From 9dac39a308713a44b39eaa08525fdbe4e494c9c1 Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Mon, 31 Aug 2020 17:13:32 +0900
Subject: [PATCH 1/2] Forbid bogus account assignment to native_loaders

---
 runtime/src/system_instruction_processor.rs | 24 ++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/runtime/src/system_instruction_processor.rs b/runtime/src/system_instruction_processor.rs
index 9fa9f2a3aaf26f..4be1fed34b55e6 100644
--- a/runtime/src/system_instruction_processor.rs
+++ b/runtime/src/system_instruction_processor.rs
@@ -4,7 +4,7 @@ use solana_sdk::{
     account_utils::StateMut,
     instruction::InstructionError,
     keyed_account::{from_keyed_account, get_signers, next_keyed_account, KeyedAccount},
-    nonce,
+    native_loader, nonce,
     nonce_keyed_account::NonceKeyedAccount,
     process_instruction::InvokeContext,
     program_utils::limited_deserialize,
@@ -102,8 +102,8 @@ fn assign(
         return Err(InstructionError::MissingRequiredSignature);
     }
 
-    // guard against sysvars being made
-    if sysvar::check_id(&owner) {
+    // guard against sysvars and native loader programs being made
+    if sysvar::check_id(&owner) || native_loader::check_id(&owner) {
         debug!("Assign: program id {} invalid", owner);
         return Err(SystemError::InvalidProgramId.into());
     }
@@ -913,6 +913,24 @@ mod tests {
         );
     }
 
+    #[test]
+    fn test_assign_to_native_loader() {
+        let new_owner = native_loader::id();
+
+        let from = solana_sdk::pubkey::new_rand();
+        let mut from_account = Account::new(100, 0, &system_program::id());
+
+        assert_eq!(
+            assign(
+                &mut from_account,
+                &from.into(),
+                &new_owner,
+                &[from].iter().cloned().collect::<HashSet<_>>(),
+            ),
+            Err(SystemError::InvalidProgramId.into())
+        );
+    }
+
     #[test]
     fn test_process_bogus_instruction() {
         // Attempt to assign with no accounts

From 15c0ebc7f2a0285777e4c930b00c9c62b5dc25cf Mon Sep 17 00:00:00 2001
From: Ryo Onodera <ryoqun@gmail.com>
Date: Mon, 30 Nov 2020 19:28:40 +0900
Subject: [PATCH 2/2] Forbid bogus account assignments in MessageProcessor too

---
 runtime/src/message_processor.rs | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/runtime/src/message_processor.rs b/runtime/src/message_processor.rs
index 23b43b73fd1c97..27fe7c6458b8d2 100644
--- a/runtime/src/message_processor.rs
+++ b/runtime/src/message_processor.rs
@@ -89,6 +89,13 @@ impl PreAccount {
             return Err(InstructionError::ModifiedProgramId);
         }
 
+        if self.owner != post.owner
+            && (solana_sdk::native_loader::check_id(&post.owner)
+                || solana_sdk::sysvar::check_id(&post.owner))
+        {
+            return Err(InstructionError::ModifiedProgramId);
+        }
+
         // An account not assigned to the program cannot have its balance decrease.
         if *program_id != self.owner // line coverage used to get branch coverage
          && self.lamports > post.lamports