Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Deserialization fixes #735

Merged
merged 19 commits into from
Apr 3, 2022
Merged

Deserialization fixes #735

merged 19 commits into from
Apr 3, 2022

Conversation

ljedrz
Copy link
Collaborator

@ljedrz ljedrz commented Apr 3, 2022

While running fuzz tests for the snarkOS network layer, I detected a few deserialization-related vulnerabilities that needed to be patched; I planned to finalize them and release the results on Monday, but seeing the extra weekend changes, I decided to be proactive about it and provide the results I have already.

Most of these are either overallocations or unwraps, which will cause a crash when deserializing broken/malicious network messages.

Feel free to adjust the numbers I used, depending on the expected maximum values. I initially thought using Vec::try_reserve or tweaking the allocator would be preferable, but in the end I believe we should instead be imposing limits on a per-case basis.

Supersedes https://github.com/AleoHQ/snarkVM/pull/592 and https://github.com/AleoHQ/snarkVM/pull/609.

ljedrz added 11 commits April 3, 2022 11:25
@ljedrz
fix: don't crash in Transaction::read_le
2f640ad 
Signed-off-by: ljedrz <[email protected]>
@ljedrz
fix: don't crash in Ciphertext::read_le
3934dc8 
Signed-off-by: ljedrz <[email protected]>
@ljedrz
fix: don't crash in Vec<T>::deserialize(_uncompressed)
2422c28 
Signed-off-by: ljedrz <[email protected]>
@ljedrz
fix: don't crash in PoSWProof::verify
cb358e2 
Signed-off-by: ljedrz <[email protected]>
@ljedrz
fix: don't crash in Transition::read_le
944c384 
Signed-off-by: ljedrz <[email protected]>
@ljedrz
fix: don't crash in Event::read_le
5fd192f 
Signed-off-by: ljedrz <[email protected]>
@ljedrz
fix: don't crash in Transition::read_le (cont)
c632cfd 
Signed-off-by: ljedrz <[email protected]>
@ljedrz
fix: don't crash in Execution::read_le
4d0902d 
Signed-off-by: ljedrz <[email protected]>
@ljedrz
fix: don't crash in MerklePath::read_le
dacc3a4 
Signed-off-by: ljedrz <[email protected]>
@ljedrz
fix: don't crash in Operation::read_le
d001f95 
Signed-off-by: ljedrz <[email protected]>
@ljedrz
fix: don't crash in MerklePath::read_le (cont)
a31795a 
Signed-off-by: ljedrz <[email protected]>
@ljedrz ljedrz added the bug Something isn't working label Apr 3, 2022
@ljedrz ljedrz requested a review from howardwu April 3, 2022 10:16
@howardwu
Copy link
Member

howardwu commented Apr 3, 2022

Thanks for catching these Lukasz! Looks like we should redesign our serialization infrastructure to account for this.

@howardwu
Copy link
Member

howardwu commented Apr 3, 2022

Alright, this should handle the serialization cases that were caught.

@howardwu howardwu merged commit e5f98da into ProvableHQ:testnet3 Apr 3, 2022
@howardwu howardwu mentioned this pull request Apr 3, 2022
Closed
@ljedrz ljedrz deleted the testnet3_crash_fixes branch April 3, 2022 19:10
@ljedrz
Copy link
Collaborator Author

ljedrz commented Apr 3, 2022
edited
Loading

I can confirm that the fuzzing artifacts still pass with the additional changes 👍; I'll run the tests a bit more tomorrow just to be safe.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@howardwu howardwu howardwu approved these changes

Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ljedrz @howardwu