Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TOB-FUEL-20: Unfair processing of events #1326

Closed
xgreenx opened this issue Aug 28, 2023 · 2 comments
Closed

TOB-FUEL-20: Unfair processing of events #1326

xgreenx opened this issue Aug 28, 2023 · 2 comments
Assignees
@MitchTurner @xgreenx
Labels
audit-report Somehow related to the audit report

Comments

@xgreenx
Copy link
Collaborator

xgreenx commented Aug 28, 2023

Description

The following poll function processes events from Kademlia DHT and mdns in an unfair way. It is possible that events by mdns might not get polled if Kademlia always returns a Poll:Ready(...) result. An attacker might be able to exploit this behavior and block mdns from working correctly by causing Kademlia DHT to always yield a result when polled.

Figure 20.1: Function which polls events from the Kademlia extension and mdns. (fuel-core/crates/services/p2p/src/discovery.rs#160–262)

// gets polled by the swarm
fn poll(
    &mut self,
    cx: &mut Context<'_>,
    params: &mut impl PollParameters,
) -> Poll<NetworkBehaviourAction<Self::OutEvent, Self::ConnectionHandler>> {
    // ...
    // poll Kademlia behaviour
    while let Poll::Ready(kad_action) = self.kademlia.poll(cx, params) {
        match kad_action {
            // ...
            NetworkBehaviourAction::Dial { handler, opts } => {
                return Poll::Ready(NetworkBehaviourAction::Dial { handler, opts })
            }
// ...
_ => {} }
}
    while let Poll::Ready(mdns_event) = self.mdns.poll(cx, params) {
        match mdns_event {
// ...
            NetworkBehaviourAction::ReportObservedAddr { address, score } => {
                return Poll::Ready(NetworkBehaviourAction::ReportObservedAddr {
address,
score, })
}
// ...
_ => {} }
    }
    Poll::Pending
}

Exploit Scenario

An attacker constantly causes a NetworkBehaviourAction::Dial event to be available. This way the mdns might not get its events processed.

Recommendations

Short term, for every invocation of the poll function, switch between first polling Kademlia and mdns.
Long term, deploy metrics which watch poll queues. If an event queue is not polled regularly, then this could cause a situation like a deadlock.
@xgreenx xgreenx added the audit-report Somehow related to the audit report label Aug 28, 2023
This was referenced Aug 28, 2023
Closed
Closed
@xgreenx
Copy link
Collaborator Author

xgreenx commented Aug 29, 2023

Related to the #1065. But maybe p2p implementation of discovery service has the same problem.

@xgreenx
Copy link
Collaborator Author

xgreenx commented Oct 11, 2023

We removed pending_events during work on #1065.

Regarding unfair events for mdns, we decided not to fix it because it is disabled in production. It is mostly used for local development.

Maybe later, we will remove support for MDNS entirly.

@xgreenx xgreenx closed this as completed Oct 11, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@MitchTurner MitchTurner

@xgreenx xgreenx

Labels
audit-report Somehow related to the audit report
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@MitchTurner @xgreenx