Block/tx consensus decoding bug

[sanket1729]

Our current decoding does a very rough approximation of the size of the vector before allocating it.

In the impl_vec! macro here:

rust-bitcoin/src/consensus/encode.rs

Lines 560 to 565 in 50d9394

	let len = VarInt::consensus_decode(&mut d)?.0;
	let byte_size = (len as usize)
	.checked_mul(mem::size_of::<$type>())
	.ok_or(self::Error::ParseFailed("Invalid length"))?;
	if byte_size > MAX_VEC_SIZE {
	return Err(self::Error::OversizedVectorAllocation { requested: byte_size, max: MAX_VEC_SIZE })

In #340, we introduced a very strict constant for the message size. In the current decoding code, we are assuming that the decoded memory size in rust would be less than the consensus serialized block size (4Mb). From a superficial look, it looks like bitcoin core also has some slack space here by allowing 5Mb (See: https://github.com/bitcoin/bitcoin/blob/833add0f48b0fad84d7b8cf9373a349e7aef20b4/src/serialize.h#L34)

We are using mem::size_of which is architecture-dependent and a very rough way to do the size check. This works fine in most cases for Vec<Transaction> mem::sizeof(&Transaction) is 56 bytes(two 4 bytes and 2 vectors with 24 bytes each) on 64 machines. And most transactions would be more than 56 bytes.

When dealing with Vec<TxOuts>/Vec<TxIns, I am fairly certain that there are some valid blocks that rust-bitcoin cannot decode.
As an extreme example, I am fairly certain that if we create a Block with just a single big transaction, one input(no witness), and all outputs with all empty script pubkeys, this will crash.

All the examples that I can come up with would like not to happen in practice, but it is still good to fix the bug in case someone does a malicious deliberate attack.

Overall, I think we should

1. Come with better logic to estimate size before decoding.
2. Cut some slack and increase the limit to a higher limit. I am really not sure what the number here should be as it depends on the exact way we estimate

[sanket1729]

Pinging @TheBlueMatt because he was the author of #340.

[TheBlueMatt]

Ah good catch. Yea, interesting question - if we know that the user has a pre-allocated buffer they're reading from, we would/should just drop the error and just pass a small number of Vec::with_capacity (this is what Bitcoin Core and LDK do). Sadly, presumably that's not guaranteed to be the case, at least for users streaming files off disk. One easy solution would be to add a length-limiting-reader at the top level of consensus decodes - eg block would create a Read wrapper that limits the read to 4MB and just refuses to read after that.

[apoelstra]

We actually do do this -- immediately after we do the broken "N * size_of < MAX_VEC_SIZE" check, we do reader = reader.take(MAX_VEC_SIZE) or something like that.

Maybe we could just delete the length check (or use it as a maximum value to pass to Vec::with_capacity) and then trust that take will protect us from DoS?

[dpc]

That take() there is possibly leaving some perf. on the table. Since decoding is recursive, and every time we descend deeper, we wrap the reader again. So when parsing whole Block, once we descend deep into parsing tree into things like fields on the inputs, we work with Take<Take<Take<...>>>. Each level of Take::read is doing some extra stuff: https://doc.rust-lang.org/src/std/io/mod.rs.html#2561 needlessly, for every layer, over and over. I don't know if Rust can somehow optimize it out, but I doubt it.

I guess what we really care about is only enforcing the limit once - on the top level reader. We don't ever want to go through more than 4MB when decoding, no matter what it was.

So I think the best way to approach it would be to have:

        impl Decodable for Vec<$type> {
            #[inline]

            /// Like `consensus_decode` but expecting the caller to take care of overflow
            /// protection by wrapping reader into appropriate `Take`
            fn consensus_decode_no_overflow_check<D: io::Read>(mut d: Take<D>) -> Result<Self, Error> {
                let len = VarInt::consensus_decode(&mut d)?.0;
                // in case len is lying, don't overallocate too many elements
                // if len is higher than MAX_DECODE_CAPACITY legitimately,
                // it will cause a very tiny perf hit (reallocate), which should be very rare
                let mut ret = Vec::with_capacity(cmp::min(MAX_DECODE_CAPACITY, len as usize));

                for _ in 0..len {
                    // NOT `consensus_decode` because we don't want recursive `Take`
                    ret.push(Decodable::consensus_decode_no_overflow_check(&mut d)?);
                }
                Ok(ret)
            }

            #[inline]
            fn consensus_decode<D: io::Read>(mut d: D) -> Result<Self, Error> {
                Self::consensus_decode_no_overflow_check(d.take(MAX_VEC_SIZE as u64))
            }
        }

I haven't dig much deeper here ,and I'm assuming that Take limiting the input, will end with decoding error that will propagate all the way up.

[apoelstra]

Nice, great observation. You're probably right that Rust is putting a gazillion redundant checks in, and not optimizing these out. It wouldn't surprise me if this was measurable for some data structures. Though FWIW these checks are only added when deserializing Vecs and I don't know if we ever even have a Vec<Vec<Vec in our code, let alone something deeper.

If there's a reasonably ergonomic fix we should definitely do it. But if it involves renaming 1000s of consensus_decode calls IMHO that's too much, unless we can measure a performance difference.

[dpc]

Yeah, I just came to post that I realized that Take<Take<_>> (ins/out in tx in block) seems like the max and only two levels, so only doubling, not tripling of these checks in reads. Unless someone added their own Take before calling it (out of caution, or to enforce the max block size - I might have missed it, but I don't see any documentation on Decodablethat is guarantees not reading more than certain amount of bytes, so I think it's possible some code will add it sometimes. Stating it as a part of API guarantee is probably a good idea.). Or if someone was decoding Vec<Block> from concatenated blocks or something (does it ever happen? probably not).

It also occurred to me that consensus_decode_no_overflow_check should take not Take<D> but just D. Less type enforcement but If someone has everything already in a Vec<_> and checked its length to not be huge (or even just MAX_VEC_SIZE), they don't really need to pay any of Take tax - they could just call consensus_decode_no_overflow_check directly.

Oh, and consensus_decode_no_overflow_check is probably a bad name, because implementations of consensus_decode_no_overflow_check can't simply ignore overflow check. They still need be mindful of not over-allocating (by eg. capping the with_capacity), but can rely on D not feeding them data forever. Maybe consensus_decode_from_bounded_reader or something like that.

There could then be some default functions like:

trait Decodable {
 // ... 
 
  fn from_bytes(bytes: &[u8])  -> Result<Self, Error> {
    // check `size()` once, forward to `consensus_decode_no_overflow_check`
  }
}

But if it involves renaming 1000s of consensus_decode calls IMHO that's too much, unless we can measure a performance difference.

At least the user's code should not need to change. All the outside code still calls consensus_decode. Both internal, external calls stay the same. The change is purely in implementations of Decodoable which are usually macroized anyway.

consensus_decode could now be a default implementation on the trait itself, so all types (macros that they use to derive) would implement consensus_decode_from_bounded_reader instead of consensus_decode, and that's kind of it.