Forbid bogus account assignment to native_loaders #11928
Conversation
Codecov Report
@@ Coverage Diff @@
## master #11928 +/- ##
=========================================
- Coverage 82.2% 82.1% -0.1%
=========================================
Files 331 331
Lines 78062 78072 +10
=========================================
- Hits 64184 64169 -15
- Misses 13878 13903 +25 |
😬 things just got very real over the weekend, I think the luxury of our past short-cuts aren't really viable anymore |
|
Actually why bother with this? When we introduce a new BPFLoader, we'll just rewrite the account and preserve whatever lamports are in it |
Newer native loader program accounts (= accounts owned by (this paragraph is based on current impl with the above checking; unconditional overwrite will evade this entirely) So, we must be careful to discern whether to overwrite or not by checking already-existing account is bogus or genuine. The check requires Unless we forbid, we must also consider native loader program accounts are Ultimately, I just want simplicity and consistency between specially-owned accounts (sysvars and native programs) Also, I think fewer abnormal situation will lead to less bugs. Also, if forbidding for native loaders can be optional, why sysvar is forbidden btw? I thought lack of forbid of native loaders was just a oversight. :) |
It's certainly nicer to forbid transfers for completeness. But it doesn't seem strictly necessary, nobody will be able to realistically generate a privatekey for any of these well-known address, so we can be quite sure that they're either unallocated or somebody transferred some SOL to that address, which is effectively a token burn. So I feel like we can just overwrite what ever is in that account regardless of the current content. I'm not opposed to disabling transfers here. I just don't feel strongly either |
|
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. |
stale
bot
added
the
stale
|
This stale pull request has been automatically closed. Thank you for your contributions. |
stale
bot
removed
the
stale
ryoqun
force-pushed
the
forbid-native-loader-assignment
branch
from
62135f1
to
15c0ebc
Compare
| @@ -89,6 +89,13 @@ impl PreAccount { | |||
| return Err(InstructionError::ModifiedProgramId); | |||
| } | |||
|
|
|||
| if self.owner != post.owner | |||
There was a problem hiding this comment.
- MUST [ ] needs tests for this
|
will be superseded by #13884 |
Problem
Transactions can assign account to
NativeLoader1111for no good reason.Summary of Changes
Forbid doing so just like sysvars.
Obviously, this creates dos attack window when upgrading.
Note that, I'm intentionally omitting to gate this change. Considering recent our practices, this should be acceptable? (CC: @mvines )
Alternatively, if this is concerning too much, we can resort to adding
account.executableto this existing condition:solana/runtime/src/bank.rs
Line 1201 in 5b1aca1
and to-be-pushed new capitalization calculation at #11927.
context
following up: #11750
blocking: #11927(This is not a blocker anymore; as this requires proper gating, I've unblocked #11927).