Project Information
- Repository: https://github.com/steemit/steem
- Project Name: Steem
Expected behavior
The Steemd process should handle malformed messages arriving from a peer by logging and error and/or terminating the connection.
Actual behavior
A carefully crafted hello_message sent can cause steemd to attempt allocating all available memory, causing it to crash.
How to reproduce
A fuller writeup of how the bug was found can be read at https://steemit.com/software/@fuzz-ai/a-memory-exhaustion-attack-against-the-steem-blockchain
To exploit the bug, a malicious witness connects to a steemd instance over the network (using the peer-to-peer protocol) and participates in the encryption handshake. When sending the normal hello_message, it populates the variant_object field with an ill-formed variant object. On the wire, this is a repeating sequence of the four bytes
06 -- array
80 c0 02 -- of length 655360
The unparse function allocates this length of vector (the maximum allowed) and then recursively populates the first entry with another maximum-length vector. Then the first element of that entry is also a preallocated-vector, etc., for as many levels of depth as permitted by the maximum message size (and the stack size of the thread.) This results in memory usage far exceeding the 2MB maximum message size, up to about 1.3 terabytes, which will likely cause out-of-memory conditions on all but the very largest servers.
This bug was reported to [email protected] and was patched in release 0.20.7.
.
I thought that custom_json ops didn't use the C++ variant type, but just a JSON string. There is a bug in the JSON parser, but not an exploitable one in the way it is used. But I haven't looked at that in detail, it would certainly be good to understand what sort of things somebody could insert using a custom_json operation.
.
Thinking about this a little more, I was worried you might have been right about nested JSON objects, and that deeply-nested JSON objects in the JSON-RPC API could still cause the thread to die because of stack overflow.
The parser does have a check that you can't nest JSON objects or arrays more than 100 deep: https://github.com/steemit/steem/blob/9e83f66c85a2c76bef1a07cef7dd302d2c4be572/libraries/fc/src/io/json.cpp#L442
But I'm not sure it's effective, I can think of one way it might be fooled.
Thank you for your review, @crokkon! Keep up the good work!
Hi @fuzz-ai!
Feel free to join our @steem-ua Discord serverYour post was upvoted by @steem-ua, new Steem dApp, using UserAuthority for algorithmic post curation! Your post is eligible for our upvote, thanks to our collaboration with @utopian-io!
Congratulations @fuzz-ai! You have completed the following achievement on the Steem blockchain and have been rewarded with new badge(s) :
Click here to view your Board of Honor
If you no longer want to receive notifications, reply to this comment with the word
STOPTo support your work, I also upvoted your post!
Congratulations @fuzz-ai! You have completed the following achievement on the Steem blockchain and have been rewarded with new badge(s) :
Click here to view your Board of Honor
If you no longer want to receive notifications, reply to this comment with the word
STOPHey, @fuzz-ai!
Thanks for contributing on Utopian.
Congratulations! Your contribution was Staff Picked to receive a maximum vote for the bug-hunting category on Utopian for being of significant value to the project and the open source community.
We’re already looking forward to your next contribution!
Get higher incentives and support Utopian.io!
SteemPlus or Steeditor). Simply set @utopian.pay as a 5% (or higher) payout beneficiary on your contribution post (via
Want to chat? Join us on Discord https://discord.gg/h52nFrV.
Vote for Utopian Witness!