[GnoVM] Gas system doesn't catch infinite loops #3612

Open
leohhhn opened this issue Jan 26, 2025 · 1 comment
Labels
in focus Core team is prioritizing this work security Security-sensitive issue

leohhhn commented Jan 26, 2025

Description

Credit to @odeke-em, #3417

```go
package hello

func main() {
  for {}
  println("hello world")
}
```

An ABCI query or a MsgCall call to this Render function will make the node non-responsive until the caller's context deadline is exceeded, posing a DoS attack vector. With gnokey, the terminal hangs until the gnokey context is exceeded, and with gnoweb, the page trying to render the realm also hangs, until gnoweb's built-in timeout kicks in and reports an internal problem.

This is obviously not caught with the gas system in either case.

cc @thehowl @piux2

@leohhhn leohhhn changed the title {GnoVM] Gas system doesn't catch infinite loops [GnoVM] Gas system doesn't catch infinite loops Jan 26, 2025
@kristovatlas kristovatlas added the security Security-sensitive issue label Jan 27, 2025
@Kouteki Kouteki moved this from Triage to Todo in 🧙‍♂️gno.land core team Jan 27, 2025
@Kouteki Kouteki added the in focus Core team is prioritizing this work label Jan 27, 2025
n2p5 commented Jan 27, 2025

Random thought here, and a bit of a continuation of a conversation with @mvertes that he and I had in October. It feels like something like the eBPF verifier pattern could be really useful for us.

https://docs.ebpf.io/linux/concepts/verifier/

For context, eBPF allows users to extend core kernel functionality, so runtime safety measures (like no infinite loops) are part of the verification process.
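
An added illustration, not GnoVM code and not written by anyone in this thread: a toy interpreter showing why a gas meter that charges only "work" operations never fires on `for {}`, while charging every dispatched instruction (jumps included) bounds the loop. `Instr`, `Run`, `EmptyLoop` and `maxSteps` are hypothetical names; how GnoVM's meter actually accounts for loops is not stated in the issue.

```go
package main

import (
	"errors"
	"fmt"
)

// Toy bytecode for a hypothetical VM (assumption: not GnoVM's instruction set).
type Instr struct {
	Jump   bool // true: jump to Target; false: a "work" op such as println
	Target int
}

var (
	ErrOutOfGas  = errors.New("out of gas")
	ErrStepLimit = errors.New("step cap reached with gas left")
)

// EmptyLoop is `for {}` followed by println, lowered to the toy bytecode.
var EmptyLoop = []Instr{{Jump: true, Target: 0}, {}}

// Run executes prog until pc falls off the end. With chargeAll=false only work ops
// cost gas (a meter that misses empty loop bodies); maxSteps just bounds the demo.
func Run(prog []Instr, gas int64, chargeAll bool, maxSteps int) (int64, error) {
	pc := 0
	for steps := 0; steps < maxSteps; steps++ {
		if pc >= len(prog) {
			return gas, nil // normal termination
		}
		if chargeAll || !prog[pc].Jump {
			if gas--; gas < 0 {
				return 0, ErrOutOfGas
			}
		}
		if prog[pc].Jump {
			pc = prog[pc].Target
		} else {
			pc++
		}
	}
	return gas, ErrStepLimit
}

func main() {
	_, err := Run(EmptyLoop, 1000, false, 1_000_000)
	fmt.Println("work-only metering:", err)
	_, err = Run(EmptyLoop, 1000, true, 1_000_000)
	fmt.Println("per-instruction metering:", err)
}
```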
