Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Fix]: integer overflow in JumpTable.SubStr #3496

Merged
merged 14 commits into from
Dec 19, 2024

Conversation

nan01ab
Copy link
Contributor

@nan01ab nan01ab commented Sep 21, 2024

Description

Fix integer overflow in JumpTable.SubStr

Fixes #3495

Type of change

  • Optimization (the change is only an optimization)
  • Style (the change is only a code style for better maintenance or standard purpose)
  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged and published in downstream modules

@nan01ab nan01ab changed the title fix: integer overflow in JumpTable.SubStr [Fix]: integer overflow in JumpTable.SubStr Sep 21, 2024
Copy link
Member

@cschuchardt88 cschuchardt88 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@shargon why isn't there a vm limit in this

src/Neo.VM/JumpTable/JumpTable.Splice.cs Show resolved Hide resolved
src/Neo.VM/JumpTable/JumpTable.Splice.cs Outdated Show resolved Hide resolved
"0x0a",
"0x00010203040506070809",
"PUSHINT32",
"0x7FFFFFFF",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd also add some tests for INT64, like:

                byte(opcode.PUSHINT64), 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x7F,
                byte(opcode.PUSH2),

It'll fail (in NeoGo it's at instruction 22 (SUBSTR): not an int32), but just to make sure.

src/Neo.VM/JumpTable/JumpTable.Splice.cs Show resolved Hide resolved
@Jim8y Jim8y changed the base branch from master to HF_Echidna September 27, 2024 01:24
@shargon
Copy link
Member

shargon commented Sep 27, 2024

Rebase needed

@shargon shargon added Hardfork Waiting-Hardfork Bug Used to tag confirmed bugs Critical Issues (bugs) that need to be fixed ASAP and removed Hardfork labels Sep 27, 2024
shargon
shargon previously approved these changes Nov 7, 2024
Copy link
Member

@shargon shargon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we don't need a HF, previously could be a DoS but not difference in the execution. Isn't it? @roman-khimov

@roman-khimov
Copy link
Contributor

That's the question of "can we arrange a set of parameters that would fail with the new code, but succeed with the old one". This requires some probing. I'm not exactly sure of Rent details and how this can be related to machine memory available (I can malloc() more memory than I have physically), also how Slice() reacts to negative count.

I'd include it into Echidna for safety reasons, but if we can prove it can't be exploited to change execution result then OK, it can go without a HF.

@nan01ab
Copy link
Contributor Author

nan01ab commented Nov 14, 2024

I think we don't need a HF, previously could be a DoS but not difference in the execution. Isn't it? @roman-khimov

I agree. Don't need a HF

cschuchardt88
cschuchardt88 previously approved these changes Nov 14, 2024
@Jim8y Jim8y changed the base branch from HF_Echidna to master November 20, 2024 02:31
@Jim8y Jim8y dismissed cschuchardt88’s stale review November 20, 2024 02:31

The base branch was changed.

@Jim8y Jim8y dismissed shargon’s stale review November 20, 2024 02:31

The base branch was changed.

@Jim8y Jim8y changed the base branch from master to HF_Echidna November 20, 2024 02:32
Copy link
Member

@shargon shargon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If doesn't use HF should go to master

@Jim8y
Copy link
Contributor

Jim8y commented Nov 21, 2024

If doesn't use HF should go to master

it was merged with hardfork prs,,,,lets discuss it in the meeting.

@cschuchardt88
Copy link
Member

This is the already the default behavior in dotnet https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/language#checkforoverflowunderflow

@roman-khimov
Copy link
Contributor

The default value for this option is false, that is, overflow checking is disabled.

https://dotnetfiddle.net/I7RINu

@cschuchardt88
Copy link
Member

The default value for this option is false, that is, overflow checking is disabled.

https://dotnetfiddle.net/I7RINu

my bad -- integral-type arithmetic operations and conversions are executed in an unchecked context and Constant expressions are evaluated by default in a checked context.

/// <param name="instruction">The instruction being executed.</param>
/// <remarks>Pop 3, Push 1</remarks>
[MethodImpl(MethodImplOptions.AggressiveInlining)]
private static void VulnerableSubStr(ExecutionEngine engine, Instruction instruction)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think is not required, but you think that it is, here is the solution, jump table allow it :)

@@ -399,13 +407,42 @@ internal override void UnloadContext(ExecutionContext context)
/// <returns>The engine instance created.</returns>
public static ApplicationEngine Create(TriggerType trigger, IVerifiable container, DataCache snapshot, Block persistingBlock = null, ProtocolSettings settings = null, long gas = TestModeGas, IDiagnostic diagnostic = null)
{
var index = persistingBlock?.Index ?? NativeContract.Ledger.CurrentIndex(snapshot);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@shargon
Object reference not set to an instance of an object.

on test Neo.UnitTests.SmartContract.UT_NotifyEventArgs.TestIssue3300

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Snapshot is null?

Copy link
Member

@cschuchardt88 cschuchardt88 Nov 22, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could be snapshot or GetInteroperable<HashIndexState>()

public uint CurrentIndex(DataCache snapshot)
{
return snapshot[CreateStorageKey(Prefix_CurrentBlock)].GetInteroperable<HashIndexState>().Index;
}

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If is snapshot we can return 0, otherwise we should fix the test

Copy link
Member

@cschuchardt88 cschuchardt88 Nov 22, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would this work for CurrentIndex?

snapshot?[CreateStorageKey(Prefix_CurrentBlock)]?.GetInteroperable<HashIndexState>()?.Index ?? 0; 

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should not change the logic in native contracts for this

.gitignore Outdated Show resolved Hide resolved
@NGDAdmin NGDAdmin merged commit f91b680 into neo-project:HF_Echidna Dec 19, 2024
3 of 6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Bug Used to tag confirmed bugs Critical Issues (bugs) that need to be fixed ASAP Hardfork Need Update
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[Bug]: integer overflow in JumpTable.SubStr
6 participants