Instruction limits aren't enforced throughout cross program invocations #11556

Closed
hendrikhofstadt opened this issue Aug 11, 2020 · 2 comments · Fixed by #11717
Labels
security Pull requests that address a security vulnerability
Comments

hendrikhofstadt commented Aug 11, 2020

Problem

When a program invokes another BPF program via CPI, the instruction counter is not carried over. Since Solana currently allows 5 layers of call depth, this allows for instructions that take extremely long to compute and can overwhelm message processing and take the network down.

Proposed Solution

Enforce instruction limits on CPI calls to other BPF programs. Potentially also limit the number of CPIs to non-BPF programs (to prevent spam of system instructions).

@jackcmay (Contributor) commented

Limits are enforced, it's just that they are very high and additive when doing cross-program invocations :-)

As @aeyakovenko suggested switching to a max of ~25ms total for each top-level instruction is probably reasonable.

@mvines mvines added this to the v1.2.22 milestone Aug 14, 2020
mvines commented Aug 14, 2020

Consider limiting the depth of the CPI stack as well, perhaps to 1 for now
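To make the two points above concrete (a per-callee budget being additive across CPI depth, and a depth cap as a second bound), here is a small added model, not Solana's runtime code; the meter, policy and limit names are hypothetical:

```rust
// Added example, not Solana's runtime code: a toy compute meter contrasting a
// budget that resets per CPI callee with one carried through the whole chain.
#[derive(Debug, PartialEq)]
pub enum MeterError { Exhausted, DepthExceeded }

pub struct ComputeMeter { remaining: u64 }

impl ComputeMeter {
    pub fn new(budget: u64) -> Self { ComputeMeter { remaining: budget } }
    /// Charge `units`; fail once the budget is spent.
    pub fn consume(&mut self, units: u64) -> Result<(), MeterError> {
        if units > self.remaining { return Err(MeterError::Exhausted); }
        self.remaining -= units;
        Ok(())
    }
}

/// Which meter a CPI callee draws from (hypothetical names).
#[derive(Clone, Copy)]
pub enum BudgetPolicy {
    PerInvocation,   // each callee gets a fresh budget: the behaviour the issue describes
    SharedAcrossCpi, // callees spend from the top-level instruction's meter
}

/// One program in a CPI chain: burn `units_per_level`, then invoke the next
/// level until `chain_len` levels have run. Returns the total units executed.
fn invoke(policy: BudgetPolicy, budget: u64, depth_limit: usize, chain_len: usize,
          depth: usize, units_per_level: u64, caller: &mut ComputeMeter)
          -> Result<u64, MeterError> {
    if depth > depth_limit { return Err(MeterError::DepthExceeded); }
    let mut fresh = ComputeMeter::new(budget);
    let meter: &mut ComputeMeter = match policy {
        BudgetPolicy::PerInvocation => &mut fresh,
        BudgetPolicy::SharedAcrossCpi => caller,
    };
    meter.consume(units_per_level)?;
    let mut total = units_per_level;
    if depth < chain_len {
        total += invoke(policy, budget, depth_limit, chain_len, depth + 1,
                        units_per_level, meter)?;
    }
    Ok(total)
}

/// Total work one top-level instruction can do under `policy`.
pub fn total_work(policy: BudgetPolicy, budget: u64, depth_limit: usize,
                  chain_len: usize, units_per_level: u64) -> Result<u64, MeterError> {
    let mut top = ComputeMeter::new(budget);
    invoke(policy, budget, depth_limit, chain_len, 1, units_per_level, &mut top)
}
```

With a 200,000-unit budget and five levels that each spend it fully, the per-invocation policy executes 1,000,000 units, while the shared meter stops the second level with `Exhausted`.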

@mvines mvines modified the milestones: v1.2.22, v1.3.4 Aug 15, 2020
@leoluk leoluk added the security Pull requests that address a security vulnerability label Sep 11, 2020
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 5, 2022