From 5db2a306c2e8fbbb104fe09881e585ce5439d61b Mon Sep 17 00:00:00 2001
From: Vladislav Volosnikov
Date: Wed, 27 Nov 2024 17:31:58 +0100
Subject: [PATCH] fix(EVM): Fix stack overflow check (#1085)

---
 system-contracts/contracts/EvmEmulator.yul | 28 ++++++++-----------
 .../EvmEmulatorFunctions.template.yul | 14 ++++------
 2 files changed, 18 insertions(+), 24 deletions(-)

diff --git a/system-contracts/contracts/EvmEmulator.yul b/system-contracts/contracts/EvmEmulator.yul
index e4d7e98b5..cf7cfd1a9 100644
--- a/system-contracts/contracts/EvmEmulator.yul
+++ b/system-contracts/contracts/EvmEmulator.yul
@@ -132,8 +132,12 @@ object "EvmEmulator" {
 offset := add(LAST_RETURNDATA_SIZE_OFFSET(), 64)
 }
 
+ function MAX_STACK_SLOT_OFFSET() -> offset {
+ offset := add(STACK_OFFSET(), mul(1023, 32))
+ }
+
 function BYTECODE_LEN_OFFSET() -> offset {
- offset := add(STACK_OFFSET(), mul(1024, 32))
+ offset := add(MAX_STACK_SLOT_OFFSET(), 32)
 }
 
 function BYTECODE_OFFSET() -> offset {
@@ -507,7 +511,7 @@ object "EvmEmulator" {
 }
 
 function pushStackItem(sp, item, oldStackHead) -> newSp, stackHead {
- if iszero(lt(sp, BYTECODE_LEN_OFFSET())) {
+ if iszero(lt(sp, MAX_STACK_SLOT_OFFSET())) {
 panic()
 }
 
@@ -534,12 +538,6 @@ object "EvmEmulator" {
 }
 }
 
- function pushStackCheck(sp, numInputs) {
- if iszero(lt(add(sp, mul(0x20, sub(numInputs, 1))), BYTECODE_LEN_OFFSET())) {
- panic()
- }
- }
-
 function accessStackHead(sp, stackHead) -> value {
 if lt(sp, STACK_OFFSET()) {
 panic()
@@ -3155,8 +3153,12 @@ object "EvmEmulator" {
 offset := add(LAST_RETURNDATA_SIZE_OFFSET(), 64)
 }
 
+ function MAX_STACK_SLOT_OFFSET() -> offset {
+ offset := add(STACK_OFFSET(), mul(1023, 32))
+ }
+
 function BYTECODE_LEN_OFFSET() -> offset {
- offset := add(STACK_OFFSET(), mul(1024, 32))
+ offset := add(MAX_STACK_SLOT_OFFSET(), 32)
 }
 
 function BYTECODE_OFFSET() -> offset {
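Review bot: `MAX_STACK_SLOT_OFFSET()` is built from the bare literals `1023` and `32` with no comment saying that it is the address of the last usable stack slot, which is the fact the overflow check in `pushStackItem` now depends on. I would add `// Address of the last of the 1024 stack slots (index 1023); the next word is BYTECODE_LEN_OFFSET.` above the function. The rewritten `BYTECODE_LEN_OFFSET()` still evaluates to `STACK_OFFSET() + 1024 * 32`, so the memory layout does not move. The same hunk repeats at `@@ -3155` and in the template at `@@ -70`; the comment belongs in the template, since both copies in `EvmEmulator.yul` look generated from it.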
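Review bot: The invariant behind the new bound in `pushStackItem` is not written down: comparing `sp` with `MAX_STACK_SLOT_OFFSET()` is only right if `sp` is the address of the current top item and the push writes at `sp + 32`, and the function body runs past the end of this hunk, so that cannot be confirmed from here. If that reading holds, the old comparison against `BYTECODE_LEN_OFFSET()` let a push on a full stack write into the bytecode-length word. I would add `// sp addresses the current top item; the push writes to sp + 32, which must stay <= MAX_STACK_SLOT_OFFSET()` above the check, and a regression test in which the 1024th push succeeds and the 1025th panics. `pushStackCheck` is deleted in the same commit (`@@ -534`), so it is worth confirming that every other path that grows the stack carries an equivalent bound. The hunk repeats at `@@ -3530` and in the template at `@@ -445`.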
@@ -3530,7 +3532,7 @@ object "EvmEmulator" {
 }
 
 function pushStackItem(sp, item, oldStackHead) -> newSp, stackHead {
- if iszero(lt(sp, BYTECODE_LEN_OFFSET())) {
+ if iszero(lt(sp, MAX_STACK_SLOT_OFFSET())) {
 panic()
 }
 
@@ -3557,12 +3559,6 @@ object "EvmEmulator" {
 }
 }
 
- function pushStackCheck(sp, numInputs) {
- if iszero(lt(add(sp, mul(0x20, sub(numInputs, 1))), BYTECODE_LEN_OFFSET())) {
- panic()
- }
- }
-
 function accessStackHead(sp, stackHead) -> value {
 if lt(sp, STACK_OFFSET()) {
 panic()
diff --git a/system-contracts/evm-emulator/EvmEmulatorFunctions.template.yul b/system-contracts/evm-emulator/EvmEmulatorFunctions.template.yul
index 96d0df147..e58879762 100644
--- a/system-contracts/evm-emulator/EvmEmulatorFunctions.template.yul
+++ b/system-contracts/evm-emulator/EvmEmulatorFunctions.template.yul
@@ -70,8 +70,12 @@ function STACK_OFFSET() -> offset {
 offset := add(LAST_RETURNDATA_SIZE_OFFSET(), 64)
 }
 
+function MAX_STACK_SLOT_OFFSET() -> offset {
+ offset := add(STACK_OFFSET(), mul(1023, 32))
+}
+
 function BYTECODE_LEN_OFFSET() -> offset {
- offset := add(STACK_OFFSET(), mul(1024, 32))
+ offset := add(MAX_STACK_SLOT_OFFSET(), 32)
 }
 
 function BYTECODE_OFFSET() -> offset {
@@ -445,7 +449,7 @@ function popStackItem(sp, oldStackHead) -> a, newSp, stackHead {
 }
 
 function pushStackItem(sp, item, oldStackHead) -> newSp, stackHead {
- if iszero(lt(sp, BYTECODE_LEN_OFFSET())) {
+ if iszero(lt(sp, MAX_STACK_SLOT_OFFSET())) {
 panic()
 }
 
@@ -472,12 +476,6 @@ function popStackCheck(sp, numInputs) {
 }
 }
 
-function pushStackCheck(sp, numInputs) {
- if iszero(lt(add(sp, mul(0x20, sub(numInputs, 1))), BYTECODE_LEN_OFFSET())) {
- panic()
- }
-}
-
 function accessStackHead(sp, stackHead) -> value {
 if lt(sp, STACK_OFFSET()) {
 panic()