Two critical VM issues (denial of service attacks) #2738

Open
bbarwik opened this issue Aug 28, 2024 · 1 comment
bbarwik commented Aug 28, 2024

Two critical VM issues (denial of service attacks)

Hey everyone, I am a Web3 cybersecurity researcher working for Hacken specializing in layer 1 protocols and virtual machines. I met with the Gno team during Web3 Summit in Berlin where they introduced me to your project. I promised to check it out because it sounded very interesting to me. I spent a day playing with your project and virtual machine and managed to find two ways to crash it.

Critical issues

  1. Crashing VM due to out-of-memory error by allocating a huge slice:

```go
package main

func main() {
    buffer := make([]int, 1_000_000_000_000)
    buffer[1] = 1
}
```

  2. Crashing VM by creating very deep structure which is very CPU-intensive to process:

```go
func init() {
    var x interface{}
    for {
        x = [1]interface{}{x}
    }
}
```

or alternatively:

```go
package main

func main() {
    var x interface{}
    for i := 0; i < 10000; i++ {
        x = [1]interface{}{x}
    }
    for i := 0; i < 10000; i++ {
        println(x)
    }
}
```

I used the following test to reproduce these issues: crash_test.go.zip. You should put it in `gno.land/pkg/sdk/vm` and run it there with `go test -v -run TestVMCrash`.

Next steps

I highly recommend introducing Fuzzing in your project and undergoing a full audit before launching your product.

Feel free to contact me here or by sending an email to b.barwikowski@hacken.io if you need any help.


deelawn commented Sep 9, 2024

I'll take a stab at solving the first issue listed here

> 1. Crashing VM due to out-of-memory error by allocating a huge slice:

@zivkovicmilos zivkovicmilos added 🌟 must have 🌟 Mandatory work needed to complete a project 🐞 bug Something isn't working labels Sep 11, 2024
thehowl pushed a commit that referenced this issue Sep 12, 2024
…ons (#2781)

This is to fix the first issue mentioned in #2738.

In short, when allocating and reallocating slices' underlying arrays,
the VM was building the `TypedValue` slice before making the necessary
VM allocations. It is important the VM allocations be done before the
`TypedValue` allocations to ensure the values being allocated won't
exceed the VM's limit. In extreme cases, unchecked allocations resulted
in the VM hanging as it tried to allocate massive `TypedValue` slices in
the go runtime.
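
The ordering the commit message above describes (charge the VM's budget first, allocate in the Go runtime second), as an added Go example; it is not code from the gno repository. `Allocator`, `Charge`, `NewSlice`, `Grow`, the 40-byte per-element cost and the 1 MiB budget are all assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// TypedValue and Allocator are hypothetical stand-ins, not gno's own types.
type TypedValue struct{ V interface{} }

const typedValueSize = 40 // assumed accounting cost per element, in bytes
var ErrAllocLimit = errors.New("allocation limit exceeded")

// Allocator tracks bytes charged against a fixed per-execution budget.
type Allocator struct{ max, used int64 }

// Charge reserves budget for n elements; negative or int64-overflowing sizes fail.
func (a *Allocator) Charge(n int64) error {
	if n < 0 || n > (math.MaxInt64-a.used)/typedValueSize ||
		a.used+n*typedValueSize > a.max {
		return ErrAllocLimit
	}
	a.used += n * typedValueSize
	return nil
}

// NewSlice charges first; the Go runtime is asked for memory only on success.
func NewSlice(a *Allocator, length int64) ([]TypedValue, error) {
	if err := a.Charge(length); err != nil {
		return nil, err
	}
	return make([]TypedValue, length), nil
}

// Grow models reallocation: the new backing array is charged before it exists.
func Grow(a *Allocator, s []TypedValue, newCap int64) ([]TypedValue, error) {
	if newCap <= int64(cap(s)) {
		return s, nil
	}
	if err := a.Charge(newCap); err != nil {
		return s, err
	}
	return append(make([]TypedValue, 0, newCap), s...), nil
}

func main() {
	a := &Allocator{max: 1 << 20} // constructed 1 MiB budget
	fmt.Println(NewSlice(a, 1_000_000_000_000)) // length from the issue's reproducer
}
```
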