Fuzz failure in bitcoin_deserialize_psbt

[apoelstra]

Fuzz CI has failed for the last couple of days with variants of

70736274ff10fc00ff0000000000106dd5f43c0000000001000a000000000000000100c0000000000000000100000000000000f0ffff020000912d201101000a0000000000000a0007ffffffffffffff7e638080808080808080808080808080808080800080808080808080808080808080808080808086fd000000000000000080000000000000004000fd8080000000ffffffffffffffff00000013b13c330249240100000092492400000002924a39000000000029290000004e4992244992244902024924924924924a00001004020000000200f559ee39abe801003330fd3bb1133bb1133b0162737073000074626a700000000000b1130065cd1d010000ff86970000000000000001d1d1d1d1d1d1d1d1d1d1d1d1d1d1d1d1d1d1d1d1d1d1d1d1d1d1d1d1d1d1d1d1d1d1d1d1d1d1d1d1d1d1d1d1d1d1d1d1d1d1d1d100c00000000000008080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080808080024924924924924a80808080808080808080808080808080808080808080808080808080808080808080808080808080808080800000000000000000000000fd0000004e0a008000000000fd0000004e0a007370ffffffffff80808080808080808080808080808080808080007462737002000000000000002929292900810000000000008000000000000002ff34

If you plug this into the fuzztest then run RUSTFLAGS=--cfg=fuzzing cargo test in the fuzz/ dir you will get

test tests::duplicate_crash ... FAILED

failures:

---- tests::duplicate_crash stdout ----
thread 'tests::duplicate_crash' panicked at bitcoin/src/consensus/encode.rs:148:5:
assertion `left == right` failed
  left: 7
 right: 15
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

[jamillambert]

I have done a bit of digging and the issue is because of cases that have a compact integer larger than one byte (>252) in the ProprietaryKey.subtype part of the input data.

e.g. Running the below modified section of deserialize_psbt.rs gives an error for case 1 and not case 2.

The value 252 is a ProprietaryKey and case 1 the first 8 values of the number sequence are used as the subtype giving the length of 25 when 33 is expected. Case 2 passes where the only difference is changing the 255 to a 250 in the third line from the bottom of bytes (I added line breaks to make it clear where the problem section is).

    #[test]
    fn crash_case() {
        let bytes: [u8; 112] = [
            112, 115, 98, 116, 255, 1, 0, 55, 143, 207, 143, 207, 0, 1, 0, 0, 11, 0, 0, 4, 146, 73,
            36, 255, 59, 177, 19, 59, 177, 19, 59, 1, 98, 118, 39, 98, 118, 201, 201, 201, 201,
            201, 201, 7, 255, 128, 0, 0, 0, 0, 0, 59, 1, 3, 44, 127, 172, 71, 71, 71, 71, 71, 0, 0,
            1, 0, 1, 1, 1, 1, 1, 1, 34,
            252,
            0, 255,
            1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14,
            15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 0, 0, 0, 0, 0,
        ];

        let psbt: Result<bitcoin::psbt::Psbt, _> = bitcoin::psbt::Psbt::deserialize(&bytes);
        match psbt {
            Err(_) => {}
            Ok(psbt) => {
                let _ser = bitcoin::psbt::Psbt::serialize(&psbt);
            }
        }
    }

Below is the output of what is passed to encode.rs before the crash, note the values 1 through 8 are used for the subtype and the key values start from 9.
case 1 (crashes):

Output { redeem_script: Some(Script(OP_PUSHBYTES_1 <push past end>)), witness_script: Some(Script(OP_PUSHBYTES_1 <push past end>)), bip32_derivation: {}, tap_internal_key: None, tap_tree: None, tap_key_origins: {}, proprietary: {ProprietaryKey { prefix: [], subtype: 578437695752307201, key: [9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31] }: []}, unknown: {} }

thread 'tests::crash_case' panicked at bitcoin/src/consensus/encode.rs:45:5:
assertion `left == right` failed
  left: 25
 right: 33

Case 2 (no crash) and key values start from 1. Note the subtype is 250.

        let bytes: [u8; 112] = [
            112, 115, 98, 116, 255, 1, 0, 55, 143, 207, 143, 207, 0, 1, 0, 0, 11, 0, 0, 4, 146, 73,
            36, 255, 59, 177, 19, 59, 177, 19, 59, 1, 98, 118, 39, 98, 118, 201, 201, 201, 201,
            201, 201, 7, 255, 128, 0, 0, 0, 0, 0, 59, 1, 3, 44, 127, 172, 71, 71, 71, 71, 71, 0, 0,
            1, 0, 1, 1, 1, 1, 1, 1, 34,
            252,
            0, 250,
            1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14,
            15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 0, 0, 0, 0, 0,
        ];


Output { redeem_script: Some(Script(OP_PUSHBYTES_1 <push past end>)), witness_script: Some(Script(OP_PUSHBYTES_1 <push past end>)), bip32_derivation: {}, tap_internal_key: None, tap_tree: None, tap_key_origins: {}, proprietary: {ProprietaryKey { prefix: [], subtype: 250, key: [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31] }: []}, unknown: {} }

[apoelstra]

Great, thanks for investigating!

While you are poking at this, can you take a quick look to see if 0.32 is affected? If so we definitely need to backport a fix before the upcoming release.

If not I can take a look -- but I am at a conference this week and will be delayed.

[jamillambert]

0.32 does not seem to be affected. The test above passes and the subtype is read as 255, and not interpreted as a compact integer containing the next 8 bytes.

This is the equivalent Psbt.output for case 1 from above in v0.32

Output { redeem_script: Some(Script(OP_PUSHBYTES_1 <push past end>)), witness_script: Some(Script(OP_PUSHBYTES_1 <push past end>)), bip32_derivation: {}, tap_internal_key: None, tap_tree: None, tap_key_origins: {}, proprietary: {ProprietaryKey { prefix: [], subtype: 255, key: [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31] }: []}, unknown: {} }

[jamillambert]

I think it was introduced in #2906