
program-runtime: harden native_invoke to take signer seeds#10681

Merged
buffalojoec merged 3 commits into anza-xyz:master from buffalojoec:fix-dangerous-native-invoke
Feb 26, 2026

@buffalojoec

Problem

native_invoke takes signers: &[Pubkey], letting any builtin silently vouch for arbitrary addresses as CPI signers. This is a dangerous footgun for anyone who assumes native_invoke builtin CPI dispatch is safe like invoke_signed is for SBPF.

This function originally accepted PDA seeds and performed CPI signer validation internally, rather than leaving it up to the caller.
https://github.com/solana-labs/solana/blob/9e90394583b7791b6d7b3b5e6623c598579078b3/runtime/src/message_processor.rs#L593-L599

Subsequent refactoring changed this to accept a slice of public keys and shifted the onus for CPI signer validation onto the caller program.
PR | Diff | File view

CPI dispatch for builtin programs should not deviate from SBPF dispatch and put the signer onus on the caller programs, but instead should match SBPF CPI dispatch.

Summary of Changes

Return to the original argument for accepting PDA seeds and add documentation, so it's crystal clear what this function is for and how to use it.

Also adds a lot of tests.
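
A toy model of the trust boundary the description above is about, added here as an illustration and not code from this PR or from Agave. `Address`, `derive_address`, `signers_from_pubkeys` and `signers_from_seeds` are hypothetical names, and `DefaultHasher` is a stand-in for real program-derived-address derivation.

```rust
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};

// Toy 64-bit address (assumption); real addresses are 32-byte Pubkeys.
type Address = u64;

// Stand-in for PDA derivation: the result is bound to the seeds AND to the
// id of the program doing the CPI. Not the real derivation algorithm.
fn derive_address(seeds: &[&[u8]], program_id: Address) -> Address {
    let mut h = DefaultHasher::new();
    seeds.hash(&mut h);
    program_id.hash(&mut h);
    h.finish()
}

// "Before" shape: the dispatcher trusts whatever address list the caller passes.
fn signers_from_pubkeys(claimed: &[Address]) -> Vec<Address> {
    claimed.to_vec()
}

// "After" shape: the caller passes seeds and the dispatcher derives the
// signer set itself, keyed to the caller's own program id.
fn signers_from_seeds(caller: Address, signers_seeds: &[&[&[u8]]]) -> Vec<Address> {
    signers_seeds.iter().map(|s| derive_address(s, caller)).collect()
}

// Does the authorised signer set cover the address the callee requires?
fn is_authorized(required: Address, signers: &[Address]) -> bool {
    signers.contains(&required)
}

fn main() {
    // Constructed program ids and seed for the demonstration.
    let (builtin_a, builtin_b): (Address, Address) = (1, 2);
    let seed: &[u8] = b"vault";
    let seeds: &[&[u8]] = &[seed];
    let vault_of_b = derive_address(seeds, builtin_b);

    // Pubkey-list shape: A simply names B's address and it is accepted.
    let old = signers_from_pubkeys(&[vault_of_b]);
    println!("pubkey list, A signs for B's vault: {}", is_authorized(vault_of_b, &old));

    // Seed shape: the same seeds under A's id derive a different address.
    let new_a = signers_from_seeds(builtin_a, &[seeds]);
    println!("seeds, A signs for B's vault: {}", is_authorized(vault_of_b, &new_a));
    let new_b = signers_from_seeds(builtin_b, &[seeds]);
    println!("seeds, B signs for its own vault: {}", is_authorized(vault_of_b, &new_b));
}
```
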

@mergify

mergify Bot commented Feb 19, 2026

The Firedancer team maintains a line-for-line reimplementation of the
native programs, and until native programs are moved to BPF, those
implementations must exactly match their Agave counterparts.
If this PR represents a change to a native program implementation (not
tests), please include a reviewer from the Firedancer team. And please
keep refactors to a minimum.

@buffalojoec buffalojoec requested a review from t-nelson February 19, 2026 12:59
Comment thread program-runtime/src/invoke_context.rs Outdated
Comment thread programs/vote/src/vote_state/mod.rs
@buffalojoec buffalojoec force-pushed the fix-dangerous-native-invoke branch from 52b8dfc to c1f601c Compare February 19, 2026 16:49
@mergify

mergify Bot commented Feb 19, 2026

If this PR represents a change to the public RPC API:

  1. Make sure it includes a complementary update to rpc-client/ (example)
  2. Open a follow-up PR to update the JavaScript client @solana/kit (example)

Thank you for keeping the RPC clients in sync with the server API @buffalojoec.

@buffalojoec buffalojoec marked this pull request as ready for review February 19, 2026 17:16
@buffalojoec buffalojoec requested a review from a team as a code owner February 19, 2026 17:16
@codecov-commenter

codecov-commenter commented Feb 19, 2026

Codecov Report

❌ Patch coverage is 97.32143% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 83.0%. Comparing base (67d3dd1) to head (190c17a).
⚠️ Report is 74 commits behind head on master.

Additional details and impacted files
@@           Coverage Diff            @@
##           master   #10681    +/-   ##
========================================
  Coverage    83.0%    83.0%            
========================================
  Files         849      849            
  Lines      318240   318329    +89     
========================================
+ Hits       264335   264453   +118     
+ Misses      53905    53876    -29     

@buffalojoec buffalojoec force-pushed the fix-dangerous-native-invoke branch from c1f601c to 107c61b Compare February 20, 2026 01:57
@t-nelson

r+ sme. @Lichtso looks like this was introduced by a change you made ages ago, can you review?

@buffalojoec buffalojoec force-pushed the fix-dangerous-native-invoke branch from 107c61b to ff2cfdf Compare February 21, 2026 18:11
Comment thread program-runtime/src/invoke_context.rs Outdated

@t-nelson t-nelson left a comment

after update/rebase, i'm still r+ sme. merge on @Lichtso approval

@buffalojoec buffalojoec requested a review from Lichtso February 23, 2026 17:03
Comment thread program-runtime/src/invoke_context.rs Outdated
@buffalojoec buffalojoec added this pull request to the merge queue Feb 26, 2026
Merged via the queue into anza-xyz:master with commit 76e33c3 Feb 26, 2026
51 checks passed
@buffalojoec buffalojoec deleted the fix-dangerous-native-invoke branch February 26, 2026 09:16
4 participants