diff --git a/programs/bpf_loader/src/lib.rs b/programs/bpf_loader/src/lib.rs index 73547d922b..7c43147023 100644 --- a/programs/bpf_loader/src/lib.rs +++ b/programs/bpf_loader/src/lib.rs @@ -33,7 +33,8 @@ use { entrypoint::{HEAP_LENGTH, SUCCESS}, feature_set::{ add_missing_program_error_mappings, close_upgradeable_program_accounts, - fix_write_privs, reduce_required_deploy_balance, requestable_heap_size, + fix_write_privs, reduce_required_deploy_balance, + reject_deployment_of_unresolved_syscalls, requestable_heap_size, stop_verify_mul64_imm_nonzero, upgradeable_close_instruction, }, ic_logger_msg, ic_msg, @@ -78,6 +79,7 @@ pub fn create_executor( program_data_offset: usize, invoke_context: &mut dyn InvokeContext, use_jit: bool, + reject_unresolved_syscalls: bool, ) -> Result, InstructionError> { let syscall_registry = syscalls::register_syscalls(invoke_context).map_err(|e| { ic_msg!(invoke_context, "Failed to register syscalls: {}", e); @@ -88,6 +90,8 @@ pub fn create_executor( max_call_depth: bpf_compute_budget.max_call_depth, stack_frame_size: bpf_compute_budget.stack_frame_size, enable_instruction_tracing: log_enabled!(Trace), + reject_unresolved_syscalls: reject_unresolved_syscalls + && invoke_context.is_feature_active(&reject_deployment_of_unresolved_syscalls::id()), verify_mul64_imm_nonzero: !invoke_context .is_feature_active(&stop_verify_mul64_imm_nonzero::id()), // TODO: Feature gate and then remove me ..Config::default() @@ -238,7 +242,8 @@ fn process_instruction_common( let executor = match invoke_context.get_executor(program_id) { Some(executor) => executor, None => { - let executor = create_executor(0, program_data_offset, invoke_context, use_jit)?; + let executor = + create_executor(0, program_data_offset, invoke_context, use_jit, false)?; invoke_context.add_executor(program_id, executor.clone()); executor } @@ -432,7 +437,7 @@ fn process_loader_upgradeable_instruction( )?; // Load and verify the program bits - let executor = create_executor(3, buffer_data_offset, invoke_context, use_jit)?; + let executor = create_executor(3, buffer_data_offset, invoke_context, use_jit, true)?; invoke_context.add_executor(&new_program_id, executor); let keyed_accounts = invoke_context.get_keyed_accounts()?; @@ -564,7 +569,7 @@ fn process_loader_upgradeable_instruction( } // Load and verify the program bits - let executor = create_executor(2, buffer_data_offset, invoke_context, use_jit)?; + let executor = create_executor(2, buffer_data_offset, invoke_context, use_jit, true)?; invoke_context.add_executor(&new_program_id, executor); let keyed_accounts = invoke_context.get_keyed_accounts()?; @@ -833,7 +838,7 @@ fn process_loader_instruction( return Err(InstructionError::MissingRequiredSignature); } - let executor = create_executor(0, 0, invoke_context, use_jit)?; + let executor = create_executor(0, 0, invoke_context, use_jit, true)?; let keyed_accounts = invoke_context.get_keyed_accounts()?; let program = keyed_account_at_index(keyed_accounts, 0)?; invoke_context.add_executor(program.unsigned_key(), executor); diff --git a/sdk/src/feature_set.rs b/sdk/src/feature_set.rs index fe6d843a76..4d50d42717 100644 --- a/sdk/src/feature_set.rs +++ b/sdk/src/feature_set.rs @@ -261,6 +261,10 @@ pub mod spl_token_v3_3_0_release { solana_sdk::declare_id!("Ftok2jhqAqxUWEiCVRrfRs9DPppWP8cgTB7NQNKL88mS"); } +pub mod reject_deployment_of_unresolved_syscalls { + solana_sdk::declare_id!("DqniU3MfvdpU3yhmNF1RKeaM5TZQELZuyFGosASRVUoy"); +} + lazy_static! { /// Map of feature identifiers to user-visible description pub static ref FEATURE_NAMES: HashMap = [ @@ -326,6 +330,7 @@ lazy_static! { (requestable_heap_size::id(), "Requestable heap frame size"), (add_compute_budget_program::id(), "Add compute_budget_program"), (spl_token_v3_3_0_release::id(), "spl-token v3.3.0 release"), + (reject_deployment_of_unresolved_syscalls::id(), "Reject deployment of programs with unresolved syscall symbols"), /*************** ADD NEW FEATURES HERE ***************/ ] .iter()