solana-labs / solana

Web-Scale Blockchain for fast, secure, scalable, decentralized apps and marketplaces.
https://solanalabs.com
Apache License 2.0

BPFLoader slice index panic #9829

Closed leoluk closed 4 years ago

leoluk commented 4 years ago

Problem

Kaboom!

(will acquire better stacktrace)

thread '<unnamed>' panicked at 'slice index starts at 7 but ends at 0', src/libcore/slice/mod.rs:2680:5

  17: <alloc::vec::Vec<T> as core::ops::index::Index<I>>::index
             at /rustc/b8cedc00407a4c56a3bda1ed605c6fc166655447/src/liballoc/vec.rs:1883
  18: elfkit::elf::Elf::from_reader
             at /data/solana-dev/.cargo/registry/src/github.com-1ecc6299db9ec823/elfkit-0.0.6/src/elf.rs:83
  19: solana_rbpf::elf::EBpfElf::load
             at /data/solana-dev/.cargo/registry/src/github.com-1ecc6299db9ec823/solana_rbpf-0.1.25/src/elf.rs:167
  20: solana_rbpf::EbpfVm<E>::set_elf
             at /data/solana-dev/.cargo/registry/src/github.com-1ecc6299db9ec823/solana_rbpf-0.1.25/src/lib.rs:252
  21: solana_bpf_loader_program::check_elf
             at programs/bpf_loader/src/lib.rs:71
  22: solana_bpf_loader_program::process_instruction
             at programs/bpf_loader/src/lib.rs:237
  23: solana_bpf_loader_program
             at ./<::solana_sdk::entrypoint_native::declare_program macros>:8
  24: solana_runtime::native_loader::invoke_entrypoint
             at runtime/src/native_loader.rs:123
  25: solana_runtime::message_processor::MessageProcessor::process_instruction
             at runtime/src/message_processor.rs:234
  26: solana_runtime::message_processor::MessageProcessor::execute_instruction
             at runtime/src/message_processor.rs:327
  27: solana_runtime::message_processor::MessageProcessor::process_message
             at runtime/src/message_processor.rs:355
  28: solana_runtime::bank::Bank::load_and_execute_transactions::{{closure}}
             at runtime/src/bank.rs:1377
  29: core::ops::function::impls::<impl core::ops::function::FnOnce<A> for &mut F>::call_once
             at /rustc/b8cedc00407a4c56a3bda1ed605c6fc166655447/src/libcore/ops/function.rs:285
  30: core::option::Option<T>::map
             at /rustc/b8cedc00407a4c56a3bda1ed605c6fc166655447/src/libcore/option.rs:450
  31: <core::iter::adapters::Map<I,F> as core::iter::traits::iterator::Iterator>::next
             at /rustc/b8cedc00407a4c56a3bda1ed605c6fc166655447/src/libcore/iter/adapters/mod.rs:791
  32: <alloc::vec::Vec<T> as alloc::vec::SpecExtend<T,I>>::from_iter
             at /rustc/b8cedc00407a4c56a3bda1ed605c6fc166655447/src/liballoc/vec.rs:2007
  33: <alloc::vec::Vec<T> as core::iter::traits::collect::FromIterator<T>>::from_iter
             at /rustc/b8cedc00407a4c56a3bda1ed605c6fc166655447/src/liballoc/vec.rs:1919
  34: core::iter::traits::iterator::Iterator::collect
             at /rustc/b8cedc00407a4c56a3bda1ed605c6fc166655447/src/libcore/iter/traits/iterator.rs:1558
  35: solana_runtime::bank::Bank::load_and_execute_transactions
             at runtime/src/bank.rs:1366
  36: solana_core::banking_stage::BankingStage::process_and_record_transactions_locked
             at core/src/banking_stage.rs:514 
  37: solana_core::banking_stage::BankingStage::process_and_record_transactions
             at core/src/banking_stage.rs:584 
  38: solana_core::banking_stage::BankingStage::process_transactions
             at core/src/banking_stage.rs:626
  39: solana_core::banking_stage::BankingStage::process_received_packets
             at core/src/banking_stage.rs:829
  40: solana_core::banking_stage::BankingStage::process_packets
             at core/src/banking_stage.rs:947
  41: solana_core::banking_stage::BankingStage::process_loop
             at core/src/banking_stage.rs:394
  42: solana_core::banking_stage::BankingStage::new_num_threads::{{closure}}::{{closure}}
             at core/src/banking_stage.rs:129

Proposed Solution

TBD

jackcmay commented 4 years ago

Awesome, thanks @leoluk. Can you tell me more about the program you are finalizing?

jackcmay commented 4 years ago

@mvines Looks like elfkit does a pretty bad job of verifying values before using them. We will either have to fork and fix elfkit, switch to goblin which has been fuzzed, or write our own.
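The kind of verification jackcmay is describing, as an added Rust example that is not elfkit, goblin or solana_rbpf code: it parses only the section header table location from an ELF64 header, derives every range end from its start with checked arithmetic, and returns an error instead of indexing, so a range like the `7..0` in the panic above (two independently attacker-controlled ends) can never reach a slice. The `ElfError` type, `checked_slice` and the `sample_elf` input builder are constructed here for the demonstration.

```rust
use std::convert::{TryFrom, TryInto};

#[derive(Debug, PartialEq)]
pub enum ElfError {
    TooShort,
    BadMagic,
    RangeOverflow,
    OutOfBounds { start: usize, end: usize, len: usize },
}

/// Return `bytes[start..start+len]` only if the range fits in the buffer.
/// `end` is derived from `start`, so `end < start` is impossible; overflow
/// and `end > bytes.len()` become errors rather than panics.
pub fn checked_slice(bytes: &[u8], start: usize, len: usize) -> Result<&[u8], ElfError> {
    let end = start.checked_add(len).ok_or(ElfError::RangeOverflow)?;
    if end > bytes.len() {
        return Err(ElfError::OutOfBounds { start, end, len: bytes.len() });
    }
    Ok(&bytes[start..end])
}

#[derive(Debug, PartialEq)]
pub struct SectionTable { pub offset: usize, pub entry_size: usize, pub count: usize }

/// Parse just enough of a little-endian ELF64 header to locate the section
/// header table, rejecting anything that does not fit in `bytes`.
pub fn section_table(bytes: &[u8]) -> Result<(SectionTable, &[u8]), ElfError> {
    // ELF64 header is 64 bytes; field offsets are fixed by the ELF spec.
    let hdr = checked_slice(bytes, 0, 64).map_err(|_| ElfError::TooShort)?;
    if &hdr[0..4] != b"\x7fELF" { return Err(ElfError::BadMagic); }
    let u16_at = |o: usize| u16::from_le_bytes(hdr[o..o + 2].try_into().unwrap()) as usize;
    let e_shoff = u64::from_le_bytes(hdr[40..48].try_into().unwrap());
    let table = SectionTable {
        offset: usize::try_from(e_shoff).map_err(|_| ElfError::RangeOverflow)?,
        entry_size: u16_at(58), // e_shentsize
        count: u16_at(60),      // e_shnum
    };
    // Attacker-controlled size * count can overflow; check before slicing.
    let total = table.entry_size.checked_mul(table.count).ok_or(ElfError::RangeOverflow)?;
    let raw = checked_slice(bytes, table.offset, total)?;
    Ok((table, raw))
}

/// Constructed sample input: a 64-byte ELF64 header claiming `count` section
/// headers of 64 bytes each at offset 64, followed by `trailing` bytes.
pub fn sample_elf(count: u16, trailing: usize) -> Vec<u8> {
    let mut v = vec![0u8; 64 + trailing];
    v[0..4].copy_from_slice(b"\x7fELF");
    v[40..48].copy_from_slice(&64u64.to_le_bytes());
    v[58..60].copy_from_slice(&64u16.to_le_bytes());
    v[60..62].copy_from_slice(&count.to_le_bytes());
    v
}
```

Feeding `section_table` random bytes, as in the report, yields `BadMagic` or `TooShort`; a header whose fields point past the buffer yields `OutOfBounds` with the offending range, which is the diagnostic a loader should surface instead of a panic.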

mvines commented 4 years ago

Switching to goblin sounds nice.

leoluk commented 4 years ago

> Awesome, thanks @leoluk. Can you tell me more about the program you are finalizing?

This one was artisanal random bytes sourced from /dev/urandom, I think.