From 1ab275573fcdea8d544b5fc78a8f5a0f5286497f Mon Sep 17 00:00:00 2001 From: Vladislav Volosnikov Date: Wed, 4 Dec 2024 13:54:22 +0100 Subject: [PATCH] fix(EVM): Do not check memory boundaries if size is zero (#1114) --- system-contracts/contracts/EvmEmulator.yul | 84 ++++++++++++------- .../EvmEmulatorFunctions.template.yul | 8 +- .../evm-emulator/EvmEmulatorLoop.template.yul | 34 +++++--- 3 files changed, 81 insertions(+), 45 deletions(-) diff --git a/system-contracts/contracts/EvmEmulator.yul b/system-contracts/contracts/EvmEmulator.yul index a966924bb..968ab3b38 100644 --- a/system-contracts/contracts/EvmEmulator.yul +++ b/system-contracts/contracts/EvmEmulator.yul @@ -280,10 +280,12 @@ object "EvmEmulator" { } function checkMemIsAccessible(relativeOffset, size) { - checkOverflow(relativeOffset, size) + if size { + checkOverflow(relativeOffset, size) - if gt(add(relativeOffset, size), MAX_POSSIBLE_MEM_LEN()) { - panic() + if gt(add(relativeOffset, size), MAX_POSSIBLE_MEM_LEN()) { + panic() + } } } @@ -2676,14 +2678,17 @@ object "EvmEmulator" { offset, sp, stackHead := popStackItemWithoutCheck(sp, stackHead) size, sp, stackHead := popStackItemWithoutCheck(sp, stackHead) - checkMemIsAccessible(offset, size) + if size { + checkMemIsAccessible(offset, size) - evmGasLeft := chargeGas(evmGasLeft, expandMemory(offset, size)) + evmGasLeft := chargeGas(evmGasLeft, expandMemory(offset, size)) + + returnLen := size + + // Don't check overflow here since previous checks are enough to ensure this is safe + returnOffset := add(MEM_OFFSET(), offset) + } - returnLen := size - - // Don't check overflow here since previous checks are enough to ensure this is safe - returnOffset := add(MEM_OFFSET(), offset) break } case 0xF4 { // OP_DELEGATECALL @@ -2710,12 +2715,19 @@ object "EvmEmulator" { popStackCheck(sp, 2) offset, sp, stackHead := popStackItemWithoutCheck(sp, stackHead) size, sp, stackHead := popStackItemWithoutCheck(sp, stackHead) - - checkMemIsAccessible(offset, size) - evmGasLeft := chargeGas(evmGasLeft, expandMemory(offset, size)) - - // Don't check overflow here since previous checks are enough to ensure this is safe - offset := add(offset, MEM_OFFSET()) + + switch iszero(size) + case 0 { + checkMemIsAccessible(offset, size) + evmGasLeft := chargeGas(evmGasLeft, expandMemory(offset, size)) + + // Don't check overflow here since previous checks are enough to ensure this is safe + offset := add(offset, MEM_OFFSET()) + } + default { + offset := MEM_OFFSET() + } + if eq(isCallerEVM, 1) { offset := sub(offset, 32) @@ -3340,10 +3352,12 @@ object "EvmEmulator" { } function checkMemIsAccessible(relativeOffset, size) { - checkOverflow(relativeOffset, size) + if size { + checkOverflow(relativeOffset, size) - if gt(add(relativeOffset, size), MAX_POSSIBLE_MEM_LEN()) { - panic() + if gt(add(relativeOffset, size), MAX_POSSIBLE_MEM_LEN()) { + panic() + } } } @@ -5736,14 +5750,17 @@ object "EvmEmulator" { offset, sp, stackHead := popStackItemWithoutCheck(sp, stackHead) size, sp, stackHead := popStackItemWithoutCheck(sp, stackHead) - checkMemIsAccessible(offset, size) + if size { + checkMemIsAccessible(offset, size) - evmGasLeft := chargeGas(evmGasLeft, expandMemory(offset, size)) + evmGasLeft := chargeGas(evmGasLeft, expandMemory(offset, size)) + + returnLen := size + + // Don't check overflow here since previous checks are enough to ensure this is safe + returnOffset := add(MEM_OFFSET(), offset) + } - returnLen := size - - // Don't check overflow here since previous checks are enough to ensure this is safe - returnOffset := add(MEM_OFFSET(), offset) break } case 0xF4 { // OP_DELEGATECALL @@ -5770,12 +5787,19 @@ object "EvmEmulator" { popStackCheck(sp, 2) offset, sp, stackHead := popStackItemWithoutCheck(sp, stackHead) size, sp, stackHead := popStackItemWithoutCheck(sp, stackHead) - - checkMemIsAccessible(offset, size) - evmGasLeft := chargeGas(evmGasLeft, expandMemory(offset, size)) - - // Don't check overflow here since previous checks are enough to ensure this is safe - offset := add(offset, MEM_OFFSET()) + + switch iszero(size) + case 0 { + checkMemIsAccessible(offset, size) + evmGasLeft := chargeGas(evmGasLeft, expandMemory(offset, size)) + + // Don't check overflow here since previous checks are enough to ensure this is safe + offset := add(offset, MEM_OFFSET()) + } + default { + offset := MEM_OFFSET() + } + if eq(isCallerEVM, 1) { offset := sub(offset, 32) diff --git a/system-contracts/evm-emulator/EvmEmulatorFunctions.template.yul b/system-contracts/evm-emulator/EvmEmulatorFunctions.template.yul index bd62c2600..345e13b82 100644 --- a/system-contracts/evm-emulator/EvmEmulatorFunctions.template.yul +++ b/system-contracts/evm-emulator/EvmEmulatorFunctions.template.yul @@ -218,10 +218,12 @@ function expandMemory2(retOffset, retSize, argsOffset, argsSize) -> maxExpand { } function checkMemIsAccessible(relativeOffset, size) { - checkOverflow(relativeOffset, size) + if size { + checkOverflow(relativeOffset, size) - if gt(add(relativeOffset, size), MAX_POSSIBLE_MEM_LEN()) { - panic() + if gt(add(relativeOffset, size), MAX_POSSIBLE_MEM_LEN()) { + panic() + } } } diff --git a/system-contracts/evm-emulator/EvmEmulatorLoop.template.yul b/system-contracts/evm-emulator/EvmEmulatorLoop.template.yul index c1ba325c1..4b817b149 100644 --- a/system-contracts/evm-emulator/EvmEmulatorLoop.template.yul +++ b/system-contracts/evm-emulator/EvmEmulatorLoop.template.yul @@ -1454,14 +1454,17 @@ for { } true { } { offset, sp, stackHead := popStackItemWithoutCheck(sp, stackHead) size, sp, stackHead := popStackItemWithoutCheck(sp, stackHead) - checkMemIsAccessible(offset, size) + if size { + checkMemIsAccessible(offset, size) - evmGasLeft := chargeGas(evmGasLeft, expandMemory(offset, size)) + evmGasLeft := chargeGas(evmGasLeft, expandMemory(offset, size)) + + returnLen := size + + // Don't check overflow here since previous checks are enough to ensure this is safe + returnOffset := add(MEM_OFFSET(), offset) + } - returnLen := size - - // Don't check overflow here since previous checks are enough to ensure this is safe - returnOffset := add(MEM_OFFSET(), offset) break } case 0xF4 { // OP_DELEGATECALL @@ -1488,12 +1491,19 @@ for { } true { } { popStackCheck(sp, 2) offset, sp, stackHead := popStackItemWithoutCheck(sp, stackHead) size, sp, stackHead := popStackItemWithoutCheck(sp, stackHead) - - checkMemIsAccessible(offset, size) - evmGasLeft := chargeGas(evmGasLeft, expandMemory(offset, size)) - - // Don't check overflow here since previous checks are enough to ensure this is safe - offset := add(offset, MEM_OFFSET()) + + switch iszero(size) + case 0 { + checkMemIsAccessible(offset, size) + evmGasLeft := chargeGas(evmGasLeft, expandMemory(offset, size)) + + // Don't check overflow here since previous checks are enough to ensure this is safe + offset := add(offset, MEM_OFFSET()) + } + default { + offset := MEM_OFFSET() + } + if eq(isCallerEVM, 1) { offset := sub(offset, 32)