[Merged by Bors] - Verify that previous ATX points to correct ATX when handling incoming ATXs #5927

Closed
wants to merge 35 commits into from
35 commits
4587585
Increase supported number of ATXs to 4.5 Mio (#5896) (#5898)
fasmat Apr 29, 2024
02b3127
Avoid pulling poet proof multiple times in 1:N setups (#5911)
poszu May 6, 2024
8d35429
Avoid repeated searching for positioning ATX in 1:N (#5904)
poszu Apr 30, 2024
93423ad
Merge pull request #5915 from spacemeshos/backport/1.5/5904
poszu May 7, 2024
c1f9fb7
Merge remote-tracking branch 'origin/v1.5' into backport/1.5/5911
poszu May 7, 2024
12df191
Merge pull request #5914 from spacemeshos/backport/1.5/5911
poszu May 7, 2024
93d3375
Release v1.5.2 (#5916)
poszu May 7, 2024
47ac04a
Use .netrc in docker release workflow (#5918)
fasmat May 7, 2024
9aff88d
Verify that previous ATX points to correct ATX when handling incoming…
fasmat May 7, 2024
0d2e5c3
Fix store malfeasant ATX (#5929)
fasmat May 13, 2024
2db9908
Check identity exists when validating malfeasance proofs (#5930)
fasmat May 13, 2024
1dd3a96
Merge commit 'e99a5fe3bf5a3367634d280e117e00ffb07f98e5' into cve-fix-…
fasmat May 13, 2024
3be30e8
Merge commit '5ab40c2' into cve-fix-integration
fasmat May 13, 2024
a8256a8
Merge commit '649a479' into cve-fix-integration
fasmat May 13, 2024
406c0b2
Merge remote-tracking branch 'origin/develop' into cve-fix-integration
fasmat May 17, 2024
543e0d7
Merge remote-tracking branch 'origin/develop' into cve-fix-integration
fasmat May 17, 2024
f2bb52b
Fix typo
fasmat May 17, 2024
01c16de
Fix failing tests
fasmat May 17, 2024
001e8fa
Fix tests
fasmat May 17, 2024
1c46f93
More tests and fixes
fasmat May 17, 2024
1a67ec9
Remove requirement for existing identity in InvalidPostIndex
fasmat May 18, 2024
604c88b
Fix linter complaints
fasmat May 18, 2024
6346ea9
Fix illogical test
fasmat May 20, 2024
48d8736
Review findings
fasmat May 20, 2024
c6f6944
Fix changelog
fasmat May 20, 2024
8f77eeb
Merge remote-tracking branch 'origin/develop' into cve-fix-integration
fasmat May 20, 2024
9cc6da6
Merge remote-tracking branch 'origin/develop' into cve-fix-integration
fasmat May 20, 2024
ff2391b
Merge remote-tracking branch 'origin/develop' into cve-fix-integration
fasmat May 21, 2024
de6d502
Add comment explaining the sql query
fasmat May 21, 2024
aa38582
Review feedback for malfeasance verification
fasmat May 21, 2024
2072236
Add comment
fasmat May 21, 2024
8b3e6d1
Review feedback
fasmat May 21, 2024
79fa07c
Review feedback
fasmat May 21, 2024
82ed939
Merge remote-tracking branch 'origin/develop' into cve-fix-integration
fasmat May 21, 2024
ff55625
Merge remote-tracking branch 'origin/develop' into cve-fix-integration
fasmat May 21, 2024
14 changes: 14 additions & 0 deletions .github/workflows/systest.yml
Expand Up @@ -92,6 +92,13 @@ jobs:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}

- uses: extractions/netrc@v2
with:
machine: github.com
username: ${{ secrets.GH_ACTION_TOKEN_USER }}
password: ${{ secrets.GH_ACTION_TOKEN }}
if: vars.GOPRIVATE

- name: Push go-spacemesh build to docker hub
run: make dockerpush
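Review bot: `extractions/netrc@v2` is a third-party action referenced by a mutable tag, and this step hands it `secrets.GH_ACTION_TOKEN`. Pin the action to a full commit SHA so that a retagged release cannot change the code that receives the token, and confirm the token is scoped to read-only access on the private modules it has to fetch.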

Expand All @@ -103,6 +110,13 @@ jobs:
shell: bash
run: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT

- uses: extractions/netrc@v2
with:
machine: github.com
username: ${{ secrets.GH_ACTION_TOKEN_USER }}
password: ${{ secrets.GH_ACTION_TOKEN }}
if: vars.GOPRIVATE

- name: Build tests docker image
run: make -C systest docker
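Review bot: the `.netrc` written by this step stays in the runner's home directory for every later step of the job, not only for `make -C systest docker`. Add a step after the image build that deletes the file, gated on the same `if: vars.GOPRIVATE` condition. The block is also a verbatim copy of the one added in the job above, so a shared composite action would keep the two from drifting apart.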

4 changes: 4 additions & 0 deletions CHANGELOG.md
Expand Up @@ -50,6 +50,10 @@ Upgrading to this version requires going through v1.5.x first. Removed migration
deprecated inlined activeset as invalid. go-spacemesh references the active set via hash since v1.3.0, and has been
pruning the data of old ballots since then as well.

* [#5927](https://github.com/spacemeshos/go-spacemesh/pull/5927) Fixed vulnerability in the way a node handles incoming
ATXs. This vulnerability allows an attacker to claim rewards for a full tick amount although they should not be
eligible for them.

## Release v1.5.4

### Improvements
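Review bot: the new entry describes the impact of the bug but not the change, so a reader cannot tell what the node now checks. State that the handler now verifies the previous ATX referenced by an incoming ATX (as the PR title says), and put the description in the past tense ("allowed an attacker to claim rewards") since the entry documents the fix.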
2 changes: 1 addition & 1 deletion Dockerfile
Expand Up @@ -44,7 +44,7 @@ RUN make get-libs
COPY go.mod .
COPY go.sum .

RUN go mod download
RUN --mount=type=secret,id=mynetrc,dst=/root/.netrc go mod download

# Here we copy the rest of the source code
COPY . .
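Review bot: the secret mount on `go mod download` has no comment, and its target `dst=/root/.netrc` only works while this stage runs as root with `/root` as its home directory. Add a comment line above the `RUN` explaining that the mount supplies credentials for private Go modules, in the style of the existing `# Here we copy the rest of the source code` comment, and mention the root assumption there.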
11 changes: 9 additions & 2 deletions Makefile
Expand Up @@ -154,9 +154,11 @@ list-versions:

dockerbuild-go:
DOCKER_BUILDKIT=1 docker build \
--secret id=mynetrc,src=$(HOME)/.netrc \
--build-arg VERSION=${VERSION} \
-t go-spacemesh:$(SHA) \
-t $(DOCKER_HUB)/$(DOCKER_IMAGE_REPO):$(DOCKER_IMAGE_VERSION) .
-t $(DOCKER_HUB)/$(DOCKER_IMAGE_REPO):$(DOCKER_IMAGE_VERSION) \
.
.PHONY: dockerbuild-go

dockerpush: dockerbuild-go dockerpush-only
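Review bot: `--secret id=mynetrc,src=$(HOME)/.netrc` in `dockerbuild-go` is passed unconditionally, while the workflow only creates that file when `vars.GOPRIVATE` is set. On a machine without `~/.netrc`, `docker build` is expected to reject the missing secret source, so either guard the flag with a Make conditional on the file existing or document that the file is now required for local builds.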
Expand All @@ -171,7 +173,12 @@ endif
.PHONY: dockerpush-only

dockerbuild-bs:
DOCKER_BUILDKIT=1 docker build -t go-spacemesh-bs:$(SHA) -t $(DOCKER_HUB)/$(DOCKER_IMAGE_REPO)-bs:$(DOCKER_IMAGE_VERSION) -f ./bootstrap.Dockerfile .
DOCKER_BUILDKIT=1 docker build \
--secret id=mynetrc,src=$(HOME)/.netrc \
-t go-spacemesh-bs:$(SHA) \
-t $(DOCKER_HUB)/$(DOCKER_IMAGE_REPO)-bs:$(DOCKER_IMAGE_VERSION) \
-f ./bootstrap.Dockerfile \
.
.PHONY: dockerbuild-bs

dockerpush-bs: dockerbuild-bs dockerpush-bs-only
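Review bot: `dockerbuild-bs` now passes the `mynetrc` secret, but the only `--mount=type=secret` visible in this change is in `Dockerfile`, not in `bootstrap.Dockerfile`. If the bootstrap image does not mount the secret, drop the flag from this target; if it does, this target also depends on `$(HOME)/.netrc` existing on the build machine and needs a guard or a documented requirement.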
2 changes: 1 addition & 1 deletion activation/handler.go
Expand Up @@ -171,7 +171,7 @@ func (h *Handler) HandleSyncedAtx(ctx context.Context, expHash types.Hash32, pee

// HandleGossipAtx handles the atx gossip data channel.
func (h *Handler) HandleGossipAtx(ctx context.Context, peer p2p.Peer, msg []byte) error {
proof, err := h.handleAtx(ctx, types.Hash32{}, peer, msg)
proof, err := h.handleAtx(ctx, types.EmptyHash32, peer, msg)
if err != nil && !errors.Is(err, errMalformedData) && !errors.Is(err, errKnownAtx) {
h.log.WithContext(ctx).With().Warning("failed to process atx gossip",
log.Stringer("sender", peer),
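Review bot: the call in `HandleGossipAtx` passes `types.EmptyHash32` as the expected hash without a comment on what an empty value means for `handleAtx`. A one-line comment at the call site, contrasting it with `HandleSyncedAtx` and its `expHash` argument, would make the intent clear to the next reader of this security-sensitive path.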
12 changes: 5 additions & 7 deletions activation/handler_test.go
Expand Up @@ -227,9 +227,8 @@ func testHandler_PostMalfeasanceProofs(t *testing.T, synced bool) {

sig, err := signing.NewEdSigner()
require.NoError(t, err)
nodeID := sig.NodeID()

_, err = identities.GetMalfeasanceProof(atxHdlr.cdb, nodeID)
_, err = identities.GetMalfeasanceProof(atxHdlr.cdb, sig.NodeID())
require.ErrorIs(t, err, sql.ErrNotFound)

atx := newInitialATXv1(t, goldenATXID)
Expand Down Expand Up @@ -314,7 +313,7 @@ func TestHandler_ProcessAtxStoresNewVRFNonce(t *testing.T) {
require.NoError(t, err)
require.Equal(t, types.VRFPostIndex(*atx1.VRFNonce), got)

atx2 := newChainedActivationTxV1(t, goldenATXID, atx1, atx1.ID())
atx2 := newChainedActivationTxV1(t, atx1, atx1.ID())
nonce2 := types.VRFPostIndex(456)
atx2.VRFNonce = (*uint64)(&nonce2)
atx2.Sign(sig)
Expand All @@ -336,7 +335,7 @@ func TestHandler_HandleGossipAtx(t *testing.T) {
first := newInitialATXv1(t, goldenATXID)
first.Sign(sig)

second := newChainedActivationTxV1(t, goldenATXID, first, first.ID())
second := newChainedActivationTxV1(t, first, first.ID())
second.Sign(sig)

// the poet is missing
Expand Down Expand Up @@ -639,7 +638,7 @@ func TestHandler_AtxWeight(t *testing.T) {
require.Equal(t, leaves/tickSize, stored1.TickHeight())
require.Equal(t, (leaves/tickSize)*units, stored1.GetWeight())

atx2 := newChainedActivationTxV1(t, goldenATXID, atx1, atx1.ID())
atx2 := newChainedActivationTxV1(t, atx1, atx1.ID())
atx2.Sign(sig)
buf = codec.MustEncode(atx2)

Expand Down Expand Up @@ -740,7 +739,6 @@ func newInitialATXv1(

func newChainedActivationTxV1(
t testing.TB,
goldenATXID types.ATXID,
prev *wire.ActivationTxV1,
pos types.ATXID,
) *wire.ActivationTxV1 {
Expand All @@ -751,7 +749,7 @@ func newChainedActivationTxV1(
NIPostChallengeV1: wire.NIPostChallengeV1{
PrevATXID: prev.ID(),
PublishEpoch: prev.PublishEpoch + 1,
PositioningATXID: prev.ID(),
PositioningATXID: pos,
},
NIPost: newNIPosV1tWithPoet(t, poetRef.Bytes()),
Coinbase: prev.Coinbase,
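Review bot: with `PositioningATXID: pos` the helper now honours its `pos` argument, but every call site shown passes the previous ATX's ID (`atx1.ID()`, `first.ID()`), so these tests still never build an ATX whose positioning ATX differs from its previous ATX. None of the test hunks shown covers the case in the PR title either. Add a test where `PrevATXID` points to an ATX that is not the correct previous ATX and assert that the handler rejects it.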