add VMRuntimeLimitsConfig and vector len limit (#963)

* add vector len limit

Author: oxade

language/move-bytecode-verifier/bytecode-verifier-tests/src/unit_tests/limit_tests.rs

@@ -587,6 +587,167 @@ fn max_mixed_config_test() {
     );
 }
 
+#[test]
+fn max_vec_len() {
+    let config = VerifierConfig {
+        max_constant_vector_len: 0xFFFF - 1,
+        ..Default::default()
+    };
+    let double_vec = |item: Vec<u8>| -> Vec<u8> {
+        let mut items = vec![2];
+        items.extend(item.clone());
+        items.extend(item);
+        items
+    };
+    let large_vec = |item: Vec<u8>| -> Vec<u8> {
+        let mut items = vec![0xFF, 0xFF, 3];
+        (0..0xFFFF).for_each(|_| items.extend(item.clone()));
+        items
+    };
+    fn tvec(s: SignatureToken) -> SignatureToken {
+        SignatureToken::Vector(Box::new(s))
+    }
+
+    let mut module = empty_module();
+    module.constant_pool = vec![Constant {
+        type_: tvec(SignatureToken::Bool),
+        data: large_vec(vec![0]),
+    }];
+    let res = LimitsVerifier::verify_module(&config, &module);
+    assert_eq!(
+        res.unwrap_err().major_status(),
+        StatusCode::TOO_MANY_VECTOR_ELEMENTS,
+    );
+
+    let mut module = empty_module();
+    module.constant_pool = vec![Constant {
+        type_: tvec(SignatureToken::U256),
+        data: large_vec(vec![
+            0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+            0, 0, 0,
+        ]),
+    }];
+    let res = LimitsVerifier::verify_module(&config, &module);
+    assert_eq!(
+        res.unwrap_err().major_status(),
+        StatusCode::TOO_MANY_VECTOR_ELEMENTS,
+    );
+
+    let config = VerifierConfig {
+        max_constant_vector_len: 0xFFFF,
+        ..Default::default()
+    };
+
+    let mut module = empty_module();
+    module.constant_pool = vec![
+        // empty
+        Constant {
+            type_: tvec(SignatureToken::Bool),
+            data: vec![0],
+        },
+        Constant {
+            type_: tvec(tvec(SignatureToken::Bool)),
+            data: vec![0],
+        },
+        Constant {
+            type_: tvec(tvec(tvec(tvec(SignatureToken::Bool)))),
+            data: vec![0],
+        },
+        Constant {
+            type_: tvec(tvec(tvec(tvec(SignatureToken::Bool)))),
+            data: double_vec(vec![0]),
+        },
+        // small
+        Constant {
+            type_: tvec(SignatureToken::Bool),
+            data: vec![9, 1, 1, 1, 1, 1, 1, 1, 1, 1],
+        },
+        Constant {
+            type_: tvec(SignatureToken::U8),
+            data: vec![9, 1, 1, 1, 1, 1, 1, 1, 1, 1],
+        },
+        // large
+        Constant {
+            type_: tvec(SignatureToken::Bool),
+            data: large_vec(vec![0]),
+        },
+        Constant {
+            type_: tvec(SignatureToken::U8),
+            data: large_vec(vec![0]),
+        },
+        Constant {
+            type_: tvec(SignatureToken::U16),
+            data: large_vec(vec![0, 0]),
+        },
+        Constant {
+            type_: tvec(SignatureToken::U32),
+            data: large_vec(vec![0, 0, 0, 0]),
+        },
+        Constant {
+            type_: tvec(SignatureToken::U64),
+            data: large_vec(vec![0, 0, 0, 0, 0, 0, 0, 0]),
+        },
+        Constant {
+            type_: tvec(SignatureToken::U128),
+            data: large_vec(vec![0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]),
+        },
+        Constant {
+            type_: tvec(SignatureToken::U256),
+            data: large_vec(vec![
+                0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+                0, 0, 0, 0,
+            ]),
+        },
+        Constant {
+            type_: tvec(SignatureToken::Address),
+            data: large_vec(vec![0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]),
+        },
+        // double large
+        Constant {
+            type_: tvec(tvec(SignatureToken::Bool)),
+            data: double_vec(large_vec(vec![0])),
+        },
+        Constant {
+            type_: tvec(tvec(SignatureToken::U8)),
+            data: double_vec(large_vec(vec![0])),
+        },
+        Constant {
+            type_: tvec(tvec(SignatureToken::U16)),
+            data: double_vec(large_vec(vec![0, 0])),
+        },
+        Constant {
+            type_: tvec(tvec(SignatureToken::U32)),
+            data: double_vec(large_vec(vec![0, 0, 0, 0])),
+        },
+        Constant {
+            type_: tvec(tvec(SignatureToken::U64)),
+            data: double_vec(large_vec(vec![0, 0, 0, 0, 0, 0, 0, 0])),
+        },
+        Constant {
+            type_: tvec(tvec(SignatureToken::U128)),
+            data: double_vec(large_vec(vec![
+                0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+            ])),
+        },
+        Constant {
+            type_: tvec(tvec(SignatureToken::U256)),
+            data: double_vec(large_vec(vec![
+                0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+                0, 0, 0, 0,
+            ])),
+        },
+        Constant {
+            type_: tvec(tvec(SignatureToken::Address)),
+            data: double_vec(large_vec(vec![
+                0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+            ])),
+        },
+    ];
+    let res = LimitsVerifier::verify_module(&config, &module);
+
+    assert!(res.is_ok());
+}
+
 fn multi_struct(module: &mut CompiledModule, count: usize) {
     for i in 0..count {
         module

language/move-bytecode-verifier/bytecode-verifier-tests/src/unit_tests/signature_tests.rs

@@ -7,7 +7,8 @@ use move_binary_format::file_format::{
     Bytecode::*, CompiledModule, SignatureToken::*, Visibility::Public, *,
 };
 use move_bytecode_verifier::{
-    verify_module, verify_module_with_config, SignatureChecker, VerifierConfig,
+    verifier::MAX_CONSTANT_VECTOR_LEN, verify_module, verify_module_with_config, SignatureChecker,
+    VerifierConfig,
 };
 use move_core_types::{
     account_address::AccountAddress, identifier::Identifier, vm_status::StatusCode,
@@ -228,6 +229,7 @@ fn big_signature_test() {
             max_struct_definitions: Some(200),
             max_fields_in_struct: Some(30),
             max_function_definitions: Some(1000),
+            max_constant_vector_len: MAX_CONSTANT_VECTOR_LEN,
         },
         &module,
     )

language/move-bytecode-verifier/bytecode-verifier-tests/src/unit_tests/vec_pack_tests.rs

@@ -5,7 +5,7 @@ use move_binary_format::file_format::{
     empty_module, Bytecode, CodeUnit, FunctionDefinition, FunctionHandle, FunctionHandleIndex,
     IdentifierIndex, ModuleHandleIndex, Signature, SignatureIndex, SignatureToken, Visibility,
 };
-use move_bytecode_verifier::VerifierConfig;
+use move_bytecode_verifier::{verifier::MAX_CONSTANT_VECTOR_LEN, VerifierConfig};
 use move_core_types::{identifier::Identifier, vm_status::StatusCode};
 
 fn vec_sig(len: usize) -> SignatureToken {
@@ -72,6 +72,7 @@ fn test_vec_pack() {
             max_struct_definitions: Some(200),
             max_fields_in_struct: Some(30),
             max_function_definitions: Some(1000),
+            max_constant_vector_len: MAX_CONSTANT_VECTOR_LEN,
         },
         &m,
     )

language/move-bytecode-verifier/src/limits.rs

@@ -4,11 +4,13 @@
 use crate::VerifierConfig;
 use move_binary_format::{
     binary_views::BinaryIndexedView,
-    errors::{Location, PartialVMError, PartialVMResult, VMResult},
-    file_format::{CompiledModule, CompiledScript, SignatureToken, StructFieldInformation},
+    errors::{verification_error, Location, PartialVMError, PartialVMResult, VMResult},
+    file_format::{
+        CompiledModule, CompiledScript, SignatureToken, StructFieldInformation, TableIndex,
+    },
     IndexKind,
 };
-use move_core_types::vm_status::StatusCode;
+use move_core_types::{value::MoveValue, vm_status::StatusCode};
 
 pub struct LimitsVerifier<'a> {
     resolver: BinaryIndexedView<'a>,
@@ -27,6 +29,7 @@ impl<'a> LimitsVerifier<'a> {
         let limit_check = Self {
             resolver: BinaryIndexedView::Module(module),
         };
+        limit_check.verify_constants(config)?;
         limit_check.verify_function_handles(config)?;
         limit_check.verify_struct_handles(config)?;
         limit_check.verify_type_nodes(config)?;
@@ -170,4 +173,35 @@ impl<'a> LimitsVerifier<'a> {
         }
         Ok(())
     }
+
+    fn verify_constants(&self, config: &VerifierConfig) -> PartialVMResult<()> {
+        for (idx, constant) in self.resolver.constant_pool().iter().enumerate() {
+            if let SignatureToken::Vector(_) = constant.type_ {
+                if let MoveValue::Vector(cons) =
+                    constant.deserialize_constant().ok_or_else(|| {
+                        verification_error(
+                            StatusCode::MALFORMED_CONSTANT_DATA,
+                            IndexKind::ConstantPool,
+                            idx as TableIndex,
+                        )
+                    })?
+                {
+                    if cons.len() > config.max_constant_vector_len as usize {
+                        return Err(PartialVMError::new(StatusCode::TOO_MANY_VECTOR_ELEMENTS)
+                            .with_message(format!(
+                                "vector size limit is {}",
+                                config.max_constant_vector_len as usize
+                            )));
+                    }
+                } else {
+                    return Err(verification_error(
+                        StatusCode::INVALID_CONSTANT_TYPE,
+                        IndexKind::ConstantPool,
+                        idx as TableIndex,
+                    ));
+                }
+            }
+        }
+        Ok(())
+    }
 }

language/move-bytecode-verifier/src/verifier.rs

@@ -18,6 +18,8 @@ use move_binary_format::{
 };
 use move_core_types::{state::VMState, vm_status::StatusCode};
 
+pub const MAX_CONSTANT_VECTOR_LEN: u64 = 1024 * 1024;
+
 #[derive(Debug, Clone)]
 pub struct VerifierConfig {
     pub max_loop_depth: Option<usize>,
@@ -31,6 +33,7 @@ pub struct VerifierConfig {
     pub max_struct_definitions: Option<usize>,
     pub max_fields_in_struct: Option<usize>,
     pub max_function_definitions: Option<usize>,
+    pub max_constant_vector_len: u64,
 }
 
 /// Helper for a "canonical" verification of a module.
@@ -139,6 +142,8 @@ impl Default for VerifierConfig {
             max_fields_in_struct: None,
             // Max count of functions in a module
             max_function_definitions: None,
+            // Max len of vector constant
+            max_constant_vector_len: MAX_CONSTANT_VECTOR_LEN,
         }
     }
 }

language/move-core/types/src/vm_status.rs

@@ -608,6 +608,7 @@ pub enum StatusCode {
     MAX_FUNCTION_DEFINITIONS_REACHED = 1119,
     MAX_STRUCT_DEFINITIONS_REACHED = 1120,
     MAX_FIELD_DEFINITIONS_REACHED = 1121,
+    TOO_MANY_VECTOR_ELEMENTS = 1122,
 
     // These are errors that the VM might raise if a violation of internal
     // invariants takes place.

language/move-stdlib/src/natives/vector.rs

@@ -132,7 +132,11 @@ pub fn native_push_back(
 
     NativeResult::map_partial_vm_result_empty(
         native_gas_total_cost!(context, gas_left),
-        r.push_back(e, &ty_args[0]),
+        r.push_back(
+            e,
+            &ty_args[0],
+            context.runtime_limits_config().vector_len_max,
+        ),
     )
 }
 

language/move-stdlib/tests/move_unit_test.rs

@@ -32,7 +32,7 @@ fn run_tests_for_pkg(path_to_pkg: impl Into<String>, include_nursery_natives: bo
             install_dir: Some(tempdir().unwrap().path().to_path_buf()),
             ..Default::default()
         },
-        UnitTestingConfig::default_with_bound(Some(100_000)),
+        UnitTestingConfig::default_with_bound(Some(1_000_000_000)),
         natives,
         None,
         /* compute_coverage */ false,

language/move-stdlib/tests/vector_tests.move

@@ -539,4 +539,31 @@ module std::vector_tests {
         let v = vector[7];
         V::insert(&mut v, 6, 2);
     }
+
+    #[test]
+    fun size_limit_ok() {
+        let v = V::empty();
+        let i = 0;
+        // Limit is currently 1024 * 1024
+        let max_len = 1024 * 1024;
+
+        while (i < max_len) {
+            V::push_back(&mut v, i);
+            i = i + 1;
+        };
+    }
+
+    #[test]
+    #[expected_failure(vector_error, minor_status = 4, location = Self)]
+    fun size_limit_fail() {
+        let v = V::empty();
+        let i = 0;
+        // Limit is currently 1024 * 1024
+        let max_len = 1024 * 1024 + 1;
+
+        while (i < max_len) {
+            V::push_back(&mut v, i);
+            i = i + 1;
+        };
+    }
 }

language/move-vm/runtime/src/config.rs

@@ -2,7 +2,7 @@
 // SPDX-License-Identifier: Apache-2.0
 
 use move_binary_format::file_format_common::VERSION_MAX;
-use move_bytecode_verifier::VerifierConfig;
+use move_bytecode_verifier::{verifier::MAX_CONSTANT_VECTOR_LEN, VerifierConfig};
 
 /// Dynamic config options for the Move VM.
 pub struct VMConfig {
@@ -11,6 +11,7 @@ pub struct VMConfig {
     // When this flag is set to true, MoveVM will perform type check at every instruction
     // execution to ensure that type safety cannot be violated at runtime.
     pub paranoid_type_checks: bool,
+    pub runtime_limits_config: VMRuntimeLimitsConfig,
 }
 
 impl Default for VMConfig {
@@ -19,6 +20,20 @@ impl Default for VMConfig {
             verifier: VerifierConfig::default(),
             max_binary_format_version: VERSION_MAX,
             paranoid_type_checks: false,
+            runtime_limits_config: VMRuntimeLimitsConfig::default(),
+        }
+    }
+}
+
+#[derive(Clone, Debug)]
+pub struct VMRuntimeLimitsConfig {
+    /// Maximum number of items that can be pushed into a vec
+    pub vector_len_max: u64,
+}
+impl Default for VMRuntimeLimitsConfig {
+    fn default() -> Self {
+        Self {
+            vector_len_max: MAX_CONSTANT_VECTOR_LEN,
         }
     }
 }