)]}' { "commit": "d7c7b98e5de3ae574b87516b81ff489e0f49e7ee", "tree": "403252f9917ebd4a83b27f1d4f39dbc42567cf8c", "parents": [ "e8aea9cf5153723dd5bc8230036ee59081d40940" ], "author": { "name": "0xASTRA", "email": "47869173+0xASTRA@users.noreply.github.com", "time": "Sat May 30 10:03:43 2026 +0100" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Sat May 30 09:03:43 2026 +0000" }, "message": "[Security] Fix uint64 additive overflow in VM bytecode rodata segment verifier (#24551)\n\n## Summary\n\n\\`verifier.c:75-77\\` computes \\`segment_end \u003d archive_rodata_offset +\nsegment_offset + segment_length\\` as a plain 64-bit unsigned addition.\nFlatBuffer \\`uint64\\` scalars carry no per-field cap, so\nattacker-controlled \\`external_data_offset + external_data_length\\`\nvalues can wrap past 2^64, producing a small \\`segment_end\\` that\nfalsely passes the \\`\u003e data_length\\` check.\n\n\\`module.c:1015-1018\\` then constructs the rodata buffer span from the\noriginal unwrapped values (comment: *\"Note that we\u0027ve already verified\nthe referenced range is in bounds\"*), yielding a wild pointer. The\nruntime guard in \\`buffer.c\\` validates against the attacker-controlled\nlength, not the true archive bounds.\n\n## Fix\n\nReplaced the additive sum with non-overflowing subtraction comparisons\nthat reject any \\`segment_offset\\` or \\`segment_length\\` that would\nexceed available archive space.\n\n## Also flagged\n\nThe same unchecked-add pattern exists in \\`archive.c:184\\`\n(\\`iree_vm_bytecode_archive_infer_size\\`) and should be addressed\nsimilarly.\n\nSigned-off-by: 0xASTRA \u003castramentor2k20@gmail.com\u003e", "tree_diff": [ { "type": "modify", "old_id": "b7569599fcf74a7fa140a8ecd8be0f8025c4b8d7", "old_mode": 33188, "old_path": "runtime/src/iree/vm/bytecode/verifier.c", "new_id": "45b61182d310b7792994f07160eb13f9d70e1a41", "new_mode": 33188, "new_path": "runtime/src/iree/vm/bytecode/verifier.c" } ] }