[Fix]: integer overflow in JumpTable.SubStr #3496
NGDAdmin merged 14 commits into neo-project:HF_Echidna from nan01ab:fix.overflow-in-substr
cschuchardt88 left a comment
@shargon why isn't there a vm limit in this
| "0x0a", | ||
| "0x00010203040506070809", | ||
| "PUSHINT32", | ||
| "0x7FFFFFFF", |
I'd also add some tests for INT64, like:
byte(opcode.PUSHINT64), 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x7F,
byte(opcode.PUSH2),
It'll fail (in NeoGo it's at instruction 22 (SUBSTR): not an int32), but just to make sure.
Rebase needed
shargon left a comment
I think we don't need a HF, previously could be a DoS but not difference in the execution. Isn't it? @roman-khimov
That's the question of "can we arrange a set of parameters that would fail with the new code, but succeed with the old one". This requires some probing. I'm not exactly sure of I'd include it into Echidna for safety reasons, but if we can prove it can't be exploited to change execution result then OK, it can go without a HF.
I agree. Don't need a HF
16a9c29 to 0457ccd
shargon left a comment
If doesn't use HF should go to master
it was merged with hardfork prs,,,,lets discuss it in the meeting.
This is already the default behavior in dotnet https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/language#checkforoverflowunderflow
my bad -- integral-type
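Added example (not code from this PR or from neo-vm): a C# sketch of the kind of range check the PR title and the `CheckForOverflowUnderflow` exchange above are about, showing why `index + count` must not be allowed to wrap. The method names and the index value are hypothetical; the 10-byte buffer and `0x7FFFFFFF` are the operands visible in the test case.

```csharp
using System;

static class SubStrBoundsDemo
{
    // Hypothetical pre-fix style check. C# integral arithmetic is unchecked unless
    // the project or the expression opts in, so index + count can wrap to a
    // negative value that compares as "within length".
    static bool WrappingInRange(int index, int count, int length)
    {
        if (index < 0 || count < 0) return false;
        return unchecked(index + count) <= length;
    }

    // Overflow-safe form: compares against length - index, so no sum is computed.
    static bool SafeInRange(int index, int count, int length)
    {
        return index >= 0 && count >= 0 && index <= length && count <= length - index;
    }

    // Alternative: checked arithmetic turns the wrap into an OverflowException.
    static bool CheckedInRange(int index, int count, int length)
    {
        if (index < 0 || count < 0) return false;
        try { return checked(index + count) <= length; }
        catch (OverflowException) { return false; }
    }

    static void Main()
    {
        byte[] buffer = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9 }; // 0x00010203040506070809
        int index = 1;                                     // constructed value
        int count = int.MaxValue;                          // PUSHINT32 0x7FFFFFFF

        Console.WriteLine($"wrapping check accepts: {WrappingInRange(index, count, buffer.Length)}");
        Console.WriteLine($"safe check accepts:     {SafeInRange(index, count, buffer.Length)}");
        Console.WriteLine($"checked check accepts:  {CheckedInRange(index, count, buffer.Length)}");

        // Independent of the checks above, .NET's own span slicing validates the range.
        try { buffer.AsSpan(index, count); }
        catch (ArgumentOutOfRangeException) { Console.WriteLine("AsSpan rejected the range"); }
    }
}
```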
| /// <param name="instruction">The instruction being executed.</param> | ||
| /// <remarks>Pop 3, Push 1</remarks> | ||
| [MethodImpl(MethodImplOptions.AggressiveInlining)] | ||
| private static void VulnerableSubStr(ExecutionEngine engine, Instruction instruction) |
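Review bot: the `<remarks>` on `VulnerableSubStr` only records the stack effect (`Pop 3, Push 1`), while the method name marks it as the overflow-prone variant. Say in the remarks under which condition this handler is selected and why it is kept, so it is not wired into a jump table by mistake.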
I think is not required, but you think that it is, here is the solution, jump table allow it :)
| /// <returns>The engine instance created.</returns> | ||
| public static ApplicationEngine Create(TriggerType trigger, IVerifiable container, DataCache snapshot, Block persistingBlock = null, ProtocolSettings settings = null, long gas = TestModeGas, IDiagnostic diagnostic = null) | ||
| { | ||
| var index = persistingBlock?.Index ?? NativeContract.Ledger.CurrentIndex(snapshot); |
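Review bot: on the `var index = ...` line, `NativeContract.Ledger.CurrentIndex(snapshot)` runs whenever `persistingBlock` is null, which is its default, and `Create` does nothing visible to validate `snapshot` before that call. Either check `snapshot` at the top of `Create` and throw a descriptive exception, or make sure callers that omit the persisting block always pass a snapshot that holds a current-block entry.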
@shargon
Object reference not set to an instance of an object.
on test Neo.UnitTests.SmartContract.UT_NotifyEventArgs.TestIssue3300
Could be snapshot or GetInteroperable<HashIndexState>()
neo/src/Neo/SmartContract/Native/LedgerContract.cs
Lines 119 to 122 in eb96d14
If is snapshot we can return 0, otherwise we should fix the test
Would this work for CurrentIndex?
snapshot?[CreateStorageKey(Prefix_CurrentBlock)]?.GetInteroperable<HashIndexState>()?.Index ?? 0;
We should not change the logic in native contracts for this
* add hardofork HF_Echidna
* Add entries to `Designation` event (#3397)
* Add entries to Designation event
* Change to HF_Echidna
* Add UT
* Add count
* [Neo Core StdLib] Add Base64url (#3453)
* add base64url
* active in
* update placehold hf height
* fix hf issue and move methods to proper place.
* fix test
* use identifymodel instead.
* format
* Fixed typo
* Added back #3397
* Fixed tests
* fixed global.json
* Update src/Neo/Neo.csproj
* Update src/Neo/Neo.csproj
* [`Fix`]: integer overflow in `JumpTable.SubStr ` (#3496)
* fix: int overflow in SubStr
* fix: int overflow in SubStr
* format
* Versioning change
* Clean
* Rename
* Show change
* Space
* remove duplicated lines in gitignroe
---------
Co-authored-by: Jimmy <jinghui@wayne.edu>
Co-authored-by: Shargon <shargon@gmail.com>
* Fix NEO callstates (#3599)
* Allow callstates to use HF
* Rename to method
* Other rename
* Change the way
* Reduce changes
* Reduce changes
* Adapt name always
* Avoid string when only is lower the first char
* UT
* Test all
* Update src/Neo/ProtocolSettings.cs
Co-authored-by: Christopher Schuchardt <cschuchardt88@gmail.com>
* Update src/Neo/ProtocolSettings.cs
Co-authored-by: Christopher Schuchardt <cschuchardt88@gmail.com>
* Reuse Load from stream
* Unify
* Fix default logic
* Change ContractMethod to allowMultiple
* Use LowerInvariant
* Move CheckingHardfork
* Remove optional arg
* Fix build
* Avoid file not found error
---------
Co-authored-by: Christopher Schuchardt <cschuchardt88@gmail.com>
* fix tests error (#3636)
* fux build error
* Update src/Neo/SmartContract/ApplicationEngine.cs
---------
Co-authored-by: Shargon <shargon@gmail.com>
* NeoToken: accept candidate registration via onNEP17Payment (#3597)
Solves two problems:
* inability to estimate GAS needed for registerCandidate in a regular way because of its very high fee (more than what normal RPC servers allow)
* inability to have MaxBlockSystemFee lower than the registration price which is very high on its own (more than practically possible to execute)
Fixes #3552.
Signed-off-by: Roman Khimov <roman@nspcc.ru>
* specify the argument exception information.
* Fix Ut (#3635)
* NeoToken: add NEP-27 to supported standards list starting from Echidna (#3643)
#3597 introduces `onNEP17Payment` handler to native NeoToke contract starting from Echidna hardfork. We need to update the list of supported standards respectively.
Signed-off-by: Anna Shaleva <shaleva.ann@nspcc.ru>
* ut: fix HF_Echidna unit tests (#3646)
* Fix UT
* Update src/Neo/ProtocolSettings.cs
Co-authored-by: nan01ab <yjcc201374@outlook.com>
* Update src/Neo/ProtocolSettings.cs
Co-authored-by: nan01ab <yjcc201374@outlook.com>
* Update src/Neo/ProtocolSettings.cs
Co-authored-by: Christopher Schuchardt <cschuchardt88@gmail.com>
---------
Co-authored-by: Jimmy <jinghui@wayne.edu>
Co-authored-by: nan01ab <yjcc201374@outlook.com>
Co-authored-by: Christopher Schuchardt <cschuchardt88@gmail.com>
* [Core Add] Add support to Ed25519 (#3507)
* fix unnecessary change
* Clean using
---------
Co-authored-by: Fernando Diaz Toledano <shargon@gmail.com>
* Fix `HF_Echidna` comments (#3679)
* Fix obsolete
* Fix https://github.com/neo-project/neo/pull/3454/files#r1912152270
* Fix comment
* Update RoleManagement.cs
* Unset HF_Echidna
* Revert getTransaction
* Revert verifyWithECDsa
* format
---------
Signed-off-by: Roman Khimov <roman@nspcc.ru>
Signed-off-by: Anna Shaleva <shaleva.ann@nspcc.ru>
Co-authored-by: Shargon <shargon@gmail.com>
Co-authored-by: Christopher Schuchardt <cschuchardt88@gmail.com>
Co-authored-by: nan01ab <yjcc201374@outlook.com>
Co-authored-by: Roman Khimov <roman@nspcc.ru>
Co-authored-by: Anna Shaleva <shaleva.ann@nspcc.ru>
Co-authored-by: Vitor Nazário Coelho <vncoelho@gmail.com>
Description
Fix integer overflow in JumpTable.SubStr
Fixes #3495