Merge branch 'composite-query/sec-review' into 'master'

FOLLOW-1027: Composite query: Disallow some syscalls from non-relicated reply + reject callbacks

 

See merge request dfinity-lab/public/ic!11894

Author: Dfinity-skaestle

rs/execution_environment/src/query_handler/tests.rs

@@ -1494,3 +1494,86 @@ fn composite_query_chained_calls() {
         .unwrap();
     assert_eq!(result, WasmResult::Reply(b));
 }
+
+#[test]
+fn composite_query_syscalls_from_reply_reject_callback() {
+    // In this test canister 0 calls canisters 1 and attempts syscalls from reply callback.
+    let mut test = ExecutionTestBuilder::new().with_composite_queries().build();
+
+    // Install two universal canisters
+    let mut canisters = vec![];
+    for _ in 0..2 {
+        canisters.push(test.universal_canister_with_cycles(CYCLES_BALANCE).unwrap());
+    }
+
+    let reply = wasm().reply_data(&[1]).build();
+    let reject = wasm().reject().build();
+
+    let syscalls = vec![
+        (wasm().msg_cycles_available().build(), "cycles_available"),
+        (wasm().msg_cycles_refunded().build(), "cycles_refunded"),
+        (wasm().msg_cycles_accept(42).build(), "cycles_accept"),
+        (wasm().api_global_timer_set(0).build(), "global_timer_set"),
+        (wasm().call_cycles_add(0).build(), "call_cycles_add"),
+        (
+            wasm().call_cycles_add128(0, 0).build(),
+            "call_cycles_add128",
+        ),
+        (
+            wasm().msg_cycles_available128().build(),
+            "cycles_available128",
+        ),
+        (
+            wasm().msg_cycles_refunded128().build(),
+            "cycles_refunded128",
+        ),
+        (
+            wasm().msg_cycles_accept128(4, 2).build(),
+            "cycles_accept128",
+        ),
+        (
+            wasm().certified_data_set(&[42]).build(),
+            "certified_data_set",
+        ),
+    ];
+
+    for (other_side, callback_type) in vec![(reply, "reply"), (reject, "reject")] {
+        for (syscall, label) in &syscalls {
+            let canister_0 = wasm().composite_query(
+                canisters[1],
+                call_args()
+                    .other_side(other_side.clone())
+                    .on_reply(syscall.clone())
+                    .on_reject(syscall.clone()),
+            );
+
+            let output = test.query(
+                UserQuery {
+                    source: user_test_id(2),
+                    receiver: canisters[0],
+                    method_name: "composite_query".to_string(),
+                    method_payload: canister_0.build(),
+                    ingress_expiry: 0,
+                    nonce: None,
+                },
+                Arc::new(test.state().clone()),
+                vec![],
+            );
+            match output {
+                Ok(_) => {
+                    unreachable!(
+                        "{} call should not be allowed from a composite query {} callback",
+                        label, callback_type
+                    )
+                }
+                Err(err) => assert_eq!(
+                    err.code(),
+                    ErrorCode::CanisterContractViolation,
+                    "Incorrect return code for {} {}",
+                    label,
+                    callback_type
+                ),
+            }
+        }
+    }
+}

rs/interfaces/src/execution_environment.rs

@@ -273,7 +273,7 @@ impl ops::Div<i64> for SubnetAvailableMemory {
     }
 }
 
-#[derive(Clone, Debug, Deserialize, Serialize)]
+#[derive(Clone, Debug, Deserialize, Serialize, Eq, PartialEq)]
 pub enum ExecutionMode {
     Replicated,
     NonReplicated,

rs/system_api/src/lib.rs

@@ -1006,22 +1006,30 @@ impl SystemApiImpl {
             }
             | ApiType::RejectCallback {
                 outgoing_request, ..
-            } => match outgoing_request {
-                None => Err(HypervisorError::ContractViolation(format!(
-                    "{} called when no call is under construction.",
-                    method_name
-                ))),
-                Some(request) => {
-                    self.sandbox_safe_system_state
-                        .withdraw_cycles_for_transfer(
-                            self.memory_usage.current_usage,
-                            self.execution_parameters.compute_allocation,
-                            amount,
-                        )?;
-                    request.add_cycles(amount);
-                    Ok(())
+            } => {
+                // Reply and reject callbacks can be executed in non-replicated mode
+                // iff from within a composite query call. Always disallow in that case.
+                if self.execution_parameters.execution_mode == ExecutionMode::NonReplicated {
+                    return Err(self.error_for(method_name));
                 }
-            },
+
+                match outgoing_request {
+                    None => Err(HypervisorError::ContractViolation(format!(
+                        "{} called when no call is under construction.",
+                        method_name
+                    ))),
+                    Some(request) => {
+                        self.sandbox_safe_system_state
+                            .withdraw_cycles_for_transfer(
+                                self.memory_usage.current_usage,
+                                self.execution_parameters.compute_allocation,
+                                amount,
+                            )?;
+                        request.add_cycles(amount);
+                        Ok(())
+                    }
+                }
+            }
         }
     }
 
@@ -1062,9 +1070,17 @@ impl SystemApiImpl {
             }
             | ApiType::RejectCallback {
                 call_context_id, ..
-            } => Ok(self
-                .sandbox_safe_system_state
-                .msg_cycles_available(*call_context_id)),
+            } => {
+                if self.execution_parameters.execution_mode == ExecutionMode::NonReplicated {
+                    // Non-replicated mode means we are handling a composite query.
+                    // Access to this syscall not permitted.
+                    Err(self.error_for(method_name))
+                } else {
+                    Ok(self
+                        .sandbox_safe_system_state
+                        .msg_cycles_available(*call_context_id))
+                }
+            }
         }
     }
 
@@ -1084,7 +1100,15 @@ impl SystemApiImpl {
             }
             | ApiType::RejectCallback {
                 incoming_cycles, ..
-            } => Ok(*incoming_cycles),
+            } => {
+                if self.execution_parameters.execution_mode == ExecutionMode::NonReplicated {
+                    // Execution callback in non-replicated mode means we are handling a composite query.
+                    // Access to this syscall not permitted.
+                    Err(self.error_for(method_name))
+                } else {
+                    Ok(*incoming_cycles)
+                }
+            }
         }
     }
 
@@ -1118,9 +1142,17 @@ impl SystemApiImpl {
             }
             | ApiType::RejectCallback {
                 call_context_id, ..
-            } => Ok(self
-                .sandbox_safe_system_state
-                .msg_cycles_accept(*call_context_id, max_amount)),
+            } => {
+                if self.execution_parameters.execution_mode == ExecutionMode::NonReplicated {
+                    // Non-replicated mode means we are handling a composite query.
+                    // Access to this syscall not permitted.
+                    Err(self.error_for(method_name))
+                } else {
+                    Ok(self
+                        .sandbox_safe_system_state
+                        .msg_cycles_accept(*call_context_id, max_amount))
+                }
+            }
         }
     }
 
@@ -2306,6 +2338,12 @@ impl SystemApi for SystemApiImpl {
             | ApiType::PreUpgrade { .. }
             | ApiType::ReplyCallback { .. }
             | ApiType::RejectCallback { .. } => {
+                // Reply and reject callbacks can be executed in non-replicated mode
+                // iff from within a composite query call. Disallow in that case.
+                if self.execution_parameters.execution_mode == ExecutionMode::NonReplicated {
+                    return Err(self.error_for("ic0_global_timer_set"));
+                }
+
                 let prev_time = self.sandbox_safe_system_state.global_timer().to_time();
                 self.sandbox_safe_system_state
                     .set_global_timer(CanisterTimer::from_time(time));
@@ -2672,6 +2710,12 @@ impl SystemApi for SystemApiImpl {
             | ApiType::ReplyCallback { .. }
             | ApiType::RejectCallback { .. }
             | ApiType::PreUpgrade { .. } => {
+                // Reply and reject callbacks can be executed in non-replicated mode
+                // iff from within a composite query call. Disallow in that case.
+                if self.execution_parameters.execution_mode == ExecutionMode::NonReplicated {
+                    return Err(self.error_for("ic0_certified_data_set"));
+                }
+
                 if size > CERTIFIED_DATA_MAX_LENGTH {
                     return Err(ContractViolation(format!(
                         "ic0_certified_data_set failed because the passed data must be \

rs/universal_canister/lib/src/lib.rs

@@ -17,7 +17,7 @@ use universal_canister::Ops;
 /// `rs/universal_canister`.
 pub const UNIVERSAL_CANISTER_WASM: &[u8] = include_bytes!("universal-canister.wasm");
 pub const UNIVERSAL_CANISTER_WASM_SHA256: [u8; 32] =
-    hex!("cf13dfde0aaf4139933651766943cdb8824b47fe37a099994ab7f524e75f7656");
+    hex!("706a648d859d1a55b5722ebb3a35426928e8231a3c6177f4de6491e86231129b");
 
 /// A succinct shortcut for creating a `PayloadBuilder`, which is used to encode
 /// instructions to be executed by the UC.
@@ -277,6 +277,19 @@ impl PayloadBuilder {
         self
     }
 
+    pub fn call_cycles_add128(mut self, high_amount: u64, low_amount: u64) -> Self {
+        self = self.push_int64(high_amount);
+        self = self.push_int64(low_amount);
+        self.0.push(Ops::CallCyclesAdd128 as u8);
+        self
+    }
+
+    pub fn call_cycles_add(mut self, amount: u64) -> Self {
+        self = self.push_int64(amount);
+        self.0.push(Ops::CallCyclesAdd as u8);
+        self
+    }
+
     pub fn message_payload(mut self) -> Self {
         self.0.push(Ops::MessagePayload as u8);
         self
@@ -433,6 +446,45 @@ impl PayloadBuilder {
         self
     }
 
+    pub fn msg_cycles_available(mut self) -> Self {
+        self.0.push(Ops::CyclesAvailable as u8);
+        self
+    }
+
+    pub fn msg_cycles_available128(mut self) -> Self {
+        self.0.push(Ops::CyclesAvailable128 as u8);
+        self
+    }
+
+    pub fn msg_cycles_refunded(mut self) -> Self {
+        self.0.push(Ops::CyclesRefunded as u8);
+        self
+    }
+
+    pub fn msg_cycles_refunded128(mut self) -> Self {
+        self.0.push(Ops::CyclesRefunded128 as u8);
+        self
+    }
+
+    pub fn msg_cycles_accept(mut self, max_amount: i64) -> Self {
+        self = self.push_int64(max_amount as u64);
+        self.0.push(Ops::AcceptCycles as u8);
+        self
+    }
+
+    pub fn msg_cycles_accept128(mut self, max_amount_hight: i64, max_amount_low: i64) -> Self {
+        self = self.push_int64(max_amount_hight as u64);
+        self = self.push_int64(max_amount_low as u64);
+        self.0.push(Ops::AcceptCycles128 as u8);
+        self
+    }
+
+    pub fn certified_data_set(mut self, data: &[u8]) -> Self {
+        self = self.push_bytes(data);
+        self.0.push(Ops::CertifiedDataSet as u8);
+        self
+    }
+
     /// Loops until the instruction counter is at least the specified amount.
     pub fn instruction_counter_is_at_least(mut self, amount: u64) -> Self {
         self = self.push_int64(amount);