Skip to content

Commit

Permalink
Adds a feature gate to reject the deployment of programs with unresol…
Browse files Browse the repository at this point in the history
…ved syscall symbols. (solana-labs#21298)
  • Loading branch information
Lichtso committed Nov 17, 2021
1 parent 05ea046 commit ab35bb8
Show file tree
Hide file tree
Showing 2 changed files with 15 additions and 6 deletions.
16 changes: 10 additions & 6 deletions programs/bpf_loader/src/lib.rs
Original file line number Diff line number Diff line change
Expand Up @@ -32,8 +32,8 @@ use solana_sdk::{
entrypoint::{HEAP_LENGTH, SUCCESS},
feature_set::{
add_missing_program_error_mappings, close_upgradeable_program_accounts, fix_write_privs,
reduce_required_deploy_balance, stop_verify_mul64_imm_nonzero,
upgradeable_close_instruction,
reduce_required_deploy_balance, reject_deployment_of_unresolved_syscalls,
stop_verify_mul64_imm_nonzero, upgradeable_close_instruction,
},
ic_logger_msg, ic_msg,
instruction::{AccountMeta, InstructionError},
Expand Down Expand Up @@ -76,6 +76,7 @@ pub fn create_executor(
program_data_offset: usize,
invoke_context: &mut dyn InvokeContext,
use_jit: bool,
reject_unresolved_syscalls: bool,
) -> Result<Arc<BpfExecutor>, InstructionError> {
let syscall_registry = syscalls::register_syscalls(invoke_context).map_err(|e| {
ic_msg!(invoke_context, "Failed to register syscalls: {}", e);
Expand All @@ -86,6 +87,8 @@ pub fn create_executor(
max_call_depth: bpf_compute_budget.max_call_depth,
stack_frame_size: bpf_compute_budget.stack_frame_size,
enable_instruction_tracing: log_enabled!(Trace),
reject_unresolved_syscalls: reject_unresolved_syscalls
&& invoke_context.is_feature_active(&reject_deployment_of_unresolved_syscalls::id()),
verify_mul64_imm_nonzero: !invoke_context
.is_feature_active(&stop_verify_mul64_imm_nonzero::id()), // TODO: Feature gate and then remove me
..Config::default()
Expand Down Expand Up @@ -236,7 +239,8 @@ fn process_instruction_common(
let executor = match invoke_context.get_executor(program_id) {
Some(executor) => executor,
None => {
let executor = create_executor(0, program_data_offset, invoke_context, use_jit)?;
let executor =
create_executor(0, program_data_offset, invoke_context, use_jit, false)?;
invoke_context.add_executor(program_id, executor.clone());
executor
}
Expand Down Expand Up @@ -430,7 +434,7 @@ fn process_loader_upgradeable_instruction(
)?;

// Load and verify the program bits
let executor = create_executor(3, buffer_data_offset, invoke_context, use_jit)?;
let executor = create_executor(3, buffer_data_offset, invoke_context, use_jit, true)?;
invoke_context.add_executor(&new_program_id, executor);

let keyed_accounts = invoke_context.get_keyed_accounts()?;
Expand Down Expand Up @@ -562,7 +566,7 @@ fn process_loader_upgradeable_instruction(
}

// Load and verify the program bits
let executor = create_executor(2, buffer_data_offset, invoke_context, use_jit)?;
let executor = create_executor(2, buffer_data_offset, invoke_context, use_jit, true)?;
invoke_context.add_executor(&new_program_id, executor);

let keyed_accounts = invoke_context.get_keyed_accounts()?;
Expand Down Expand Up @@ -831,7 +835,7 @@ fn process_loader_instruction(
return Err(InstructionError::MissingRequiredSignature);
}

let executor = create_executor(0, 0, invoke_context, use_jit)?;
let executor = create_executor(0, 0, invoke_context, use_jit, true)?;
let keyed_accounts = invoke_context.get_keyed_accounts()?;
let program = keyed_account_at_index(keyed_accounts, 0)?;
invoke_context.add_executor(program.unsigned_key(), executor);
Expand Down
5 changes: 5 additions & 0 deletions sdk/src/feature_set.rs
Original file line number Diff line number Diff line change
Expand Up @@ -255,6 +255,10 @@ pub mod add_compute_budget_program {
solana_sdk::declare_id!("4d5AKtxoh93Dwm1vHXUU3iRATuMndx1c431KgT2td52r");
}

pub mod reject_deployment_of_unresolved_syscalls {
solana_sdk::declare_id!("DqniU3MfvdpU3yhmNF1RKeaM5TZQELZuyFGosASRVUoy");
}

lazy_static! {
/// Map of feature identifiers to user-visible description
pub static ref FEATURE_NAMES: HashMap<Pubkey, &'static str> = [
Expand Down Expand Up @@ -319,6 +323,7 @@ lazy_static! {
(ed25519_program_enabled::id(), "enable builtin ed25519 signature verify program"),
(requestable_heap_size::id(), "Requestable heap frame size"),
(add_compute_budget_program::id(), "Add compute_budget_program"),
(reject_deployment_of_unresolved_syscalls::id(), "Reject deployment of programs with unresolved syscall symbols"),
/*************** ADD NEW FEATURES HERE ***************/
]
.iter()
Expand Down

0 comments on commit ab35bb8

Please sign in to comment.