Consolidated Security Fixes for 1.1.4

- Various regression/unit tests
Co-authored-by: NKevin Heifner <heifner_k@ociweb.com>
Co-authored-by: NMatt Witherspoon <32485495+spoonincode@users.noreply.github.com>

unittests/abi_tests.cpp

@@ -24,6 +24,9 @@
 
 #include <config.hpp>
 
+#include <deep_nested.abi.hpp>
+#include <large_nested.abi.hpp>
+
 using namespace eosio;
 using namespace chain;
 
@@ -3299,6 +3302,43 @@ BOOST_AUTO_TEST_CASE(abi_account_name_in_eosio_abi)
 } FC_LOG_AND_RETHROW() }
 
 
+// Unlimited array size during abi serialization can exhaust memory and crash the process
+BOOST_AUTO_TEST_CASE(abi_large_array)
+{
+   try {
+      const char* abi_str = R"=====(
+      {
+        "types": [],
+        "structs": [{
+           "name": "hi",
+           "base": "",
+           "fields": [
+           ]
+         }
+       ],
+       "actions": [{
+           "name": "hi",
+           "type": "hi[]",
+           "ricardian_contract": ""
+         }
+       ],
+       "tables": []
+      }
+      )=====";
+
+      abi_serializer abis( fc::json::from_string( abi_str ).as<abi_def>(), max_serialization_time );
+      // indicate a very large array, but don't actually provide a large array
+      // curl http://127.0.0.1:8888/v1/chain/abi_bin_to_json -X POST -d '{"code":"eosio", "action":"hi", "binargs":"ffffffff08"}'
+      bytes bin = {static_cast<char>(0xff),
+                   static_cast<char>(0xff),
+                   static_cast<char>(0xff),
+                   static_cast<char>(0xff),
+                   static_cast<char>(0x08)};
+      BOOST_CHECK_THROW( abis.binary_to_variant( "hi[]", bin, max_serialization_time );, fc::exception );
+
+   } FC_LOG_AND_RETHROW()
+}
+
 // Infinite recursion of abi_serializer is_type
 BOOST_AUTO_TEST_CASE(abi_is_type_recursion)
 {
@@ -3402,4 +3442,33 @@ BOOST_AUTO_TEST_CASE(abi_recursive_structs)
    } FC_LOG_AND_RETHROW()
 }
 
+// Infinite recursion of abi_serializer in struct definitions
+BOOST_AUTO_TEST_CASE(abi_very_deep_structs)
+{
+   try {
+      abi_serializer abis( fc::json::from_string( large_nested_abi ).as<abi_def>(), max_serialization_time );
+      string hi_data = "{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":{\"f1\":0}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}";
+      BOOST_CHECK_THROW( abis.variant_to_binary( "s98", fc::json::from_string( hi_data ), max_serialization_time ), fc::exception );
+   } FC_LOG_AND_RETHROW()
+}
+
+// Infinite recursion of abi_serializer in struct definitions
+BOOST_AUTO_TEST_CASE(abi_very_deep_structs_1ms)
+{
+   try {
+      BOOST_CHECK_THROW(
+            abi_serializer abis( fc::json::from_string( large_nested_abi ).as<abi_def>(), fc::microseconds( 1 ) ),
+            fc::exception );
+   } FC_LOG_AND_RETHROW()
+}
+
+BOOST_AUTO_TEST_CASE(abi_deep_structs_validate)
+{
+   try {
+      BOOST_CHECK_THROW(
+            abi_serializer abis( fc::json::from_string( deep_nested_abi ).as<abi_def>(), max_serialization_time ),
+            fc::exception );
+   } FC_LOG_AND_RETHROW()
+}
+
 BOOST_AUTO_TEST_SUITE_END()

unittests/wasm_tests.cpp

@@ -1731,6 +1731,11 @@ INCBIN(leak_readGlobals, "leak_readGlobals.wasm");
 INCBIN(leak_readImports, "leak_readImports.wasm");
 INCBIN(leak_wasm_binary_cpp_L1249, "leak_wasm_binary_cpp_L1249.wasm");
 INCBIN(readFunctions_slowness_out_of_memory, "readFunctions_slowness_out_of_memory.wasm");
+INCBIN(locals_yc, "locals-yc.wasm");
+INCBIN(locals_s, "locals-s.wasm");
+INCBIN(slowwasm_localsets, "slowwasm_localsets.wasm");
+INCBIN(getcode_deepindent, "getcode_deepindent.wasm");
+INCBIN(indent_mismatch, "indent-mismatch.wasm");
 INCBIN(deep_loops_ext_report, "deep_loops_ext_report.wasm");
 INCBIN(80k_deep_loop_with_ret, "80k_deep_loop_with_ret.wasm");
 INCBIN(80k_deep_loop_with_void, "80k_deep_loop_with_void.wasm");
@@ -1857,6 +1862,18 @@ BOOST_FIXTURE_TEST_CASE( fuzz, TESTER ) try {
       vector<uint8_t> wasm(greadFunctions_slowness_out_of_memoryData, greadFunctions_slowness_out_of_memoryData + greadFunctions_slowness_out_of_memorySize);
       BOOST_CHECK_THROW(set_code(N(fuzzy), wasm), wasm_serialization_error);
    }
+   {
+      vector<uint8_t> wasm(glocals_ycData, glocals_ycData + glocals_ycSize);
+      BOOST_CHECK_THROW(set_code(N(fuzzy), wasm), wasm_serialization_error);
+   }
+   {
+      vector<uint8_t> wasm(glocals_sData, glocals_sData + glocals_sSize);
+      BOOST_CHECK_THROW(set_code(N(fuzzy), wasm), wasm_serialization_error);
+   }
+   {
+      vector<uint8_t> wasm(gslowwasm_localsetsData, gslowwasm_localsetsData + gslowwasm_localsetsSize);
+      BOOST_CHECK_THROW(set_code(N(fuzzy), wasm), wasm_serialization_error);
+   }
    {
       vector<uint8_t> wasm(gdeep_loops_ext_reportData, gdeep_loops_ext_reportData + gdeep_loops_ext_reportSize);
       BOOST_CHECK_THROW(set_code(N(fuzzy), wasm), wasm_execution_error);
@@ -1873,6 +1890,13 @@ BOOST_FIXTURE_TEST_CASE( fuzz, TESTER ) try {
    produce_blocks(1);
 } FC_LOG_AND_RETHROW()
 
+BOOST_FIXTURE_TEST_CASE( getcode_checks, TESTER ) try {
+   vector<uint8_t> wasm(ggetcode_deepindentData, ggetcode_deepindentData + ggetcode_deepindentSize);
+   wasm_to_wast( wasm.data(), wasm.size(), true );
+   vector<uint8_t> wasmx(gindent_mismatchData, gindent_mismatchData + gindent_mismatchSize);
+   wasm_to_wast( wasmx.data(), wasmx.size(), true );
+} FC_LOG_AND_RETHROW()
+
 
 // TODO: restore net_usage_tests
 #if 0