-
Notifications
You must be signed in to change notification settings - Fork 4.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Forbid bogus account assignment to native_loaders #11928
Conversation
Codecov Report
@@ Coverage Diff @@
## master #11928 +/- ##
=========================================
- Coverage 82.2% 82.1% -0.1%
=========================================
Files 331 331
Lines 78062 78072 +10
=========================================
- Hits 64184 64169 -15
- Misses 13878 13903 +25 |
😬 things just got very real over the weekend, I think the luxury of our past short-cuts aren't really viable anymore |
Actually why bother with this? When we introduce a new BPFLoader, we'll just rewrite the account and preserve whatever lamports are in it |
Newer native loader program accounts (= accounts owned by (this paragraph is based on current impl with the above checking; unconditional overwrite will evade this entirely) So, we must be careful to discern whether to overwrite or not by checking already-existing account is bogus or genuine. The check requires Unless we forbid, we must also consider native loader program accounts are Ultimately, I just want simplicity and consistency between specially-owned accounts (sysvars and native programs) Also, I think fewer abnormal situation will lead to less bugs. Also, if forbidding for native loaders can be optional, why sysvar is forbidden btw? I thought lack of forbid of native loaders was just a oversight. :) |
It's certainly nicer to forbid transfers for completeness. But it doesn't seem strictly necessary, nobody will be able to realistically generate a privatekey for any of these well-known address, so we can be quite sure that they're either unallocated or somebody transferred some SOL to that address, which is effectively a token burn. So I feel like we can just overwrite what ever is in that account regardless of the current content. I'm not opposed to disabling transfers here. I just don't feel strongly either |
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. |
This stale pull request has been automatically closed. Thank you for your contributions. |
62135f1
to
15c0ebc
Compare
@@ -89,6 +89,13 @@ impl PreAccount { | |||
return Err(InstructionError::ModifiedProgramId); | |||
} | |||
|
|||
if self.owner != post.owner |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- MUST [ ] needs tests for this
will be superseded by #13884 |
Problem
Transactions can assign account to
NativeLoader1111
for no good reason.Summary of Changes
Forbid doing so just like sysvars.
Obviously, this creates dos attack window when upgrading.
Note that, I'm intentionally omitting to gate this change. Considering recent our practices, this should be acceptable? (CC: @mvines )
Alternatively, if this is concerning too much, we can resort to adding
account.executable
to this existing condition:solana/runtime/src/bank.rs
Line 1201 in 5b1aca1
and to-be-pushed new capitalization calculation at #11927.
context
following up: #11750
blocking: #11927(This is not a blocker anymore; as this requires proper gating, I've unblocked #11927).