Fix critical security vulnerabilities and EVM compliance issues#67
Merged
Conversation
Changed Files
|
Copilot
AI
changed the title
[WIP] Add stack bounds checking to prevent memory corruption
Fix critical security vulnerabilities and EVM compliance issues
Feb 14, 2026
Co-authored-by: tcrypt25519 <212655132+tcrypt25519@users.noreply.github.com>
Co-authored-by: tcrypt25519 <212655132+tcrypt25519@users.noreply.github.com>
Co-authored-by: tcrypt25519 <212655132+tcrypt25519@users.noreply.github.com>
Co-authored-by: tcrypt25519 <212655132+tcrypt25519@users.noreply.github.com>
Co-authored-by: tcrypt25519 <212655132+tcrypt25519@users.noreply.github.com>
tcrypt25519
force-pushed
the
copilot/add-stack-bounds-checking
branch
from
February 14, 2026 22:16
cd7184c to
aba4bd2
Compare
tcrypt25519
marked this pull request as ready for review
February 14, 2026 22:16
There was a problem hiding this comment.
Pull request overview
This pull request addresses three critical security vulnerabilities in the EVM implementation: stack underflow memory corruption, ADDMOD/MULMOD arithmetic overflow, and use-after-free in memory operations.
Changes:
- Stack underflow protection: Adds bounds checking in stack_pop to return null pointer on underflow, with caller detecting and returning StackUnderflow error
- ADDMOD/MULMOD 512-bit precision: Implements runtime builtins using bnum's U512 for intermediate arithmetic to prevent overflow before modulo, as required by EVM spec
- Memory UAF fix: Changes mem_load to return i256 value directly instead of pointer, preventing dangling pointer issues when memory is reallocated
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| crates/jet_runtime/src/symbols.rs | Adds symbol constants FN_ADDMOD and FN_MULMOD for new builtin functions |
| crates/jet_runtime/src/runtime_builder.rs | Adds LLVM function declarations for addmod/mulmod, implements stack underflow check in build_stack_pop, changes mem_load return type from ptr to i256 |
| crates/jet_runtime/src/exec.rs | Adds StackUnderflow = -2 return code enum variant |
| crates/jet_runtime/src/builtins.rs | Implements jet_ops_addmod and jet_ops_mulmod with 512-bit intermediate arithmetic using bnum, includes helper functions for U256/U512 conversions |
| crates/jet/src/engine/mod.rs | Registers addmod and mulmod builtins with execution engine symbol map |
| crates/jet/src/builder/ops.rs | Updates addmod/mulmod to call new builtins, adds null pointer check in call_stack_pop for underflow detection, updates mload to handle i256 return value from mem_load |
| crates/jet/src/builder/env.rs | Adds addmod and mulmod function value fields to Symbols struct with accessor methods |
Comment on lines
+916
to
+939
| // Check if stack underflow occurred (null pointer returned) | ||
| let is_null = bctx.builder.build_is_null(ptr, "is_stack_underflow")?; | ||
|
|
||
| // Create basic blocks for handling null/non-null cases | ||
| let underflow_block = bctx | ||
| .env | ||
| .context() | ||
| .append_basic_block(bctx.func, "stack_underflow"); | ||
| let valid_block = bctx | ||
| .env | ||
| .context() | ||
| .append_basic_block(bctx.func, "stack_valid"); | ||
|
|
||
| bctx.builder | ||
| .build_conditional_branch(is_null, underflow_block, valid_block)?; | ||
|
|
||
| // In underflow block, return with StackUnderflow error | ||
| bctx.builder.position_at_end(underflow_block); | ||
| build_return(bctx, ReturnCode::StackUnderflow)?; | ||
|
|
||
| // Continue in valid block | ||
| bctx.builder.position_at_end(valid_block); | ||
|
|
||
| Ok(ptr) |
There was a problem hiding this comment.
The stack underflow detection logic is not covered by tests. Consider adding a test case that attempts to pop from an empty stack to verify that the StackUnderflow error is properly returned. This would ensure the security-critical underflow protection works correctly.
tcrypt25519
added a commit
that referenced
this pull request
Feb 16, 2026
* Initial plan * Add stack bounds checking to prevent memory corruption Co-authored-by: tcrypt25519 <212655132+tcrypt25519@users.noreply.github.com> * Fix Use-After-Free vulnerability in memory pointer handling Co-authored-by: tcrypt25519 <212655132+tcrypt25519@users.noreply.github.com> * Fix ADDMOD and MULMOD to use 512-bit precision for EVM compliance Co-authored-by: tcrypt25519 <212655132+tcrypt25519@users.noreply.github.com> * Add symbol mappings for ADDMOD and MULMOD builtins Co-authored-by: tcrypt25519 <212655132+tcrypt25519@users.noreply.github.com> * Refactor ADDMOD/MULMOD helpers to reduce code duplication Co-authored-by: tcrypt25519 <212655132+tcrypt25519@users.noreply.github.com> * chore: CI change 🤖 --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: tcrypt25519 <212655132+tcrypt25519@users.noreply.github.com> Co-authored-by: tcrypt25519 <mail@tcry.pt>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Addresses stack underflow memory corruption, ADDMOD/MULMOD arithmetic overflow, and use-after-free in memory operations. BYTE instruction verified correct, no changes needed.
Stack Underflow Protection
Stack pop operations now check for underflow before decrementing
stack_ptr. Returns null pointer on underflow, detected by caller which returnsStackUnderflowerror instead of wrapping tou32::MAXand accessing arbitrary memory.ADDMOD/MULMOD 512-bit Intermediate Arithmetic
EVM spec requires unlimited precision for
(a + b) % Nand(a * b) % Nto prevent overflow before modulo. Implemented runtime builtins using bnum'sU512for intermediate calculations:Handles division-by-zero per spec (returns 0). Symbol mappings added to execution engine.
Memory UAF Prevention
mem_loadpreviously returned pointer into memory buffer. Whenmem_expandreallocates, those pointers become dangling. Changed to return i256 value directly:BYTE Instruction
Verified implementation correct. The
31 - indexformula properly converts big-endian EVM indices to little-endian internal representation per existing tests and spec.💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.