Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Harden max proposal bytes configuration and deserialization #3220

Merged
merged 3 commits into from
May 21, 2024
Merged

Harden max proposal bytes configuration and deserialization #3220

merged 3 commits into from
May 21, 2024

Conversation

sug0
Copy link
Collaborator

@sug0 sug0 commented May 10, 2024
edited
Loading

Describe your changes

Closes #3189

Indeed, Namada ignores the max_tx_bytes parameter from CometBFT, which may shrink dynamically based on the presence of evidence of misbehavior data in blocks.

This parameter is only passed as an argument to PrepareProposal ABCI calls, and (crucially) never to ProcessProposal calls, forcing it to be available under ProcessProposal via some other means.

As such, max_proposal_bytes (a semantically equivalent Namada-only parameter) was introduced in #843. To ensure the application never exceeds max_tx_bytes, CometBFT was configured with a much larger maximum block size (100 MiB, and 90 MiB max for max_proposal_bytes).

In #2187, we modified these bounds, setting the max block size to 16 MiB and the max value of max_proposal_bytes to 6 MiB. Evidence data is the only reason the space reserved for txs may shrink; as 10 MiB is plenty of available space for misbehavior reports, we should never exceed the maximum block size.

It is also important to state CometBFT faces a problem of the same nature. During CometBFT block validation, MaxTxBytes is never checked. The only place where it is checked is during block construction, leaving the burden of this validation to ABCI apps. Unfortunately, as we stated, ProcessProposal is not called with max_tx_bytes...

That said, this PR does the following:

  • Hardens BorshDeserialize for ProposalBytes.
  • Avoids using "magic numbers" to configure CometBFT, and uses ProposalBytes::MAX instead.

Indicate on which release or other PRs this topic is based on

v0.35.1

Checklist before merging to draft

  • I have added a changelog
  • Git history is in acceptable state

@sug0 sug0 added the security label May 10, 2024
@sug0 sug0 force-pushed the tiago/max-proposal-bytes-validation branch from a105902 to ad9482b Compare May 10, 2024 13:39
sug0 added a commit that referenced this pull request May 10, 2024
@sug0
Changelog for #3220
e1712cc
@sug0 sug0 marked this pull request as ready for review May 10, 2024 13:42
@sug0 sug0 requested review from batconjurer, tzemanovic and cwgoes May 10, 2024 13:42
@sug0 sug0 added the bug Something isn't working label May 10, 2024
@codecov Codecov
Copy link

codecov bot commented May 10, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 35.71429% with 9 lines in your changes are missing coverage. Please review.

Project coverage is 60.24%. Comparing base (4ed6229) to head (d8f959c).

Files Patch % Lines
crates/core/src/chain.rs 41.66% 7 Missing ⚠️
crates/apps/src/lib/node/ledger/tendermint_node.rs 0.00% 2 Missing ⚠️
Additional details and impacted files 
@@           Coverage Diff           @@
##             main    #3220   +/-   ##
=======================================
  Coverage   60.24%   60.24%           
=======================================
  Files         303      303           
  Lines       93191    93199    +8     
=======================================
+ Hits        56145    56152    +7     
- Misses      37046    37047    +1

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@sug0 sug0 marked this pull request as draft May 10, 2024 14:16
sug0 added a commit that referenced this pull request May 10, 2024
@sug0
Changelog for #3220
ca6aaa8
@sug0 sug0 force-pushed the tiago/max-proposal-bytes-validation branch from e1712cc to ca6aaa8 Compare May 10, 2024 15:09
@sug0 sug0 marked this pull request as ready for review May 10, 2024 15:09
@sug0 sug0 removed the bug Something isn't working label May 10, 2024
@sug0 sug0 changed the title Consider max_tx_bytes provided by CometBFT when initializing block allocator Harden max proposal bytes configuration and deserialization May 10, 2024
@sug0 sug0 force-pushed the tiago/max-proposal-bytes-validation branch from ca6aaa8 to d8f959c Compare May 10, 2024 15:17
cwgoes
cwgoes approved these changes May 10, 2024
View reviewed changes
Copy link
Collaborator

@cwgoes cwgoes left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changes are fine, but comment needs to be updated

crates/apps/src/lib/node/ledger/tendermint_node.rs
@@ -475,12 +472,13 @@ async fn write_tm_genesis(
.try_into()
.expect("Failed to convert initial genesis height");
}
const EVIDENCE_AND_PROTOBUF_OVERHEAD: u64 = 10 * 1024 * 1024;
let size = block::Size {
// maximum size of a serialized Tendermint block.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Comment is now out of date

@cwgoes cwgoes mentioned this pull request May 14, 2024
Closed
tzemanovic added a commit that referenced this pull request May 14, 2024
@tzemanovic
Merge branch 'tiago/max-proposal-bytes-validation' (#3220)
46d2c75 
* origin/tiago/max-proposal-bytes-validation:
  Changelog for #3220
  Avoid using hardcoded values when configuring CometBFT
  Validate borsh deserialization of ProposalBytes
tzemanovic added a commit that referenced this pull request May 14, 2024
@tzemanovic
fixup! Merge branch 'tiago/max-proposal-bytes-validation' (#3220)
4cafd2c
brentstone added a commit that referenced this pull request May 21, 2024
@brentstone
Merge branch 'tiago/max-proposal-bytes-validation' (#3220)
124f92f 
* origin/tiago/max-proposal-bytes-validation:
  Changelog for #3220
  Avoid using hardcoded values when configuring CometBFT
  Validate borsh deserialization of ProposalBytes
brentstone added a commit that referenced this pull request May 21, 2024
@brentstone
fixup! Merge branch 'tiago/max-proposal-bytes-validation' (#3220)
478ad89
tzemanovic added a commit that referenced this pull request May 21, 2024
@tzemanovic
Merge branch 'tomas/split-up-apps' (#3259)
d91b142 
* tomas/split-up-apps:
  changelog: add #3259
  test/apps_lib: fix the top-level dir check
  fix paths for split up namada_apps_lib
  git: ignore the new generated version.rs path
  symlink proto from `apps_lib`
  `mv crates/apps/build.rs crates/apps_lib/`
  `mv crates/apps_lib/src/lib/mod.rs crates/apps_lib/src/lib.rs`
  `mv crates/apps/src/lib crates/apps_lib/src`
  apps_lib: add a new crate for apps lib crate
  fixup! Merge branch 'grarco/masp-fees' (#3217)
  fixup! Merge branch 'grarco/tx-batch' (#3103)
  fixup! Merge branch 'grarco/tx-batch' (#3103)
  fixup! Merge branch 'bat/fix/issue-1796' (#3226)
  fixup! Merge branch 'tiago/max-proposal-bytes-validation' (#3220)
  fixup! Merge branch 'tomas/more-checked-arith' (#3214)
  empty commit
  changelog: add #3216
  deliberatly empty
  Changelog #2817
  added clone to transaction structs
@tzemanovic tzemanovic merged commit 4ec9ace into main May 21, 2024
17 of 19 checks passed
@tzemanovic tzemanovic deleted the tiago/max-proposal-bytes-validation branch May 21, 2024 13:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tzemanovic tzemanovic tzemanovic approved these changes

@batconjurer batconjurer batconjurer approved these changes

@cwgoes cwgoes cwgoes approved these changes

Assignees
No one assigned
Labels
security
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Inconsistent block size limit handling in proposal preparation
4 participants
@sug0 @tzemanovic @batconjurer @cwgoes