Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Avoid reading out of buffer limits in readWordFromBytes #402

Closed
wants to merge 2 commits into from

Conversation

zoep
Copy link
Collaborator

@zoep zoep commented Oct 3, 2023

Description

It adds a check that avoids trying to read a word from a concrete buffer that goes beyond its address space.

Closes #401.

Checklist

  • tested locally
  • added automated tests
  • updated the docs
  • updated the changelog

@d-xo
Copy link
Collaborator

d-xo commented Oct 4, 2023

As discussed in chat: our smt encoding does not match geth (or even our own concrete semantics) if the index being read from memory is > 2^64. In this situation geth always returns zero (matching the behaviour of readWord on main, but our smt semantics will read data from any index.

The easiest short term fix is probably to constrain BufLength <= 2^64 for all buffers, and update readWord to return 0 for indexes greater than 2^64. longer term we might benefit from encoding bufs as an array with a 64 but address space.

msooseth

This comment was marked as outdated.

@msooseth
Copy link
Collaborator

msooseth commented Oct 9, 2023

Moving this comment to #401

@msooseth
Copy link
Collaborator

our smt encoding does not match geth (or even our own concrete semantics) if the index being read from memory is > 2^64. In this situation geth always returns zero

While that's true, geth's behaviour is basically undefined for such large idx. The behaviour mentioned above is guarded by a check that the idx is <2^64. When asked, the geth developers said that it doesn't deal with that large indexes, that's gas-out anyway. So I don't know if we should rely on geth's behaviour here.

This is related to #401 where this is explained in a bit more detail.

@msooseth
Copy link
Collaborator

This has finally been experimented with and partially fixed, with the fuzzer fix as the last resort. Closing.

@msooseth msooseth closed this Oct 23, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

ReadWord equivalence bug
3 participants