Skip to content

Fix (and test) panic when our counterparty uses a bogus funding tx #890

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged

Conversation

TheBlueMatt
Copy link
Collaborator

During the block API refactor, we started calling
Channel::force_shutdown when a channel is closed due to a bogus
funding tx. However, we still set the channel's state to Shutdown
prior to doing so, leading to an assertion in force_shutdown (that
the channel is not already closed).

This removes the state-set call and adds a (long-overdue) test for
this case.

@codecov
Copy link

codecov bot commented Apr 21, 2021

Codecov Report

Merging #890 (bf5a08e) into main (e6c9228) will increase coverage by 0.75%.
The diff coverage is 88.88%.

❗ Current head bf5a08e differs from pull request most recent head eb42caf. Consider uploading reports for the commit eb42caf to get more accurate results
Impacted file tree graph

@@            Coverage Diff             @@
##             main     #890      +/-   ##
==========================================
+ Coverage   90.23%   90.98%   +0.75%     
==========================================
  Files          57       57              
  Lines       29207    33281    +4074     
==========================================
+ Hits        26355    30282    +3927     
- Misses       2852     2999     +147     
Impacted Files Coverage Δ
lightning/src/ln/channel.rs 87.44% <ø> (+0.20%) ⬆️
lightning/src/ln/channelmanager.rs 86.64% <77.50%> (+3.52%) ⬆️
lightning/src/ln/functional_tests.rs 96.51% <100.00%> (-0.32%) ⬇️
lightning/src/ln/chanmon_update_fail_tests.rs 97.50% <0.00%> (-0.14%) ⬇️
lightning/src/routing/router.rs 96.21% <0.00%> (+0.42%) ⬆️
lightning-invoice/src/ser.rs 84.53% <0.00%> (+0.89%) ⬆️
lightning/src/chain/channelmonitor.rs 96.76% <0.00%> (+1.30%) ⬆️
lightning/src/chain/chainmonitor.rs 96.41% <0.00%> (+1.59%) ⬆️
... and 3 more

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update e6c9228...eb42caf. Read the comment docs.

@TheBlueMatt TheBlueMatt added this to the 0.0.14 milestone Apr 21, 2021
Copy link

@ariard ariard left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So I had a look on this and the crash you're describing was there before #838 ?

IIUC, before this PR, in case of bogus transaction we set up ShutdownComplete in Channel::block_connected (now Channel::transactions_confirmed) failure path. Once the function return to ChannelManager::block_connected (now ChannelManager::do_chain_event), the error is processed and Channel::force_shutdown would have been called triggering the crash.

//
// Previously, all other major lightning implementations had failed to properly sanitize
// funding transactions from their counterparties, leading to a multi-implementation critical
// security vulnerability (though we always sanitized properly, we've previously had
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe add reference to CVE-2019-12998+

@TheBlueMatt
Copy link
Collaborator Author

So I had a look on this and the crash you're describing was there before #838 ?

Ouch, huh. That's entirely possible, I just assumed. Updated the commit message.

@TheBlueMatt TheBlueMatt force-pushed the 2021-04-fix-chan-shutdown-crash branch from 1fe1559 to bf5a08e Compare April 23, 2021 20:28
Copy link
Contributor

@jkczyz jkczyz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Last commit could be squashed as a fixup.

@TheBlueMatt
Copy link
Collaborator Author

So I had a look on this and the crash you're describing was there before #838 ?

I don't think this is true. Looking at 0.0.13, if we get an Err back from chan.block_connected we push an error message and then we return false. We don't ever call force_shutdown, so there is no assertion. I believe this code hunk caused it - 60b962a#diff-645d12c7269d09caab57d2e0c1fd34f672ee259994c86ad4bad7f4da9183671cR3364.

During the block API refactor, we started calling
Channel::force_shutdown when a channel is closed due to a bogus
funding tx. However, we still set the channel's state to Shutdown
prior to doing so, leading to an assertion in force_shutdown (that
the channel is not already closed).

This removes the state-set call and adds a (long-overdue) test for
this case.

Fixes: 60b962a
@TheBlueMatt TheBlueMatt force-pushed the 2021-04-fix-chan-shutdown-crash branch from bf5a08e to eb42caf Compare April 23, 2021 22:53
@TheBlueMatt
Copy link
Collaborator Author

Squashed without changes and reverted to the previous commit message, with a Fixes tag pointing to the specific commit.

Copy link

@ariard ariard left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review ACK eb42caf

I don't think this is true. Looking at 0.0.13, if we get an Err back from chan.block_connected we push an error message and then we return false. We don't ever call force_shutdown, so there is no assertion. I believe this code hunk caused it - 60b962a#diff-645d12c7269d09caab57d2e0c1fd34f672ee259994c86ad4bad7f4da9183671cR3364.

Yep after verification I was wrong, we did move the force_shutdown call in the Err branch in #838. Bug wasn't there before.

@TheBlueMatt TheBlueMatt merged commit 36570f4 into lightningdevkit:main Apr 24, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants