|
| 1 | +--- |
| 2 | +title: Disclosure of CPU DoS / stalling due to malicious P2P message (≤ version 0.17.2) |
| 3 | +name: blog-disclose-orphan-dos |
| 4 | +id: en-blog-disclose-orphan-dos |
| 5 | +lang: en |
| 6 | +type: advisory |
| 7 | +layout: post |
| 8 | + |
| 9 | +## If this is a new post, reset this counter to 1. |
| 10 | +version: 1 |
| 11 | + |
| 12 | +## Only true if release announcement or security annoucement. English posts only |
| 13 | +announcement: 1 |
| 14 | + |
| 15 | +excerpt: > |
| 16 | + A node could be stalled for hours when processing the orphans of a specially crafted unconfirmed transaction. |
| 17 | +--- |
| 18 | + |
| 19 | +A node could be stalled for hours when processing the orphans of a specially crafted unconfirmed |
| 20 | +transaction. |
| 21 | + |
| 22 | +This issue is considered **High** severity. |
| 23 | + |
| 24 | +## Details |
| 25 | + |
| 26 | +After accepting a transaction into its mempool, the node would go through its cache of orphan |
| 27 | +transactions to find if this new accepted transaction makes it possible to accept any. This search |
| 28 | +was quadratic: for each output in the newly accepted transaction it would go through all cached |
| 29 | +orphan transactions (limited to 100). By specially crafting the orphan transactions to be invalid |
| 30 | +yet expensive to validate a node could be stalled for several hours. |
| 31 | + |
| 32 | +The stall was fixed by Pieter Wuille in [PR #15644](https://github.com/bitcoin/bitcoin/pull/15644) |
| 33 | +by interrupting the orphan resolution to process new messages when a match is found (whether the |
| 34 | +orphan turns out to be valid or not). |
| 35 | + |
| 36 | +## Attribution |
| 37 | + |
| 38 | +Credits to sec.eine for responsibly disclosing the bug and providing feedback on the fix. |
| 39 | + |
| 40 | +## Timeline |
| 41 | + |
| 42 | +- 2019-03-19 sec.eine reports the issue to Greg Maxwell by email |
| 43 | +- 2019-03-21 Greg Maxwell responds with information about the proposed patch |
| 44 | +- 2019-03-22 sec.eine gives feedback on the patch ("seems solid and [..] doesn't attract attention") |
| 45 | +- 2019-03-22 Pieter Wuille opens PR #15644 |
| 46 | +- 2019-04-01 PR #15644 is merged |
| 47 | +- 2019-05-18 Bitcoin Core version 0.18.0 is released with a fix |
| 48 | +- 2020-07-22 The issue is [partially disclosed](https://bitcoincore.reviews/15644#l-285) during a PR review club |
| 49 | +- 2020-08-01 The last vulnerable Bitcoin Core version (0.17.x) goes EOL |
| 50 | +- 2024-07-03 Public disclosure. |
| 51 | + |
| 52 | +{% include references.md %} |
0 commit comments