Adds a feature gate to reject the deployment of programs with unresolved syscall symbols. (#21298)

2021-11-16 18:21:16 +01:00
parent ae497715cc
commit 0661aa67ed
2 changed files with 15 additions and 2 deletions
--- a/programs/bpf_loader/src/lib.rs
+++ b/programs/bpf_loader/src/lib.rs
@@ -31,7 +31,8 @@ use solana_sdk::{
    clock::Clock,
    entrypoint::{HEAP_LENGTH, SUCCESS},
    feature_set::{
-        do_support_realloc, reduce_required_deploy_balance, requestable_heap_size,
+        do_support_realloc, reduce_required_deploy_balance,
+        reject_deployment_of_unresolved_syscalls, requestable_heap_size,
        stop_verify_mul64_imm_nonzero,
    },
    ic_logger_msg, ic_msg,
@@ -74,6 +75,7 @@ pub fn create_executor(
    programdata_offset: usize,
    invoke_context: &mut dyn InvokeContext,
    use_jit: bool,
+    reject_unresolved_syscalls: bool,
 ) -> Result<Arc<BpfExecutor>, InstructionError> {
    let syscall_registry = syscalls::register_syscalls(invoke_context).map_err(|e| {
        ic_msg!(invoke_context, "Failed to register syscalls: {}", e);
@@ -84,6 +86,8 @@ pub fn create_executor(
        max_call_depth: compute_budget.max_call_depth,
        stack_frame_size: compute_budget.stack_frame_size,
        enable_instruction_tracing: log_enabled!(Trace),
+        reject_unresolved_syscalls: reject_unresolved_syscalls
+            && invoke_context.is_feature_active(&reject_deployment_of_unresolved_syscalls::id()),
        verify_mul64_imm_nonzero: !invoke_context
            .is_feature_active(&stop_verify_mul64_imm_nonzero::id()), // TODO: Feature gate and then remove me
        ..Config::default()
@@ -271,6 +275,7 @@ fn process_instruction_common(
                    program_data_offset,
                    invoke_context,
                    use_jit,
+                    false,
                )?;
                let program_id = invoke_context.get_caller()?;
                invoke_context.add_executor(program_id, executor.clone());
@@ -475,6 +480,7 @@ fn process_loader_upgradeable_instruction(
                buffer_data_offset,
                invoke_context,
                use_jit,
+                true,
            )?;
            invoke_context.add_executor(&new_program_id, executor);

@@ -619,6 +625,7 @@ fn process_loader_upgradeable_instruction(
                buffer_data_offset,
                invoke_context,
                use_jit,
+                true,
            )?;
            invoke_context.add_executor(&new_program_id, executor);

@@ -872,7 +879,8 @@ fn process_loader_instruction(
                return Err(InstructionError::MissingRequiredSignature);
            }

-            let executor = create_executor(first_instruction_account, 0, invoke_context, use_jit)?;
+            let executor =
+                create_executor(first_instruction_account, 0, invoke_context, use_jit, true)?;
            let keyed_accounts = invoke_context.get_keyed_accounts()?;
            let program = keyed_account_at_index(keyed_accounts, first_instruction_account)?;
            invoke_context.add_executor(program.unsigned_key(), executor);