| 1 | +--- |
| 2 | +simd: '0459' |
| 3 | +title: Syscall Parameter Address Restrictions |
| 4 | +authors: |
| 5 | + - Alexander Meißner (Anza) |
| 6 | +category: Standard |
| 7 | +type: Core |
| 8 | +status: Review |
| 9 | +created: 2026-01-30 |
| 10 | +feature: TBD |
| 11 | +supersedes: 0219 |
| 12 | +--- |
| 13 | + |
| 14 | +## Summary |
| 15 | + |
| 16 | +Syscall parameter related changes split off from SIMD-0219. |
| 17 | + |
| 18 | +## Motivation |
| 19 | + |
| 20 | +In a recent meeting between the Agave and Firedancer core developers it was |
| 21 | +decided that SIMD-0219 should be split into two feature gates. |
| 22 | + |
| 23 | +## New Terminology |
| 24 | + |
| 25 | +None. |
| 26 | + |
| 27 | +## Detailed Design |
| 28 | + |
| 29 | +### Additional changes |
| 30 | + |
| 31 | +`InstructionError::InvalidRealloc` must be thrown if the caller requested an |
| 32 | +account length which does not fit the payload address space of the account. |
| 33 | +This check must occur after the address of the account length is translated |
| 34 | +but before the address of the account payload is translated. |
| 35 | + |
| 36 | +All sites in the CPI code which perform guest to host address translation first |
| 37 | +and then perform pointer arithmetic on the host must be swapped such that they |
| 38 | +perform pointer arithmetic in the virtual address space first followed by the |
| 39 | +address translation second. This specifically affects the account length field. |
| 40 | + |
| 41 | +The CU charging for the account length must be moved to occur after the address |
| 42 | +translation of the account length field. |
| 43 | + |
| 44 | +### Changes inherited from SIMD-0219 |
| 45 | + |
| 46 | +- The following pointers must be on the stack or heap, |
| 47 | +meaning their virtual address is inside `0x200000000..0x400000000`, |
| 48 | +otherwise `SyscallError::InvalidPointer` must be thrown: |
| 49 | + - The destination address of all sysvar related syscalls |
| 50 | + - The pointer in the array of `&[AccountInfo]` / `SolAccountInfo*` |
| 51 | + - The `AccountInfo::data` field, |
| 52 | + which is a `RefCell<&[u8]>` in `sol_invoke_signed_rust` |
| 53 | + - The `AccountInfo::lamports` field, |
| 54 | + which is a `RefCell<&u64>` in `sol_invoke_signed_rust` |
| 55 | +- The following pointers must point to what was originally serialized in the |
| 56 | +input regions by the program runtime, |
| 57 | +otherwise `SyscallError::InvalidPointer` must be thrown: |
| 58 | + - `AccountInfo::key` / `SolAccountInfo::key` |
| 59 | + - `AccountInfo::owner` / `SolAccountInfo::owner` |
| 60 | + - `AccountInfo::lamports` / `SolAccountInfo::lamports` |
| 61 | + - `AccountInfo::data::ptr` / `SolAccountInfo::data` |
| 62 | + |
| 63 | +## Alternatives Considered |
| 64 | + |
| 65 | +Leaving SIMD-0219 as is. |
| 66 | + |
| 67 | +## Impact |
| 68 | + |
| 69 | +Splitting SIMD-0219 should have no impact on dApp developers or validators. |
| 70 | +The additional changes have been tested to not cause any existing dApps to |
| 71 | +behave differently. |
| 72 | + |
| 73 | +## Security Considerations |
| 74 | + |
| 75 | +None. |
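Review bot: "Security Considerations: None." at the end of the new file is at odds with its own Detailed Design, which is almost entirely security hardening: `SyscallError::InvalidPointer` range checks against `0x200000000..0x400000000`, a new `InstructionError::InvalidRealloc` bound on the requested account length, the requirement that pointer arithmetic happen in the virtual address space before guest-to-host translation rather than after it, and the move of the CU charge for the account length to after that translation. The rationale for each of those belongs in this section rather than being left implicit, in particular why arithmetic must precede translation (presumably so the address that is bounds-checked is the one actually dereferenced) and why the `InvalidRealloc` check is pinned between the translation of the length field and the translation of the payload; the ordering is stated as a must, so the section should also mention the consensus risk if Agave and Firedancer apply these checks in a different order. Please replace "None." with at least a short paragraph covering that. Two smaller points: `feature: TBD` together with "split into two feature gates" in Motivation leaves unclear which of the two feature gates this document's changes ride on, and whether "Additional changes" and "Changes inherited from SIMD-0219" activate together; and the Impact statement that the changes "have been tested to not cause any existing dApps to behave differently" should say how that was established.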