187d353337
…pool.dat file with a malformed time field ee11a41 Avoid signed integer overflow when loading a mempool.dat file with a malformed time field (practicalswift) Pull request description: Avoid signed integer overflow when loading a `mempool.dat` file with a malformed time field. Avoid the following signed integer overflow: ``` $ xxd -p -r > mempool.dat-crash-1 <<EOF 0100000000000000000000000004000000000000000000000000ffffffff ffffff7f00000000000000000000000000 EOF $ cp mempool.dat-crash-1 ~/.bitcoin/regtest/mempool.dat $ UBSAN_OPTIONS="print_stacktrace=1:halt_on_error=1:report_error_type=1" src/bitcoind -regtest validation.cpp:5079:23: runtime error: signed integer overflow: 9223372036854775807 + 1209600 cannot be represented in type 'long' #0 0x5618d335197f in LoadMempool(CTxMemPool&) src/validation.cpp:5079:23 #1 0x5618d3350df3 in CChainState::LoadMempool(ArgsManager const&) src/validation.cpp:4217:9 #2 0x5618d2b9345f in ThreadImport(ChainstateManager&, std::vector<boost::filesystem::path, std::allocator<boost::filesystem::path> >, ArgsManager const&) src/init.cpp:762:33 #3 0x5618d2b92162 in AppInitMain(util::Ref const&, NodeContext&, interfaces::BlockAndHeaderTipInfo*)::$_14::operator()() const src/init.cpp:1881:9 ``` This PR was broken out from PR bitcoin#20089. Hopefully this PR is trivial to review. Fixes a subset of bitcoin#19278. ACKs for top commit: MarcoFalke: review ACK ee11a41 Crypt-iQ: crACK ee11a41 Tree-SHA512: 227ab95cd7d22f62f3191693b455eacfa8e36534961bee12c622fc9090957cfb29992eabafa74d806a336e03385aa8f98b7ce734f04b0b400e33aa187d353337
…pool.dat file with a malformed time field ee11a41 Avoid signed integer overflow when loading a mempool.dat file with a malformed time field (practicalswift) Pull request description: Avoid signed integer overflow when loading a `mempool.dat` file with a malformed time field. Avoid the following signed integer overflow: ``` $ xxd -p -r > mempool.dat-crash-1 <<EOF 0100000000000000000000000004000000000000000000000000ffffffff ffffff7f00000000000000000000000000 EOF $ cp mempool.dat-crash-1 ~/.bitcoin/regtest/mempool.dat $ UBSAN_OPTIONS="print_stacktrace=1:halt_on_error=1:report_error_type=1" src/bitcoind -regtest validation.cpp:5079:23: runtime error: signed integer overflow: 9223372036854775807 + 1209600 cannot be represented in type 'long' #0 0x5618d335197f in LoadMempool(CTxMemPool&) src/validation.cpp:5079:23 #1 0x5618d3350df3 in CChainState::LoadMempool(ArgsManager const&) src/validation.cpp:4217:9 #2 0x5618d2b9345f in ThreadImport(ChainstateManager&, std::vector<boost::filesystem::path, std::allocator<boost::filesystem::path> >, ArgsManager const&) src/init.cpp:762:33 #3 0x5618d2b92162 in AppInitMain(util::Ref const&, NodeContext&, interfaces::BlockAndHeaderTipInfo*)::$_14::operator()() const src/init.cpp:1881:9 ``` This PR was broken out from PR bitcoin#20089. Hopefully this PR is trivial to review. Fixes a subset of bitcoin#19278. ACKs for top commit: MarcoFalke: review ACK ee11a41 Crypt-iQ: crACK ee11a41 Tree-SHA512: 227ab95cd7d22f62f3191693b455eacfa8e36534961bee12c622fc9090957cfb29992eabafa74d806a336e03385aa8f98b7ce734f04b0b400e33aa187d353337
…pool.dat file with a malformed time field ee11a41 Avoid signed integer overflow when loading a mempool.dat file with a malformed time field (practicalswift) Pull request description: Avoid signed integer overflow when loading a `mempool.dat` file with a malformed time field. Avoid the following signed integer overflow: ``` $ xxd -p -r > mempool.dat-crash-1 <<EOF 0100000000000000000000000004000000000000000000000000ffffffff ffffff7f00000000000000000000000000 EOF $ cp mempool.dat-crash-1 ~/.bitcoin/regtest/mempool.dat $ UBSAN_OPTIONS="print_stacktrace=1:halt_on_error=1:report_error_type=1" src/bitcoind -regtest validation.cpp:5079:23: runtime error: signed integer overflow: 9223372036854775807 + 1209600 cannot be represented in type 'long' #0 0x5618d335197f in LoadMempool(CTxMemPool&) src/validation.cpp:5079:23 #1 0x5618d3350df3 in CChainState::LoadMempool(ArgsManager const&) src/validation.cpp:4217:9 #2 0x5618d2b9345f in ThreadImport(ChainstateManager&, std::vector<boost::filesystem::path, std::allocator<boost::filesystem::path> >, ArgsManager const&) src/init.cpp:762:33 #3 0x5618d2b92162 in AppInitMain(util::Ref const&, NodeContext&, interfaces::BlockAndHeaderTipInfo*)::$_14::operator()() const src/init.cpp:1881:9 ``` This PR was broken out from PR bitcoin#20089. Hopefully this PR is trivial to review. Fixes a subset of bitcoin#19278. ACKs for top commit: MarcoFalke: review ACK ee11a41 Crypt-iQ: crACK ee11a41 Tree-SHA512: 227ab95cd7d22f62f3191693b455eacfa8e36534961bee12c622fc9090957cfb29992eabafa74d806a336e03385aa8f98b7ce734f04b0b400e33aa187d353337
Increase robustness when loading malformed
mempool.dat
files.Avoids the following three signed integer overflows when loading malformed
mempool.dat
files:Fixes #19278.