Back to Vulnerability database

Out-of-bounds read when importing corrupt blockchain with monero-blockchain-import

ID Submit date Publish date Author Score
1 10.29.2018 10.29.2018 Florian Kohnhäuser (ovrflow) 2.7


It is possible to trigger an out-of-bounds read in monero-blockchain-import when importing a corrupt blockchain and not verifying blocks and transitions during import (--verify 0).

Using a corrupt importfile, the attacker has full control over bufferblock in importfromfile (blockchain_import.cpp).

As txs as well as blk originate from the bootstrap::blockpackage bp generated in blockchainimport, they can be set to arbitrary values by the attacker. In particular, if bp is crafted such that bp.txs.size() > bp.block.txhashes.size(), then an out-of-bounds memory corruption happens in the for loop when accessing blk.txhashes.

Since there is no actual tx, adding the tx will fail, and that should be it. Since this is local, there is no information leak.