Skip to content

Commit

Permalink
Verify that previous ATX points to correct ATX when handling incoming…
Browse files Browse the repository at this point in the history
… ATXs (#5927)

## Motivation

This integrates the changes from the CVE fix into the main development branch.

Closes #5692



Co-authored-by: Bartosz Różański <bartek.roza@gmail.com>
  • Loading branch information
fasmat and poszu committed May 21, 2024
1 parent 241fc33 commit 5e6551a
Show file tree
Hide file tree
Showing 36 changed files with 1,428 additions and 272 deletions.
14 changes: 14 additions & 0 deletions .github/workflows/systest.yml
Original file line number Diff line number Diff line change
Expand Up @@ -92,6 +92,13 @@ jobs:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}

- uses: extractions/netrc@v2
with:
machine: github.com
username: ${{ secrets.GH_ACTION_TOKEN_USER }}
password: ${{ secrets.GH_ACTION_TOKEN }}
if: vars.GOPRIVATE

- name: Push go-spacemesh build to docker hub
run: make dockerpush

Expand All @@ -103,6 +110,13 @@ jobs:
shell: bash
run: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT

- uses: extractions/netrc@v2
with:
machine: github.com
username: ${{ secrets.GH_ACTION_TOKEN_USER }}
password: ${{ secrets.GH_ACTION_TOKEN }}
if: vars.GOPRIVATE

- name: Build tests docker image
run: make -C systest docker

Expand Down
4 changes: 4 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,10 @@ Upgrading to this version requires going through v1.5.x first. Removed migration
Ensure that your key file in `data/identities` is named `local.key` if you run a supervised node or with the change
the node will not start.

* [#5927](https://github.com/spacemeshos/go-spacemesh/pull/5927) Fixed vulnerability in the way a node handles incoming
ATXs. This vulnerability allows an attacker to claim rewards for a full tick amount although they should not be
eligible for them.

## Release v1.5.3

### Improvements
Expand Down
2 changes: 1 addition & 1 deletion Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,7 @@ RUN make get-libs
COPY go.mod .
COPY go.sum .

RUN go mod download
RUN --mount=type=secret,id=mynetrc,dst=/root/.netrc go mod download

# Here we copy the rest of the source code
COPY . .
Expand Down
11 changes: 9 additions & 2 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -154,9 +154,11 @@ list-versions:

dockerbuild-go:
DOCKER_BUILDKIT=1 docker build \
--secret id=mynetrc,src=$(HOME)/.netrc \
--build-arg VERSION=${VERSION} \
-t go-spacemesh:$(SHA) \
-t $(DOCKER_HUB)/$(DOCKER_IMAGE_REPO):$(DOCKER_IMAGE_VERSION) .
-t $(DOCKER_HUB)/$(DOCKER_IMAGE_REPO):$(DOCKER_IMAGE_VERSION) \
.
.PHONY: dockerbuild-go

dockerpush: dockerbuild-go dockerpush-only
Expand All @@ -171,7 +173,12 @@ endif
.PHONY: dockerpush-only

dockerbuild-bs:
DOCKER_BUILDKIT=1 docker build -t go-spacemesh-bs:$(SHA) -t $(DOCKER_HUB)/$(DOCKER_IMAGE_REPO)-bs:$(DOCKER_IMAGE_VERSION) -f ./bootstrap.Dockerfile .
DOCKER_BUILDKIT=1 docker build \
--secret id=mynetrc,src=$(HOME)/.netrc \
-t go-spacemesh-bs:$(SHA) \
-t $(DOCKER_HUB)/$(DOCKER_IMAGE_REPO)-bs:$(DOCKER_IMAGE_VERSION) \
-f ./bootstrap.Dockerfile \
.
.PHONY: dockerbuild-bs

dockerpush-bs: dockerbuild-bs dockerpush-bs-only
Expand Down
2 changes: 1 addition & 1 deletion activation/handler.go
Original file line number Diff line number Diff line change
Expand Up @@ -171,7 +171,7 @@ func (h *Handler) HandleSyncedAtx(ctx context.Context, expHash types.Hash32, pee

// HandleGossipAtx handles the atx gossip data channel.
func (h *Handler) HandleGossipAtx(ctx context.Context, peer p2p.Peer, msg []byte) error {
proof, err := h.handleAtx(ctx, types.Hash32{}, peer, msg)
proof, err := h.handleAtx(ctx, types.EmptyHash32, peer, msg)
if err != nil && !errors.Is(err, errMalformedData) && !errors.Is(err, errKnownAtx) {
h.log.WithContext(ctx).With().Warning("failed to process atx gossip",
log.Stringer("sender", peer),
Expand Down
12 changes: 5 additions & 7 deletions activation/handler_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -227,9 +227,8 @@ func testHandler_PostMalfeasanceProofs(t *testing.T, synced bool) {

sig, err := signing.NewEdSigner()
require.NoError(t, err)
nodeID := sig.NodeID()

_, err = identities.GetMalfeasanceProof(atxHdlr.cdb, nodeID)
_, err = identities.GetMalfeasanceProof(atxHdlr.cdb, sig.NodeID())
require.ErrorIs(t, err, sql.ErrNotFound)

atx := newInitialATXv1(t, goldenATXID)
Expand Down Expand Up @@ -314,7 +313,7 @@ func TestHandler_ProcessAtxStoresNewVRFNonce(t *testing.T) {
require.NoError(t, err)
require.Equal(t, types.VRFPostIndex(*atx1.VRFNonce), got)

atx2 := newChainedActivationTxV1(t, goldenATXID, atx1, atx1.ID())
atx2 := newChainedActivationTxV1(t, atx1, atx1.ID())
nonce2 := types.VRFPostIndex(456)
atx2.VRFNonce = (*uint64)(&nonce2)
atx2.Sign(sig)
Expand All @@ -336,7 +335,7 @@ func TestHandler_HandleGossipAtx(t *testing.T) {
first := newInitialATXv1(t, goldenATXID)
first.Sign(sig)

second := newChainedActivationTxV1(t, goldenATXID, first, first.ID())
second := newChainedActivationTxV1(t, first, first.ID())
second.Sign(sig)

// the poet is missing
Expand Down Expand Up @@ -639,7 +638,7 @@ func TestHandler_AtxWeight(t *testing.T) {
require.Equal(t, leaves/tickSize, stored1.TickHeight())
require.Equal(t, (leaves/tickSize)*units, stored1.GetWeight())

atx2 := newChainedActivationTxV1(t, goldenATXID, atx1, atx1.ID())
atx2 := newChainedActivationTxV1(t, atx1, atx1.ID())
atx2.Sign(sig)
buf = codec.MustEncode(atx2)

Expand Down Expand Up @@ -740,7 +739,6 @@ func newInitialATXv1(

func newChainedActivationTxV1(
t testing.TB,
goldenATXID types.ATXID,
prev *wire.ActivationTxV1,
pos types.ATXID,
) *wire.ActivationTxV1 {
Expand All @@ -751,7 +749,7 @@ func newChainedActivationTxV1(
NIPostChallengeV1: wire.NIPostChallengeV1{
PrevATXID: prev.ID(),
PublishEpoch: prev.PublishEpoch + 1,
PositioningATXID: prev.ID(),
PositioningATXID: pos,
},
NIPost: newNIPosV1tWithPoet(t, poetRef.Bytes()),
Coinbase: prev.Coinbase,
Expand Down
Loading

0 comments on commit 5e6551a

Please sign in to comment.