addrman: change internal id counting to int64_t #30568

Merged
merged 2 commits into from
Sep 20, 2024

Contributor

@mzumsande mzumsande commented Aug 1, 2024

With nIdCount being incremented for each addr received, an attacker could cause an overflow in the past, see https://bitcoincore.org/en/2024/07/31/disclose-addrman-int-overflow/
Even though that attack was made infeasible indirectly by addr rate-limiting (PR #22387), to be on the safe side and prevent any regressions change the nIds used internally to int64_t.
This is being done by first introducing a user-defined type for nIds in the first commit, and then updating it to int64_t (thanks sipa for help with this!).

Note that nId is only used internally, it is not part of the serialization, so peers.dat should not be affected by this.

I assume that the only reason this was not done in the past is to not draw attention to this previously undisclosed issue.

@DrahtBot
Contributor

DrahtBot commented Aug 1, 2024

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Code Coverage

For detailed information about the code coverage, see the test coverage report.

Reviews

See the guideline for information on the review process.

Type Reviewers
ACK naumenkogs, stratospher, achow101
Concept ACK dergoegge, brunoerg, BrandonOdiwuor, hebasto, Christewart
Approach ACK tdb3

If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.

Conflicts

Reviewers, this pull request conflicts with the following ones:

  • #29536 (fuzz: fuzz connman with non-empty addrman + ASMap by brunoerg)

If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

@DrahtBot DrahtBot added the P2P label Aug 1, 2024
@mzumsande mzumsande marked this pull request as draft August 1, 2024 17:12
@dergoegge
Member

Concept ACK

@mzumsande mzumsande force-pushed the 202408_addrman_int branch from a11a6d0 to 153492d Compare August 1, 2024 18:25
@mzumsande mzumsande changed the title addrman: change counter to uint64_t addrman: change internal id counting to int64_t Aug 1, 2024
@mzumsande mzumsande force-pushed the 202408_addrman_int branch 2 times, most recently from d565df5 to e869860 Compare August 1, 2024 19:10
@brunoerg
Contributor

brunoerg commented Aug 1, 2024

Concept ACK

@mzumsande
Contributor Author

Updated the PR to have a refactor-only commit that introduces a user-defined type for all spots that use nId as an int, and then change that to int64_t in the second commit.

@mzumsande mzumsande marked this pull request as ready for review August 1, 2024 21:59
Contributor

@BrandonOdiwuor BrandonOdiwuor left a comment

Concept ACK

Member

@hebasto hebasto left a comment

Concept ACK.

* This used to be int, making it feasible for attackers to cause an overflow,
* see https://bitcoincore.org/en/2024/07/31/disclose-addrman-int-overflow/
*/
using nid_type = int64_t;
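
Review bot: `using nid_type = int64_t;` is a plain alias, so nothing at this line stops an `int` from being passed where an id is expected, or an `nid_type` from being narrowed into an `int` without a diagnostic. Since the comment above it says the point is to keep ids from overflowing, consider adding a sentence there that remaining `int` uses of an id have to be found by review or by a narrowing-conversion warning, because the alias itself enforces nothing.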
Member

Good to see that a signed type is used, rather than an unsigned one in the initial version of this PR.

Contributor Author

Interesting PDF, thanks! In this particular case there was no choice because nIds in vvNew and vvTried are initialised to -1.

@@ -188,7 +188,7 @@ void AddrManImpl::Serialize(Stream& s_) const

int nUBuckets = ADDRMAN_NEW_BUCKET_COUNT ^ (1 << 30);
s << nUBuckets;
std::unordered_map<int, int> mapUnkIds;
std::unordered_map<nid_type, int> mapUnkIds;
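
Review bot: on the changed `mapUnkIds` line only the key becomes `nid_type` while the mapped value stays `int`, and nothing in the hunk says why. If the value is the index that ends up in the stream rather than an id, a one-line comment saying so would make the mixed types read as intentional and keep a later cleanup from widening a serialized field.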
Member

I think you'll want std::vector<std::pair<int, nid_type>> bucket_entries; as well in the serializer below (not strictly necessary as the number can't actually overflow an int, but morally, the second pair element is an id). Same with const nid_type entry_index{bucket_entry.second}; that's derived from it (and possibly other places).

Contributor Author

Hmm, can you explain the "morally" part a bit more?

mapUnkIds maps nid_type to an int, let's call that counter ser_count. ser_count is part of the serialization and is bounded by the limited slots of the addrman tables - even if the internal id would overflow an int, ser_count wouldn't be affected by that.

During deserialization, ser_count is read into int entry_index (which must be int), and then makes it into bucket_entries and later into vvNew. But I'm unsure when is the best step to convert it into an int64_t - why is it better to already do that in the step entry_index -> bucket_entries rather than the way it is now?

Member

I assume this is about the introduced index mismatch at AddrInfo& info = mapInfo[entry_index];, specifically the keys of mapInfo.

It is technically safe because we always go from a narrower type to the wide one... but that's what is immoral I guess :)

I think it's fine the way this commit works, at most we could add a comment explaining this mismatch.

Contributor

I'm fine with the version on the branch now because Serialise() and Unserialise() are symmetrical. nIndex is written as int into peers.dat in Serialise() and read as int from peers.dat in Unserialise().

Contributor

@stratospher stratospher left a comment

Concept ACK. If you retouch, there's also:

auto IdsReferToSameAddress = [&](int id, int other_id) EXCLUSIVE_LOCKS_REQUIRED(m_impl->cs, other.m_impl->cs) {

@mzumsande
Contributor Author

Concept ACK. If you retouch, there's also:

Good catch, fixed!

Contributor

@tdb3 tdb3 left a comment

Concept ACK.
Briefly reviewed, and will return to review in more detail. Love the approach to introduce nid_type. Makes things safer moving forward.

@Christewart
Contributor

Christewart commented Aug 17, 2024

Concept ACK

So presumably test cases are in #22387 to directly test the vuln?

I had a hard time deciphering what is meant to test the new rate limiting logic in #22387 and what test cases were intended to prevent a regression for being introduced in the future that re-introduces this vulnerability.

@stratospher
Contributor

I had a hard time deciphering what is meant to test the new rate limiting logic in #22387 and what test cases were intended to prevent a regression for being introduced in the future that re-introduces this vulnerability.

Main thing is to make sure that nId values are distinct. #22387 limits the nId which the addrman can possibly construct (functional tests which test this behaviour). This PR makes the nId space so large (64 bits) that the values are distinct. So even in the absence of the rate limiting mechanism, with this PR the attacker would need to insert > 2**64 addresses to make the node crash.

(you could change the type of nIdCount to int8_t to see the undesirable effects of duplicate nId in action!)

I looked into the assertion crash since I was confused how it happened. Sharing details in case it's helpful to anyone.

32 bit nIdCount could overflow and wrap around if addr messages were spammed (nIdCount would go from 0 to INT32_MAX, then become negative and go from INT32_MIN to 0 and loop again). So nIds aren't distinct anymore. Create() is written with an assumption that every nId it receives is distinct. This line ends up overwriting the nId -> AddrInfo map without checking if it exists. This can lead to corruptions and assertion failures.

An example scenario:

  • suppose AddrInfo1 with nId=36 is inserted into a bucket-position in vvNew (new table) and mapInfo now contains nId=36 -> AddrInfo1 mapping
  • when nId=36 happens again (because nId wraps around due to overflow) and another address AddrInfo2 is inserted into the new table, there is no clean deletion of existing nId in vvNew / mapAddr and the nId=36 in vvNew means AddrInfo2 now.
  • It's also possible that we don't want to insert AddrInfo2 into new table and nId=36 address can get deleted later.
  • when the same bucket-position happens again, and we want to rewrite its contents (nId=36) which meant the overwritten old address -> that info isn't present in mapInfo and nRefCount = 0 (because it got deleted!)
  • this will cause an assertion failure like the one below and the node crashes.
bitcoind: addrman.cpp:494: void AddrManImpl::ClearNew(int, int): Assertion `infoDelete.nRefCount > 0' failed.
Aborted (core dumped)

Contributor

@tdb3 tdb3 left a comment

Approach ACK
Reviewed a bit more. Just nits.

@@ -258,7 +265,7 @@ class AddrManImpl
*
* @return int The nid of the entry. If the addrman position is empty or not found, returns -1.
Contributor

nit: The return type in the Doxygen content could be adjusted.

-     *  @return  int The nid of the entry. If the addrman position is empty or not found, returns -1.
+     *  @return  nid_type The nid of the entry. If the addrman position is empty or not found, returns -1.
      * */
     nid_type GetEntry(bool use_tried, size_t bucket, size_t position) const EXCLUSIVE_LOCKS_REQUIRED(cs);

nit / thinking out loud: Returning -1 is a remnant of the previous type being a plain int. To keep with the theme of using the user-defined nid_type, would it be worth creating a macro (or constexpr, or similar) to name the invalid case (e.g. INVALID_NID = -1)? Not sure, as I'm not seeing a need to adjust nid_type to anything more complicated than int64_t, and GetEntry() in this case is just indicating empty/not found.

Contributor Author

Fixed the return type.

Yes, also not sure about INVALID_NID - I don't really see why we would want to change it from -1 to another value, but happy to add it if others like it... I'll keep this thread open for a while.

mzumsande and others added 2 commits August 30, 2024 16:59
This makes it easier to track which spots refer to an nId
(as opposed to, for example, bucket index etc. which also use int)

Co-authored-by: Pieter Wuille <pieter@wuille.net>

With nId being incremented for each addr received,
an attacker could cause an overflow in the past.
(https://bitcoincore.org/en/2024/07/31/disclose-addrman-int-overflow/)
Even though that attack was made infeasible by
rate-limiting (PR bitcoin#22387), to be on the safe side change the
type to an int64_t.
@mzumsande
Contributor Author

1ded29d to 51f7668:
Rebased and fixed doxygen comment.

So presumably test cases are in #22387 to directly test the vuln?

No, there is no test case that directly tests the vulnerability. For that, we'd need to add approximately 2 * INT_MAX addrs to addrman (see the explanation by @stratospher above) - which I think would be too slow to be practical for the test suite. However, one simple way to recreate the vulnerability (with this branch) is to locally change nid_type to int8_t - if you then run a node, it will crash quickly.
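
The duplicate-id failure that @stratospher walks through, and the `int8_t` experiment suggested in this thread, as an added example that is not code from this PR or from Bitcoin Core. It is a toy id table run once with a narrow id type and once with `int64_t`; `ToyAddrMan`, `Simulate`, `Report`, the 8-slot table and the churn pattern are all constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <type_traits>
#include <unordered_map>
#include <vector>

// Toy model (constructed for this example): a counter hands out ids,
// m_info maps id -> entry, and table slots store ids.
struct Report {
    size_t overwritten_live; // Create() replaced an entry that was still referenced
    size_t dangling_slots;   // slots whose id no longer resolves to an entry
    size_t failed_clears;    // clears that found no entry or a ref count of 0
};

template <typename IdT>
class ToyAddrMan {
    struct Info { std::string addr; int ref_count; };
    typedef typename std::make_unsigned<IdT>::type UIdT;

    IdT m_next_id;
    std::vector<IdT> m_slots;             // -1 marks an empty slot
    std::unordered_map<IdT, Info> m_info; // id -> entry
    Report m_report;

    static constexpr IdT Empty() { return static_cast<IdT>(-1); }

    // Hands out the next id and stores the entry, assuming the id is unused.
    IdT Create(const std::string& addr) {
        const IdT id = m_next_id;
        // Wrap through the unsigned type so the example has no signed-overflow UB.
        m_next_id = static_cast<IdT>(static_cast<UIdT>(static_cast<UIdT>(id) + 1));
        if (m_info.count(id)) ++m_report.overwritten_live; // bookkeeping for the demo only
        m_info[id] = Info{addr, 0};
        return id;
    }

public:
    explicit ToyAddrMan(size_t slots)
        : m_next_id(0), m_slots(slots, Empty()), m_report() {}

    // Drops the reference a slot holds. Returns false in the state that the
    // `nRefCount > 0` assertion quoted in this thread guards against.
    bool Clear(size_t slot) {
        const IdT id = m_slots[slot];
        m_slots[slot] = Empty();
        if (id == Empty()) return true;
        auto it = m_info.find(id);
        if (it == m_info.end() || it->second.ref_count <= 0) {
            ++m_report.failed_clears;
            return false;
        }
        if (--it->second.ref_count == 0) m_info.erase(it);
        return true;
    }

    // Replaces whatever the slot holds with a freshly created entry.
    void Add(const std::string& addr, size_t slot) {
        Clear(slot);
        const IdT id = Create(addr);
        m_slots[slot] = id;
        ++m_info[id].ref_count;
    }

    Report Snapshot() {
        m_report.dangling_slots = 0;
        for (size_t i = 0; i < m_slots.size(); ++i) {
            if (m_slots[i] != Empty() && m_info.count(m_slots[i]) == 0) {
                ++m_report.dangling_slots;
            }
        }
        return m_report;
    }
};

// One long-lived entry keeps id 0 in slot 0 while `churn_adds` further
// entries rotate through slots 1..7; slot 0 is evicted at the end.
template <typename IdT>
Report Simulate(int churn_adds) {
    ToyAddrMan<IdT> man(8);
    man.Add("long-lived", 0);
    for (int c = 1; c <= churn_adds; ++c) {
        man.Add("peer" + std::to_string(c), static_cast<size_t>(1 + (c - 1) % 7));
    }
    Report r = man.Snapshot(); // dangling slots are counted before the eviction
    man.Clear(0);
    r.failed_clears = man.Snapshot().failed_clears;
    return r;
}

int main() {
    const Report narrow = Simulate<int8_t>(300);
    const Report wide = Simulate<int64_t>(300);
    std::printf("int8_t : overwritten=%zu dangling=%zu failed_clears=%zu\n",
                narrow.overwritten_live, narrow.dangling_slots, narrow.failed_clears);
    std::printf("int64_t: overwritten=%zu dangling=%zu failed_clears=%zu\n",
                wide.overwritten_live, wide.dangling_slots, wide.failed_clears);
    return 0;
}
```

In this toy model the wrapped counter also passes through -1, the value used to mark an empty slot, so an entry created with that id is never released by a later clear.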

@naumenkogs
Member

ACK 51f7668

The reasoning in the original post makes sense, this is an improvement. I reviewed the code visually.

@stratospher
Contributor

ACK 51f7668. I think it's a good change to make the nId space large (64 bits) so that the nId values are distinct.

@achow101
Member

ACK 51f7668

@achow101 achow101 merged commit 0d81b3d into bitcoin:master Sep 20, 2024
16 checks passed
@mzumsande mzumsande deleted the 202408_addrman_int branch October 1, 2024 17:31
TheCharlatan added a commit to TheCharlatan/rust-bitcoinkernel that referenced this pull request Nov 2, 2024
fce9e065c16 Merge bitcoin/bitcoin#28358: Drop -dbcache limit
8d000b85dd4 Merge bitcoin/bitcoin#30868: refactor: add clang-tidy `modernize-use-starts-ends-with` check
3f66642820b Merge bitcoin/bitcoin#30440: Have createNewBlock() return a BlockTemplate interface
2bf721e76a5 Merge bitcoin/bitcoin#30661: fuzz: Test headers pre-sync through p2p
c38e9993de7 Merge bitcoin/bitcoin#30286: cluster mempool: optimized candidate search
fa99e4521b6 ci: Allow CCACHE_DIR bind mount
37679b856ce Merge bitcoin/bitcoin#30899: qt: Translations update
fc7b507e9a5 tidy: add clang-tidy `modernize-use-starts-ends-with` check
7a8a6a06676 doc: Fix comment in `contrib/devtools/check-deps.sh` script
712d105e093 depends, doc: Do not install Autotools packages
b786449e663 ci: Do not install Autotools packages
a240e150e83 streams: remove AutoFile::Get() entirely
ae052957614 qt: Translations update
6a1aa510e31 rpc: check block index before reading block / undo data
6cbf2e5f819 rpc: Improve gettxoutproof error when only header is available.
69fc867ea19 test: add coverage to getblock and getblockstats
5290cbd5850 rpc: Improve getblock / getblockstats error when only header is available.
e5b537bbdfb rest: improve error when only header of a block is available.
e624a9bef16 streams: cache file position within AutoFile
89bf11b8072 guix: build Linux GCC with --enable-cet
a93c171faa7 Drop unneeded nullptr check from CreateNewBlock()
dd87b6dff35 Have createNewBlock return BlockTemplate interface
fae9b60c4ff test: Use LogPrintStr to test m_log_sourcelocations
33381ea530a scripted-diff: Modernize nLocalServices to m_local_services
2a581144f28 build: Minimize I/O operations in GenerateHeaderFromJson.cmake
aa003d1568b build: Minimize I/O operations in GenerateHeaderFromRaw.cmake
9ad2fe7e69e clusterlin: only start/use search when enough iterations left
bd044356edb clusterlin: improve heuristic to decide split transaction (optimization)
71f26293988 clusterlin: include topological pot subsets automatically (optimization)
e20fda77a2d clusterlin: reduce computation of unnecessary pot sets (optimization)
6060a948caf clusterlin bench: add example hard cluster benchmarks
2965fbf203f clusterlin: track upper bound potential set for work items (optimization)
9e43e4ce109 clusterlin: use feerate-sorted depgraph in SearchCandidateFinder
b80e6dfe780 clusterlin: add reordering support for DepGraph
85a285a3061 clusterlin: separate initial search entries per component (optimization)
e4faea9ca79 clusterlin bench: have low/high iter benchmarks instead of per-iter
fa39b1ca638 doc: move-only logging warning
fa252da0b9c ci: Remove hardcoded CCACHE_DIR in cirrus
fa146904e19 ci: Bump default CCACHE_MAXSIZE to 500M
aaaa7cf8bad cirrus: Drop CCACHE_NOHASHDIR
fa7ca182a9b ci: Print inner env
84663291275 chain: simplify `deleteRwSettings` code and improve it's doc
f8d91f49c70 chain: dont check for null settings value in `overwriteRwSetting`
df601993f2d chain: ensure `updateRwSetting` doesn't update to a null settings
5e190cd11f6 Replace CScript _hex_v_u8 appends with _hex
cac846c2fbf Allow CScript's operator<< to accept spans, not just vectors
c78d8ff4cb8 prevector: avoid GCC bogus warnings in insert method
e4e3b44e9cc net: call `Select` with reachable networks in `ThreadOpenConnections`
829becd990b addrman: change `Select` to support multiple networks
f698636ec86 net: add `All()` in `ReachableNets`
a97f43d63a6 fuzz: Add harness for p2p headers sync
c8e2eeeffb4 chain: uniformly use `SettingsAction` enum in settings methods
f482d0e366a fuzz: reduce number of iterations in `crypto_aeadchacha20poly1305` target
1e9e735670f chain: move new settings safely in `overwriteRwSetting`
1c409004c80 test: remove wallet context from `write_wallet_settings_concurrently`
58499b00d0a refactor: move `SignSignature` helpers to test utils
cd0edf26c07 tracing: cast block_connected duration to nanoseconds
cfd03de965a Add Testnet4 launch shortcut for Windows
77b2923f871 Add Signet launch shortcut for Windows
bc52cda1f3c fix use int32_t instead of int type for risczero compile with (-march=rv32i, -mabi=ilp32)
a0eaa4749fe Add FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION in PoW check
a3f6f5acd89 build: Automatically define FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION for fuzz builds
0c02d4b2bdb net_processing: Make MAX_HEADERS_RESULTS a PeerManager option
51f7668d31e addrman: change nid_type from int to int64_t
051ba3290e3 addrman, refactor: introduce user-defined type for internal nId
bdad0243be8 rpc, net: getrawaddrman "mapped_as" follow-ups
fa1b139d17d Bump python minimum supported version to 3.10
ec585f11c38 Reserve space for transaction inputs in CreateTransactionInternal
c76aaaf9003 Reserve space for transaction outputs in CreateTransactionInternal
bb3b980dfd9 validation: drop maximum -dbcache
REVERT: e70e527ef21 kernel: Add pure kernel bitcoin-chainstate
REVERT: ed9a8a54d3c kernel: Add block index utility functions to C header
REVERT: 6338dd45b55 kernel: Add function to read block undo data from disk to C header
REVERT: a2ac0c1e7c9 kernel: Add functions to read block from disk to C header
REVERT: 170060c3372 kernel: Add function for copying  block data to C header
REVERT: 0f8c00bba07 kernel: Add functions for the block validation state to C header
REVERT: 41dba7d2603 kernel: Add validation interface to C header
REVERT: 877cf01f22c kernel: Add interrupt function to C header
REVERT: f77c2b90422 kernel: Add import blocks function to C header
REVERT: 254e17dbeab kernel: Add chainstate load options for in-memory dbs in C header
REVERT: 8baa06d318f kernel: Add options for reindexing in C header
REVERT: 0243ed8a200 kernel: Add block validation to C header
REVERT: 36fbab87e9e Kernel: Add chainstate loading to kernel C header
REVERT: b249e93f295 kernel: Add chainstate manager object to C header
REVERT: 2546745a393 kernel: Add notifications context option to C header
REVERT: 2578746e87f kerenl: Add chain params context option to C header
REVERT: 21107de0ca7 kernel: Add kernel library context object
REVERT: 83cc65c4911 kernel: Add logging to kernel library C header
REVERT: 2f47169f91e kernel: Introduce initial kernel C header API

git-subtree-dir: libbitcoinkernel-sys/bitcoin
git-subtree-split: 1047757ea3b4b78b51d7338ea44e2123851143fe
fanquake pushed a commit to fanquake/bitcoin that referenced this pull request Nov 4, 2024
This makes it easier to track which spots refer to an nId
(as opposed to, for example, bucket index etc. which also use int)

Co-authored-by: Pieter Wuille <pieter@wuille.net>

Github-Pull: bitcoin#30568
Rebased-From: 051ba32
fanquake pushed a commit to fanquake/bitcoin that referenced this pull request Nov 4, 2024
With nId being incremented for each addr received,
an attacker could cause an overflow in the past.
(https://bitcoincore.org/en/2024/07/31/disclose-addrman-int-overflow/)
Even though that attack was made infeasible by
rate-limiting (PR bitcoin#22387), to be on the safe side change the
type to an int64_t.

Github-Pull: bitcoin#30568
Rebased-From: 051ba32
fanquake pushed a commit to fanquake/bitcoin that referenced this pull request Dec 2, 2024
With nId being incremented for each addr received,
an attacker could cause an overflow in the past.
(https://bitcoincore.org/en/2024/07/31/disclose-addrman-int-overflow/)
Even though that attack was made infeasible by
rate-limiting (PR bitcoin#22387), to be on the safe side change the
type to an int64_t.

Github-Pull: bitcoin#30568
Rebased-From: 51f7668
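The two commits described above, as an added sketch that is not Bitcoin Core's addrman code: the id width is chosen in one place, and a checked allocator shows where a 32-bit counter runs out while a 64-bit one keeps going. `IdTable`, `SecondsToExhaust`, the `-1` "no id" return value and the 1000 ids/s rate are hypothetical names and constructed values.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <limits>
#include <string>
#include <unordered_map>

// Hypothetical model, not addrman itself: entries are keyed by an internal id
// whose width is chosen in exactly one place (the template parameter).
template <typename NidType>
class IdTable {
    static_assert(std::numeric_limits<NidType>::is_signed, "-1 is reserved as 'no id'");
    NidType m_next_id;
    std::unordered_map<NidType, std::string> m_entries;

public:
    explicit IdTable(NidType first_id = 0) : m_next_id(first_id) {}

    // Hands out the next id, or -1 once the counter is exhausted. Checking
    // before incrementing avoids signed overflow, which is undefined behaviour.
    NidType Add(const std::string& addr) {
        if (m_next_id == std::numeric_limits<NidType>::max()) return -1;
        const NidType id = m_next_id++;
        m_entries.emplace(id, addr);
        return id;
    }
    std::size_t Size() const { return m_entries.size(); }
};

// Seconds until a counter of this width is used up at a constant allocation rate.
template <typename NidType>
double SecondsToExhaust(double ids_per_second) {
    return static_cast<double>(std::numeric_limits<NidType>::max()) / ids_per_second;
}

int main() {
    const int32_t near_limit = std::numeric_limits<int32_t>::max() - 1;
    IdTable<int32_t> narrow(near_limit);  // one id left before the limit
    IdTable<int64_t> wide(near_limit);    // same start, wider type
    for (int i = 0; i < 3; ++i) {
        std::printf("int32_t id: %lld   int64_t id: %lld\n",
                    static_cast<long long>(narrow.Add("addr")),
                    static_cast<long long>(wide.Add("addr")));
    }
    // Constructed rate of 1000 ids/s, for illustration only.
    std::printf("days to exhaust int32_t: %.1f\n", SecondsToExhaust<int32_t>(1000.0) / 86400);
    std::printf("years to exhaust int64_t: %.0f\n", SecondsToExhaust<int64_t>(1000.0) / 86400 / 365);
}
```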
fanquake added a commit that referenced this pull request Dec 4, 2024
8fef83a doc: update manual pages for 28.1rc1 (fanquake)
df77646 build: bump version to 28.1rc1 (fanquake)
9add853 doc: update release notes for 28.1rc1 (fanquake)
1025090 build: disable compiling fuzz/utxo_snapshot.cpp with MSVC (fanquake)
446f5d2 refactor: Drop deprecated space in operator""_mst (MarcoFalke)
9976162 addrman: change nid_type from int to int64_t (Martin Zumsande)
1d0411d addrman, refactor: introduce user-defined type for internal nId (Martin Zumsande)
7fec638 depends: For mingw cross compile use -gcc-posix to prevent library conflict (laanwj)
f998ac6 key: clear out secret data in `DecodeExtKey` (Sebastian Falbesoner)
0773560 ci: add LLVM_SYMBOLIZER_PATH to Valgrind fuzz job (fanquake)
b917334 test: add missing sync to feature_fee_estimation.py (Martin Zumsande)
f072721 doc: add testnet4 section header for config file (Marnix)
6643fd2 doc: Archive 28.0 release notes (Ava Chow)

Pull request description:

  Backports:
  * #30568
  * #31007
  * #31013
  * #31016
  * #31035
  * #31166

  Contains:
  * A commit to do the same as #31307.

ACKs for top commit:
  willcl-ark:
    ACK 8fef83a

Tree-SHA512: 58f0c6cb9e5b7ac17ad20141acdc5423dbe8e79cc3a2cf1c4e503d289b75940632c9838c64e3ac733b1a55e65723fc1071ccdd9a860a710256cc88e29f42ccdb