Fuzz Trophies - bitcoin-core/bitcoin-devwiki GitHub Wiki
A best-effort collection of all vulns found exclusively via fuzzing. That is, the unit and functional tests passed.
This includes vulns found on pull requests. Vulns found on released versions are tracked on https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures.
Unique Id is:
- cve-yyyy-nnn for vulns with assigned CVE (Common Vulnerabilities and Exposures) identifiers
- pull-nnnn for vulns that exist(ed) on the pull request with given id
- master-ffff for vulns that exist on the master branch as of the given commit id
- undisclosed-yyyy-mm-dd for undisclosed vulns that have been reported on that day
Discovery is:
qa-assetsmeans the vuln was triggered by one of the inputs in https://github.com/bitcoin-core/qa-assetsdynamicmeans the vuln was triggered by none of the fuzz inputs in qa-assets, but can be found with an existing fuzz target and enough CPU timemodmeans the vuln was triggered by a fuzz target that isn't publicly available or a fuzz target that is locally modified.
The remaining columns follow the definitions from https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures
| Unique ID | Discovery | Severity | Attack is... | Found by | Flaw |
|---|---|---|---|---|---|
| cve-2017-18350 | qa-assets | DoS | easy | practicalswift | SOCKS5 buffer overflow (details) |
| cve-2018-20586 | mod | log injection | easy | practicalswift | Log injection vulnerability (details) |
| cve-2019-18936 | qa-assets | DoS | easy | practicalswift | DoS in UniValue which is triggerable via RPC interface (details) |
| pull-18808 | qa-assets | DoS | easy | MarcoFalke | Missing nullptr check (details) |
| master-9efd86a | mod | DoS | easy | practicalswift | Assert on untrusted input (details, details) |
| undisclosed-2020-10-09 | mod | Netsplit | Very hard | practicalswift | Undisclosed flaw |
| master-c22daa2e | mod | DoS | easy | dergoegge | Heap-buffer-overflow: missing size sanity check for private keys received from SAM proxy (details) |
| master-ce585a9a | mod | Netsplit | Varies | dergoegge | Assume-utxo snapshot malleation (details, details) |
Non-Exploitable Issues
Issues without Severity
| Unique ID | Discovery | Found by | Flaw |
|---|---|---|---|
| pull-10977 | mod | practicalswift | Use of uninitialized memory (UUM) in RPC command getnetworkinfo (details) |
| pull-13546 | mod | practicalswift | Use of uninitialized memory (UUM) in CWallet::CreateTransaction (details) |
| pull-13712 | qa-assets | practicalswift | Use of uninitialized memory (UUM) in ParseHDKeypath (details) |
| pull-16800 | qa-assets | practicalswift | Multiple Miniscript issues: heap out-of-bounds read, stack depth DoS, assertion failure, unhandled exception (details, details, details) |
| pull-17149 | qa-assets | practicalswift | Multiple PSBT issues: heap use after free, signed integer overflows, etc. (details) |
| pull-17501 | qa-assets | practicalswift | Base58 decoding is done without checking that the input size is reasonable (details) |
| pull-17624 | mod | practicalswift | Use of uninitialized memory (UUM) when receiving a transaction we already have (details) |
| pull-17642 | mod | practicalswift | Use of uninitialized memory (UUM) in RPC command bumpfee (details) |
| pull-17718 | qa-assets | practicalswift | DecodeBase58 is too liberal when decoding (details) |
| pull-18033 | qa-assets | practicalswift | Heap buffer-overflow in GetMappedAS (details) |
| pull-18162 | qa-assets | practicalswift | Use of uninitialized memory (UUM) in FormatISO8601DateTime (details) |
| pull-18242 | qa-assets | practicalswift | Use of uninitialized memory (UUM) in case of invalid P2P command name (details) |
| pull-18261 | qa-assets | practicalswift | Use of uninitialized memory (UUM) in Erlay P2P code (details) |
| pull-18858 | qa-assets | practicalswift | Signed integer overflow in CCoinsViewCache::GetValueIn (details) |
| pull-19237 | qa-assets | practicalswift | Use of uninitialized memory (UUM) in CPubKey deserialization code (details) |
| pull-19930 | qa-assets | guidovranken | Signed integer overflow in SipHasher (details) |
| pull-20135 | qa-assets | practicalswift | Invalid integer negation in abs64 (details) |
| pull-20402 | qa-assets | practicalswift | Invalid integer negation in FormatMoney reachable via RPC call decoderawtransaction (details) |
| pull-20607 | qa-assets | practicalswift | Signed integer overflow in CFeeRate::GetFee reachable via RPC call analyzepsbt (details) |
| pull-20626 | qa-assets | practicalswift | Signed integer overflow in CTxMemPool::PrioritiseTransaction reachable via RPC call prioritisetransaction (details) |
| pull-20867 | qa-assets | darosior | implicit-integer-sign-change in multisig policy (details) |
| pull-20914 | qa-assets | practicalswift | Null pointer derefence in CBlockIndexWorkComparator::operator() reachable via RPC call invalidateblock (details) |
| pull-21043 | mod | Crypt-iQ | Signed integer overflow in version message processing (details) |
A list of bugs found by oss-fuzz can be found here.