From 2d8dacb72bb04e38f21d23f6af183f8136ffe0ce Mon Sep 17 00:00:00 2001
From: Jack May <jack@solana.com>
Date: Wed, 30 Dec 2020 18:13:37 -0800
Subject: [PATCH] Gate CPI authorized programs (#14361)

---
 programs/bpf_loader/src/syscalls.rs | 9 ++++++---
 sdk/src/feature_set.rs              | 5 +++++
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/programs/bpf_loader/src/syscalls.rs b/programs/bpf_loader/src/syscalls.rs
index 4462c13c0c..857ee62556 100644
--- a/programs/bpf_loader/src/syscalls.rs
+++ b/programs/bpf_loader/src/syscalls.rs
@@ -17,8 +17,9 @@ use solana_sdk::{
     bpf_loader_upgradeable::{self, UpgradeableLoaderState},
     entrypoint::{MAX_PERMITTED_DATA_INCREASE, SUCCESS},
     feature_set::{
-        pubkey_log_syscall_enabled, ristretto_mul_syscall_enabled, sha256_syscall_enabled,
-        sol_log_compute_units_syscall, try_find_program_address_syscall_enabled,
+        limit_cpi_loader_invoke, pubkey_log_syscall_enabled, ristretto_mul_syscall_enabled,
+        sha256_syscall_enabled, sol_log_compute_units_syscall,
+        try_find_program_address_syscall_enabled,
     },
     hash::{Hasher, HASH_BYTES},
     instruction::{AccountMeta, Instruction, InstructionError},
@@ -1424,7 +1425,9 @@ fn call<'a>(
     let (message, callee_program_id, program_id_index) =
         MessageProcessor::create_message(&instruction, &keyed_account_refs, &signers)
             .map_err(SyscallError::InstructionError)?;
-    check_authorized_program(&callee_program_id)?;
+    if invoke_context.is_feature_active(&limit_cpi_loader_invoke::id()) {
+        check_authorized_program(&callee_program_id)?;
+    }
     let (mut accounts, mut account_refs) = syscall.translate_accounts(
         &message.account_keys,
         program_id_index,
diff --git a/sdk/src/feature_set.rs b/sdk/src/feature_set.rs
index db62179def..ba324cd314 100644
--- a/sdk/src/feature_set.rs
+++ b/sdk/src/feature_set.rs
@@ -122,6 +122,10 @@ pub mod max_cpi_instruction_size_ipv6_mtu {
     solana_sdk::declare_id!("5WLtuUJA5VVA1Cc28qULPfGs8anhoBev8uNqaaXeasnf");
 }
 
+pub mod limit_cpi_loader_invoke {
+    solana_sdk::declare_id!("xGbcW7EEC7zMRJ6LaJCob65EJxKryWjwM4rv8f57SRM");
+}
+
 lazy_static! {
     /// Map of feature identifiers to user-visible description
     pub static ref FEATURE_NAMES: HashMap<Pubkey, &'static str> = [
@@ -154,6 +158,7 @@ lazy_static! {
         (warp_testnet_timestamp::id(), "warp testnet timestamp to current #14210"),
         (stake_program_v3::id(), "solana_stake_program v3"),
         (max_cpi_instruction_size_ipv6_mtu::id(), "Max cross-program invocation size 1280"),
+        (limit_cpi_loader_invoke::id(), "Loader not authorized via CPI"),
         /*************** ADD NEW FEATURES HERE ***************/
     ]
     .iter()