Fix CPI duplicate account privilege escalation (#22752)

* Adds TEST_DUPLICATE_PRIVILEGE_ESCALATION_SIGNER and TEST_DUPLICATE_PRIVILEGE_ESCALATION_WRITABLE. * Moves CPI privilege verification out of deduplication loop.
2022-01-28 00:52:02 +01:00
parent fa51e5b704
commit a71f05f86c
5 changed files with 115 additions and 28 deletions
--- a/programs/bpf/rust/invoke/src/instructions.rs
+++ b/programs/bpf/rust/invoke/src/instructions.rs
@ -19,6 +19,8 @@ pub const TEST_EXECUTABLE_LAMPORTS: u8 = 16;
 pub const TEST_CALL_PRECOMPILE: u8 = 17;
 pub const ADD_LAMPORTS: u8 = 18;
 pub const TEST_RETURN_DATA_TOO_LARGE: u8 = 19;
+pub const TEST_DUPLICATE_PRIVILEGE_ESCALATION_SIGNER: u8 = 20;
+pub const TEST_DUPLICATE_PRIVILEGE_ESCALATION_WRITABLE: u8 = 21;

 pub const MINT_INDEX: usize = 0;
 pub const ARGUMENT_INDEX: usize = 1;
--- a/programs/bpf/rust/invoke/src/processor.rs
+++ b/programs/bpf/rust/invoke/src/processor.rs
@ -426,7 +426,6 @@ fn process_instruction(

            // Writable privilege escalation will always fail the whole transaction
            invoked_instruction.accounts[0].is_writable = true;
-
            invoke(&invoked_instruction, accounts)?;
        }
        TEST_PPROGRAM_NOT_EXECUTABLE => {
@ -638,6 +637,40 @@ fn process_instruction(
        TEST_RETURN_DATA_TOO_LARGE => {
            set_return_data(&[1u8; 1028]);
        }
+        TEST_DUPLICATE_PRIVILEGE_ESCALATION_SIGNER => {
+            msg!("Test duplicate privilege escalation signer");
+            let mut invoked_instruction = create_instruction(
+                *accounts[INVOKED_PROGRAM_INDEX].key,
+                &[
+                    (accounts[DERIVED_KEY3_INDEX].key, false, false),
+                    (accounts[DERIVED_KEY3_INDEX].key, false, false),
+                    (accounts[DERIVED_KEY3_INDEX].key, false, false),
+                ],
+                vec![VERIFY_PRIVILEGE_ESCALATION],
+            );
+            invoke(&invoked_instruction, accounts)?;
+
+            // Signer privilege escalation will always fail the whole transaction
+            invoked_instruction.accounts[1].is_signer = true;
+            invoke(&invoked_instruction, accounts)?;
+        }
+        TEST_DUPLICATE_PRIVILEGE_ESCALATION_WRITABLE => {
+            msg!("Test duplicate privilege escalation writable");
+            let mut invoked_instruction = create_instruction(
+                *accounts[INVOKED_PROGRAM_INDEX].key,
+                &[
+                    (accounts[DERIVED_KEY3_INDEX].key, false, false),
+                    (accounts[DERIVED_KEY3_INDEX].key, false, false),
+                    (accounts[DERIVED_KEY3_INDEX].key, false, false),
+                ],
+                vec![VERIFY_PRIVILEGE_ESCALATION],
+            );
+            invoke(&invoked_instruction, accounts)?;
+
+            // Writable privilege escalation will always fail the whole transaction
+            invoked_instruction.accounts[1].is_writable = true;
+            invoke(&invoked_instruction, accounts)?;
+        }
        _ => panic!(),
    }