fix(evm): fix use-after-free in EXTCODEHASH due to deferred pointer load#368
zoowii merged 1 commit into DTVMStack:main from
Co-authored-by: Aone Copilot <copilot@alibaba-inc.com>
Pull request overview
Fixes a JIT use-after-free in the EVM frontend’s EXTCODEHASH handling by changing the runtime interface to return a stable uint256 result buffer (avoiding deferred loads from a pointer into a resizable container).
Changes:
- Update `GetExtCodeHash` runtime function type/signature to return `const intx::uint256*` instead of `const uint8_t*`.
- Change `evmGetExtCodeHash` to convert the host `bytes32` to `intx::uint256` and return it via `storeUint256Result(...)` (thread-local buffer).
- Update MIR builder to call the runtime with the new return type for `EXTCODEHASH`.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| src/compiler/evm_frontend/evm_mir_compiler.cpp | Switches handleExtCodeHash runtime call to expect a uint256 pointer result. |
| src/compiler/evm_frontend/evm_imported.h | Updates RuntimeFunctions::GetExtCodeHash typedef/signature to U256WithBytes32Fn. |
| src/compiler/evm_frontend/evm_imported.cpp | Implements evmGetExtCodeHash returning a uint256 via the thread-local return buffer instead of a vector-backed bytes pointer. |
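To make the lifetime issue in the overview concrete, here is an added, self-contained illustration; it is not code from DTVMStack or from this PR. `Bytes32` and `U256` are stand-ins for `evmc::bytes32` and `intx::uint256`, and `MessageCache`, `hostGetCodeHash`, `getExtCodeHashUnsafe` and `getExtCodeHashSafe` are hypothetical names chosen to mirror the PR's description. The first function returns a pointer into a `std::vector` element (the pattern being removed), the second copies the value into a per-thread result buffer the way `storeUint256Result(...)` is described, and the checks show why an immediate copy by the caller is what actually makes the result stable.

```cpp
// Added illustration (not DTVMStack code): a pointer into a resizable
// container dangles after reallocation, so a consumer that defers its load
// reads freed memory; a per-thread result buffer has a stable address, but
// the value must still be copied out before the next runtime call.
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

struct Bytes32 { uint8_t bytes[32]; };   // stand-in for evmc::bytes32
struct U256 { uint64_t limbs[4]; };      // stand-in for intx::uint256 (little-endian limbs)

inline bool operator==(const U256 &a, const U256 &b) {
    return std::memcmp(a.limbs, b.limbs, sizeof a.limbs) == 0;
}

// Big-endian load, in the spirit of intx::be::load<intx::uint256>(Hash).
inline U256 loadBE(const Bytes32 &h) {
    U256 v{};
    for (int i = 0; i < 4; ++i) {
        uint64_t limb = 0;
        for (int j = 0; j < 8; ++j)
            limb = (limb << 8) | h.bytes[i * 8 + j];
        v.limbs[3 - i] = limb;
    }
    return v;
}

struct MessageCache { std::vector<Bytes32> ExtcodeHashes; };  // hypothetical cache

// Constructed stand-in for the host: the "code hash" of address n is 32 bytes of n.
inline Bytes32 hostGetCodeHash(uint8_t n) {
    Bytes32 h;
    std::memset(h.bytes, n, sizeof h.bytes);
    return h;
}

// BEFORE: pointer into a vector element. A later push_back that reallocates
// leaves this pointer dangling; a deferred load then reads freed memory.
inline const uint8_t *getExtCodeHashUnsafe(MessageCache &cache, uint8_t addr) {
    cache.ExtcodeHashes.push_back(hostGetCodeHash(addr));
    return cache.ExtcodeHashes.back().bytes;
}

// AFTER: copy the value into a per-thread buffer whose address never changes.
// The pointer is valid only until the next call overwrites the buffer.
inline const U256 *storeUint256Result(const U256 &v) {
    thread_local U256 buffer;
    buffer = v;
    return &buffer;
}

inline const U256 *getExtCodeHashSafe(MessageCache &cache, uint8_t addr) {
    Bytes32 h = hostGetCodeHash(addr);
    cache.ExtcodeHashes.push_back(h);   // no pointer into the cache escapes
    return storeUint256Result(loadBE(h));
}

// Shows the hazard without dereferencing the stale pointer: push until the
// vector reallocates, then check the old address no longer names the element.
inline bool deferredLoadPointerInvalidated() {
    MessageCache cache;
    const uint8_t *p = getExtCodeHashUnsafe(cache, 1);
    size_t cap = cache.ExtcodeHashes.capacity();
    uint8_t next = 2;
    while (cache.ExtcodeHashes.capacity() == cap)   // force a reallocation
        getExtCodeHashUnsafe(cache, next++);
    return p != cache.ExtcodeHashes[0].bytes;
}

// Correct consumer: copy the value immediately; the copy stays correct even
// after later runtime calls have overwritten the thread-local buffer.
inline bool immediateLoadStaysStable() {
    MessageCache cache;
    U256 first = *getExtCodeHashSafe(cache, 1);
    U256 second = *getExtCodeHashSafe(cache, 2);
    return first == loadBE(hostGetCodeHash(1)) &&
           second == loadBE(hostGetCodeHash(2)) && !(first == second);
}

// Residual caveat: holding the returned pointer across another call yields the
// second value, so a deferred load is still wrong with the stable buffer.
inline bool deferredLoadFromThreadLocalIsStale() {
    MessageCache cache;
    const U256 *p = getExtCodeHashSafe(cache, 1);
    getExtCodeHashSafe(cache, 2);
    return *p == loadBE(hostGetCodeHash(2));
}

int main() {
    bool ok = deferredLoadPointerInvalidated() && immediateLoadStaysStable() &&
              deferredLoadFromThreadLocalIsStale();
    std::printf("%s\n", ok ? "all checks hold" : "check failed");
    return ok ? 0 : 1;
}
```

The third check is the point a reviewer of this fix should keep in mind: the thread-local buffer removes the reallocation hazard, but only if the MIR caller loads the `uint256` before issuing the next runtime call that stores a result.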
| @@ -347,11 +347,9 @@ const uint8_t *evmGetExtCodeHash(zen::runtime::EVMInstance *Instance, | |||
| Instance->chargeGas(zen::evm::ADDITIONAL_COLD_ACCOUNT_ACCESS_COST); | |||
| } | |||
|
|
|||
| auto &Cache = Instance->getMessageCache(); | |||
| evmc::bytes32 Hash = Module->Host->get_code_hash(Addr); | |||
| Cache.ExtcodeHashes.push_back(Hash); | |||
|
|
|||
| return Cache.ExtcodeHashes.back().bytes; | |||
| intx::uint256 HashValue = intx::be::load<intx::uint256>(Hash); | |||
| return storeUint256Result(HashValue); | |||
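Review bot: the pointer returned by `storeUint256Result(HashValue)` refers to a thread-local buffer, so it is valid only until the next runtime call that stores a uint256 result; since the bug being fixed was a deferred load, the `return storeUint256Result(HashValue);` line should carry a comment stating that the MIR caller must load the value before any further runtime call. Also, if `Cache.ExtcodeHashes.push_back(Hash);` is kept after this change, the entry is no longer referenced by the return path, so either confirm it is still needed elsewhere or remove the dead storage along with `auto &Cache = Instance->getMessageCache();`.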
Add a regression test that exercises EXTCODEHASH in the JIT path (e.g., multiple EXTCODEHASH results used after subsequent host calls) to ensure the previous deferred-load use-after-free cannot reappear and that the returned hash value is stable/correct across repeated calls.
@copilot open a new pull request to apply changes based on this feedback
1. Does this PR affect any open issues? (Y/N) and add issue references (e.g. "fix #123", "re #123"):
2. What is the scope of this PR (e.g. component or file name):
3. Provide a description of the PR (e.g. more details, effects, motivations or doc link):
4. Are there any breaking changes? (Y/N) and describe the breaking changes (e.g. more details, motivations or doc link):
5. Are there test cases for these changes? (Y/N) select and add more details, references or doc links:
6. Release note