Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Limit notifications #2747

Merged
merged 10 commits into from
May 24, 2022
Merged

Limit notifications #2747

merged 10 commits into from
May 24, 2022

Conversation

erikzhang
Copy link
Member

@erikzhang erikzhang commented May 20, 2022
edited
Loading

Added some restrictions to System.Runtime.Notify.

1. Recursive references in notifications are not allowed.
2. Sending Buffer, InteropInterface and Pointer in notifications is not allowed.

Notifications are deep copied as immutable.

roman-khimov
roman-khimov reviewed May 21, 2022
View reviewed changes
src/neo/SmartContract/ApplicationEngine.Runtime.cs Outdated
foreach (var (_, v) in map)
queue.Enqueue(v);
break;
case VM.Types.Buffer:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think Buffer should be forbidden, it's very close to ByteString in its essence and depending on the compiler can be used in various circumstances. Notifications are size-limited anyway, so having some 32-byte Buffer there doesn't differ much from 32-byte ByteString.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To execute Notify we need to do a DeepCopy, to execute GetNotifications we need to do a DeepCopy again. I think allowing Buffer will severely impact performance and lead to attacks. The contract can easily convert Buffer to ByteString through a CONVERT instruction.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The copy is only done in SendNotification(), so if the buffer is huge we won't get there anyway because of MaxNotificationSize limitation. So if any buffer is emitted, it won't be large and I doubt it would make any difference from ByteString of the same size. I mostly fear that contracts can emit buffers without knowing it, it all totally depends on the compiler in absence of #1879.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You need to DeepCopy when executing GetNotifications. Otherwise, the contract who received the notifications can modify them. One attack mode is to send a few hundred notifications containing Buffers and then call GetNotifications to force automatic DeepCopy of all Buffers each time.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You need to DeepCopy when executing GetNotifications

Yep, #1707.

force automatic DeepCopy of all Buffers

Glancing over VM code I see that ByteString is not really copied during DeepCopy, so yes, there is a difference. Maybe if we charge per-element in #2748 that'd be irrelevant, though.

src/neo/SmartContract/ApplicationEngine.Runtime.cs Outdated Show resolved Hide resolved
shargon
shargon reviewed May 22, 2022
View reviewed changes
Copy link
Member

@shargon shargon left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wait for #2748, maybe in #2748 we should increase System.Runtime.Notify too

shargon
shargon previously approved these changes May 22, 2022
View reviewed changes
src/neo/SmartContract/ApplicationEngine.Runtime.cs Outdated Show resolved Hide resolved
@erikzhang erikzhang mentioned this pull request May 22, 2022
Merged
@erikzhang
Copy link
Member Author

Wait for neo-project/neo-vm#473

@erikzhang
Copy link
Member Author

Merge?

@erikzhang erikzhang merged commit 3b58adf into master May 24, 2022
@erikzhang erikzhang deleted the limit-notifications branch May 24, 2022 23:48
@roman-khimov roman-khimov mentioned this pull request May 25, 2022
Closed
ixje added a commit to CityOfZion/neo-mamba that referenced this pull request Jul 5, 2022
@ixje
limit notifications neo-project/neo#2747
fbd688d
@ixje ixje mentioned this pull request Jul 5, 2022
Merged
ixje added a commit to CityOfZion/neo-mamba that referenced this pull request Jul 5, 2022
@ixje
limit notifications neo-project/neo#2747 (#171)
fce8862
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@devhawk devhawk devhawk left review comments

@Jim8y Jim8y Jim8y left review comments

@roman-khimov roman-khimov roman-khimov left review comments

@shargon shargon shargon approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@erikzhang @devhawk @shargon @Jim8y @roman-khimov