CVE-2024-38365 public disclosure (btcd `FindAndDelete` bug)

ariard · October 11, 2024, 7:08pm

and additional padding data.

bitcoin/bitcoin/blob/48cf3da636089873ba7280e0d5b22eb81811d194/src/script/interpreter.cpp#L329


      
          
          static bool EvalChecksigPreTapscript(const valtype& vchSig, const valtype& vchPubKey, CScript::const_iterator pbegincodehash, CScript::const_iterator pend, unsigned int flags, const BaseSignatureChecker& checker, SigVersion sigversion, ScriptError* serror, bool& fSuccess)
          {
              assert(sigversion == SigVersion::BASE || sigversion == SigVersion::WITNESS_V0);
          
              // Subset of script starting at the most recent codeseparator
              CScript scriptCode(pbegincodehash, pend);
          
              // Drop the signature in pre-segwit scripts but not segwit scripts
              if (sigversion == SigVersion::BASE) {
                  int found = FindAndDelete(scriptCode, CScript() << vchSig);
                  if (found > 0 && (flags & SCRIPT_VERIFY_CONST_SCRIPTCODE))
                      return set_error(serror, SCRIPT_ERR_SIG_FINDANDDELETE);
              }
          
              if (!CheckSignatureEncoding(vchSig, flags, serror) || !CheckPubKeyEncoding(vchPubKey, flags, sigversion, serror)) {
                  //serror is set
                  return false;
              }
              fSuccess = checker.CheckECDSASignature(vchSig, vchPubKey, scriptCode, sigversion);

In my understanding of the bug, there is feeding of the two consensus-nodes, with the following scriptCode, where the ECDSA sig and the "noise dummy data must match the length declared in pushed bytes.


  1-byte        1-byte       ECDSA sig-bytes   "noise" dummy data-bytes

OP_PUSHDATA1 <bytes pushed> <signature> <padding data>

One should note that ECDSA sig length is malleable.

The non-upgraded, pre-0.24.2 btcd peers should remove the whole data push containing the consensus valid signatures, before it’s verified by the script interpreter. While bitcoind peers can accept the valid signatures. I’m unsure that you really need public key recovery to achieve that chain fork as a trick. I believe one has OP_PICK, OP_ROLL and other stack inspection opcodes available, that can be committed in the scriptCode.