Fix write_memory aux data access check on the recompiler; add set_host_side_aux_write_protect

koute · koute · commit d3260d552469 · 2025-09-22T14:13:04.000+01:00
diff --git a/crates/polkavm/src/api.rs b/crates/polkavm/src/api.rs
@@ -746,6 +746,7 @@ impl Module {
             module: self.clone(),
             backend,
             crosscheck_instance,
+            host_side_aux_write_protect: false,
         })
     }
 
@@ -1033,6 +1034,7 @@ pub struct RawInstance {
     module: Module,
     backend: InstanceBackend,
     crosscheck_instance: Option<Box<InterpretedInstance>>,
+    host_side_aux_write_protect: bool,
 }
 
 impl RawInstance {
@@ -1259,7 +1261,25 @@ impl RawInstance {
 
         access_backend!(self.backend, |mut backend| backend
             .set_accessible_aux_size(size)
-            .into_result("failed to set accessible aux size"))
+            .into_result("failed to set accessible aux size"))?;
+
+        debug_assert_eq!(access_backend!(self.backend, |backend| backend.accessible_aux_size()), size);
+        Ok(())
+    }
+
+    /// Sets whether the aux data region is write-protected on the host-side.
+    ///
+    /// This affects `write_memory`, `zero_memory` and `is_memory_accessible`.
+    ///
+    /// Will return an error if called on an instance with dynamic paging enabled.
+    /// Infallible otherwise.
+    pub fn set_host_side_aux_write_protect(&mut self, is_write_protected: bool) -> Result<(), Error> {
+        if self.module.is_dynamic_paging() {
+            return Err("write-protecting the aux data region is only possible on modules without dynamic paging".into());
+        }
+
+        self.host_side_aux_write_protect = is_write_protected;
+        Ok(())
     }
 
     /// Resets the VM's memory to its initial state.
@@ -1285,7 +1305,8 @@ impl RawInstance {
             return false;
         }
 
-        if u64::from(address) + cast(size).to_u64() > 0x100000000 {
+        let upper_limit = if is_writable { self.get_write_upper_limit() } else { 0x100000000 };
+        if u64::from(address) + cast(size).to_u64() > upper_limit {
             return false;
         }
 
@@ -1391,6 +1412,15 @@ impl RawInstance {
         result
     }
 
+    fn get_write_upper_limit(&self) -> u64 {
+        if self.host_side_aux_write_protect {
+            debug_assert!(!self.module.is_dynamic_paging());
+            u64::from(self.module.memory_map().stack_address_high())
+        } else {
+            0x100000000
+        }
+    }
+
     /// Writes into the VM's memory.
     ///
     /// When dynamic paging is enabled calling this can be used to resolve a segfault. It can also
@@ -1407,7 +1437,7 @@ impl RawInstance {
             });
         }
 
-        if u64::from(address) + cast(data.len()).to_u64() > 0x100000000 {
+        if u64::from(address) + cast(data.len()).to_u64() > self.get_write_upper_limit() {
             return Err(MemoryAccessError::OutOfRangeAccess {
                 address,
                 length: cast(data.len()).to_u64(),
@@ -1551,7 +1581,7 @@ impl RawInstance {
             });
         }
 
-        if u64::from(address) + u64::from(length) > 0x100000000 {
+        if u64::from(address) + u64::from(length) > self.get_write_upper_limit() {
             return Err(MemoryAccessError::OutOfRangeAccess {
                 address,
                 length: u64::from(length),
diff --git a/crates/polkavm/src/sandbox/generic.rs b/crates/polkavm/src/sandbox/generic.rs
@@ -931,9 +931,6 @@ impl Sandbox {
         };
 
         if address >= self.aux_data_address && address_end < self.aux_data_address + self.aux_data_full_length {
-            if is_writable {
-                return Ok(());
-            }
             if address_end > self.aux_data_address + self.aux_data_length {
                 return Err(());
             }
diff --git a/crates/polkavm/src/sandbox/linux.rs b/crates/polkavm/src/sandbox/linux.rs
@@ -1995,11 +1995,10 @@ impl super::Sandbox for Sandbox {
         if !self.dynamic_paging_enabled {
             let memory_map = module.memory_map();
             let is_ok = if address >= memory_map.aux_data_address() {
-                let aux_data_size = module.memory_map().aux_data_size();
-                let aux_data_end = module.memory_map().aux_data_address() + aux_data_size;
-                let address_end = address as usize + data.len();
-                if address_end <= aux_data_end as usize {
-                    self.memory_mmap.as_slice_mut()[address as usize..address as usize + data.len()].copy_from_slice(data);
+                let aux_data_end = module.memory_map().aux_data_address() + self.aux_data_length;
+                let address_end = cast(address).to_usize() + data.len();
+                if address_end <= cast(aux_data_end).to_usize() {
+                    self.memory_mmap.as_slice_mut()[cast(address).to_usize()..address_end].copy_from_slice(data);
                     return Ok(());
                 } else {
                     false
@@ -2053,8 +2052,10 @@ impl super::Sandbox for Sandbox {
         if !self.dynamic_paging_enabled {
             let memory_map = module.memory_map();
             let is_ok = if address >= memory_map.aux_data_address() {
-                if u64::from(address) + u64::from(length) <= u64::from(memory_map.aux_data_range().end) {
-                    self.memory_mmap.as_slice_mut()[address as usize..address as usize + length as usize].fill(0);
+                let aux_data_end = module.memory_map().aux_data_address() + self.aux_data_length;
+                let address_end = cast(address).to_usize() + cast(length).to_usize();
+                if address_end <= cast(aux_data_end).to_usize() {
+                    self.memory_mmap.as_slice_mut()[cast(address).to_usize()..address_end].fill(0);
                     return Ok(());
                 } else {
                     false
diff --git a/crates/polkavm/src/tests.rs b/crates/polkavm/src/tests.rs
@@ -2730,7 +2730,89 @@ fn aux_data_accessible_area(config: Config) {
     instance.set_next_program_counter(offsets[0]);
     match_interrupt!(instance.run().unwrap(), InterruptKind::Finished);
 
+    assert!(instance.is_memory_accessible(module.memory_map().aux_data_address() + page_size - 3, 4, false));
+    assert!(instance.is_memory_accessible(module.memory_map().aux_data_address() + page_size * 2 - 4, 4, false));
+    assert!(!instance.is_memory_accessible(module.memory_map().aux_data_address() + page_size * 2 - 3, 4, false));
     assert!(instance.read_u32(module.memory_map().aux_data_address() + page_size - 3).is_ok());
+    assert!(instance
+        .read_u32(module.memory_map().aux_data_address() + page_size * 2 - 4)
+        .is_ok());
+    assert!(instance
+        .read_u32(module.memory_map().aux_data_address() + page_size * 2 - 3)
+        .is_err());
+
+    assert!(instance.is_memory_accessible(module.memory_map().aux_data_address() + page_size - 3, 4, true));
+    assert!(instance.is_memory_accessible(module.memory_map().aux_data_address() + page_size * 2 - 4, 4, true));
+    assert!(!instance.is_memory_accessible(module.memory_map().aux_data_address() + page_size * 2 - 3, 4, true));
+    assert!(!instance.is_memory_accessible(module.memory_map().aux_data_address() + page_size * 2, 4, true));
+    assert!(instance
+        .write_u32(module.memory_map().aux_data_address() + page_size - 3, 0)
+        .is_ok());
+    assert!(instance
+        .write_u32(module.memory_map().aux_data_address() + page_size * 2 - 4, 0)
+        .is_ok());
+    assert!(instance
+        .write_u32(module.memory_map().aux_data_address() + page_size * 2 - 3, 0)
+        .is_err());
+    assert!(instance
+        .write_u32(module.memory_map().aux_data_address() + page_size * 2, 0)
+        .is_err());
+    assert!(instance
+        .zero_memory(module.memory_map().aux_data_address() + page_size - 3, 4)
+        .is_ok());
+    assert!(instance
+        .zero_memory(module.memory_map().aux_data_address() + page_size * 2 - 4, 4)
+        .is_ok());
+    assert!(instance
+        .zero_memory(module.memory_map().aux_data_address() + page_size * 2 - 3, 4)
+        .is_err());
+    assert!(instance
+        .zero_memory(module.memory_map().aux_data_address() + page_size * 2, 4)
+        .is_err());
+
+    instance.set_host_side_aux_write_protect(true).unwrap();
+
+    // Still readable as before.
+    assert!(instance.is_memory_accessible(module.memory_map().aux_data_address() + page_size - 3, 4, false));
+    assert!(instance.is_memory_accessible(module.memory_map().aux_data_address() + page_size * 2 - 4, 4, false));
+    assert!(!instance.is_memory_accessible(module.memory_map().aux_data_address() + page_size * 2 - 3, 4, false));
+    assert!(instance.read_u32(module.memory_map().aux_data_address() + page_size - 3).is_ok());
+    assert!(instance
+        .read_u32(module.memory_map().aux_data_address() + page_size * 2 - 4)
+        .is_ok());
+    assert!(instance
+        .read_u32(module.memory_map().aux_data_address() + page_size * 2 - 3)
+        .is_err());
+
+    // Not writable anymore.
+    assert!(!instance.is_memory_accessible(module.memory_map().aux_data_address() + page_size - 3, 4, true));
+    assert!(!instance.is_memory_accessible(module.memory_map().aux_data_address() + page_size * 2 - 4, 4, true));
+    assert!(!instance.is_memory_accessible(module.memory_map().aux_data_address() + page_size * 2 - 3, 4, true));
+    assert!(!instance.is_memory_accessible(module.memory_map().aux_data_address() + page_size * 2, 4, true));
+    assert!(instance
+        .write_u32(module.memory_map().aux_data_address() + page_size - 3, 0)
+        .is_err());
+    assert!(instance
+        .write_u32(module.memory_map().aux_data_address() + page_size * 2 - 4, 0)
+        .is_err());
+    assert!(instance
+        .write_u32(module.memory_map().aux_data_address() + page_size * 2 - 3, 0)
+        .is_err());
+    assert!(instance
+        .write_u32(module.memory_map().aux_data_address() + page_size * 2, 0)
+        .is_err());
+    assert!(instance
+        .zero_memory(module.memory_map().aux_data_address() + page_size - 3, 4)
+        .is_err());
+    assert!(instance
+        .zero_memory(module.memory_map().aux_data_address() + page_size * 2 - 4, 4)
+        .is_err());
+    assert!(instance
+        .zero_memory(module.memory_map().aux_data_address() + page_size * 2 - 3, 4)
+        .is_err());
+    assert!(instance
+        .zero_memory(module.memory_map().aux_data_address() + page_size * 2, 4)
+        .is_err());
 }
 
 fn access_memory_from_host(config: Config) {

Original file line number	Diff line number	Diff line change
`@@ -931,9 +931,6 @@ impl Sandbox {`
`931`	`931`	`};`
`932`	`932`
`933`	`933`	`if address >= self.aux_data_address && address_end < self.aux_data_address + self.aux_data_full_length {`
`934`		`- if is_writable {`
`935`		`- return Ok(());`
`936`		`- }`
`937`	`934`	`if address_end > self.aux_data_address + self.aux_data_length {`
`938`	`935`	`return Err(());`
`939`	`936`	`}`