add executable checks to verify_instruction (#5326)
This commit is contained in:
parent
4e093525c7
commit
50a991fdf9
|
@ -64,12 +64,15 @@ fn verify_instruction(
|
||||||
pre_program_id: &Pubkey,
|
pre_program_id: &Pubkey,
|
||||||
pre_lamports: u64,
|
pre_lamports: u64,
|
||||||
pre_data: &[u8],
|
pre_data: &[u8],
|
||||||
|
pre_executable: bool,
|
||||||
account: &Account,
|
account: &Account,
|
||||||
) -> Result<(), InstructionError> {
|
) -> Result<(), InstructionError> {
|
||||||
// Verify the transaction
|
// Verify the transaction
|
||||||
|
|
||||||
// Make sure that program_id is still the same or this was just assigned by the system program
|
// Make sure that program_id is still the same or this was just assigned by the system program,
|
||||||
if *pre_program_id != account.owner && !system_program::check_id(&program_id) {
|
// but even the system program can't touch a credit-only account
|
||||||
|
if *pre_program_id != account.owner && (!is_debitable || !system_program::check_id(&program_id))
|
||||||
|
{
|
||||||
return Err(InstructionError::ModifiedProgramId);
|
return Err(InstructionError::ModifiedProgramId);
|
||||||
}
|
}
|
||||||
// For accounts unassigned to the program, the individual balance of each accounts cannot decrease.
|
// For accounts unassigned to the program, the individual balance of each accounts cannot decrease.
|
||||||
|
@ -91,6 +94,17 @@ fn verify_instruction(
|
||||||
if !is_debitable && pre_data != &account.data[..] {
|
if !is_debitable && pre_data != &account.data[..] {
|
||||||
return Err(InstructionError::CreditOnlyDataModified);
|
return Err(InstructionError::CreditOnlyDataModified);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// executable is one-way (false->true) and
|
||||||
|
// only system or the account owner may modify
|
||||||
|
if pre_executable != account.executable
|
||||||
|
&& (!is_debitable
|
||||||
|
|| pre_executable
|
||||||
|
|| *program_id != account.owner && !system_program::check_id(&program_id))
|
||||||
|
{
|
||||||
|
return Err(InstructionError::ExecutableModified);
|
||||||
|
}
|
||||||
|
|
||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -237,31 +251,30 @@ impl MessageProcessor {
|
||||||
.sum();
|
.sum();
|
||||||
let pre_data: Vec<_> = program_accounts
|
let pre_data: Vec<_> = program_accounts
|
||||||
.iter_mut()
|
.iter_mut()
|
||||||
.map(|a| (a.owner, a.lamports, a.data.clone()))
|
.map(|a| (a.owner, a.lamports, a.data.clone(), a.executable))
|
||||||
.collect();
|
.collect();
|
||||||
|
|
||||||
self.process_instruction(message, instruction, executable_accounts, program_accounts)?;
|
self.process_instruction(message, instruction, executable_accounts, program_accounts)?;
|
||||||
// Verify the instruction
|
// Verify the instruction
|
||||||
for ((pre_program_id, pre_lamports, pre_data), (i, post_account, is_debitable)) in
|
for (
|
||||||
pre_data.iter().zip(
|
(pre_program_id, pre_lamports, pre_data, pre_executable),
|
||||||
program_accounts
|
(i, post_account, is_debitable),
|
||||||
.iter()
|
) in pre_data.iter().zip(program_accounts.iter().enumerate().map(
|
||||||
.enumerate()
|
|(i, program_account)| {
|
||||||
.map(|(i, program_account)| {
|
(
|
||||||
(
|
i,
|
||||||
i,
|
program_account,
|
||||||
program_account,
|
message.is_debitable(instruction.accounts[i] as usize),
|
||||||
message.is_debitable(instruction.accounts[i] as usize),
|
)
|
||||||
)
|
},
|
||||||
}),
|
)) {
|
||||||
)
|
|
||||||
{
|
|
||||||
verify_instruction(
|
verify_instruction(
|
||||||
is_debitable,
|
is_debitable,
|
||||||
&program_id,
|
&program_id,
|
||||||
pre_program_id,
|
pre_program_id,
|
||||||
*pre_lamports,
|
*pre_lamports,
|
||||||
pre_data,
|
pre_data,
|
||||||
|
*pre_executable,
|
||||||
post_account,
|
post_account,
|
||||||
)?;
|
)?;
|
||||||
if !is_debitable {
|
if !is_debitable {
|
||||||
|
@ -361,8 +374,17 @@ mod tests {
|
||||||
ix: &Pubkey,
|
ix: &Pubkey,
|
||||||
pre: &Pubkey,
|
pre: &Pubkey,
|
||||||
post: &Pubkey,
|
post: &Pubkey,
|
||||||
|
is_debitable: bool,
|
||||||
) -> Result<(), InstructionError> {
|
) -> Result<(), InstructionError> {
|
||||||
verify_instruction(true, &ix, &pre, 0, &[], &Account::new(0, 0, post))
|
verify_instruction(
|
||||||
|
is_debitable,
|
||||||
|
&ix,
|
||||||
|
&pre,
|
||||||
|
0,
|
||||||
|
&[],
|
||||||
|
false,
|
||||||
|
&Account::new(0, 0, post),
|
||||||
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
let system_program_id = system_program::id();
|
let system_program_id = system_program::id();
|
||||||
|
@ -370,31 +392,101 @@ mod tests {
|
||||||
let mallory_program_id = Pubkey::new_rand();
|
let mallory_program_id = Pubkey::new_rand();
|
||||||
|
|
||||||
assert_eq!(
|
assert_eq!(
|
||||||
change_program_id(&system_program_id, &system_program_id, &alice_program_id),
|
change_program_id(
|
||||||
|
&system_program_id,
|
||||||
|
&system_program_id,
|
||||||
|
&alice_program_id,
|
||||||
|
true
|
||||||
|
),
|
||||||
Ok(()),
|
Ok(()),
|
||||||
"system program should be able to change the account owner"
|
"system program should be able to change the account owner"
|
||||||
);
|
);
|
||||||
assert_eq!(
|
assert_eq!(
|
||||||
change_program_id(&mallory_program_id, &system_program_id, &alice_program_id),
|
change_program_id(&system_program_id, &system_program_id, &alice_program_id, false),
|
||||||
|
Err(InstructionError::ModifiedProgramId),
|
||||||
|
"system program should not be able to change the account owner of a credit only account"
|
||||||
|
);
|
||||||
|
|
||||||
|
assert_eq!(
|
||||||
|
change_program_id(
|
||||||
|
&mallory_program_id,
|
||||||
|
&system_program_id,
|
||||||
|
&alice_program_id,
|
||||||
|
true
|
||||||
|
),
|
||||||
Err(InstructionError::ModifiedProgramId),
|
Err(InstructionError::ModifiedProgramId),
|
||||||
"malicious Mallory should not be able to change the account owner"
|
"malicious Mallory should not be able to change the account owner"
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
#[test]
|
#[test]
|
||||||
fn test_verify_instruction_change_data() {
|
fn test_verify_instruction_change_executable() {
|
||||||
fn change_data(program_id: &Pubkey, is_debitable: bool) -> Result<(), InstructionError> {
|
let alice_program_id = Pubkey::new_rand();
|
||||||
let alice_program_id = Pubkey::new_rand();
|
let change_executable = |program_id: &Pubkey,
|
||||||
let account = Account::new(0, 0, &alice_program_id);
|
is_debitable: bool,
|
||||||
|
pre_executable: bool,
|
||||||
|
post_executable: bool|
|
||||||
|
-> Result<(), InstructionError> {
|
||||||
|
let mut account = Account::new(0, 0, &alice_program_id);
|
||||||
|
account.executable = post_executable;
|
||||||
verify_instruction(
|
verify_instruction(
|
||||||
is_debitable,
|
is_debitable,
|
||||||
&program_id,
|
&program_id,
|
||||||
&alice_program_id,
|
&alice_program_id,
|
||||||
0,
|
0,
|
||||||
&[42],
|
&[],
|
||||||
|
pre_executable,
|
||||||
&account,
|
&account,
|
||||||
)
|
)
|
||||||
}
|
};
|
||||||
|
|
||||||
|
let mallory_program_id = Pubkey::new_rand();
|
||||||
|
let system_program_id = system_program::id();
|
||||||
|
|
||||||
|
assert_eq!(
|
||||||
|
change_executable(&system_program_id, true, false, true),
|
||||||
|
Ok(()),
|
||||||
|
"system program should be able to change executable"
|
||||||
|
);
|
||||||
|
assert_eq!(
|
||||||
|
change_executable(&alice_program_id, true, false, true),
|
||||||
|
Ok(()),
|
||||||
|
"alice program should be able to change executable"
|
||||||
|
);
|
||||||
|
assert_eq!(
|
||||||
|
change_executable(&system_program_id, false, false, true),
|
||||||
|
Err(InstructionError::ExecutableModified),
|
||||||
|
"system program can't modify executable of credit-only accounts"
|
||||||
|
);
|
||||||
|
assert_eq!(
|
||||||
|
change_executable(&system_program_id, true, true, false),
|
||||||
|
Err(InstructionError::ExecutableModified),
|
||||||
|
"system program can't reverse executable"
|
||||||
|
);
|
||||||
|
assert_eq!(
|
||||||
|
change_executable(&mallory_program_id, true, false, true),
|
||||||
|
Err(InstructionError::ExecutableModified),
|
||||||
|
"malicious Mallory should not be able to change the account executable"
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn test_verify_instruction_change_data() {
|
||||||
|
let alice_program_id = Pubkey::new_rand();
|
||||||
|
|
||||||
|
let change_data =
|
||||||
|
|program_id: &Pubkey, is_debitable: bool| -> Result<(), InstructionError> {
|
||||||
|
let account = Account::new(0, 0, &alice_program_id);
|
||||||
|
verify_instruction(
|
||||||
|
is_debitable,
|
||||||
|
&program_id,
|
||||||
|
&alice_program_id,
|
||||||
|
0,
|
||||||
|
&[42],
|
||||||
|
false,
|
||||||
|
&account,
|
||||||
|
)
|
||||||
|
};
|
||||||
|
|
||||||
let system_program_id = system_program::id();
|
let system_program_id = system_program::id();
|
||||||
let mallory_program_id = Pubkey::new_rand();
|
let mallory_program_id = Pubkey::new_rand();
|
||||||
|
@ -404,6 +496,11 @@ mod tests {
|
||||||
Ok(()),
|
Ok(()),
|
||||||
"system program should be able to change the data"
|
"system program should be able to change the data"
|
||||||
);
|
);
|
||||||
|
assert_eq!(
|
||||||
|
change_data(&alice_program_id, true),
|
||||||
|
Ok(()),
|
||||||
|
"alice program should be able to change the data"
|
||||||
|
);
|
||||||
assert_eq!(
|
assert_eq!(
|
||||||
change_data(&mallory_program_id, true),
|
change_data(&mallory_program_id, true),
|
||||||
Err(InstructionError::ExternalAccountDataModified),
|
Err(InstructionError::ExternalAccountDataModified),
|
||||||
|
@ -428,6 +525,7 @@ mod tests {
|
||||||
&alice_program_id,
|
&alice_program_id,
|
||||||
42,
|
42,
|
||||||
&[],
|
&[],
|
||||||
|
false,
|
||||||
&account
|
&account
|
||||||
),
|
),
|
||||||
Err(InstructionError::ExternalAccountLamportSpend),
|
Err(InstructionError::ExternalAccountLamportSpend),
|
||||||
|
@ -440,6 +538,7 @@ mod tests {
|
||||||
&alice_program_id,
|
&alice_program_id,
|
||||||
42,
|
42,
|
||||||
&[],
|
&[],
|
||||||
|
false,
|
||||||
&account
|
&account
|
||||||
),
|
),
|
||||||
Err(InstructionError::CreditOnlyLamportSpend),
|
Err(InstructionError::CreditOnlyLamportSpend),
|
||||||
|
|
|
@ -61,6 +61,9 @@ pub enum InstructionError {
|
||||||
/// An account was referenced more than once in a single instruction
|
/// An account was referenced more than once in a single instruction
|
||||||
DuplicateAccountIndex,
|
DuplicateAccountIndex,
|
||||||
|
|
||||||
|
/// Executable bit on account changed, but shouldn't have
|
||||||
|
ExecutableModified,
|
||||||
|
|
||||||
/// CustomError allows on-chain programs to implement program-specific error types and see
|
/// CustomError allows on-chain programs to implement program-specific error types and see
|
||||||
/// them returned by the Solana runtime. A CustomError may be any type that is represented
|
/// them returned by the Solana runtime. A CustomError may be any type that is represented
|
||||||
/// as or serialized to a u32 integer.
|
/// as or serialized to a u32 integer.
|
||||||
|
|
Loading…
Reference in New Issue