solana-labs / solana

Web-Scale Blockchain for fast, secure, scalable, decentralized apps and marketplaces.
https://solanalabs.com
Apache License 2.0

Native CPI caller write privileges is incorrect #18629

Closed jstarry closed 3 years ago

jstarry commented 3 years ago

Problem

Caller write privileges are not created correctly for native cpi. The caller_write_privileges vector should match up with message.account_keys because they will be indexed into in the same way.

Proposed Solution

fix with no tests is in this branch: https://github.com/jstarry/solana/tree/fix-caller-write-privileges

jstarry commented 3 years ago

Since native_invoke is only called for the bpf upgradeable program and that program doesn't modify caller accounts before invoking the native create account instruction, there shouldn't be any change of behavior before and after the fix.

jstarry commented 3 years ago

@jackcmay I'm pretty sure https://github.com/solana-labs/solana/pull/19645 will be blocked on this issue FYI

jackcmay commented 3 years ago

What specifically do you think is blocking?

jstarry commented 3 years ago

caller_write_privileges is constructed in order of keyed_account_indices instead of message.account_keys which contrasts with how accounts and keyed_account_indices_reordered are constructed. This means that if keyed_account_indices is not monotonically increasing, the write privileges can be incorrect. This is problematic because if a native program modifies any accounts before invoking another program, it's possible that the native program could be allowed to write to a read-only account that it owns. Or, it may be prevented from writing to a writable account that it owns.

19645 introduces a change which modifies a buffer account before the native invoke which means that a malicious user could trick the bpf loader program to successfully deplete the balance of a readonly buffer account.
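The ordering mismatch described in the comment above, as an added example that is not code from the solana repository or from the fix branch: a simplified Message model (the struct, its is_writable helper and the caller_may_write check are assumptions made for illustration) with a non-monotonic keyed_account_indices, showing how a vector built in instruction-account order disagrees with one built in message.account_keys order when both are indexed by account-key index. Sample accounts and flags are constructed.

```rust
/// Simplified model of a transaction message (assumption, not solana's type):
/// account keys in the order the transaction lists them, plus the per-account
/// writable flag at the same index.
struct Message {
    account_keys: Vec<&'static str>,
    writable: Vec<bool>,
}

impl Message {
    fn is_writable(&self, account_index: usize) -> bool {
        self.writable[account_index]
    }
}

/// The layout the issue reports as incorrect: one entry per instruction
/// account, in keyed_account_indices order.
fn privileges_in_instruction_order(msg: &Message, keyed_account_indices: &[usize]) -> Vec<bool> {
    keyed_account_indices.iter().map(|&i| msg.is_writable(i)).collect()
}

/// The layout the issue asks for: one entry per message account key, so the
/// vector can be indexed with the same index used for message.account_keys.
fn privileges_in_message_order(msg: &Message) -> Vec<bool> {
    (0..msg.account_keys.len()).map(|i| msg.is_writable(i)).collect()
}

/// The invoke-time check as modelled here (assumption): the caller may write
/// to the account at message index `account_index` only if its entry is true.
fn caller_may_write(caller_write_privileges: &[bool], account_index: usize) -> bool {
    caller_write_privileges
        .get(account_index)
        .copied()
        .unwrap_or(false)
}

fn main() {
    // Constructed sample: message index 1 is a read-only "buffer" account.
    let msg = Message {
        account_keys: vec!["payer", "buffer", "program_data"],
        writable: vec![true, false, true],
    };
    // Non-monotonic instruction account order: the case where the two layouts disagree.
    let keyed_account_indices = [2, 0, 1];

    let by_instruction = privileges_in_instruction_order(&msg, &keyed_account_indices);
    let by_message = privileges_in_message_order(&msg);
    println!("instruction-order privileges: {:?}", by_instruction); // [true, true, false]
    println!("message-order privileges:     {:?}", by_message); // [true, false, true]

    // Both vectors looked up by message account index 1 (the read-only buffer):
    // the instruction-order vector wrongly reports it writable.
    println!("instruction-order allows buffer write: {}", caller_may_write(&by_instruction, 1)); // true
    println!("message-order allows buffer write:     {}", caller_may_write(&by_message, 1)); // false

    // And message index 2 (writable program_data) is wrongly reported read-only.
    println!("instruction-order allows program_data write: {}", caller_may_write(&by_instruction, 2)); // false
    println!("message-order allows program_data write:     {}", caller_may_write(&by_message, 2)); // true
}
```

With a monotonically increasing keyed_account_indices that covers every account the two layouts coincide, which is why the issue notes no behaviour change for the existing bpf upgradeable loader call path; the discrepancy only appears once the instruction account order differs from the message order.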

github-actions[bot] commented 2 years ago

This issue has been automatically locked since there has not been any activity in past 7 days after it was closed. Please open a new issue for related bugs.