Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Two critical VM issues (denial of service attacks) #2738

Open
bbarwik opened this issue Aug 28, 2024 · 2 comments
Open

Two critical VM issues (denial of service attacks) #2738

bbarwik opened this issue Aug 28, 2024 · 2 comments
Assignees
@petar-dambovaliev
Labels
🐞 bug Something isn't working in focus Core team is prioritizing this work 📦 🤖 gnovm Issues or PRs gnovm related
Milestone
🚀 Mainnet launch

Comments

@bbarwik
Copy link

bbarwik commented Aug 28, 2024
edited
Loading

Two critical VM issues (denial of service attacks)

Hey everyone, I am a Web3 cybersecurity researcher working for Hacken specializing in layer 1 protocols and virtual machines. I met with the Gno team during Web3 Summit in Berlin where they introduced me to your project. I promised to check it out because it sounded very interesting to me. I spent a day playing with your project and virtual machine and managed to find two ways to crash it.

Critical issues

  1. Crashing VM due to out-of-memory error by allocating a huge slice:
package main
func main() {
    buffer := make([]int, 1_000_000_000_000)
    buffer[1] = 1
}
  1. Crashing VM by creating very deep structure which is very CPU-intensive to process:
func init() {
    var x interface{}    
    for {
        x = [1]interface{}{x}    
   }
}

or alternatively:

package main
func main() {
    var x interface{}    
    for i := 0; i < 10000; i++ {
        x = [1]interface{}{x}    
    }
    for i := 0; i < 10000; i++ {
        println(x)   
    }
}

I used the following test to reproduce these issues: crash_test.go.zip. You should put it in gno.land/pkg/sdk/vm and run it there with go test -v -run TestVMCrash.

Next steps

I highly recommend introducing Fuzzing in your project and undergoing a full audit before launching your product.

Feel free to contact me here or by sending an email to [email protected] if you need any help.
@deelawn
Copy link
Contributor

deelawn commented Sep 9, 2024

I'll take a stab at solving the first issue listed here

  1. Crashing VM due to out-of-memory error by allocating a huge slice:

@deelawn deelawn mentioned this issue Sep 10, 2024
Merged
7 tasks
@zivkovicmilos zivkovicmilos added 🌟 must have 🌟 🐞 bug Something isn't working labels Sep 11, 2024
thehowl pushed a commit that referenced this issue Sep 12, 2024
@deelawn
fix(gnovm): count slice allocations before performing memory allocati…
d7407f5 
…ons (#2781)

<!-- please provide a detailed description of the changes made in this
pull request. -->
This is to fix the first issue mentioned in #2738.

In short, when allocating and reallocating slices' underlying arrays,
the VM was building the `TypedValue` slice before making the necessary
VM allocations. It is important the VM allocations be done before the
`TypedValue` allocations to ensure the values being allocated won't
exceed the VM's limit. In extreme cases, unchecked allocations resulted
in the VM hanging as it tried to allocate massive `TypedValue` slices in
the go runtime.
<details><summary>Contributors' checklist...</summary>

- [x] Added new tests, or not needed, or not feasible
- [x] Provided an example (e.g. screenshot) to aid review or the PR is
self-explanatory
- [x] Updated the official documentation or not needed
- [x] No breaking changes were made, or a `BREAKING CHANGE: xxx` message
was included in the description
- [x] Added references to related issues and PRs
- [x] Provided any useful hints for running manual tests
- [x] Added new benchmarks to [generated
graphs](https://gnoland.github.io/benchmarks), if any. More info
[here](https://github.com/gnolang/gno/blob/master/.benchmarks/README.md).
</details>
@Kouteki Kouteki mentioned this issue Sep 16, 2024
Open
@thehowl thehowl mentioned this issue Oct 8, 2024
Open
@Kouteki Kouteki added this to the 🚀 Mainnet launch milestone Oct 16, 2024
@Kouteki Kouteki added 📦 🤖 gnovm Issues or PRs gnovm related and removed 🌟 must have 🌟 labels Oct 16, 2024
@Kouteki
Copy link
Contributor

Kouteki commented Oct 21, 2024

First issue has been fixed.

The second issue needs to be triaged to determine if it poses a critical threat for the chain at launch.

@Kouteki Kouteki assigned thehowl and unassigned kristovatlas Oct 21, 2024
@Kouteki Kouteki moved this from Triage to Backlog in 🧙‍♂️gno.land core team Oct 22, 2024
@Kouteki Kouteki moved this from Backlog to Todo in 🧙‍♂️gno.land core team Oct 28, 2024
@thehowl thehowl added the in focus Core team is prioritizing this work label Nov 6, 2024
@Kouteki Kouteki assigned petar-dambovaliev and unassigned thehowl Nov 29, 2024
@Kouteki Kouteki moved this from Todo to In Progress in 🧙‍♂️gno.land core team Nov 30, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@petar-dambovaliev petar-dambovaliev

Labels
🐞 bug Something isn't working in focus Core team is prioritizing this work 📦 🤖 gnovm Issues or PRs gnovm related
Projects
🧙‍♂️gno.land core team
Status: In Progress
🚀 main.gno.land launch 🚀
Status: TODO
Milestone
🚀 Mainnet launch
Development

No branches or pull requests
7 participants
@deelawn @thehowl @kristovatlas @Kouteki @zivkovicmilos @petar-dambovaliev @bbarwik