Handle potential error from newBlockRangeBatcher #13344

Merged
merged 1 commit into from
Dec 15, 2023

Conversation

jtraglia
Contributor

@jtraglia jtraglia commented Dec 14, 2023

What type of PR is this?

Bug fix

What does this PR do? Why is it needed?

This is a really interesting bug that I'm surprised errcheck didn't identify. The error from newBlockRangeBatcher isn't checked. This could actually be exploited to crash Prysm with a nil pointer dereference.

batcher, err := newBlockRangeBatcher(rp, s.cfg.beaconDB, s.rateLimiter, s.cfg.chain.IsCanonical, ticker)
var batch blockBatch
wQuota := params.BeaconNetworkConfig().MaxRequestBlobSidecars
for batch, ok = batcher.next(ctx, stream); ok; batch, ok = batcher.next(ctx, stream) {

Details

If an attacker sends a BlobSidecarsByRange request with the start slot greater than the current slot, it will return a rangeParams with size: 0.

// Peers may overshoot the current slot when in initial sync, so we don't want to penalize them by treating the
// request as an error. So instead we return a set of params that acts as a noop.
if rp.start > current {
return rangeParams{start: current, end: current, size: 0}, nil
}

When newBlockRangeBatcher gets this, it will return nil, someErr which doesn't get checked:

if rp.size == 0 {
return nil, fmt.Errorf("invalid batch size of %d", rp.size)
}

Then it will nil pointer dereference when batcher.next() is called:

batcher, err := newBlockRangeBatcher(rp, s.cfg.beaconDB, s.rateLimiter, s.cfg.chain.IsCanonical, ticker)
var batch blockBatch
wQuota := params.BeaconNetworkConfig().MaxRequestBlobSidecars
for batch, ok = batcher.next(ctx, stream); ok; batch, ok = batcher.next(ctx, stream) {

This is not exploitable until the Deneb hardfork. The RPC handler is only registered at that epoch.

if currEpoch >= params.BeaconConfig().DenebForkEpoch {
s.registerRPCHandlersDeneb()
}
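The failure path described above in miniature, as an added example that is not code from this PR or from Prysm: a hypothetical clampRange stands in for the request validation quoted above, the constructor rejects a zero-size range, and the handler is shown both without and with the missing error check. The batcher fields and the drain helper are assumptions.

```go
package main

import "fmt"

type rangeParams struct{ start, end, size uint64 }
// clampRange is a hypothetical stand-in for the validation quoted in the PR:
// a start slot beyond the current slot is mapped to a no-op range of size 0.
func clampRange(start, end, current uint64) rangeParams {
	if start > current {
		return rangeParams{start: current, end: current, size: 0}
	}
	return rangeParams{start: start, end: end, size: end - start + 1}
}
type blockRangeBatcher struct{ cur, end uint64 }
// newBlockRangeBatcher rejects a zero-size range, as the quoted constructor does.
func newBlockRangeBatcher(rp rangeParams) (*blockRangeBatcher, error) {
	if rp.size == 0 {
		return nil, fmt.Errorf("invalid batch size of %d", rp.size)
	}
	return &blockRangeBatcher{cur: rp.start, end: rp.end}, nil
}
// next mirrors the (batch, ok) shape of the real batcher; reading b.cur on a nil b panics.
func (b *blockRangeBatcher) next() (slot uint64, ok bool) {
	slot, ok = b.cur, b.cur <= b.end
	b.cur++
	return slot, ok
}
// drain walks the batcher the way the handler's for loop does.
func drain(b *blockRangeBatcher) (n int) {
	for _, ok := b.next(); ok; _, ok = b.next() {
		n++
	}
	return n
}
// handleUnchecked reproduces the bug: err is dropped and a nil batcher is used.
// recover is only here so the crash can be observed; the real handler had no guard.
func handleUnchecked(rp rangeParams) (served int, panicked bool) {
	defer func() { panicked = recover() != nil }()
	batcher, _ := newBlockRangeBatcher(rp)
	return drain(batcher), false
}
// handleChecked is the fixed shape: check err before touching the batcher.
func handleChecked(rp rangeParams) (int, error) {
	batcher, err := newBlockRangeBatcher(rp)
	if err != nil {
		return 0, err
	}
	return drain(batcher), nil
}
```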

@jtraglia jtraglia requested a review from a team as a code owner December 14, 2023 20:56
@jtraglia jtraglia requested review from potuz, rkapka and nisdas December 14, 2023 20:56
@prestonvanloon
Member

Upstream issue kisielk/errcheck#7

@kasey kasey added this pull request to the merge queue Dec 15, 2023
Merged via the queue into prysmaticlabs:develop with commit 97dfec8 Dec 15, 2023
17 checks passed
@jtraglia jtraglia deleted the handle-batcher-err branch December 15, 2023 13:53