Merge pull request #316 from White-Whale-Defi-Platform/fix/wasmvm-sec…

…urity-patch Fix/wasmvm security patch
White-Whale-Defi-Platform · Jan 18, 2024 · 3d84f9a · 3d84f9a
2 parents dec2b3d + 6865377
commit 3d84f9a
Show file tree

Hide file tree

Showing 17 changed files with 702 additions and 13 deletions.
diff --git a/.gitignore b/.gitignore
@@ -8,4 +8,5 @@ mytestnet
 data
 screenlog.0
 _build
-.idea
+.idea
+build 
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.19-alpine AS go-builder
+FROM golang:1.21-alpine AS go-builder
 
 # this comes from standard alpine nightly file
 #  https://github.com/rust-lang/docker-rust-nightly/blob/master/alpine3.12/Dockerfile
@@ -14,11 +14,13 @@ RUN apk add --no-cache ca-certificates build-base git
 WORKDIR /code
 COPY . /code/
 
-# See https://github.com/CosmWasm/wasmvm/releases
-ADD https://github.com/CosmWasm/wasmvm/releases/download/v1.2.1/libwasmvm_muslc.aarch64.a /lib/libwasmvm_muslc.aarch64.a
-ADD https://github.com/CosmWasm/wasmvm/releases/download/v1.2.1/libwasmvm_muslc.x86_64.a /lib/libwasmvm_muslc.x86_64.a
-RUN sha256sum /lib/libwasmvm_muslc.aarch64.a | grep 86bc5fdc0f01201481c36e17cd3dfed6e9650d22e1c5c8983a5b78c231789ee0
-RUN sha256sum /lib/libwasmvm_muslc.x86_64.a | grep a00700aa19f5bfe0f46290ddf69bf51eb03a6dfcd88b905e1081af2e42dbbafc
+# See https://github.com/CosmWasm/wasmvm/releases 
+ADD https://github.com/CosmWasm/wasmvm/releases/download/v1.5.0/libwasmvm_muslc.aarch64.a /lib/libwasmvm_muslc.aarch64.a
+ADD https://github.com/CosmWasm/wasmvm/releases/download/v1.5.0/libwasmvm_muslc.x86_64.a /lib/libwasmvm_muslc.x86_64.a
+
+# TODO: add checksums later
+# RUN sha256sum /lib/libwasmvm_muslc.aarch64.a | grep 86bc5fdc0f01201481c36e17cd3dfed6e9650d22e1c5c8983a5b78c231789ee0
+# RUN sha256sum /lib/libwasmvm_muslc.x86_64.a | grep a00700aa19f5bfe0f46290ddf69bf51eb03a6dfcd88b905e1081af2e42dbbafc
 
 # Copy the library you want to the final location that will be found by the linker flag `-lwasmvm_muslc`
 RUN cp "/lib/libwasmvm_muslc.$(uname -m).a" /lib/libwasmvm_muslc.a

diff --git a/Makefile b/Makefile
@@ -7,6 +7,9 @@ APP_DIR = ./app
 BINDIR ?= ~/go/bin
 RUNSIM  = $(BINDIR)/runsim
 BINARY ?= migalood
+MIGALOO_ENV_V3 ?= $(CURDIR)/contrib/v3
+BUILDDIR ?= $(CURDIR)/build
+
 
 ifeq (,$(VERSION))
   VERSION := $(shell git describe --tags)
@@ -26,6 +29,10 @@ HTTPS_GIT := https://github.com/White-Whale-Defi-Platform/migaloo-chain.git
 
 export GO111MODULE = on
 
+TESTNET_NVAL := $(if $(TESTNET_NVAL),$(TESTNET_NVAL),6)
+TESTNET_CHAINID := $(if $(TESTNET_CHAINID),$(TESTNET_CHAINID),migaloo-1)
+
+
 # process build tags
 
 build_tags = netgo
@@ -240,3 +247,53 @@ proto-format:
 	@echo "Formatting Protobuf files"
 	@if docker ps -a --format '{{.Names}}' | grep -Eq "^${containerProtoFmt}$$"; then docker start -a $(containerProtoFmt); else docker run --name $(containerProtoFmt) -v $(CURDIR):/workspace --workdir /workspace tendermintdev/docker-build-proto \
 		find ./ -not -path "./third_party/*" -name "*.proto" -exec clang-format -i {} \; ; fi
+
+
+
+
+###############################################################################
+###                                Localnet                                 ###
+###############################################################################
+
+build-linux:
+	mkdir -p $(BUILDDIR)
+	@if [ -z "$(docker images -q migalood 2> /dev/null)" ]; then \
+		docker build --platform linux/amd64 --tag migalood ./; \
+	fi
+	docker create --platform limux/amd64 --name temp migalood:latest 
+	docker cp temp:/usr/bin/migalood $(BUILDDIR)/
+	docker rm temp
+
+
+localnet-start: localnet-stop
+	@if ! [ -f build/node0/$(BINARY)/config/genesis.json ]; then docker run --rm -v $(CURDIR)/build:/migaloo:Z migalood testnet init-files --chain-id ${TESTNET_CHAINID} --v ${TESTNET_NVAL} -o /migaloo --keyring-backend=test --starting-ip-address 192.168.10.2; fi
+
+
+localnet-stop:
+	docker-compose down
+	rm -rf build/node*
+	rm -rf build/gentxs.
+###############################################################################
+###                                Upgrade                                 ###
+###############################################################################
+build-cosmovisor-linux:
+	@if [ -z "$(docker images -q migaloo/migaloo.cosmovisor-binary 2> /dev/null)" ]; then \
+		$(MAKE) -C contrib/updates build-cosmovisor-linux BUILDDIR=$(BUILDDIR); \
+	fi
+
+build-migalood-env:
+	@if [ -z "$(docker images -q migaloo/migalood-upgrade-env 2> /dev/null)" ]; then \
+		$(MAKE) -C contrib/migalood-env migalood-upgrade-env; \
+	fi
+
+## Presiquites: build-cosmovisor-linux build-linux build-migalood-env 
+localnet-start-upgrade: localnet-upgrade-stop build-linux build-cosmovisor-linux build-migalood-env
+	bash contrib/updates/prepare_cosmovisor.sh $(BUILDDIR) ${TESTNET_NVAL} ${TESTNET_CHAINID}
+	docker-compose -f ./contrib/updates/docker-compose.yml up
+	@./contrib/updates/upgrade-test.sh
+	$(MAKE) localnet-upgrade-stop
+
+localnet-upgrade-stop:
+	docker-compose -f contrib/updates/docker-compose.yml down
+	rm -rf build/node*
+	rm -rf build/gentxs.
diff --git a/contrib/migalood-env/Dockerfile b/contrib/migalood-env/Dockerfile
@@ -0,0 +1,16 @@
+FROM ubuntu:18.04
+
+RUN apt-get update && \
+  apt-get -y upgrade && \
+  apt-get -y install curl jq file
+
+ARG entrypoint=entrypoint.sh
+
+VOLUME /migalood
+WORKDIR /migalood
+EXPOSE 26656 26657
+ENTRYPOINT ["/usr/bin/entrypoint.sh"]
+CMD ["start", "--log_format", "plain", "--p2p.seeds", ""]
+STOPSIGNAL SIGTERM
+
+COPY ${entrypoint} /usr/bin/entrypoint.sh
diff --git a/contrib/migalood-env/Makefile b/contrib/migalood-env/Makefile
@@ -0,0 +1,6 @@
+all: migalood-upgrade-env
+
+migalood-upgrade-env:
+	docker build --platform linux/amd64 --no-cache --build-arg entrypoint=cosmovisor-entrypoint.sh --tag migaloo/migalood-upgrade-env .
+
+.PHONY: all migalood-upgrade-env
diff --git a/contrib/migalood-env/cosmovisor-entrypoint.sh b/contrib/migalood-env/cosmovisor-entrypoint.sh
@@ -0,0 +1,25 @@
+#!/usr/bin/env sh
+
+BINARY=/migalood/${BINARY:-cosmovisor}
+ID=${ID:-0}
+LOG=${LOG:-migalood.log}
+
+if ! [ -f "${BINARY}" ]; then
+	echo "The binary $(basename "${BINARY}") cannot be found. Please add the binary to the shared folder. Please use the BINARY environment variable if the name of the binary is not 'migalood'"
+	exit 1
+fi
+
+BINARY_CHECK="$(file "$BINARY" | grep 'ELF 64-bit LSB executable, x86-64')"
+
+if [ -z "${BINARY_CHECK}" ]; then
+	echo "Binary needs to be OS linux, ARCH amd64"
+	exit 1
+fi
+
+export MIGALOOD_HOME="/migalood/node${ID}/migalood"
+
+if [ -d "$(dirname "${MIGALOOD_HOME}"/"${LOG}")" ]; then
+    "${BINARY}" run "$@" --home "${MIGALOOD_HOME}" | tee "${MIGALOOD_HOME}/${LOG}"
+else
+    "${BINARY}" run "$@" --home "${MIGALOOD_HOME}"
+fi
diff --git a/contrib/updates/Dockerfile.cosmovisor b/contrib/updates/Dockerfile.cosmovisor
@@ -0,0 +1,8 @@
+FROM golang:1.20-alpine
+
+RUN set -eux; apk add --no-cache ca-certificates build-base;
+
+# make cosmovisor statically linked
+RUN go install -ldflags '-w -s -linkmode=external -extldflags "-Wl,-z,muldefs -static"' -trimpath cosmossdk.io/tools/cosmovisor/cmd/cosmovisor@latest
+
+ENTRYPOINT [ "/bin/sh" ]
diff --git a/contrib/updates/Makefile b/contrib/updates/Makefile
@@ -0,0 +1,10 @@
+all: build-cosmovisor-linux
+
+build-cosmovisor-linux:
+	mkdir -p $(BUILDDIR)
+	docker build --platform linux/amd64 --no-cache --tag migaloo/migaloo.cosmovisor-binary --file Dockerfile.cosmovisor .
+	docker create --platform linux/amd64 --name temp migaloo/migaloo.cosmovisor-binary:latest
+	docker cp temp:/go/bin/cosmovisor $(BUILDDIR)/
+	docker rm temp
+
+.PHONY: all build-cosmovisor-linux
diff --git a/contrib/updates/docker-compose.yml b/contrib/updates/docker-compose.yml
@@ -0,0 +1,125 @@
+version: '3'
+
+services:
+  migaloodnode0:
+    container_name: migaloodnode0
+    platform: linux/amd64
+    image: "migaloo/migalood-upgrade-env"
+    ports:
+      - "9090:9090"
+      - "26656-26657:26656-26657"
+    environment:
+      - ID=0
+      - LOG=migalood.log
+      - DAEMON_HOME=/migalood/node0/migalood
+      - DAEMON_NAME=migalood
+      - DAEMON_RESTART_AFTER_UPGRADE=true
+    volumes:
+      - ../../build:/migalood:Z
+    networks:
+      localnet:
+        ipv4_address: 192.168.10.2
+
+  migaloodnode1:
+    container_name: migaloodnode1
+    platform: linux/amd64
+    image: "migaloo/migalood-upgrade-env"
+    ports:
+      - "9091:9090"
+      - "26659-26660:26656-26657"
+    environment:
+      - ID=1
+      - LOG=migalood.log
+      - DAEMON_HOME=/migalood/node1/migalood
+      - DAEMON_NAME=migalood
+      - DAEMON_RESTART_AFTER_UPGRADE=true
+    volumes:
+      - ../../build:/migalood:Z
+    networks:
+      localnet:
+        ipv4_address: 192.168.10.3
+
+  migaloodnode2:
+    container_name: migaloodnode2
+    platform: linux/amd64
+    image: "migaloo/migalood-upgrade-env"
+    environment:
+      - ID=2
+      - LOG=migalood.log
+      - DAEMON_HOME=/migalood/node2/migalood
+      - DAEMON_NAME=migalood
+      - DAEMON_RESTART_AFTER_UPGRADE=true
+    ports:
+      - "9092:9090"
+      - "26661-26662:26656-26657"
+    volumes:
+      - ../../build:/migalood:Z
+    networks:
+      localnet:
+        ipv4_address: 192.168.10.4
+
+  migaloodnode3:
+    container_name: migaloodnode3
+    platform: linux/amd64
+    image: "migaloo/migalood-upgrade-env"
+    environment:
+      - ID=3
+      - LOG=migalood.log
+      - DAEMON_HOME=/migalood/node3/migalood
+      - DAEMON_NAME=migalood
+      - DAEMON_RESTART_AFTER_UPGRADE=true
+    ports:
+      - "9093:9090"
+      - "26663-26664:26656-26657"
+    volumes:
+      - ../../build:/migalood:Z
+    networks:
+      localnet:
+        ipv4_address: 192.168.10.5
+
+  migaloodnode4:
+    container_name: migaloodnode4
+    platform: linux/amd64
+    image: "migaloo/migalood-upgrade-env"
+    environment:
+      - ID=4
+      - LOG=migalood.log
+      - DAEMON_HOME=/migalood/node4/migalood
+      - DAEMON_NAME=migalood
+      - DAEMON_RESTART_AFTER_UPGRADE=true
+    ports:
+      - "9094:9090"
+      - "26665-26666:26656-26657"
+    volumes:
+      - ../../build:/migalood:Z
+    networks:
+      localnet:
+        ipv4_address: 192.168.10.6
+
+  migaloodnode5:
+    container_name: migaloodnode5
+    platform: linux/amd64
+    image: "migaloo/migalood-upgrade-env"
+    environment:
+      - ID=5
+      - LOG=migalood.log
+      - DAEMON_HOME=/migalood/node5/migalood
+      - DAEMON_NAME=migalood
+      - DAEMON_RESTART_AFTER_UPGRADE=true
+    ports:
+      - "9095:9090"
+      - "26667-26668:26656-26657"
+    volumes:
+      - ../../build:/migalood:Z
+    networks:
+      localnet:
+        ipv4_address: 192.168.10.7
+
+networks:
+  localnet:
+    driver: bridge
+    ipam:
+      driver: default
+      config:
+      -
+        subnet: 192.168.10.0/16
diff --git a/contrib/updates/prepare_cosmovisor.sh b/contrib/updates/prepare_cosmovisor.sh
@@ -0,0 +1,68 @@
+#!/bin/bash
+
+# this bash will prepare cosmosvisor to the build folder so that it can perform upgrade
+# this script is supposed to be run by Makefile
+
+# These fields should be fetched automatically in the future
+# Need to do more upgrade to see upgrade patterns
+OLD_VERSION=v3.0.4
+# this command will retrieve the folder with the largest number in format v<number>
+SOFTWARE_UPGRADE_NAME="v4.1.0"
+BUILDDIR=$1
+TESTNET_NVAL=$2
+TESTNET_CHAINID=$3
+
+# check if BUILDDIR is set
+if [ -z "$BUILDDIR" ]; then
+    echo "BUILDDIR is not set"
+    exit 1
+fi
+
+# install old binary if not exist
+if [ ! -f "_build/$OLD_VERSION.zip" ] &> /dev/null
+then
+    mkdir -p _build/old
+    wget -c "https://github.com/White-Whale-Defi-Platform/migaloo-chain/archive/refs/tags/${OLD_VERSION}.zip" -O _build/${OLD_VERSION}.zip
+    unzip _build/${OLD_VERSION}.zip -d _build
+fi
+
+
+if [ ! -f "$BUILDDIR/old/migalood" ] &> /dev/null
+then
+    mkdir -p BUILDDIR/old
+    if [ ! "$(docker images -q migaloo/migalood.binary.old 2> /dev/null)" ]; then
+        docker build --platform linux/amd64 --no-cache --build-arg source=./_build/migaloo-chain-${OLD_VERSION:1}/ --tag migaloo/migalood.binary.old ./_build/migaloo-chain-${OLD_VERSION:1}
+    fi
+    docker create --platform linux/amd64 --name old-temp migaloo/migalood.binary.old:latest
+    mkdir -p $BUILDDIR/old
+    docker cp old-temp:/usr/bin/migalood $BUILDDIR/old/
+    docker rm old-temp
+fi
+
+
+# prepare cosmovisor config in TESTNET_NVAL nodes
+if [ ! -f "$BUILDDIR/node0/migalood/config/genesis.json" ]; then docker run --rm \
+    -v $BUILDDIR:/migalood:Z \
+    --platform linux/amd64 \
+    --entrypoint /migalood/old/migalood \
+    migaloo/migalood-upgrade-env testnet init-files --v $TESTNET_NVAL --chain-id $TESTNET_CHAINID -o . --starting-ip-address 192.168.10.2 --minimum-gas-prices "0stake" --node-daemon-home migalood --keyring-backend=test --home=temp; \
+fi
+
+for (( i=0; i<$TESTNET_NVAL; i++ )); do
+    CURRENT=$BUILDDIR/node$i/migalood
+
+    # change gov params voting_period
+    jq '.app_state.gov.voting_params.voting_period = "50s"' $CURRENT/config/genesis.json > $CURRENT/config/genesis.json.tmp && mv $CURRENT/config/genesis.json.tmp $CURRENT/config/genesis.json
+
+    docker run --rm \
+        -v $BUILDDIR:/migalood:Z \
+        -e DAEMON_HOME=/migalood/node$i/migalood \
+        -e DAEMON_NAME=migalood \
+        -e DAEMON_RESTART_AFTER_UPGRADE=true \
+        --entrypoint /migalood/cosmovisor \
+        --platform linux/amd64 \
+        migaloo/migalood-upgrade-env init /migalood/old/migalood
+    mkdir -p $CURRENT/cosmovisor/upgrades/$SOFTWARE_UPGRADE_NAME/bin
+    cp $BUILDDIR/migalood $CURRENT/cosmovisor/upgrades/$SOFTWARE_UPGRADE_NAME/bin
+    touch $CURRENT/cosmovisor/upgrades/$SOFTWARE_UPGRADE_NAME/upgrade-info.json
+done
-Original file line number
+Diff line change
@@ Expand Up / @@ -8,4 +8,5 @@ mytestnet @@
     data
     screenlog.0
     _build
-    .idea
+    .idea
+    build