Skip to content

runtime: fix UAF from spad lifetime mismatch in prepare_and_execute_txn #6659

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

runtime: fix UAF from spad lifetime mismatch in prepare_and_execute_txn #6659

wants to merge 1 commit into from
+84 −79

Conversation

two-heart
Copy link
Contributor

fd_runtime_prepare_and_execute_txn wrapped allocations in an internal FD_SPAD_FRAME, so allocations like rollback fee payer were freed before fd_runtime_finalize_txn consumed them

@two-heart
runtime: fix UAF from spad lifetime mismatch in prepare_and_execute_txn
3287b91 
fd_runtime_prepare_and_execute_txn wrapped allocations in an internal FD_SPAD_FRAME, so allocations like rollback fee payer were freed before fd_runtime_finalize_txn consumed them
@two-heart
Copy link
Contributor Author

ASAN report from executing block level fixtures with deep asan:

=================================================================
==993616==ERROR: AddressSanitizer: use-after-poison on address 0x6e9b70896350 at pc 0x5d720f4b5ef2 bp 0x7ffec8bee670 sp 0x7ffec8be
e668
READ of size 8 at 0x6e9b70896350 thread T0
    #0 0x5d720f4b5ef1 in fd_hashes_account_lthash /home/liam/firedancer/src/flamenco/runtime/fd_hashes.c:20:7
    #1 0x5d720f4b8b6f in fd_hashes_update_lthash /home/liam/firedancer/src/flamenco/runtime/fd_hashes.c:75:3
    #2 0x5d720f4ebdf1 in fd_runtime_save_account /home/liam/firedancer/src/flamenco/runtime/fd_runtime.c:1074:3
    #3 0x5d720f4eb487 in fd_runtime_finalize_txn /home/liam/firedancer/src/flamenco/runtime/fd_runtime.c:1126:7
    #4 0x5d720f39ea35 in fd_runtime_fuzz_block_ctx_exec /home/liam/firedancer/src/flamenco/runtime/tests/fd_block_harness.c:493:7
    #5 0x5d720f39ea35 in fd_solfuzz_block_run /home/liam/firedancer/src/flamenco/runtime/tests/fd_block_harness.c:536:15
    #6 0x5d720f39313b in fd_solfuzz_execute_wrapper /home/liam/firedancer/src/flamenco/runtime/tests/fd_solfuzz_private.h:55:20
    #7 0x5d720f39313b in fd_solfuzz_block_fixture /home/liam/firedancer/src/flamenco/runtime/tests/fd_solfuzz_exec.c:316:3
    #8 0x5d720f38f7dc in run_test1 /home/liam/firedancer/src/flamenco/runtime/tests/test_sol_compat.c:66:10
    #9 0x5d720f38f7dc in run_test /home/liam/firedancer/src/flamenco/runtime/tests/test_sol_compat.c:84:14
    #10 0x5d720f38efc8 in visit_sync /home/liam/firedancer/src/flamenco/runtime/tests/test_sol_compat.c:192:12
    #11 0x5d720f38f2bb in recursive_walk1 /home/liam/firedancer/src/flamenco/runtime/tests/test_sol_compat.c:143:12
    #12 0x5d720f38edfc in recursive_walk /home/liam/firedancer/src/flamenco/runtime/tests/test_sol_compat.c:179:12
    #13 0x5d720f38e4c3 in run_single_threaded /home/liam/firedancer/src/flamenco/runtime/tests/test_sol_compat.c:205:14
    #14 0x5d720f38e4c3 in main /home/liam/firedancer/src/flamenco/runtime/tests/test_sol_compat.c:460:5
    #15 0x73f2eb42a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #16 0x73f2eb42a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #17 0x5d720f2b2724 in _start (/home/liam/firedancer/build/linux/clang/icelake/unit-test/test_sol_compat+0xc2724) (BuildId: bdb
bf48b009c58d4cd49dec95d8741aef5e8f65f)

Address 0x6e9b70896350 is a wild pointer inside of access range of size 0x000000000008.
SUMMARY: AddressSanitizer: use-after-poison /home/liam/firedancer/src/flamenco/runtime/fd_hashes.c:20:7 in fd_hashes_account_lthas
h
Shadow bytes around the buggy address:
  0x6e9b70896080: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x6e9b70896100: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x6e9b70896180: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x6e9b70896200: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x6e9b70896280: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
=>0x6e9b70896300: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7
  0x6e9b70896380: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x6e9b70896400: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x6e9b70896480: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x6e9b70896500: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x6e9b70896580: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==993616==ABORTING

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@two-heart