Canister Output Queue Overflow Incident Retrospective - Tuesday July 12, 2022

ulan · July 14, 2022, 1:52pm

Summary

Due to a bug in the replica code a canister sending messages to the IC management canister could potentially overflow its output message queue and cause the replica to crash. Exploiting the bug would allow an attacker to stall any subnet. The bug is a recent regression introduced on 2022-05-16.

A new replica version proposed in proposal 69804 contains a fix for the bug.

Timeline

2022-07-07: A DFINITY engineer observes a crash on a testnet while stress testing ECDSA signatures.

2022-07-08: The team submits a proposal to disable ECDSA signing (69117) which is adopted.

2022-07-11: The team finds that the root cause is not specific to ECDSA and starts working on a fix.

2022-07-12 (All times in UTC):

12:00: The fix is ready.
12:42: Quiet period starts: Mirroring to the public github repository is disabled according to the IC’s security patch policy until the issue has been fixed.
14:23: The hotfix rollout process starts.
17:02: NNS proposal 69804 to elect new replica binary revision.
17:55: NNS proposal to upgrade subnet io67a.
19:30: NNS proposals to upgrade subnets shefu, 2fq7c, w4asl.
21:03: NNS proposals to upgrade subnets pjljw, x33ed, uzr34, snjp4, qxesv, gmq5v.

2022-07-13 (All times in UTC):

08:59: NNS proposals to upgrade subnets 4zbus, ejbmu, lspz2.
09:37: NNS proposals to upgrade subnets pae4o, 5kdm2, csyj4.
10:31: NNS proposals to upgrade subnets brlsh, cv73p, 4ecnw.
11:48: NNS proposals to upgrade subnets lhg73, opn46, 3hhby.
12:36: NNS proposals to upgrade subnets 6pbhf, e66qm, qdvhd, fuqsr.
13:14: NNS proposals to upgrade subnets k44fs, yinp6, mpubz, o3ow2.
14:25: NNS proposals to upgrade subnets w4rem, eq6en, jtdsg, nl6hn.
15:38: NNS proposal to upgrade subnets tdb26.
16:13: Quiet period ends and the github source for the elected replica version with the fix is now publicly available on github.

What went wrong

The bug slipped through the tests and code review.

Where did we get lucky?

The bug was found by a DFINITY engineer while stress testing ECDSA signatures.

What went right?

The rollout of the fix was smooth.

Action items

Add regression tests for cross-subnet IC management calls.

Technical details

Each subnet has its own IC management canister. However all of them share the same canister id: aaaaa-aa. This means that the receiver of an IC management message needs to be resolved based on the network topology and the message payload in order to push the message to the right output queue. Previously the resolution was done by the Wasm executor in the handler of ic0.call_perform(). This was inefficient and complex due to the dependency of the Wasm executor on network topology. A simplification change moved the receiver resolution out of the Wasm executor. This however broke the available message slot checks in ic0.call_perform() because the check started using aaaaa-aa as the canister id instead of the actual receiver. The hotfix adds proper handling of aaaaa-aa in ic0.call_perform().

Topic		Replies	Views
Issue on subnet jtdsg-3h6gi-hs7o5-z2soi-43w3z-soyl3-ajnp3-ekni5-sw553-5kw67-nqe General	4	638	April 14, 2022
Cycle Balance Underflow Incident Retrospective - Friday, April 1st Developers	3	1512	June 7, 2022
Voting is open for a new IC release - 669673d Governance replica , release	3	560	October 31, 2022
Cycles Bookkeeping Incident Retrospective - Friday, April 29th Developers	0	411	April 29, 2022
Cycles Bookkeeping Incident Retrospective - Thursday August 10, 2023 Developers	2	526	August 11, 2023