Fix silent value truncation in assembly import #15597
Conversation
| @@ -227,16 +239,19 @@ AssemblyItem Assembly::createAssemblyItemFromJSON(Json const& _json, std::vector | |||
| else if (name == "PUSH [tag]") | |||
| { | |||
| requireValueDefinedForInstruction(name, value); | |||
| requireValueInRange(name, value, 0, std::numeric_limits<unsigned>::max()); | |||
There was a problem hiding this comment.
I'm not 100% sure unsigned is the right type here. We convert the value to this type in many places, including when generating the bytecode so it seems to me that higher values cannot work, but there's one bit of code that seems to contradict it:
solidity/libevmasm/AssemblyItem.cpp
Lines 52 to 70 in 1cce974
toSubAssemblyTag() and splitForeignPushTag() apparently expect the value to be u256 with the tag stored in the lower 64 bits. Not sure how to square that with the rest of the code. Is that structure used only temporarily, never reaching the assembling stage?
| result = {AssemblyItemType::PushTag, updateUsedTags(u256(value))}; | ||
| } | ||
| else if (name == "PUSH [$]") | ||
| { | ||
| requireValueDefinedForInstruction(name, value); | ||
| requireValueInRange(name, "0x" + value, 0, std::numeric_limits<size_t>::max()); |
There was a problem hiding this comment.
We really shouldn't be using platform-dependent types here, like unsigned or size_t. This means that validation ranges are platform-dependent too.
There was a problem hiding this comment.
I'm only including tests for invalid values, because I didn't get very far testing valid ones. Things get very broken when you try to use very high values that are still in the allowed range. For example using large tag values results in random segfaults. I don't think anyone ever properly considered the corner cases and I suspect that things only work properly when we're far from the limits of the default integer type (regardless of which type various fields claim to need). We should clean up this mess some day.
… truncate the value
cameel
force-pushed
the
fix-value-truncation-in-evmasm-import
branch
from
2c3935e to
0564aa8
Compare
github-actions
bot
added
the
stale
cameel
removed
the
stale
|
This pull request is stale because it has been open for 14 days with no activity. |
github-actions
bot
added
the
stale
cameel
removed
the
stale
While doing #15596 I noticed that the validation against using PUSH with more than 32 bytes does not get triggered in assembly import. Turns out that this is because the import code blindly converts the
valuefield tou256, truncating it if it's too long. This happens for several other assembly item types as well.Validations for assembly import are generally a mess, but the PR does not attempt to clean that up. It only adds rough checks that should be enough to disallow cases affected by the truncation bug.