ZKVM-945: emu: validate address range before allocating to_guest vector #2713

Merged
merged 7 commits into from
Jan 14, 2025
Merged
10 changes: 9 additions & 1 deletion risc0/circuit/rv32im/src/prove/emu/addr.rs
@@ -1,4 +1,4 @@
// Copyright 2024 RISC Zero, Inc.
// Copyright 2025 RISC Zero, Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
Expand Down Expand Up @@ -52,6 +52,10 @@ impl ByteAddr {
pub fn wrapping_add(self, rhs: u32) -> Self {
Self(self.0.wrapping_add(rhs))
}

pub fn checked_add(self, rhs: u32) -> Option<Self> {
self.0.checked_add(rhs).map(Self)
}
}

impl WordAddr {
Expand All @@ -66,6 +70,10 @@ impl WordAddr {
pub fn page_idx(&self) -> u32 {
self.0 / PAGE_WORDS as u32
}

pub fn checked_add(self, rhs: u32) -> Option<Self> {
self.0.checked_add(rhs).map(Self)
}
}

impl fmt::Debug for ByteAddr {
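Review bot: The two new `checked_add` methods are public but carry no doc comment, and since both `ByteAddr` and `WordAddr` appear to wrap a `u32` (each does `self.0.checked_add(rhs)` with `rhs: u32`), nothing states what unit `rhs` is in for a helper that callers will feed guest-controlled lengths into. I would add `/// Adds `rhs` bytes, returning `None` instead of wrapping when the sum exceeds `u32::MAX`; prefer this over `wrapping_add` when `rhs` comes from the guest.` on `ByteAddr::checked_add`, and the same on `WordAddr::checked_add` with "words" in place of "bytes" (the unit is inferred from the type name — confirm against the rest of `addr.rs`). It is also worth saying that `Some` only means the arithmetic did not overflow: the result is still a raw address that has to go through the executor's guest-range check before it is used.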
13 changes: 10 additions & 3 deletions risc0/circuit/rv32im/src/prove/emu/exec/mod.rs
Do we need to make the same changes to the fork version of the executor?

Expand Up @@ -17,7 +17,7 @@ mod tests;

use std::{array, cell::RefCell, collections::BTreeSet, io::Cursor, mem, rc::Rc};

use anyhow::{bail, ensure, Result};
use anyhow::{anyhow, bail, ensure, Result};
use crypto_bigint::{CheckedMul as _, Encoding as _, NonZero, U256, U512};
use enum_map::{Enum, EnumMap};
use num_bigint::BigUint;
Expand Down Expand Up @@ -440,6 +440,14 @@ impl<'a, 'b, S: Syscall> Executor<'a, 'b, S> {
if into_guest_len > 0 && !is_guest_memory(into_guest_ptr.0) {
bail!("{into_guest_ptr:?} is an invalid guest address");
}

if into_guest_len > 0 && !into_guest_ptr.is_null() {
let end_addr = into_guest_ptr
.checked_add(into_guest_len as u32)
.ok_or_else(|| anyhow!("invalid guest address range"))?;
Self::check_guest_addr(end_addr)?;
}

let name_ptr = self.load_guest_addr_from_register(REG_A2)?;
let syscall_name = self.peek_string(name_ptr)?;
let name_end = name_ptr + syscall_name.len();
Expand Down Expand Up @@ -469,8 +477,7 @@ impl<'a, 'b, S: Syscall> Executor<'a, 'b, S> {
// The guest uses a null pointer to indicate that a transfer from host
// to guest is not needed.
if into_guest_len > 0 && !into_guest_ptr.is_null() {
Self::check_guest_addr(into_guest_ptr + into_guest_len)?;
self.store_region(into_guest_ptr, bytemuck::cast_slice(&syscall.to_guest))?
self.store_region(into_guest_ptr, bytemuck::cast_slice(&syscall.to_guest))?;
}

let (a0, a1) = syscall.regs;
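Review bot: `into_guest_len as u32` in the new `checked_add` call is a narrowing cast, so if `into_guest_len` (loaded outside this hunk, presumably as `usize`) ever held a value above `u32::MAX` the high bits would be dropped and the overflow check added here would accept a wrapped length; that is likely impossible today because the length comes from a 32-bit guest register, but the guard then rests on a load the reader cannot see from here. Replacing the cast with `u32::try_from(into_guest_len).map_err(|_| anyhow!("invalid guest address range"))?` makes the check self-contained at no cost. A short comment above the new block would also record why the end-address check moved ahead of the syscall dispatch, since the later `store_region` site no longer carries it: `// Validate [ptr, ptr + len) before the syscall runs so a guest-supplied length cannot drive an oversized to_guest allocation.` The enclosing syscall handler starts and ends outside the hunk.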
15 changes: 11 additions & 4 deletions risc0/zkvm/src/host/server/exec/syscall/fork.rs
@@ -1,4 +1,4 @@
// Copyright 2024 RISC Zero, Inc.
// Copyright 2025 RISC Zero, Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
Expand All @@ -14,7 +14,7 @@

use std::{cell::RefCell, rc::Rc};

use anyhow::{bail, Context as _, Result};
use anyhow::{anyhow, bail, Context as _, Result};
use risc0_circuit_rv32im::prove::emu::{
addr::{ByteAddr, WordAddr},
rv32im::{DecodedInstruction, EmuContext, Emulator, Instruction, TrapCause},
Expand Down Expand Up @@ -114,7 +114,15 @@ impl<'a, 'b> ChildExecutor<'a, 'b> {
if !is_guest_memory(into_guest_ptr.0) && !into_guest_ptr.is_null() {
bail!("{into_guest_ptr:?} is an invalid guest address");
}

let into_guest_len = EmuContext::load_register(self, REG_A1)? as usize;
if into_guest_len > 0 && !into_guest_ptr.is_null() {
let end_addr = into_guest_ptr
.checked_add(into_guest_len as u32)
.ok_or_else(|| anyhow!("invalid guest address range"))?;
Self::check_guest_addr(end_addr)?;
}

let name_ptr = self.load_guest_addr_from_register(REG_A2)?;
let syscall_name = self.load_string(name_ptr)?;
let name_end = name_ptr + syscall_name.len();
Expand All @@ -140,8 +148,7 @@ impl<'a, 'b> ChildExecutor<'a, 'b> {
// The guest uses a null pointer to indicate that a transfer from host
// to guest is not needed.
if !into_guest_ptr.is_null() {
Self::check_guest_addr(into_guest_ptr + into_guest_len)?;
self.store_region(into_guest_ptr, bytemuck::cast_slice(&into_guest))?
self.store_region(into_guest_ptr, bytemuck::cast_slice(&into_guest))?;
}

self.store_register(REG_A0, a0)?;
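Review bot: The register value is widened with `as usize` in the new `let into_guest_len = ...` line and then narrowed back with `as u32` three lines later inside the `checked_add` call; the round trip is lossless only because the value originates from a 32-bit register, and a narrowing `as` with no comment reads as if something could be lost. Keeping the `u32` and widening at the `usize` use sites (which lie outside this hunk) would remove the lossy-looking cast, or at minimum a comment at the `as u32`, `// loaded from a 32-bit register above, so this narrowing cannot truncate`, makes the invariant visible. Note also that the new guard requires `into_guest_len > 0` while the later `if !into_guest_ptr.is_null()` around `store_region` does not; that asymmetry predates this change, but the main executor's equivalent guard is `into_guest_len > 0 && !into_guest_ptr.is_null()`, so the two executors could be aligned while both are open. The enclosing function continues outside the hunk.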