From 81f6dd86b785dc78d80bf1291295c1b51d919d37 Mon Sep 17 00:00:00 2001
From: "Wladimir J. van der Laan"
Date: Mon, 14 Dec 2020 21:00:49 +0100
Subject: [PATCH 01/10] Merge #20594: Fix getauxval calls in randomenv.cpp

836a3dc02c72f917db5be386b9b4787a59d48610 Avoid weak-linked getauxval support on non-linux platforms (like macOS) (Jonas Schnelli)
41a413b31746cc749f3c64ed8070cea9cc6cfdbe Define correct symbols for getauxval (Jonas Schnelli)

Pull request description:

  PR #20358 made use of the two preprocessor symbols `HAVE_STRONG_GETAUXVAL` as well as `HAVE_WEAK_GETAUXVAL`. These symbols have not been defined in configure.ac. They were only passed selectively as CRC32 CPPFLAGS in https://github.com/bitcoin/bitcoin/blob/master/src/Makefile.crc32c.include#L16.

  PR #20358 would have broken the macOS build since `getauxval` is not supported on macOS (but weak-linking does pass).

  This PR defines the two symbols correctly and reduces calls to `getauxval` to linux.

ACKs for top commit:
  laanwj:
    Code review ACK 836a3dc02c72f917db5be386b9b4787a59d48610
  jonatack:
    utACK 836a3dc02c72f917db5be386b9b4787a59d48610

Tree-SHA512: 6527f4a617b937f4c368a3cb1c162f1ac38a6f5e6341295554961eaf322906e9b27398a6f7b00819854ceebb5c828d3e6ce0a779edd769adc4053ce8beda3739
---
 configure.ac | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/configure.ac b/configure.ac
index dbb8d03f5e..b3b2c3cd93 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1050,18 +1050,20 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ ]], [[ getauxval(AT_HWCAP); ]])], - [ AC_MSG_RESULT(yes); HAVE_STRONG_GETAUXVAL=1 ], + [ AC_MSG_RESULT(yes); HAVE_STRONG_GETAUXVAL=1; AC_DEFINE(HAVE_STRONG_GETAUXVAL, 1, [Define this symbol to build code that uses getauxval)]) ], [ AC_MSG_RESULT(no); HAVE_STRONG_GETAUXVAL=0 ] ) AC_MSG_CHECKING(for weak getauxval support in the compiler) AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ + #ifdef __linux__ unsigned long getauxval(unsigned long type) __attribute__((weak)); #define AT_HWCAP 16 + #endif ]], [[ getauxval(AT_HWCAP); ]])], - [ AC_MSG_RESULT(yes); HAVE_WEAK_GETAUXVAL=1 ], + [ AC_MSG_RESULT(yes); HAVE_WEAK_GETAUXVAL=1; AC_DEFINE(HAVE_WEAK_GETAUXVAL, 1, [Define this symbol to build code that uses getauxval (weak linking)]) ], [ AC_MSG_RESULT(no); HAVE_WEAK_GETAUXVAL=0 ] ) From f01f7603ce22c55ed524a60a42e09833d09f953e Mon Sep 17 00:00:00 2001 From: MarcoFalke Date: Sun, 3 Jan 2021 18:26:56 +0100 Subject: [PATCH 02/10] Merge #20781: fuzz: remove no-longer-necessary packages from fuzzbuzz config 0dade9154d2e5d4b1725fbe27720d54396c4db1d fuzz: remove no-longer-necessary packages from fuzzbuzz config (fanquake) Pull request description: I take it this is actively being used, given [comments in #20560](https://github.com/bitcoin/bitcoin/pull/20560#issuecomment-743747317); so remove old dependencies from setup. ACKs for top commit: practicalswift: ACK 0dade9154d2e5d4b1725fbe27720d54396c4db1d Tree-SHA512: 781466776575e6051d0dddf4101bd057e484648f63e8e967240fefbf4b5832cacda6f6543708a0c368214a1efe0d60d371da78d7a920646cb93f1a4752aaf639 --- .fuzzbuzz.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.fuzzbuzz.yml b/.fuzzbuzz.yml index d44ac27eb9..533bafbd94 100644 --- a/.fuzzbuzz.yml +++ b/.fuzzbuzz.yml 
@@ -5,7 +5,7 @@ environment: - CXXFLAGS=-fcoverage-mapping -fno-omit-frame-pointer -fprofile-instr-generate -gline-tables-only -O1 setup: - sudo apt-get update - - sudo apt-get install -y autoconf bsdmainutils clang git libboost-all-dev libboost-program-options-dev libc++1 libc++abi1 libc++abi-dev libc++-dev libclang1 libclang-dev libdb5.3++ libevent-dev libllvm-ocaml-dev libomp5 libomp-dev libprotobuf-dev libqt5core5a libqt5dbus5 libqt5gui5 libssl-dev libtool llvm llvm-dev llvm-runtime pkg-config protobuf-compiler qttools5-dev qttools5-dev-tools software-properties-common + - sudo apt-get install -y autoconf bsdmainutils clang git libboost-all-dev libc++1 libc++abi1 libc++abi-dev libc++-dev libclang1 libclang-dev libdb5.3++ libevent-dev libllvm-ocaml-dev libomp5 libomp-dev libqt5core5a libqt5dbus5 libqt5gui5 libtool llvm llvm-dev llvm-runtime pkg-config qttools5-dev qttools5-dev-tools software-properties-common - ./autogen.sh - CC=clang CXX=clang++ ./configure --enable-fuzz --with-sanitizers=address,fuzzer,undefined - make From 66d6e52d1323eb0d303aeb070744994d19e0e619 Mon Sep 17 00:00:00 2001 
From: "Wladimir J. van der Laan" Date: Sat, 9 Jan 2021 09:00:08 +0100 Subject: [PATCH 03/10] Merge #20741: doc: Update 'Secure string handling' 7117d7503f39f06b74c84777ec4db5d456a8086f Update 'Secure string handling' (Prayank) Pull request description: - Add information about possible path traversal attack - [wallet_name](https://bitcoincore.org/en/doc/0.20.0/rpc/wallet/createwallet/) (string): _The name for the new wallet. If this is a 'path', the wallet will be created at the 'path' location._ Fixes https://github.com/bitcoin/bitcoin/issues/20128 (Not really fixing it but workaround) This PR is an alternative to https://github.com/bitcoin/bitcoin/pull/20393 ACKs for top commit: michaelfolkson: ACK 7117d7503f39f06b74c84777ec4db5d456a8086f RiccardoMasutti: ACK https://github.com/bitcoin/bitcoin/commit/7117d7503f39f06b74c84777ec4db5d456a8086f benthecarman: ACK 7117d7503f39f06b74c84777ec4db5d456a8086f Tree-SHA512: 0d6c4f8db5feba848bbb583e87a99e6c4b655deaa2b566164e2632acc1aabf470d4626d2dc4b82c4997effc30d9b474d860d0e0d3e896648c5cc9bfdb623da6d --- doc/JSON-RPC-interface.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/doc/JSON-RPC-interface.md b/doc/JSON-RPC-interface.md index 4e7ca3f642..f220d78f02 100644 --- a/doc/JSON-RPC-interface.md +++ b/doc/JSON-RPC-interface.md @@ -88,13 +88,14 @@ RPC interface will be abused. - **Secure string handling:** The RPC interface does not guarantee any escaping of data beyond what's necessary to encode it as JSON, although it does usually provide serialized data using a hex - representation of the bytes. If you use RPC data in your programs or - provide its data to other programs, you must ensure any problem - strings are properly escaped. For example, multiple websites have - been manipulated because they displayed decoded hex strings that - included HTML `
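
Review bot: in the configure.ac hunk of PATCH 01/10, the description string passed to the first AC_DEFINE ends with a stray closing parenthesis, `[Define this symbol to build code that uses getauxval)]`, and that text is copied into the generated config header as the comment for the symbol; drop the `)`. In the same hunk, the weak-getauxval probe now answers "no" off Linux only because the `#ifdef __linux__` guard leaves `getauxval` and `AT_HWCAP` undeclared, so the test program fails to compile. A short `dnl` comment above the probe saying that this failure is the intended result on non-Linux platforms would keep a later cleanup from "repairing" the probe and re-enabling the weak-linked path on macOS.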
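
Review bot: in the .fuzzbuzz.yml hunk of PATCH 02/10, the rewritten `apt-get install` line still lists libqt5core5a, libqt5dbus5, libqt5gui5, qttools5-dev and qttools5-dev-tools, while the configure step later in the same setup list passes only `--enable-fuzz` and the sanitizer list. If the fuzz build does not need Qt, drop these packages in the same cleanup; if it does, say so in the commit message. The commit message also never names the four packages removed here (libboost-program-options-dev, libprotobuf-dev, libssl-dev, protobuf-compiler), and they are hard to read off a single long line, so listing them would make the change easier to audit.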