Fix unaligned read of short_vec pubkey_size in sigverify #6388

Merged
merged 3 commits into from
Oct 16, 2019

ryoqun
Member

@ryoqun ryoqun commented Oct 16, 2019

(This is split from #6236 as requested by @sakridge !)

Problem

sigverify's deserialization is wrong in a corner case; most of the time it works as intended.

In short, this old code incorrectly reads bytes serialized from MessageHeader (three u8s) as the length (ShortU16) of short_vec. (Moderate pun intended... :).

So, if MessageHeader.required_num_sigs is above 0x7f (according to the comment of ShortU16), pubkey_size will be 2 and the subsequent offset calculation gets bogus, resulting in false negative results of sigverify. This has been working because most of the time MessageHeader.required_num_sigs is very small compared to 0x7f.

From https://github.com/solana-labs/solana/pull/6236/files#r333704395

Solution

Shift the offset correctly, taking size_of MessageHeader into account.
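
The corner case described in the pull request description above, as an added Rust sketch that is not code from the Solana repository. The packet layout, the `pubkey_offset_buggy` and `pubkey_offset_fixed` helpers, and the sample packet are simplified assumptions built from that description.

```rust
// Added illustration; a simplified model, not code from the Solana repository.
const HEADER_LEN: usize = 3; // MessageHeader serializes as three u8s
const SIG_LEN: usize = 64; // signature size used for the constructed packet

/// Decode a ShortU16 length prefix: 7 value bits per byte, high bit set means
/// another byte follows. Returns (value, bytes consumed), None if malformed.
fn decode_len(buf: &[u8]) -> Option<(usize, usize)> {
    let mut value = 0usize;
    for (i, &b) in buf.iter().take(3).enumerate() {
        value |= ((b & 0x7f) as usize) << (7 * i);
        if b & 0x80 == 0 {
            return Some((value, i + 1));
        }
    }
    None
}

/// Old behaviour as described: the prefix is decoded at the message start,
/// so the header's first byte is mistaken for the pubkey short_vec length.
fn pubkey_offset_buggy(packet: &[u8], msg_start: usize) -> Option<usize> {
    let (_, pubkey_size) = decode_len(packet.get(msg_start..)?)?;
    Some(msg_start + HEADER_LEN + pubkey_size)
}

/// Fixed behaviour: skip the header before decoding the length prefix.
fn pubkey_offset_fixed(packet: &[u8], msg_start: usize) -> Option<usize> {
    let (_, pubkey_size) = decode_len(packet.get((msg_start + HEADER_LEN)..)?)?;
    Some(msg_start + HEADER_LEN + pubkey_size)
}

/// Constructed sample: one signature, a header, then `n_keys` 32-byte pubkeys.
fn sample_packet(num_required_signatures: u8, n_keys: u8) -> (Vec<u8>, usize) {
    assert!(n_keys < 0x80); // keeps the real pubkey prefix at one byte
    let mut p = vec![1u8]; // signature short_vec prefix: one signature
    p.extend_from_slice(&[0xAA; SIG_LEN]);
    let msg_start = p.len();
    p.extend_from_slice(&[num_required_signatures, 0, 0]); // header bytes
    p.push(n_keys); // pubkey short_vec prefix
    p.extend(std::iter::repeat(0x11).take(32 * n_keys as usize));
    (p, msg_start)
}

fn main() {
    for n in [0x01u8, 0x7f, 0x80, 0xff] {
        let (p, m) = sample_packet(n, 2);
        let (bad, good) = (pubkey_offset_buggy(&p, m), pubkey_offset_fixed(&p, m));
        println!("header[0]={:#04x} buggy={:?} fixed={:?}", n, bad, good);
    }
}
```

With a first header byte of 0x7f or below the two offsets agree, which is why the old code passed in practice; from 0x80 upward the buggy offset lands one byte into the first pubkey.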

@mvines mvines added the CI Pull Request is ready to enter CI label Oct 16, 2019
@solana-grimes solana-grimes removed the CI Pull Request is ready to enter CI label Oct 16, 2019
@codecov

codecov bot commented Oct 16, 2019

Codecov Report

Merging #6388 into master will increase coverage by 4.7%.
The diff coverage is 96.4%.

@@           Coverage Diff            @@
##           master   #6388     +/-   ##
========================================
+ Coverage    72.7%   77.4%   +4.7%     
========================================
  Files         219     209     -10     
  Lines       45244   40004   -5240     
========================================
- Hits        32901   30972   -1929     
+ Misses      12343    9032   -3311

CriesofCarrots
CriesofCarrots previously approved these changes Oct 16, 2019
Contributor

@CriesofCarrots CriesofCarrots left a comment

One nit, but lgtm
:shipit:


    let message = Message {
        header: MessageHeader {
            num_required_signatures: required_num_sigs as u8,
Contributor

Don't need this cast

Member Author

nice nits! 082fd71

@mergify mergify bot dismissed CriesofCarrots’s stale review October 16, 2019 17:19

Pull request has been modified.

@ryoqun
Member Author

ryoqun commented Oct 16, 2019

> One nit, but lgtm
> :shipit:

yay!

@ryoqun ryoqun requested a review from CriesofCarrots October 16, 2019 17:22
@mvines mvines added the automerge Merge this Pull Request automatically once CI passes label Oct 16, 2019
@solana-grimes solana-grimes merged commit f4c5da3 into solana-labs:master Oct 16, 2019
@mvines
Member

mvines commented Oct 16, 2019

@ryoqun thanks!

@sakridge
Member

Yes looks good. Thanks for splitting it out into this commit, it was much easier to understand the change.
