From 5cb53752d3fed3c97d678603452754f951feb9ea Mon Sep 17 00:00:00 2001
From: Outcry <843648230@qq.com>
Date: Fri, 27 Feb 2026 08:08:49 +0000
Subject: [PATCH] fix(evm): fix use-after-free in EXTCODEHASH due to deferred pointer load

Co-authored-by: Aone Copilot
---
 src/compiler/evm_frontend/evm_imported.cpp | 10 ++++------
 src/compiler/evm_frontend/evm_imported.h | 6 +++---
 src/compiler/evm_frontend/evm_mir_compiler.cpp | 2 +-
 3 files changed, 8 insertions(+), 10 deletions(-)

diff --git a/src/compiler/evm_frontend/evm_imported.cpp b/src/compiler/evm_frontend/evm_imported.cpp
index 8c9ffadd..7a000f79 100644
--- a/src/compiler/evm_frontend/evm_imported.cpp
+++ b/src/compiler/evm_frontend/evm_imported.cpp
@@ -334,8 +334,8 @@ uint64_t evmGetExtCodeSize(zen::runtime::EVMInstance *Instance,
   return Size;
 }
 
-const uint8_t *evmGetExtCodeHash(zen::runtime::EVMInstance *Instance,
-                                 const uint8_t *Address) {
+const intx::uint256 *evmGetExtCodeHash(zen::runtime::EVMInstance *Instance,
+                                       const uint8_t *Address) {
   const zen::runtime::EVMModule *Module = Instance->getModule();
   ZEN_ASSERT(Module && Module->Host);
 
@@ -347,11 +347,9 @@ const uint8_t *evmGetExtCodeHash(zen::runtime::EVMInstance *Instance,
     Instance->chargeGas(zen::evm::ADDITIONAL_COLD_ACCOUNT_ACCESS_COST);
   }
 
-  auto &Cache = Instance->getMessageCache();
   evmc::bytes32 Hash = Module->Host->get_code_hash(Addr);
-  Cache.ExtcodeHashes.push_back(Hash);
-
-  return Cache.ExtcodeHashes.back().bytes;
+  intx::uint256 HashValue = intx::be::load(Hash);
+  return storeUint256Result(HashValue);
 }
 
 uint64_t evmGetCallDataSize(zen::runtime::EVMInstance *Instance) {
diff --git a/src/compiler/evm_frontend/evm_imported.h b/src/compiler/evm_frontend/evm_imported.h
index 0fd11dee..cb8cfa32 100644
--- a/src/compiler/evm_frontend/evm_imported.h
+++ b/src/compiler/evm_frontend/evm_imported.h
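Review bot: The lifetime of the pointer returned by `return storeUint256Result(HashValue);` is not stated anywhere, and that contract is exactly what the removed `Cache.ExtcodeHashes.back().bytes` got wrong, since a later `push_back` into that vector could reallocate and leave the earlier pointer dangling. If `storeUint256Result` presumably writes into an instance-owned scratch slot that is shared with the other `const intx::uint256 *` runtime functions such as `evmGetGasPrice`, the returned value is only valid until the next such runtime call, and the JIT must copy it before then. Please state that on the declaration in evm_imported.h, e.g. `/// Returns a pointer to instance-owned scratch storage; valid only until the next runtime call that stores a u256 result — callers must load it immediately.`, with the exact slot semantics confirmed against storeUint256Result. If the `ExtcodeHashes` member of the message cache has no remaining users after this change, it and its per-call growth can be dropped as well. A regression test that executes EXTCODEHASH twice on cold addresses under AddressSanitizer would pin the old bug.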
@@ -95,7 +95,7 @@ struct RuntimeFunctions {
   VoidWithUInt64UInt64UInt64Fn SetCodeCopy;
   U256Fn GetGasPrice;
   SizeWithBytes32Fn GetExtCodeSize;
-  Bytes32WithBytes32Fn GetExtCodeHash;
+  U256WithBytes32Fn GetExtCodeHash;
   Bytes32WithInt64Fn GetBlockHash;
   Bytes32Fn GetCoinBase;
   U256Fn GetTimestamp;
@@ -185,8 +185,8 @@ void evmSetCodeCopy(zen::runtime::EVMInstance *Instance, uint64_t DestOffset,
 const intx::uint256 *evmGetGasPrice(zen::runtime::EVMInstance *Instance);
 uint64_t evmGetExtCodeSize(zen::runtime::EVMInstance *Instance,
                            const uint8_t *Address);
-const uint8_t *evmGetExtCodeHash(zen::runtime::EVMInstance *Instance,
-                                 const uint8_t *Address);
+const intx::uint256 *evmGetExtCodeHash(zen::runtime::EVMInstance *Instance,
+                                       const uint8_t *Address);
 const uint8_t *evmGetBlockHash(zen::runtime::EVMInstance *Instance,
                                int64_t BlockNumber);
 const uint8_t *evmGetCoinBase(zen::runtime::EVMInstance *Instance);
diff --git a/src/compiler/evm_frontend/evm_mir_compiler.cpp b/src/compiler/evm_frontend/evm_mir_compiler.cpp
index 06778732..b375b509 100644
--- a/src/compiler/evm_frontend/evm_mir_compiler.cpp
+++ b/src/compiler/evm_frontend/evm_mir_compiler.cpp
@@ -2549,7 +2549,7 @@ EVMMirBuilder::handleExtCodeHash(Operand Address) {
 #ifdef ZEN_ENABLE_EVM_GAS_REGISTER
   syncGasToMemory();
 #endif
-  auto Result = callRuntimeFor(
+  auto Result = callRuntimeFor(
       RuntimeFunctions.GetExtCodeHash, Address);
 #ifdef ZEN_ENABLE_EVM_GAS_REGISTER
   reloadGasFromMemory();
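Review bot: The removed and added lines in handleExtCodeHash read identically here (`auto Result = callRuntimeFor(`), so the actual change presumably sits in a template argument that the rendering stripped, and this hunk on its own does not show that the result is now read eagerly, which the commit title names as the bug. Whatever `callRuntimeFor` does with a `U256WithBytes32Fn`, the load through `Result` has to happen before any subsequent runtime call can overwrite the runtime-owned storage it points at; a comment at the call site would keep the next editor from reintroducing the deferral, e.g. `// NOTE: Result points at runtime-owned scratch storage; load it before any further runtime call — do not defer the load to the use site.` handleExtCodeHash begins and ends outside the hunk, so the eager load itself cannot be verified from what is shown.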