Include rent_epoch and executable into account hash #7415
Conversation
| *byte = (INPUT_LEN - i) as u8; | ||
| } | ||
|
|
||
| //UNSAFE: forcibly cast the special byte pattern to actual account fields. |
There was a problem hiding this comment.
My first UNSAFE here. :) Is there any better way to archive similar test result?
There was a problem hiding this comment.
Neat idea. An unsafe in a test is less concerning to me
There was a problem hiding this comment.
An unsafe in a test is less concerning to me
Thx! This will be a precedent for the follow-up PRs, in which we need more of these crafted binaries to protect validator from crashing from external data. :)
| Self::hash_account_data(slot, account.lamports, &account.data, pubkey) | ||
| Self::hash_account_data( | ||
| slot, | ||
| account.lamports, |
There was a problem hiding this comment.
lamports and rent_epoch are both u64. So interchanging them caused no compile error. Spent some time to figure out why hashes are different. ;) So I added another assertion covering that kind of bug.
| hasher.hash(&data); | ||
|
|
||
| if executable { |
There was a problem hiding this comment.
Note to myself: when sanitizing executable in follow up PR, check the upper 7-bit are cleared.
There was a problem hiding this comment.
Reply to myself: yeah, I've done this correctly at #7464
| }; | ||
| let account = stored_account.clone_account(); | ||
| let expected_account_hash = | ||
| Hash::from_str("GGTsxvxwnMsNfN6yYbBVQaRgvbVLfxeWnGXNyB8iXDyE").unwrap(); |
There was a problem hiding this comment.
Out of my pure laziness, I've skipped to calculate this test vector by hand. :p
| StoredMeta, | ||
| AccountMeta, | ||
| [u8; ACCOUNT_DATA_LEN], | ||
| usize, // for StoredAccount::offset |
There was a problem hiding this comment.
I wanted to write this like typeof(StoredAccount::offset) but it seems I can't...
Codecov Report
@@ Coverage Diff @@
## master #7415 +/- ##
========================================
- Coverage 70.7% 67.9% -2.8%
========================================
Files 245 244 -1
Lines 55227 56868 +1641
========================================
- Hits 39054 38640 -414
- Misses 16173 18228 +2055 |
|
@danpaul000 Really FYI, this breaks an ABI, #6123. Can ignore this mention because I'm pretty sure there are plenty of other PRs in the master with imcompatible ABI. |
|
CI passed, proving there were no existing unit test for the code changed in this PR because I didn't need to touch any existing tests... ;) |
ryoqun
changed the title
Breaking ABI between 0.21 and 0.22 is ok, that's gonna happen elsewhere too. But after 0.22 ships we're going to try to be much more careful about this |
| @@ -31,6 +33,8 @@ pub struct StoredMeta { | |||
| pub data_len: u64, | |||
| } | |||
|
|
|||
| /// This struct will be backed by mmaped and snapshotted data files. | |||
| /// So the data layout must be stable and consistent across the entire cluster! | |||
There was a problem hiding this comment.
Rather than comments, I wonder if we should define an attribute to start clearly structs that are part of the Solana ABI, like #[solana_abi]. One day this'll then allow us to programmatically find all these structs and compare their values between release to flag ABI changes.
This is totally out of scope of this PR but if that sounds good, @ryoqun do you want to think about this more and make a design proposal for how we might start to track ABI changes
There was a problem hiding this comment.
Heh, let's talk about ABI compat! That task looks interesting to me! I'll give it a try!
This reminds of my rookie days when I found an ABI-related bug: #6388 Always, these are pesky bugs.. Hopefully, I can find good solution!
runtime/src/accounts_db.rs
Outdated
| @@ -191,6 +191,8 @@ pub struct AccountStorageEntry { | |||
| /// any accounts in it | |||
| /// status corresponding to the storage, lets us know that | |||
| /// the append_vec, once maxed out, then emptied, can be reclaimed | |||
| /// Currently serialized count isn't used at all. Rather, we recalculate it | |||
There was a problem hiding this comment.
I don't quite understand this comment
There was a problem hiding this comment.
Oops, I've forgot to comment about this. You're right. No wonder to be confused.
First, this comment isn't related to this PR at all.
I added this comment to properly document the current implementation reality, which have changed over the course of prior snapshot stability PRs. I'm sure @sakridge can understand this comment, who shares the needed context.
Specifically this comment is referring to this change
@sakridge what do you think fixing this before strict ABI audit thing will be under the effect? Or, at the least, we should create an issue. After all, it seems we can reconstruct this information when ingesting snapshots without problems.
There was a problem hiding this comment.
Yea, we can create an issue and we can move this comment out of this PR.
| *byte = (INPUT_LEN - i) as u8; | ||
| } | ||
|
|
||
| //UNSAFE: forcibly cast the special byte pattern to actual account fields. |
There was a problem hiding this comment.
Neat idea. An unsafe in a test is less concerning to me
| } | ||
|
|
||
| pub fn hash_account_data(slot: Slot, lamports: u64, data: &[u8], pubkey: &Pubkey) -> Hash { | ||
| pub fn hash_account_data( |
There was a problem hiding this comment.
What do you think about passing the entire account: &Account into this function rather than the 4 account fields?
There was a problem hiding this comment.
Thought about the same, too! But there is a reason for the status quo: This function should be accessible from the other code path (no Accounts there): https://github.com/solana-labs/solana/pull/7415/files#diff-2099c5256db4eb5975c8834af38f6456R810
Of course, we can always normalize to Account by stored_account.clone_account(), but performance might be affected or rustc is clever enough?
There was a problem hiding this comment.
Oh ok. I think the current code is fine then, probably not worth getting fancy yet. Maybe when we add the 5th or 6th account field later :)
|
From this old comment:
Is there any remaining concern about this comment from the old PR, still applicable to the current situation? I naively thought that |
| rent_epoch: Epoch, | ||
| data: &[u8], | ||
| pubkey: &Pubkey, | ||
| ) -> Hash { | ||
| if lamports == 0 { |
hash should be the last thing, after all account updates, including deduction and distribution of rent |
mergify
bot
dismissed stale reviews from rob-solana and sakridge
Pull request has been modified.
|
Merging this because I got approvals (They got removed by this tiny commit, though) |
| @@ -2103,4 +2130,56 @@ pub mod tests { | |||
|
|
|||
| Ok(()) | |||
| } | |||
|
|
|||
| #[test] | |||
| fn test_hash_stored_account() { | |||
Problem
rent_epochandexecutableisn't included into the account hash calculation, thereby not into the bank hash too. This means those fields are falsifiable by malicious validator.From git history, it seems that the two weren't included just due to oversight.
Summary of Changes
Include the two into the account hash calculation. Also, add rather a peculiar test for any future account's modification to be paired with account hash calculation update...
Part of #7167