This repository was archived by the owner on Jan 22, 2025. It is now read-only.
Return error if Transaction contains writable executable or ProgramData accounts#19629
Merged
CriesofCarrots merged 7 commits intosolana-labs:masterfrom Sep 8, 2021
Merged
Conversation
Contributor
|
Last 3 commits look good so far! |
jstarry
reviewed
Sep 3, 2021
CriesofCarrots
force-pushed
the
cpi-writable-program-tx
branch
2 times, most recently
from
bcffe21 to
26184e8
Compare
KeKo6988
approved these changes
Sep 4, 2021
CriesofCarrots
force-pushed
the
cpi-writable-program-tx
branch
from
26184e8 to
e6a1ea2
Compare
CriesofCarrots
force-pushed
the
cpi-writable-program-tx
branch
from
e6a1ea2 to
bb85c6b
Compare
Contributor
Author
|
Ready for final review! |
sakridge
reviewed
Sep 7, 2021
jackcmay
reviewed
Sep 7, 2021
jackcmay
reviewed
Sep 7, 2021
CriesofCarrots
force-pushed
the
cpi-writable-program-tx
branch
from
9321e88 to
b77314d
Compare
jackcmay
reviewed
Sep 7, 2021
| return Err(TransactionError::InvalidProgramForExecution); | ||
| // If a ProgramData account is present, it should only be writable | ||
| // if the bpf_loader_upgradeable account is also present | ||
| if let Ok(UpgradeableLoaderState::ProgramData { .. }) = |
Contributor
There was a problem hiding this comment.
Would it be more efficient to first check the books and then deserialize?
Contributor
There was a problem hiding this comment.
Could we skip the deserialization altogether and disallow writes to any account owned by the upgradeable loader? The only time a program other than the upgradeable loader can write to one of these accounts is if they top up the lamports which doesn't seem useful anyways.
CriesofCarrots
force-pushed
the
cpi-writable-program-tx
branch
from
b77314d to
11224c1
Compare
added 2 commits
September 7, 2021 14:44
CriesofCarrots
force-pushed
the
cpi-writable-program-tx
branch
from
11224c1 to
a9fdc52
Compare
jackcmay
reviewed
Sep 7, 2021
jstarry
reviewed
Sep 7, 2021
| return Err(TransactionError::InvalidProgramForExecution); | ||
| // If a ProgramData account is present, it should only be writable | ||
| // if the bpf_loader_upgradeable account is also present | ||
| if let Ok(UpgradeableLoaderState::ProgramData { .. }) = |
Contributor
There was a problem hiding this comment.
Could we skip the deserialization altogether and disallow writes to any account owned by the upgradeable loader? The only time a program other than the upgradeable loader can write to one of these accounts is if they top up the lamports which doesn't seem useful anyways.
Contributor
|
Adding more lamports might be necessary when we add support for realloc... |
Contributor
|
True, do you think the bpf loader program could be responsible for that? |
Contributor
|
I think so, the current plan is continue funding the account via the buffer account, so realloc to larger ProgramData account would require a larger buffer account with a larger associated number of tokens |
Contributor
Author
|
I'm not clear, @jackcmay , are you saying the upgradeable-loader program need to be present to do that sort of realloc? |
Contributor
|
In order for a program to be realloc'd larger, the ProgramData account's balance will have to increase in order to still be rent-exempt. The question was who/how transfers those lamports. The current plan is for the larger buffer account to ferry along those lamports which means the upgradeable loader will always exist for all program reallocs. aka, we can probably skip deserialization as Justin suggested. |
…sent; remove is_upgradeable_loader_present exception for all other executables
CriesofCarrots
force-pushed
the
cpi-writable-program-tx
branch
from
283554b to
9a5213e
Compare
Contributor
Author
Codecov Report
@@ Coverage Diff @@
## master #19629 +/- ##
========================================
Coverage 82.5% 82.5%
========================================
Files 468 468
Lines 131847 132036 +189
========================================
+ Hits 108774 109036 +262
+ Misses 23073 23000 -73 |
mergify Bot
pushed a commit
that referenced
this pull request
Sep 8, 2021
…ta accounts (#19629) * Return error if Transaction locks an executable as writable * Return error if a ProgramData account is writable but the upgradable loader isn't present * Remove unreachable clause * Fixup bpf tests * Review comments * Add new TransactionError * Disallow writes to any upgradeable-loader account when loader not present; remove is_upgradeable_loader_present exception for all other executables (cherry picked from commit 38bbb77) # Conflicts: # programs/bpf/tests/programs.rs # runtime/src/accounts.rs # runtime/src/bank.rs # sdk/src/transaction.rs # storage-proto/proto/transaction_by_addr.proto # storage-proto/src/convert.rs
mergify Bot
pushed a commit
that referenced
this pull request
Sep 8, 2021
…ta accounts (#19629) * Return error if Transaction locks an executable as writable * Return error if a ProgramData account is writable but the upgradable loader isn't present * Remove unreachable clause * Fixup bpf tests * Review comments * Add new TransactionError * Disallow writes to any upgradeable-loader account when loader not present; remove is_upgradeable_loader_present exception for all other executables (cherry picked from commit 38bbb77) # Conflicts: # programs/bpf/tests/programs.rs # runtime/src/accounts.rs # runtime/src/bank.rs # sdk/src/transaction.rs # storage-proto/proto/transaction_by_addr.proto # storage-proto/src/convert.rs
mergify Bot
added a commit
that referenced
this pull request
Sep 9, 2021
…ta accounts (backport #19629) (#19729) * Return error if Transaction contains writable executable or ProgramData accounts (#19629) * Return error if Transaction locks an executable as writable * Return error if a ProgramData account is writable but the upgradable loader isn't present * Remove unreachable clause * Fixup bpf tests * Review comments * Add new TransactionError * Disallow writes to any upgradeable-loader account when loader not present; remove is_upgradeable_loader_present exception for all other executables (cherry picked from commit 38bbb77) # Conflicts: # programs/bpf/tests/programs.rs # runtime/src/accounts.rs # runtime/src/bank.rs # sdk/src/transaction.rs # storage-proto/proto/transaction_by_addr.proto # storage-proto/src/convert.rs * Fix conflicts Co-authored-by: Tyera Eulberg <teulberg@gmail.com> Co-authored-by: Tyera Eulberg <tyera@solana.com>
mergify Bot
added a commit
that referenced
this pull request
Sep 9, 2021
…ta accounts (backport #19629) (#19730) * Return error if Transaction contains writable executable or ProgramData accounts (#19629) * Return error if Transaction locks an executable as writable * Return error if a ProgramData account is writable but the upgradable loader isn't present * Remove unreachable clause * Fixup bpf tests * Review comments * Add new TransactionError * Disallow writes to any upgradeable-loader account when loader not present; remove is_upgradeable_loader_present exception for all other executables (cherry picked from commit 38bbb77) # Conflicts: # programs/bpf/tests/programs.rs # runtime/src/accounts.rs # runtime/src/bank.rs # sdk/src/transaction.rs # storage-proto/proto/transaction_by_addr.proto # storage-proto/src/convert.rs * Fix conflicts Co-authored-by: Tyera Eulberg <teulberg@gmail.com> Co-authored-by: Tyera Eulberg <tyera@solana.com>
dankelleher
pushed a commit
to identity-com/solana
that referenced
this pull request
Nov 24, 2021
…ta accounts (solana-labs#19629) * Return error if Transaction locks an executable as writable * Return error if a ProgramData account is writable but the upgradable loader isn't present * Remove unreachable clause * Fixup bpf tests * Review comments * Add new TransactionError * Disallow writes to any upgradeable-loader account when loader not present; remove is_upgradeable_loader_present exception for all other executables
frits-metalogix
added a commit
to identity-com/solana
that referenced
this pull request
Nov 24, 2021
…rogramData accounts (solana-labs#19629)" This reverts commit 737475e.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
Accounts marked executable can only be written to if being upgraded (ie. if the UpgradeableLoader is present in the transaction). As of #19593, we're demoting top-level program ids incorrectly marked as writable, but we can't detect other executables until the accounts are loaded.
Similarly, ProgramData accounts can only be written if the UpgradeableLoader is present in the transaction, but we can't identify these accounts until they are loaded.
Summary of Changes
Return
InvalidAccountIndexerror to fail these types of Transactions and release the write lock quickly. Open to creating a new error type, if this seems significant enough.Needs rebase on #19593
@jackcmay @jstarry , the last 3 commits are ready for review