Disclosure of CVE-2024-35202
Before Bitcoin Core v25.0, an attacker could remotely crash Bitcoin Core
nodes by triggering an assertion in the blocktxn message handling logic.
This issue is considered High severity.
Details
When receiving a block announcement via a cmpctblock message, Bitcoin Core
attempts to reconstruct the announced block using the transactions in its own
mempool as well as other available transactions. If reconstruction fails due to
missing transactions it will request them from the announcing peer via a
getblocktxn message. In response a blocktxn message is expected, which should
contain the requested transactions.
The compact block protocol employs shortened transaction identifiers to reduce
bandwidth. These short-ids are 6 byte in size, resulting in a small chance for
collisions (i.e. transaction A has the same short-id as transaction B) upon
block reconstruction. Collisions will be detected as the merkle root computed
from the reconstructed set of transactions will not match the merkle root from
the block announcement. Peers should not be punished for collisions as they may
happen spuriously, therefore they are handled by falling back to requesting the
full block.
Bitcoin Core will create an instance of PartiallyDownloadedBlock
whenever a new compact block is received. If missing transactions are
requested, the instance is persisted until the corresponding blocktxn message
is processed. Upon receiving the blocktxn message,
PartiallyDownloadedBlock::FillBlock is called, attempting to
reconstruct the full block. In the collision case described above, the full
block is requested but the PartiallyDownloadedBlock instance as
well as the other state related to the underlying block request is left
untouched. This leaves room for a second blocktxn message for the same block to
be processed and trigger FillBlock to be called again. This
violates the assumption (documented as an assert statement) that
FillBlock can only be called once and causes the node to crash.
An attacker does not need to get lucky by triggering a collision, as the
collision handling logic can easily be triggered by simply including
transactions in the blocktxn message that are not committed to in the block’s
merkle root.
Attribution
Credit goes to Niklas Gögge for discovering and disclosing the vulnerability,
as well as fixing the issue in https://github.com/bitcoin/bitcoin/pull/26898.
Timeline
2022-10-05 - Niklas Gögge reports the issue to the Bitcoin Core security mailing list.
2023-01-24 - PR #26898 containing the fix is merged.
2023-05-25 - Bitcoin Core 25.0 is released with the fix.
2024-10-09 - Public disclosure.
https://bitcoincore.org/en/2024/10/08/disclose-blocktxn-crash/
#Eenentwintig #Nieuws #News #BitcoinNews
EenentwintigNews / Eenentwintig Nieuwsfeed
npub10e…g0kj9
2024-10-09 18:00:19
Author Public Key
npub10en2rrs3t9qvgyxjj7c8ku8cmypvmrvrzzthpyd4zzqpwqfdkl7qqg0kj9Seen on
wss://relay.damus.ioPublished at
2024-10-09 18:00:19Event JSON
{
"id": "92688ad1aeffc957671e83da43a333a93aca15641dc7c9431ebdbac7f3a1a2bf",
"pubkey": "7e66a18e115940c410d297b07b70f8d902cd8d8310977091b5108017012db7fc",
"created_at": 1728496819,
"kind": 1,
"tags": [],
"content": "Disclosure of CVE-2024-35202\n\nBefore Bitcoin Core v25.0, an attacker could remotely crash Bitcoin Core\nnodes by triggering an assertion in the blocktxn message handling logic.\nThis issue is considered High severity.\nDetails\nWhen receiving a block announcement via a cmpctblock message, Bitcoin Core\nattempts to reconstruct the announced block using the transactions in its own\nmempool as well as other available transactions. If reconstruction fails due to\nmissing transactions it will request them from the announcing peer via a\ngetblocktxn message. In response a blocktxn message is expected, which should\ncontain the requested transactions.\nThe compact block protocol employs shortened transaction identifiers to reduce\nbandwidth. These short-ids are 6 byte in size, resulting in a small chance for\ncollisions (i.e. transaction A has the same short-id as transaction B) upon\nblock reconstruction. Collisions will be detected as the merkle root computed\nfrom the reconstructed set of transactions will not match the merkle root from\nthe block announcement. Peers should not be punished for collisions as they may\nhappen spuriously, therefore they are handled by falling back to requesting the\nfull block.\nBitcoin Core will create an instance of PartiallyDownloadedBlock\nwhenever a new compact block is received. If missing transactions are\nrequested, the instance is persisted until the corresponding blocktxn message\nis processed. Upon receiving the blocktxn message,\nPartiallyDownloadedBlock::FillBlock is called, attempting to\nreconstruct the full block. In the collision case described above, the full\nblock is requested but the PartiallyDownloadedBlock instance as\nwell as the other state related to the underlying block request is left\nuntouched. This leaves room for a second blocktxn message for the same block to\nbe processed and trigger FillBlock to be called again. This\nviolates the assumption (documented as an assert statement) that\nFillBlock can only be called once and causes the node to crash.\nAn attacker does not need to get lucky by triggering a collision, as the\ncollision handling logic can easily be triggered by simply including\ntransactions in the blocktxn message that are not committed to in the block’s\nmerkle root.\nAttribution\nCredit goes to Niklas Gögge for discovering and disclosing the vulnerability,\nas well as fixing the issue in https://github.com/bitcoin/bitcoin/pull/26898.\nTimeline\n2022-10-05 - Niklas Gögge reports the issue to the Bitcoin Core security mailing list.\n2023-01-24 - PR #26898 containing the fix is merged.\n2023-05-25 - Bitcoin Core 25.0 is released with the fix.\n2024-10-09 - Public disclosure.\n\nhttps://bitcoincore.org/en/2024/10/08/disclose-blocktxn-crash/\n\n#Eenentwintig #Nieuws #News #BitcoinNews",
"sig": "0db94238efb9672326e055e14245371f4e7389d02fcfc68884df777bb0101f533876af767d658373d1d930ca3862718ec8a6da7408e5b16543d3626cc9065677"
}