aboutsummaryrefslogtreecommitdiff
path: root/src/crypto/tree-hash.c
diff options
context:
space:
mode:
authorRiccardo Spagni <ric@spagni.net>2014-09-06 21:57:37 +0200
committerRiccardo Spagni <ric@spagni.net>2014-09-06 21:57:37 +0200
commit3c2b74215b7c2d78f2bdcb46883eb104916be985 (patch)
tree16d8fcae07e2d617406565e05d96a8e44b6e8d19 /src/crypto/tree-hash.c
parentOverride for block hashing for block 202612 (diff)
parentfix checkpoints (diff)
downloadmonero-e028ec8d3544681d076f88b3482a3972775ebcec.tar.xz
Merge pull request #121 from fluffypony/masterv0.8.8.3
Fix tree_hash, patch for bad block 202612
Diffstat (limited to 'src/crypto/tree-hash.c')
-rw-r--r--src/crypto/tree-hash.c54
1 files changed, 48 insertions, 6 deletions
diff --git a/src/crypto/tree-hash.c b/src/crypto/tree-hash.c
index a1c21d72b..573f44643 100644
--- a/src/crypto/tree-hash.c
+++ b/src/crypto/tree-hash.c
@@ -35,7 +35,43 @@
#include "hash-ops.h"
+/// Quick check if this is power of two (use on unsigned types; in this case for size_t only)
+bool ispowerof2_size_t(size_t x) {
+ return x && !(x & (x - 1));
+}
+
+/***
+* Round to power of two, for count>=3 and for count being not too large (as reasonable for tree hash calculations)
+*/
+size_t tree_hash_cnt(size_t count) {
+ assert( count >= 3); // cases for 0,1,2 are handled elsewhere
+ // Round down the count size: fun(2**n)= 2**(n-1) to round down to power of two
+ size_t tmp = count - 1;
+ size_t jj = 1;
+ for (jj=1 ; tmp != 0 ; ++jj) {
+ tmp /= 2; // dividing by 2 until to get how many powers of 2 fits size_to tmp
+ }
+ size_t cnt = 1 << (jj-2); // cnt is the count, but rounded down to power of two
+ // printf("count=%zu cnt=%zu jj=%zu tmp=%zu \n" , count,cnt,jj,tmp);
+ assert( cnt > 0 ); assert( cnt >= count/2 ); assert( cnt <= count );
+ assert( ispowerof2_size_t( cnt ));
+ return cnt;
+}
+
void tree_hash(const char (*hashes)[HASH_SIZE], size_t count, char *root_hash) {
+// The blockchain block at height 202612 http://monerochain.info/block/bbd604d2ba11ba27935e006ed39c9bfdd99b76bf4a50654bc1e1e61217962698
+// contained 514 transactions, that triggered bad calculation of variable "cnt" in the original version of this function
+// as from CryptoNote code.
+//
+// This bug applies to all CN altcoins.
+//
+// Mathematical bug here was first published on 14:45:34 (GMT+2) 2014-09-04 by Rafal Freeman <rfree>
+// https://github.com/rfree2monero/bitmonero/commit/b417abfb7a297d09f1bbb6de29030f8de9952ac8
+// and soon also applied to CryptoNote (15:10 GMT+2), and BoolBerry used not fully correct work around:
+// the work around of sizeof(size_t)*8 or <<3 as used before in 2 coins and in BBL later was blocking
+// exploitation on normal platforms, how ever we strongly recommend the following fix because it removes
+// mistake in mathematical formula.
+
assert(count > 0);
if (count == 1) {
memcpy(root_hash, hashes, HASH_SIZE);
@@ -43,24 +79,30 @@ void tree_hash(const char (*hashes)[HASH_SIZE], size_t count, char *root_hash) {
cn_fast_hash(hashes, 2 * HASH_SIZE, root_hash);
} else {
size_t i, j;
- size_t cnt = count - 1;
+
+ size_t cnt = tree_hash_cnt( count );
+ size_t max_size_t = (size_t) -1; // max allowed value of size_t
+ assert( cnt < max_size_t/2 ); // reasonable size to avoid any overflows. /2 is extra; Anyway should be limited much stronger by logical code
+ // as we have sane limits on transactions counts in blockchain rules
+
char (*ints)[HASH_SIZE];
- for (i = 1; i < sizeof(size_t); i <<= 1) {
- cnt |= cnt >> i;
- }
- cnt &= ~(cnt >> 1);
- ints = alloca(cnt * HASH_SIZE);
+ size_t ints_size = cnt * HASH_SIZE;
+ ints = alloca(ints_size); memset( ints , 0 , ints_size); // allocate, and zero out as extra protection for using uninitialized mem
+
memcpy(ints, hashes, (2 * cnt - count) * HASH_SIZE);
+
for (i = 2 * cnt - count, j = 2 * cnt - count; j < cnt; i += 2, ++j) {
cn_fast_hash(hashes[i], 64, ints[j]);
}
assert(i == count);
+
while (cnt > 2) {
cnt >>= 1;
for (i = 0, j = 0; j < cnt; i += 2, ++j) {
cn_fast_hash(ints[i], 64, ints[j]);
}
}
+
cn_fast_hash(ints[0], 64, root_hash);
}
}