-
Notifications
You must be signed in to change notification settings - Fork 293
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
EOF: limit validated container size to MAX_INITCODE_SIZE #930
Conversation
fe1e32d
to
28f5f83
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #930 +/- ##
==========================================
- Coverage 94.30% 94.27% -0.03%
==========================================
Files 142 142
Lines 16113 16123 +10
==========================================
+ Hits 15195 15200 +5
- Misses 918 923 +5
Flags with carried forward coverage won't be shown. Click here to find out more.
|
@@ -579,6 +582,10 @@ EOFValidationError validate_eof1(evmc_revision rev, bytes_view main_container) n | |||
bytes_view bytes; | |||
bool referenced_by_eofcreate = false; | |||
}; | |||
|
|||
if (main_container.size() > MAX_INITCODE_SIZE) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
An interesting case come up, concerning this piece: Should this check be done here (top-level validate_eof
) or in validate_header
.
An expectation would be to have the logic of validate_header
protected against oversized containers. It has been since creation txs moved to the public API of eof.hpp, so, in principle, it should also contain the check as one of the first.
OTOH, this would be wasteful, as we'd be repeating the check for all subcontainers, which are always smaller than top-level. Also validate_header
bare is only ever called in host.cpp
during the process of validating a creation tx data (to be precise - to discover the split between container and calldata) - but there it is protected by the transaction-level MAX_INITCODE_SIZE check.
Let me know if you have any thoughts on this
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does it mean the validate_header
doesn't work correctly on its own?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does it mean the
validate_header
doesn't work correctly on its own?
Only guaranteed for containers which have its size under the limit. In other words - checking size is outside of validate_header
's responsibility.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If this is now the validate_header()
precondition then add an assert in the validate_header()
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ok, I reworked the comment and assertion in validate_header
. I think this is good now, thx!
f36adca
to
e22b44a
Compare
Converted to draft b/c testing something on the CI front, |
7a0ffdc
to
e99bc18
Compare
e99bc18
to
2ba1458
Compare
NOTE in a previous version I mistakenly added overflow checks for offsets (which accumulate section sizes). On second look, these weren't necessary, since a single check is done in I have force pushed a version without these. Now codecov complains only about new lines with error message handling |
2ba1458
to
d55f69d
Compare
@@ -771,8 +784,7 @@ std::variant<EOF1Header, EOFValidationError> validate_header( | |||
container_offsets.emplace_back(static_cast<uint16_t>(offset)); | |||
offset += container_size; | |||
} | |||
// NOTE: assertion always satisfied only as long as initcode limits apply (48K). | |||
assert(offset <= std::numeric_limits<uint16_t>::max()); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we should keep the assert.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks still removed?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I mean I would still keep it even if it's checked in validate_section_headers()
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ah it moved up a bit and changed form, but the outcome is still the same (I think, please double check if in doubt) - the cast is safe.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
assert(container.size() <= MAX_INITCODE_SIZE);
checks that container size is checked outside validate_header()
and validate_section_headers()
check that declared containers sizes sum doesn't exceed container size, so the cast is safe, but I would still keep the assertion here (to prevent future errors in case validate_section_headers()
is changed).
Also currently it's incosistent, you removed this assertion, but kept another one at line 776.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also currently it's incosistent, you removed this assertion, but kept another one at line 776.
ouch, right, completely missed that.
OK on keeping the assertion, but I guess just one assertion at the end (the removed one) will be enough?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
like 537d394 for example
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would keep the one in code_size
loop, too. If something goes wrong, it's easier to debug when it's detected early.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
okay, then let's keep all, one for each cast to uint16 (one was missing originally)
@@ -579,6 +582,10 @@ EOFValidationError validate_eof1(evmc_revision rev, bytes_view main_container) n | |||
bytes_view bytes; | |||
bool referenced_by_eofcreate = false; | |||
}; | |||
|
|||
if (main_container.size() > MAX_INITCODE_SIZE) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does it mean the validate_header
doesn't work correctly on its own?
ec4b1f7
to
8251d34
Compare
The 2 failed EEST cases are already failing for the base 1.0.4 release + |
537d394
to
91f9a88
Compare
ipsilon/eof#125 / ethereum/EIPs#8670