EOF: limit validated container size to MAX_INITCODE_SIZE #930
Conversation
pdobacz
force-pushed
the
max-initcode-size
branch
from
fe1e32d
to
28f5f83
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #930 +/- ##
==========================================
- Coverage 94.30% 94.27% -0.03%
==========================================
Files 142 142
Lines 16113 16123 +10
==========================================
+ Hits 15195 15200 +5
- Misses 918 923 +5
Flags with carried forward coverage won't be shown. Click here to find out more.
|
| @@ -579,6 +582,10 @@ EOFValidationError validate_eof1(evmc_revision rev, bytes_view main_container) n | |||
| bytes_view bytes; | |||
| bool referenced_by_eofcreate = false; | |||
| }; | |||
|
|
|||
| if (main_container.size() > MAX_INITCODE_SIZE) | |||
There was a problem hiding this comment.
An interesting case come up, concerning this piece: Should this check be done here (top-level validate_eof) or in validate_header.
An expectation would be to have the logic of validate_header protected against oversized containers. It has been since creation txs moved to the public API of eof.hpp, so, in principle, it should also contain the check as one of the first.
OTOH, this would be wasteful, as we'd be repeating the check for all subcontainers, which are always smaller than top-level. Also validate_header bare is only ever called in host.cpp during the process of validating a creation tx data (to be precise - to discover the split between container and calldata) - but there it is protected by the transaction-level MAX_INITCODE_SIZE check.
Let me know if you have any thoughts on this
There was a problem hiding this comment.
Does it mean the validate_header doesn't work correctly on its own?
There was a problem hiding this comment.
Does it mean the
validate_headerdoesn't work correctly on its own?
Only guaranteed for containers which have its size under the limit. In other words - checking size is outside of validate_header's responsibility.
There was a problem hiding this comment.
If this is now the validate_header() precondition then add an assert in the validate_header().
There was a problem hiding this comment.
ok, I reworked the comment and assertion in validate_header. I think this is good now, thx!
pdobacz
force-pushed
the
max-initcode-size
branch
2 times, most recently
from
f36adca
to
e22b44a
Compare
|
Converted to draft b/c testing something on the CI front, |
pdobacz
force-pushed
the
max-initcode-size
branch
2 times, most recently
from
7a0ffdc
to
e99bc18
Compare
pdobacz
force-pushed
the
max-initcode-size
branch
from
e99bc18
to
2ba1458
Compare
|
NOTE in a previous version I mistakenly added overflow checks for offsets (which accumulate section sizes). On second look, these weren't necessary, since a single check is done in I have force pushed a version without these. Now codecov complains only about new lines with error message handling |
pdobacz
force-pushed
the
max-initcode-size
branch
from
2ba1458
to
d55f69d
Compare
| @@ -771,8 +784,7 @@ std::variant<EOF1Header, EOFValidationError> validate_header( | |||
| container_offsets.emplace_back(static_cast<uint16_t>(offset)); | |||
| offset += container_size; | |||
| } | |||
| // NOTE: assertion always satisfied only as long as initcode limits apply (48K). | |||
| assert(offset <= std::numeric_limits<uint16_t>::max()); | |||
There was a problem hiding this comment.
I think we should keep the assert.
There was a problem hiding this comment.
I mean I would still keep it even if it's checked in validate_section_headers()
There was a problem hiding this comment.
ah it moved up a bit and changed form, but the outcome is still the same (I think, please double check if in doubt) - the cast is safe.
There was a problem hiding this comment.
assert(container.size() <= MAX_INITCODE_SIZE); checks that container size is checked outside validate_header() and validate_section_headers() check that declared containers sizes sum doesn't exceed container size, so the cast is safe, but I would still keep the assertion here (to prevent future errors in case validate_section_headers() is changed).
Also currently it's incosistent, you removed this assertion, but kept another one at line 776.
There was a problem hiding this comment.
Also currently it's incosistent, you removed this assertion, but kept another one at line 776.
ouch, right, completely missed that.
OK on keeping the assertion, but I guess just one assertion at the end (the removed one) will be enough?
There was a problem hiding this comment.
like 537d394 for example
There was a problem hiding this comment.
I would keep the one in code_size loop, too. If something goes wrong, it's easier to debug when it's detected early.
There was a problem hiding this comment.
okay, then let's keep all, one for each cast to uint16 (one was missing originally)
| @@ -579,6 +582,10 @@ EOFValidationError validate_eof1(evmc_revision rev, bytes_view main_container) n | |||
| bytes_view bytes; | |||
| bool referenced_by_eofcreate = false; | |||
| }; | |||
|
|
|||
| if (main_container.size() > MAX_INITCODE_SIZE) | |||
There was a problem hiding this comment.
Does it mean the validate_header doesn't work correctly on its own?
pdobacz
force-pushed
the
max-initcode-size
branch
from
ec4b1f7
to
8251d34
Compare
|
The 2 failed EEST cases are already failing for the base 1.0.4 release + |
pdobacz
force-pushed
the
max-initcode-size
branch
from
537d394
to
91f9a88
Compare
ipsilon/eof#125 / ethereum/EIPs#8670