
[Bug] A malicious validator can broadcast invalid BatchCertificate or Propose that cause other validators stack overflow #2935

Open
feezybabee opened this issue Dec 20, 2023 · 5 comments · May be fixed by #2956
Labels
bug Incorrect or unexpected behavior

Comments

@feezybabee

https://hackerone.com/reports/2279584

Summary:

The Primary recursively fetches certificates from other peers upon receiving a new Propose or BatchCertificate. Although it checks the certificate before storing it into the db, the check is at the end of the recursion.

A malicious validator can create a fake certificate that contains another fake certificate at the same round. Then the recursion never ends and leads to a stack overflow. The call stack will look like this:

sync_with_certificate_from_peer
    sync_with_batch_header_from_peer
        sync_with_certificate_from_peer
             ....

The attacker can crash all other validators in this way.

Steps To Reproduce:

See the commit: Gooong@3e7c686

  1. Clone the repo above
  2. Run ./devnet.sh
  3. Wait for round 5
  4. Check the log and we will find that some nodes crashed: fatal runtime error: stack overflow

Proof-of-Concept (PoC)

How this bug can be exploited:

The attacker just broadcasts fake certificates. This will cause all other validators to continuously crash and shut down the network.

Supporting Material/References:

See the attachment

Impact

Causes validators to crash and shuts down the network.

Fix suggestions:

Strictly check the certificate before the recursion.
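To make the reported shape concrete, the following is an added example written for this page; it is not snarkOS code and not the reporter's PoC. It models a recursive certificate fetch in two forms: a naive walker that recurses into every referenced certificate before validating (the order the report describes), and a hardened walker that checks the round linkage of each fetched certificate before recursing into it, so that rounds strictly decrease along the walk and a same-round cycle is rejected on first sight. All names (`BatchHeader`, `BatchCertificate`, `Peer`, `Storage`, `sync_from`, `MAX_DEPTH`) and the sample certificates are hypothetical; `MAX_DEPTH` stands in for the real call stack so the runaway recursion can be observed without crashing, and the real snarkOS validation rules are not reproduced.

```rust
use std::collections::HashMap;

// Added example, not snarkOS code. Every type and name here is hypothetical.

#[derive(Clone, Debug)]
pub struct BatchHeader {
    pub round: u64,
    /// IDs of the certificates this header builds on (expected: previous round).
    pub previous_certificate_ids: Vec<u64>,
}

#[derive(Clone, Debug)]
pub struct BatchCertificate {
    pub id: u64,
    pub header: BatchHeader,
}

/// A peer is modelled as the set of certificates it will serve on request.
pub struct Peer {
    served: HashMap<u64, BatchCertificate>,
}

impl Peer {
    pub fn new(certs: Vec<BatchCertificate>) -> Self {
        Peer { served: certs.into_iter().map(|c| (c.id, c)).collect() }
    }
    pub fn fetch(&self, id: u64) -> Result<BatchCertificate, String> {
        self.served.get(&id).cloned().ok_or_else(|| format!("peer has no certificate {id}"))
    }
}

/// Local store of certificates that passed validation.
pub type Storage = HashMap<u64, BatchCertificate>;

/// Stand-in for the real call stack (hypothetical bound): the naive walker
/// bails out here instead of overflowing, so the runaway can be observed.
pub const MAX_DEPTH: usize = 64;

/// Vulnerable shape: recurse into every referenced certificate first and only
/// validate after the recursion unwinds. A cyclic reference never reaches the check.
pub fn naive_sync_certificate(peer: &Peer, storage: &mut Storage, cert: &BatchCertificate, depth: usize) -> Result<(), String> {
    if depth > MAX_DEPTH {
        return Err(format!("recursion depth {depth} exceeded (a real stack would overflow here)"));
    }
    for id in &cert.header.previous_certificate_ids {
        if !storage.contains_key(id) {
            let prev = peer.fetch(*id)?;
            naive_sync_certificate(peer, storage, &prev, depth + 1)?;
        }
    }
    check_previous_rounds(storage, &cert.header)?; // validation only here: too late
    storage.insert(cert.id, cert.clone());
    Ok(())
}

/// Hardened shape: check each fetched certificate's round BEFORE recursing into it.
/// Rounds must strictly decrease along the walk, so depth is bounded by the
/// starting round and a same-round (or self) reference is rejected immediately.
pub fn hardened_sync_certificate(peer: &Peer, storage: &mut Storage, cert: &BatchCertificate) -> Result<(), String> {
    let round = cert.header.round;
    if round == 0 && !cert.header.previous_certificate_ids.is_empty() {
        return Err("round 0 certificate must not reference previous certificates".into());
    }
    for id in &cert.header.previous_certificate_ids {
        let prev = match storage.get(id) { Some(c) => c.clone(), None => peer.fetch(*id)? };
        if prev.header.round + 1 != round {
            return Err(format!("certificate {} is at round {} but referenced from round {}", prev.id, prev.header.round, round));
        }
        if !storage.contains_key(id) {
            hardened_sync_certificate(peer, storage, &prev)?;
        }
    }
    storage.insert(cert.id, cert.clone());
    Ok(())
}

/// The late check used by the naive walker: every referenced certificate must be
/// stored and exactly one round back.
fn check_previous_rounds(storage: &Storage, header: &BatchHeader) -> Result<(), String> {
    for id in &header.previous_certificate_ids {
        match storage.get(id) {
            Some(prev) if prev.header.round + 1 == header.round => {}
            Some(prev) => return Err(format!("certificate {} is at round {} but referenced from round {}", prev.id, prev.header.round, header.round)),
            None => return Err(format!("certificate {id} missing from storage")),
        }
    }
    Ok(())
}

fn cert(id: u64, round: u64, prev: &[u64]) -> BatchCertificate {
    BatchCertificate { id, header: BatchHeader { round, previous_certificate_ids: prev.to_vec() } }
}

/// Constructed honest peer: chain 0 (round 0) <- 1 (round 1) <- 2 (round 2).
pub fn honest_peer() -> Peer {
    Peer::new(vec![cert(0, 0, &[]), cert(1, 1, &[0]), cert(2, 2, &[1])])
}

/// Constructed malicious peer: two fake round-5 certificates referencing each other.
pub fn malicious_peer() -> Peer {
    Peer::new(vec![cert(10, 5, &[11]), cert(11, 5, &[10])])
}

/// Sync starting from `start_id` with either walker; returns how many certificates were stored.
pub fn sync_from(peer: &Peer, start_id: u64, hardened: bool) -> Result<usize, String> {
    let mut storage = Storage::new();
    let start = peer.fetch(start_id)?;
    if hardened { hardened_sync_certificate(peer, &mut storage, &start)?; }
    else { naive_sync_certificate(peer, &mut storage, &start, 0)?; }
    Ok(storage.len())
}

fn main() {
    println!("honest/naive:       {:?}", sync_from(&honest_peer(), 2, false));
    println!("honest/hardened:    {:?}", sync_from(&honest_peer(), 2, true));
    println!("malicious/naive:    {:?}", sync_from(&malicious_peer(), 10, false));
    println!("malicious/hardened: {:?}", sync_from(&malicious_peer(), 10, true));
}
```

The naive walker never inserts certificate 10 into storage before recursing into 11, and 11 in turn recurses back into 10, so the `contains_key` short-circuit never fires and the depth grows without bound; the round check in the hardened walker is what breaks the cycle, not a visited set, because a fake certificate at the same round fails it on the very first fetch.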

@feezybabee feezybabee added the bug Incorrect or unexpected behavior label Dec 20, 2023
@feezybabee (Author)

Is this a duplicate of https://github.com/AleoHQ/snarkOS/issues/2883?

@niklaslong (Collaborator)

This is different; #2883 is mostly about deserialisation, here the root cause is recursively fetching certificates from peers.

@niklaslong niklaslong self-assigned this Dec 21, 2023
@niklaslong (Collaborator)

I haven't yet been able to reproduce this bug with a single malicious validator in a cluster of 4. @feezybabee, were you running 4 malicious nodes at the same time?

@randomsleep (Contributor)

I can reproduce it with a single malicious validator in 4 nodes. @niklaslong Make sure to start the malicious validator before round 5. Also, use the same snarkOS version.

@niklaslong (Collaborator)

Reproduced, looking at a fix now.

@joske joske linked a pull request Dec 27, 2023 that will close this issue
@niklaslong niklaslong removed their assignment Jan 11, 2024