Improperly formatted rpc-curl-calls crashes the beacon-node [a security concern] #9246

Closed
ahadda5 opened this issue Jul 22, 2021 · 2 comments · Fixed by #9264
Labels
Bug Something isn't working Priority: High High priority item

Comments

@ahadda5
Contributor

ahadda5 commented Jul 22, 2021

🐞 Bug Report

Description

Calling rpc endpoints using curl with the wrong format/params causes the beacon-chain to crash.

This is a security concern. A bad actor can invoke a "DDOS-style" attack shutting beacon-nodes at will with rather minimal effort by just sending improperly formatted curl commands.

🔬 Minimal Reproduction

Run a beacon node (or interop for less cpu-resources)

  • bazel run //beacon-chain
  • This will start gRPC at the default localhost 3500 (127.0.0.1:3500)
  • In another terminal call > curl -X POST --data '{"jsonrpc":"2.0","method":"ListAccountRequest","params":"PageSize:5"}' 127.0.0.1:3500

This is a no such proto request.

  • Immediately the beacon-chain will shut down with a goroutine stack limit fatal error.

Note that an rpc curl call like this will be accepted and responded to:
curl -X GET "http://localhost:3500/eth/v1alpha1/validators/balances" -H "application/json"^C

🔥 Error


runtime: goroutine stack exceeds 1000000000-byte limit
runtime: sp=0xc02527c340 stack=[0xc02527c000, 0xc04527c000]
fatal error: stack overflow

runtime stack:
runtime.throw(0x1916ffc, 0xe)
        GOROOT/src/runtime/panic.go:1117 +0x72
runtime.newstack()
        GOROOT/src/runtime/stack.go:1069 +0x7ed
runtime.morestack()
        GOROOT/src/runtime/asm_amd64.s:458 +0x8f

goroutine 241 [running]:
runtime.rawstringtmp(0xc02527c488, 0xa, 0x0, 0x0, 0x0, 0x0, 0x0)
        GOROOT/src/runtime/string.go:126 +0xad fp=0xc02527c350 sp=0xc02527c348 pc=0x47622d
runtime.concatstrings(0xc02527c488, 0xc02527c430, 0x2, 0x2, 0x0, 0x0)
        GOROOT/src/runtime/string.go:50 +0xc5 fp=0xc02527c3e8 sp=0xc02527c350 pc=0x475c45
runtime.concatstring2(0xc02527c488, 0xc0021c2660, 0x9, 0xc0021c2655, 0x1, 0x0, 0x0)
        GOROOT/src/runtime/string.go:59 +0x47 fp=0xc02527c428 sp=0xc02527c3e8 pc=0x475ec7
net/http.(*ServeMux).shouldRedirectRLocked(0xc002b3bac0, 0xc0021c2660, 0x9, 0xc0021c2655, 0x1, 0x4)
        GOROOT/src/net/http/server.go:2347 +0x94 fp=0xc02527c4e8 sp=0xc02527c428 pc=0x78e534
net/http.(*ServeMux).redirectToPathSlash(0xc002b3bac0, 0xc0021c2660, 0x9, 0xc0021c2655, 0x1, 0xc00446db90, 0xc0020c6b88, 0x2)
        GOROOT/src/net/http/server.go:2333 +0x6b fp=0xc02527c538 sp=0xc02527c4e8 pc=0x78e32b
net/http.(*ServeMux).Handler(0xc002b3bac0, 0xc002f51400, 0x78ea1c, 0xc002b3bac0, 0xc0021c2660, 0x9)
        GOROOT/src/net/http/server.go:2404 +0x10d fp=0xc02527c690 sp=0xc02527c538 pc=0x78e82d
net/http.(*ServeMux).ServeHTTP(0xc002b3bac0, 0x1c8c8e8, 0xc00217e380, 0xc002f51400)
        GOROOT/src/net/http/server.go:2447 +0x17b fp=0xc02527c6f0 sp=0xc02527c690 pc=0x78f07b
github.com/rs/cors.(*Cors).Handler.func1(0x1c8c8e8, 0xc00217e380, 0xc002f51400)
        external/com_github_rs_cors/cors.go:219 +0x1b9 fp=0xc02527c748 sp=0xc02527c6f0 pc=0x13553d9
net/http.HandlerFunc.ServeHTTP(0xc0001577a0, 0x1c8c8e8, 0xc00217e380, 0xc002f51400)
        GOROOT/src/net/http/server.go:2069 +0x44 fp=0xc02527c770 sp=0xc02527c748 pc=0x78d124
github.com/prysmaticlabs/prysm/beacon-chain/gateway.DefaultConfig.func1(0x1c6ea60, 0xc0001577a0, 0x1c8c8e8, 0xc00217e380, 0xc002f51400)
        beacon-chain/gateway/helpers.go:69 +0x4f fp=0xc02527c7a0 sp=0xc02527c770 pc=0x13aae6f
github.com/prysmaticlabs/prysm/shared/gateway.(*Gateway).Start.func1(0x1c8c8e8, 0xc00217e380, 0xc002f51400)
        shared/gateway/gateway.go:135 +0x59 fp=0xc02527c7d8 sp=0xc02527c7a0 pc=0x13a9c99
net/http.HandlerFunc.ServeHTTP(0xc000157800, 0x1c8c8e8, 0xc00217e380, 0xc002f51400)
        GOROOT/src/net/http/server.go:2069 +0x44 fp=0xc02527c800 sp=0xc02527c7d8 pc=0x78d124
net/http.(*ServeMux).ServeHTTP(0xc002b3bac0, 0x1c8c8e8, 0xc00217e380, 0xc002f51400)
        GOROOT/src/net/http/server.go:2448 +0x1ad fp=0xc02527c860 sp=0xc02527c800 pc=0x78f0ad
github.com/rs/cors.(*Cors).Handler.func1(0x1c8c8e8, 0xc00217e380, 0xc002f51400)
        external/com_github_rs_cors/cors.go:219 +0x1b9 fp=0xc02527c8b8 sp=0xc02527c860 pc=0x13553d9
net/http.HandlerFunc.ServeHTTP(0xc0001577a0, 0x1c8c8e8, 0xc00217e380, 0xc002f51400)
        GOROOT/src/net/http/server.go:2069 +0x44 fp=0xc02527c8e0 sp=0xc02527c8b8 pc=0x78d124
github.com/prysmaticlabs/prysm/beacon-chain/gateway.DefaultConfig.func1(0x1c6ea60, 0xc0001577a0, 0x1c8c8e8, 0xc00217e380, 0xc002f51400)
        beacon-chain/gateway/helpers.go:69 +0x4f fp=0xc02527c910 sp=0xc02527c8e0 pc=0x13aae6f
github.com/prysmaticlabs/prysm/shared/gateway.(*Gateway).Start.func1(0x1c8c8e8, 0xc00217e380, 0xc002f51400)
        shared/gateway/gateway.go:135 +0x59 fp=0xc02527c948 sp=0xc02527c910 pc=0x13a9c99
net/http.HandlerFunc.ServeHTTP(0xc000157800, 0x1c8c8e8, 0xc00217e380, 0xc002f51400)
        GOROOT/src/net/http/server.go:2069 +0x44 fp=0xc02527c970 sp=0xc02527c948 pc=0x78d124
net/http.(*ServeMux).ServeHTTP(0xc002b3bac0, 0x1c8c8e8, 0xc00217e380, 0xc002f51400)
        GOROOT/src/net/http/server.go:2448 +0x1ad fp=0xc02527c9d0 sp=0xc02527c970 pc=0x78f0ad
github.com/rs/cors.(*Cors).Handler.func1(0x1c8c8e8, 0xc00217e380, 0xc002f51400)
        external/com_github_rs_cors/cors.go:219 +0x1b9 fp=0xc02527ca28 sp=0xc02527c9d0 pc=0x13553d9
net/http.HandlerFunc.ServeHTTP(0xc0001577a0, 0x1c8c8e8, 0xc00217e380, 0xc002f51400)
        GOROOT/src/net/http/server.go:2069 +0x44 fp=0xc02527ca50 sp=0xc02527ca28 pc=0x78d124
github.com/prysmaticlabs/prysm/beacon-chain/gateway.DefaultConfig.func1(0x1c6ea60, 0xc0001577a0, 0x1c8c8e8, 0xc00217e380, 0xc002f51400)
        beacon-chain/gateway/helpers.go:69 +0x4f fp=0xc02527ca80 sp=0xc02527ca50 pc=0x13aae6f
github.com/prysmaticlabs/prysm/shared/gateway.(*Gateway).Start.func1(0x1c8c8e8, 0xc00217e380, 0xc002f51400)
        shared/gateway/gateway.go:135 +0x59 fp=0xc02527cab8 sp=0xc02527ca80 pc=0x13a9c99
net/http.HandlerFunc.ServeHTTP(0xc000157800, 0x1c8c8e8, 0xc00217e380, 0xc002f51400)
        GOROOT/src/net/http/server.go:2069 +0x44 fp=0xc02527cae0 sp=0xc02527cab8 pc=0x78d124
net/http.(*ServeMux).ServeHTTP(0xc002b3bac0, 0x1c8c8e8, 0xc00217e380, 0xc002f51400)
        GOROOT/src/net/http/server.go:2448 +0x1ad fp=0xc02527cb40 sp=0xc02527cae0 pc=0x78f0ad

🌍 Your Environment

Operating System:

Ubuntu 20.04
8 GB RAM

What version of Prysm are you running? (Which release)

latest develop.

@ahadda5 ahadda5 changed the title Improper format rpc-curl-calls crashes the beacon-node [a security concern] Improperly formatted rpc-curl-calls crashes the beacon-node [a security concern] Jul 22, 2021
@nisdas
Member

nisdas commented Jul 22, 2021

@ahadda5 To clarify, the beacon node should never be exposed to untrusted parties. The beacon node's rpc host always binds to the localhost by default. Otherwise there are multiple types of DOS possibilities here if access is possible by untrusted parties (not counting this particular issue). On this particular bug, it seems that this might have been introduced by some recent gateway changes.

cc @rkapka

@prestonvanloon
Member

Fixed in v1.4.3
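
The stack trace in the report shows one `net/http.(*ServeMux)` re-entering its own `ServeHTTP` through the gateway and CORS wrappers until the goroutine stack limit is hit. The following is an added example, not Prysm's code and not the change made in #9264: a constructed mux with the same cyclic shape, plus a re-entry guard that turns the cycle into an HTTP 500. The names `guardReentry`, `newGateway` and `statusFor` are hypothetical.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
)

type reentryKey struct{} // context key marking a request that passed the guard

// guardReentry (hypothetical name) rejects a request that reaches it twice,
// turning a handler cycle into a 500 instead of a fatal stack overflow.
func guardReentry(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Context().Value(reentryKey{}) != nil {
			http.Error(w, "handler cycle detected", http.StatusInternalServerError)
			return
		}
		ctx := context.WithValue(r.Context(), reentryKey{}, true)
		next.ServeHTTP(w, r.WithContext(ctx))
	})
}

// newGateway builds a constructed mux shaped like the trace: the catch-all "/"
// handler passes the request back to the mux's own entry point.
func newGateway() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/eth/v1alpha1/validators/balances", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "{}") // stand-in for a real API response
	})
	var entry http.Handler
	mux.Handle("/", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		entry.ServeHTTP(w, r) // fallback re-enters the mux: the cycle
	}))
	entry = guardReentry(mux)
	return entry
}

// statusFor sends one request through the gateway and returns the status code.
func statusFor(method, path string) int {
	rec := httptest.NewRecorder()
	newGateway().ServeHTTP(rec, httptest.NewRequest(method, path, nil))
	return rec.Code
}

func main() {
	fmt.Println(statusFor("GET", "/eth/v1alpha1/validators/balances"), statusFor("POST", "/"))
}
```

A registered route passes the guard once and is served normally; a path that only the catch-all matches comes back around with the context marker set and is refused on the second pass.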
