Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ensure that account info address is not in an account #3044

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Ensure that account info address is not in an account #3044

wants to merge 1 commit into from

Conversation

seanyoung
Copy link

Problem

Summary of Changes

Fixes #

@mergify Mergify
Copy link

mergify bot commented Oct 1, 2024

The Firedancer team maintains a line-for-line reimplementation of the
native programs, and until native programs are moved to BPF, those
implementations must exactly match their Agave counterparts.
If this PR represents a change to a native program implementation (not
tests), please include a reviewer from the Firedancer team. And please
keep refactors to a minimum.

@seanyoung seanyoung marked this pull request as ready for review October 1, 2024 17:36
Lichtso
Lichtso reviewed Oct 2, 2024
View reviewed changes
programs/bpf_loader/src/syscalls/cpi.rs Outdated
// In the same vein as the other check_account_info_pointer() checks, we don't lock
// this pointer to a specific address but we don't want it to be inside accounts, or
// callees might be able to write to the pointed memory.
if direct_mapping && account_infos_addr >= ebpf::MM_INPUT_START {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should check the end of the slice, not the beginning.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

True. This is also done in some other places, I'll fix those up too.

I suppose this would be hard to exploit but might as well do it right.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually I couldn't not find any others

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So I've re-writtten this. It looks a bit like an open-coded llvm gep :) Let me know if there is a better way of doing this.

@Lichtso
Copy link

Lichtso commented Oct 2, 2024
edited
Loading

This check will become unreachable I think:

agave/programs/bpf_loader/src/syscalls/cpi.rs

Line 324 in 77789fc

// In the same vein as the other check_account_info_pointer() checks, we don't lock this

Because SolAccountInfo::data_len is not indirect, it is embedded in the array. Thus, if the entire array is checked in this PR, then the data len check in the C variant of the invoke syscall will be redundant.

@seanyoung seanyoung force-pushed the batten-down-account-info branch 3 times, most recently from 5c5ec13 to e6a5e5e Compare October 3, 2024 10:24
@seanyoung
Copy link
Author

This check will become unreachable I think:

agave/programs/bpf_loader/src/syscalls/cpi.rs

Line 324 in 77789fc

// In the same vein as the other check_account_info_pointer() checks, we don't lock this

Because SolAccountInfo::data_len is not indirect, it is embedded in the array. Thus, if the entire array is checked in this PR, then the data len check in the C variant of the invoke syscall will be redundant.

I agree, nice catch. Removed.

Lichtso
Lichtso previously approved these changes Oct 3, 2024
View reviewed changes
@alessandrod
Copy link

This check will become unreachable I think:

agave/programs/bpf_loader/src/syscalls/cpi.rs

Line 324 in 77789fc

// In the same vein as the other check_account_info_pointer() checks, we don't lock this

Because SolAccountInfo::data_len is not indirect, it is embedded in the array. Thus, if the entire array is checked in this PR, then the data len check in the C variant of the invoke syscall will be redundant.

I agree, nice catch. Removed.

how was the test not failing on this tho then if you were putting SolAccountInfos inside accounts?

@seanyoung
Copy link
Author

how was the test not failing on this tho then if you were putting SolAccountInfos inside accounts?

The test is working on sol_invoke_signed_rust() which uses AccountInfo, sol_invoke_signed_c() uses SolAccountInfo.

Come to think it, let me check if we have coverage for that.

@seanyoung
Copy link
Author

Come to think it, let me check if we have coverage for that.

I couldn't find an explicit test, so I've added one.

@seanyoung
Copy link
Author

@Lichtso could I have another review please, thanks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Lichtso Lichtso Lichtso approved these changes

@alessandrod alessandrod Awaiting requested review from alessandrod

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@seanyoung @Lichtso @alessandrod