
Commit

fix(EVM): Simplify and optimize out-of-bounds truncation in CODECOPY (
0xVolosnikov authored Dec 18, 2024
1 parent 9c9233e commit 5e4477e
Showing 2 changed files with 18 additions and 15 deletions.
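--- a/system-contracts/contracts/EvmEmulator.yul
+++ b/system-contracts/contracts/EvmEmulator.yul
@@ -1722,7 +1722,6 @@ object "EvmEmulator" {
 ip := add(ip, 1)
 }
 case 0x39 { // OP_CODECOPY
-
 evmGasLeft := chargeGas(evmGasLeft, 3)
 
 let dstOffset, sourceOffset, len
@@ -1747,14 +1746,16 @@ object "EvmEmulator" {
 
 sourceOffset := add(sourceOffset, BYTECODE_OFFSET())
 
-if gt(sourceOffset, MEM_LEN_OFFSET()) {
-sourceOffset := MEM_LEN_OFFSET()
+let outOfBoundsOffset := add(BYTECODE_OFFSET(), mload(BYTECODE_LEN_OFFSET()))
+
+if gt(sourceOffset, outOfBoundsOffset) {
+sourceOffset := outOfBoundsOffset
 }
 
 // Check bytecode out-of-bounds access
 let truncatedLen := len
-if gt(add(sourceOffset, len), MEM_LEN_OFFSET()) {
-truncatedLen := sub(MEM_LEN_OFFSET(), sourceOffset) // truncate
+if gt(add(sourceOffset, len), outOfBoundsOffset) {
+truncatedLen := sub(outOfBoundsOffset, sourceOffset) // truncate
 $llvm_AlwaysInline_llvm$_memsetToZero(add(dstOffset, truncatedLen), sub(len, truncatedLen)) // pad with zeroes any out-of-bounds
 }
 
@@ -4846,7 +4847,6 @@ object "EvmEmulator" {
 ip := add(ip, 1)
 }
 case 0x39 { // OP_CODECOPY
-
 evmGasLeft := chargeGas(evmGasLeft, 3)
 
 let dstOffset, sourceOffset, len
@@ -4871,14 +4871,16 @@ object "EvmEmulator" {
 
 sourceOffset := add(sourceOffset, BYTECODE_OFFSET())
 
-if gt(sourceOffset, MEM_LEN_OFFSET()) {
-sourceOffset := MEM_LEN_OFFSET()
+let outOfBoundsOffset := add(BYTECODE_OFFSET(), mload(BYTECODE_LEN_OFFSET()))
+
+if gt(sourceOffset, outOfBoundsOffset) {
+sourceOffset := outOfBoundsOffset
 }
 
 // Check bytecode out-of-bounds access
 let truncatedLen := len
-if gt(add(sourceOffset, len), MEM_LEN_OFFSET()) {
-truncatedLen := sub(MEM_LEN_OFFSET(), sourceOffset) // truncate
+if gt(add(sourceOffset, len), outOfBoundsOffset) {
+truncatedLen := sub(outOfBoundsOffset, sourceOffset) // truncate
 $llvm_AlwaysInline_llvm$_memsetToZero(add(dstOffset, truncatedLen), sub(len, truncatedLen)) // pad with zeroes any out-of-bounds
 }
 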
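Review bot: Both bounds checks in the CODECOPY case now trust `mload(BYTECODE_LEN_OFFSET())` as the end of readable code, where the removed lines used the fixed `MEM_LEN_OFFSET()`, and nothing in the hunk states that the stored length keeps `outOfBoundsOffset` at or below that old limit. If the slot could ever hold a larger value, the copy would read past the bytecode area into whatever memory follows it, so the invariant deserves a comment on the new `let`, for example `// first offset past the loaded bytecode; relies on BYTECODE_OFFSET() + stored length <= MEM_LEN_OFFSET()`. Separately, `add(sourceOffset, len)` wraps for a very large `len` and would then skip the truncation; presumably `len` is bounded by the memory checks between the two hunks, which are not shown here, but that is worth confirming. The same code appears in the second `case 0x39` hunk of this file and in EvmEmulatorLoop.template.yul, and the case body starts and ends outside the hunks.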
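--- a/system-contracts/evm-emulator/EvmEmulatorLoop.template.yul
+++ b/system-contracts/evm-emulator/EvmEmulatorLoop.template.yul
@@ -407,7 +407,6 @@ for { } true { } {
 ip := add(ip, 1)
 }
 case 0x39 { // OP_CODECOPY
-
 evmGasLeft := chargeGas(evmGasLeft, 3)
 
 let dstOffset, sourceOffset, len
@@ -432,14 +431,16 @@ for { } true { } {
 
 sourceOffset := add(sourceOffset, BYTECODE_OFFSET())
 
-if gt(sourceOffset, MEM_LEN_OFFSET()) {
-sourceOffset := MEM_LEN_OFFSET()
+let outOfBoundsOffset := add(BYTECODE_OFFSET(), mload(BYTECODE_LEN_OFFSET()))
+
+if gt(sourceOffset, outOfBoundsOffset) {
+sourceOffset := outOfBoundsOffset
 }
 
 // Check bytecode out-of-bounds access
 let truncatedLen := len
-if gt(add(sourceOffset, len), MEM_LEN_OFFSET()) {
-truncatedLen := sub(MEM_LEN_OFFSET(), sourceOffset) // truncate
+if gt(add(sourceOffset, len), outOfBoundsOffset) {
+truncatedLen := sub(outOfBoundsOffset, sourceOffset) // truncate
 $llvm_AlwaysInline_llvm$_memsetToZero(add(dstOffset, truncatedLen), sub(len, truncatedLen)) // pad with zeroes any out-of-bounds
 }
 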
