Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Eth1 data underflow #540

Closed
paulhauner opened this issue Sep 23, 2019 · 8 comments · Fixed by #977
Closed

Eth1 data underflow #540

paulhauner opened this issue Sep 23, 2019 · 8 comments · Fixed by #977
Assignees
@ackintosh @michaelsproul @paulhauner
Labels
bug Something isn't working good first issue Good for newcomers

Comments

@paulhauner
Copy link
Member

lighthouse/eth2/state_processing/src/per_block_processing.rs

Lines 380 to 383 in 192380c

let expected_deposit_len = std::cmp::min(
T::MaxDeposits::to_u64(),
state.eth1_data.deposit_count - state.eth1_deposit_index,
);

If we accept that state.eth1_data is user-supplied input, I believe this subtraction is an underflow risk.

@michaelsproul, I'm keen to hear your thoughts.
@paulhauner paulhauner added the bug Something isn't working label Sep 23, 2019
@michaelsproul
Copy link
Member

state.eth1_data is decided by majority voting, so the network would have to be pretty screwed for it to take on a malicious value. That said, better to be safe than sorry, we may as well change this to a saturating_sub.

More broadly, I was thinking of writing a clippy lint to detect and ban all plain additions and subtractions, which we could roll out across the types/state_processing crates. The logic being that we almost never want the wrapping behaviour of an overflowing add, and should be explicit (use wrapping_add) where we do.

@paulhauner
Copy link
Member Author

I was thinking of writing a clippy lint to detect and ban all plain additions and subtractions

I'm also keen to give this a go.

@paulhauner paulhauner added the good first issue Good for newcomers label Sep 26, 2019
@pscott
Copy link
Contributor

pscott commented Sep 28, 2019

@michaelsproul would this lint make the cut : https://rust-lang.github.io/rust-clippy/master/#integer_arithmetic ?

@michaelsproul
Copy link
Member

Yeah, it kind of does, I started working with it on Thursday (and fixed a bug rust-lang/rust-clippy#4585). I’m now splitting it into one lint for detecting operations that can overflow, and another for detecting operations that have boundary issues (div or mod by 0, shift by >word size).

bnjjj added a commit to bnjjj/lighthouse that referenced this issue Dec 20, 2019
@bnjjj
Fix some possible underflow, refactor some code and delete useless cl…
85ef158 
…one sigp#540

Signed-off-by: Benjamin Coenen <5719034+bnjjj@users.noreply.github.com>
@bnjjj bnjjj mentioned this issue Dec 20, 2019
Closed
bnjjj added a commit to bnjjj/lighthouse that referenced this issue Dec 27, 2019
@bnjjj
Fix some possible underflow, refactor some code and delete useless cl…
0dfd09b 
…one sigp#540

Signed-off-by: Benjamin Coenen <5719034+bnjjj@users.noreply.github.com>
bnjjj added a commit to bnjjj/lighthouse that referenced this issue Dec 27, 2019
@bnjjj
Fix some possible underflow, refactor some code and delete useless cl…
de054b8 
…one sigp#540

Signed-off-by: Benjamin Coenen <5719034+bnjjj@users.noreply.github.com>
@ackintosh
Copy link
Member

I'm working on this issue, will file a PR to close this. 😃

@ackintosh
Copy link
Member

Hmm... should we return Err immediately if underflow is occurred in the subtraction instead of proceed the process with 0?

It looks a critical error if the underflow (state.eth1_data.deposit_count < state.eth1_deposit_index) is really happened but I'm not sure due to the lack of understanding about the process. 🤔💦

@michaelsproul
Copy link
Member

michaelsproul commented Mar 24, 2020
edited
Loading

On overflow the spec raises an exception, so you're right, we should error here rather than proceeding with 0 (see spec). It'll mean that no blocks can be processed until a manual intervention, but the attack requires ~50% of proposers to be compromised, which gets us into social fork territory anyway.

@ackintosh
Copy link
Member

Thank you for the details! 💡

ackintosh added a commit to ackintosh/lighthouse that referenced this issue Apr 1, 2020
@ackintosh
Fix Eth1 data underflow sigp#540
f55f1c0
@ackintosh ackintosh mentioned this issue Apr 1, 2020
Merged
michaelsproul pushed a commit that referenced this issue Apr 6, 2020
@ackintosh
Fix Eth1 data underflow (#977)
c188227 
* Fix Eth1 data underflow #540

* Refactor: smart transformation from Option to Result

* Add tests for BeaconState::get_outstanding_deposit_len()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ackintosh ackintosh

@michaelsproul michaelsproul

@paulhauner paulhauner

Labels
bug Something isn't working good first issue Good for newcomers
Projects
None yet
Milestone
No milestone
4 participants
@ackintosh @michaelsproul @paulhauner @pscott