Skip to content

Fuzz Trophies

Niklas Gögge edited this page Oct 24, 2024 · 14 revisions

A best-effort collection of all vulns found exclusively via fuzzing. That is, the unit and functional tests passed.

This includes vulns found on pull requests. Vulns found on released versions are tracked on https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures.

Unique Id is:

  • cve-yyyy-nnn for vulns with assigned CVE (Common Vulnerabilities and Exposures) identifiers
  • pull-nnnn for vulns that exist(ed) on the pull request with given id
  • master-ffff for vulns that exist on the master branch as of the given commit id
  • undisclosed-yyyy-mm-dd for undisclosed vulns that have been reported on that day

Discovery is:

  • qa-assets means the vuln was triggered by one of the inputs in https://github.com/bitcoin-core/qa-assets
  • dynamic means the vuln was triggered by none of the fuzz inputs in qa-assets, but can be found with an existing fuzz target and enough CPU time
  • mod means the vuln was triggered by a fuzz target that isn't publicly available or a fuzz target that is locally modified.

The remaining columns follow the definitions from https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures

Unique ID Discovery Severity Attack is... Found by Flaw
cve-2017-18350 qa-assets DoS easy practicalswift SOCKS5 buffer overflow (details)
cve-2018-20586 mod log injection easy practicalswift Log injection vulnerability (details)
cve-2019-18936 qa-assets DoS easy practicalswift DoS in UniValue which is triggerable via RPC interface (details)
pull-18808 qa-assets DoS easy MarcoFalke Missing nullptr check (details)
master-9efd86a mod DoS easy practicalswift Assert on untrusted input (details, details)
undisclosed-2020-10-09 mod Netsplit Very hard practicalswift Time data integer overflow details
master-c22daa2e mod DoS easy dergoegge Heap-buffer-overflow: missing size sanity check for private keys received from SAM proxy (details)
master-ce585a9a mod Netsplit Varies dergoegge Assume-utxo snapshot malleation (details, details)
cve-2024-35202 mod DoS easy dergoegge Remotely reachable assertion crash (details)

Non-Exploitable Issues

Issues without Severity

Unique ID Discovery Found by Flaw
pull-10977 mod practicalswift Use of uninitialized memory (UUM) in RPC command getnetworkinfo (details)
pull-13546 mod practicalswift Use of uninitialized memory (UUM) in CWallet::CreateTransaction (details)
pull-13712 qa-assets practicalswift Use of uninitialized memory (UUM) in ParseHDKeypath (details)
pull-16800 qa-assets practicalswift Multiple Miniscript issues: heap out-of-bounds read, stack depth DoS, assertion failure, unhandled exception (details, details, details)
pull-17149 qa-assets practicalswift Multiple PSBT issues: heap use after free, signed integer overflows, etc. (details)
pull-17501 qa-assets practicalswift Base58 decoding is done without checking that the input size is reasonable (details)
pull-17624 mod practicalswift Use of uninitialized memory (UUM) when receiving a transaction we already have (details)
pull-17642 mod practicalswift Use of uninitialized memory (UUM) in RPC command bumpfee (details)
pull-17718 qa-assets practicalswift DecodeBase58 is too liberal when decoding (details)
pull-18033 qa-assets practicalswift Heap buffer-overflow in GetMappedAS (details)
pull-18162 qa-assets practicalswift Use of uninitialized memory (UUM) in FormatISO8601DateTime (details)
pull-18242 qa-assets practicalswift Use of uninitialized memory (UUM) in case of invalid P2P command name (details)
pull-18261 qa-assets practicalswift Use of uninitialized memory (UUM) in Erlay P2P code (details)
pull-18858 qa-assets practicalswift Signed integer overflow in CCoinsViewCache::GetValueIn (details)
pull-19237 qa-assets practicalswift Use of uninitialized memory (UUM) in CPubKey deserialization code (details)
pull-19930 qa-assets guidovranken Signed integer overflow in SipHasher (details)
pull-20135 qa-assets practicalswift Invalid integer negation in abs64 (details)
pull-20402 qa-assets practicalswift Invalid integer negation in FormatMoney reachable via RPC call decoderawtransaction (details)
pull-20607 qa-assets practicalswift Signed integer overflow in CFeeRate::GetFee reachable via RPC call analyzepsbt (details)
pull-20626 qa-assets practicalswift Signed integer overflow in CTxMemPool::PrioritiseTransaction reachable via RPC call prioritisetransaction (details)
pull-20867 qa-assets darosior implicit-integer-sign-change in multisig policy (details)
pull-20914 qa-assets practicalswift Null pointer derefence in CBlockIndexWorkComparator::operator() reachable via RPC call invalidateblock (details)
pull-21043 mod Crypt-iQ Signed integer overflow in version message processing (details)

A list of bugs found by oss-fuzz can be found here.