math/big: panic during block validation #616

Open
tuxcanfly opened this issue Feb 2, 2016 · 11 comments
@tuxcanfly
Contributor

panic: math/big: mismatched montgomery number lengths

goroutine 142 [running]:
math/big.nat.montgomery(0x0, 0x0, 0x0, 0xc820f56240, 0x2, 0x11, 0xc8206c9810, 0x4, 0xe, 0xc820017c80, ...)
        /usr/local/go/src/math/big/nat.go:234 +0x424
math/big.nat.expNNMontgomery(0xc820438a00, 0xc, 0x10, 0xc820f56240, 0x2, 0x11, 0xc820011400, 0x4, 0x8, 0xc820017c80, ...)
        /usr/local/go/src/math/big/nat.go:1126 +0x67f
math/big.nat.expNN(0xc820438a00, 0xc, 0x10, 0xc820438980, 0xc, 0x10, 0xc820011400, 0x4, 0x8, 0xc820017c80, ...)
        /usr/local/go/src/math/big/nat.go:952 +0x584
math/big.(*Int).Exp(0xc820f995c0, 0xc8208b5468, 0xc8200139a0, 0xc820013860, 0xc8205cbe75)
        /usr/local/go/src/math/big/int.go:420 +0x121
github.com/btcsuite/btcd/btcec.decompressPoint(0x103d820, 0xc820f995a0, 0x1, 0x22, 0x0, 0x0)
        /home/tuxcanfly/Work/go/src/github.com/btcsuite/btcd/btcec/pubkey.go:40 +0xe3
github.com/btcsuite/btcd/btcec.ParsePubKey(0xc8205cbe74, 0x21, 0x23, 0x103d820, 0x103d820, 0x0, 0x0)
        /home/tuxcanfly/Work/go/src/github.com/btcsuite/btcd/btcec/pubkey.go:94 +0x3bc
github.com/btcsuite/btcd/txscript.opcodeCheckMultiSig(0xc820ec8080, 0xc820426360, 0x0, 0x0)
        /home/tuxcanfly/Work/go/src/github.com/btcsuite/btcd/txscript/opcode.go:2141 +0x10dc
github.com/btcsuite/btcd/txscript.(*Engine).executeOpcode(0xc820426360, 0xc820ec8080, 0x0, 0x0)
        /home/tuxcanfly/Work/go/src/github.com/btcsuite/btcd/txscript/engine.go:156 +0x1bf
github.com/btcsuite/btcd/txscript.(*Engine).Step(0xc820426360, 0xb8f8c8, 0x0, 0x0)
        /home/tuxcanfly/Work/go/src/github.com/btcsuite/btcd/txscript/engine.go:269 +0x101
github.com/btcsuite/btcd/txscript.(*Engine).Execute(0xc820426360, 0x0, 0x0)
        /home/tuxcanfly/Work/go/src/github.com/btcsuite/btcd/txscript/engine.go:344 +0x133
github.com/btcsuite/btcd/blockchain.(*txValidator).validateHandler(0xc82183bad0)
        /home/tuxcanfly/Work/go/src/github.com/btcsuite/btcd/blockchain/scriptval.go:102 +0xa69
created by github.com/btcsuite/btcd/blockchain.(*txValidator).Validate
        /home/tuxcanfly/Work/go/src/github.com/btcsuite/btcd/blockchain/scriptval.go:144 +0xc6

Seeing this on go version go1.5.3 linux/amd64 with latest btcd on testnet. Seems to be an instance of golang/go#13973

@rickw

rickw commented Feb 3, 2016

I just downgraded to go1.4.2 to keep my node from crashing.

@davecgh
Member

davecgh commented Feb 3, 2016

I'd suggest 1.5.2 if you really want to be sure. I should note though that nobody else has seen this, so we're not sure yet if it's just a one-off hardware error that caused it.

@rickw

rickw commented Feb 3, 2016

The bug in math/big was reported on the go project as well with other crypto software. I'm running on an Intel NUC with i3-3217U CPU @ 1.80GHz 16GB RAM and a 256GB SSD. I'll change to 1.5.2 thanks.

@jrick
Member

jrick commented Feb 3, 2016

I would not recommend 1.5.2. That version also has bugs in the big.Int.Exp function, but your program will silently continue with incorrect results. Panicking is better here.

That bug was also the cause of CVE-2015-8618, and while I don't believe it will affect btcd, other Go programs may be vulnerable if you install it system wide.

@csibbitt

csibbitt commented Feb 4, 2016

@jrick Is there an officially suggested version of golang for btcd? I'm going to PR some of my own docker work into @Roasbeef's Dockerfile and want to get the right version. The README currently just says "1.3 or newer". FWIW been running 1.6 without any panics.

@jrick
Member

jrick commented Feb 4, 2016

I've also been running tip (1.6) without any issue, but mostly just to make sure there won't be any surprises when it is released. But I wouldn't recommend that to most users unless they are prepared to encounter and then report any bugs. I also have not compared the 1.6 big.Int code against 1.5.3 to know if there is any difference and whether this bug will appear there either.

I think the safest version to use in production right now is, unfortunately, 1.4.3.

@jrick
Member

jrick commented Feb 4, 2016

Also, I believe @davecgh mentioned that he and @jimmysong are working on other code that would remove all of the big.Int usage in btcec, and that this issue wouldn't affect block processing for us after. Is that correct?

@jrick
Member

jrick commented Feb 4, 2016

I'd also be willing to add a recover in the signature verification code so we could do something nicer here than just quitting the process. In particular, we should get the transaction being verified and the previous inputs. This should help with creating a reproducible test case that we can send to the Go devs.
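
An added example, not part of the thread and not btcd code: one way a recover wrapper around signature verification could capture the failing inputs for a reproducible test case. `VerifyFunc`, `PanicReport`, `SafeVerify` and `panickyVerify` are hypothetical names, and the panicking verifier is constructed to stand in for the math/big failure.

```go
package main

import (
	"encoding/hex"
	"fmt"
)

// VerifyFunc is a hypothetical stand-in for a check that may panic; not btcd's API.
type VerifyFunc func(pubKey, sig, hash []byte) bool

// PanicReport keeps the exact inputs so the crash can be replayed in a test.
type PanicReport struct {
	Reason, PubKey, Sig, Hash string
}

func (r *PanicReport) Error() string {
	return fmt.Sprintf("verify panicked: %s (pubkey=%s sig=%s hash=%s)",
		r.Reason, r.PubKey, r.Sig, r.Hash)
}

// SafeVerify converts a panic in verify into a *PanicReport, an error that is
// distinct from an ordinary "signature invalid" (false, nil) result.
func SafeVerify(verify VerifyFunc, pubKey, sig, hash []byte) (ok bool, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = &PanicReport{
				Reason: fmt.Sprint(r),
				PubKey: hex.EncodeToString(pubKey),
				Sig:    hex.EncodeToString(sig),
				Hash:   hex.EncodeToString(hash),
			}
		}
	}()
	return verify(pubKey, sig, hash), nil
}

// panickyVerify is constructed for this example: it panics with the message
// from the trace above whenever the key starts with 0x03.
func panickyVerify(pubKey, sig, hash []byte) bool {
	if len(pubKey) > 0 && pubKey[0] == 0x03 {
		panic("math/big: mismatched montgomery number lengths")
	}
	return true
}

func main() {
	_, err := SafeVerify(panickyVerify, []byte{0x03, 0xaa}, []byte{0x30}, []byte{0x01})
	fmt.Println(err)
}
```

Keeping the panic as an error rather than folding it into `false` lets the caller decide how to handle a runtime fault separately from a genuinely invalid signature.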

@davecgh
Member

davecgh commented Feb 11, 2016

In addition to being able to fix this by changing the Go version, this will be fixed under all Go versions by #621 once it's finalized and merged.

@carryforward
Contributor

+1 I am also seeing this error.

go version go1.5.3 linux/amd64

This panic I know happened on testnet. I saw it happen on my mainnet chain too.

Here is the testnet panic: http://pastebin.com/vWZjv75K

@davecgh
Member

davecgh commented Feb 18, 2016

For reference, Go 1.6 was just released and this issue is fixed with it.

That said, I'm going to leave this open until #621 is finalized and merged because that will not only provide the associated speed enhancements, it will fix it under all Go versions since it will remove the dependency on the Go runtime's math/big package for EC math entirely.

@davecgh davecgh added this to the 0.13.0 milestone Oct 28, 2016
jcvernaleo pushed a commit to jcvernaleo/btcd that referenced this issue Mar 14, 2017