fix(avm)!: de-risk memory injection attacks#19620

Merged
jeanmon merged 7 commits into
merge-train/avmfrom
jean/avm-180-de-risk-memory-corruption-attacks
Jan 16, 2026

Conversation

@jeanmon jeanmon commented Jan 15, 2026

Contributor

Linear issue AVM-180

@jeanmon jeanmon changed the base branch from next to merge-train/avm January 15, 2026 12:08
@jeanmon jeanmon marked this pull request as ready for review January 15, 2026 12:10

@sirasistant sirasistant left a comment

Contributor

to radix mem refactor looks good

@AztecBot

Collaborator

Flakey Tests

🤖 says: This CI run detected 3 tests that failed, but were tolerated due to a .test_patterns.yml entry.

FLAKED (http://ci.aztec-labs.com/a191e521d701581e): yarn-project/end-to-end/scripts/run_test.sh simple src/e2e_epochs/epochs_invalidate_block.parallel.test.ts "committee member invalidates a block if proposer does not come through" (96s) (code: 1) group:e2e-p2p-epoch-flakes (jeanmon: Fix unit test)
FLAKED (http://ci.aztec-labs.com/230043c72f6eb6fb): yarn-project/end-to-end/scripts/run_test.sh simple src/e2e_p2p/multiple_validators_sentinel.parallel.test.ts "collects attestations for validators in proposer node when block is not published" (113s) (code: 1) group:e2e-p2p-epoch-flakes (jeanmon: Fix unit test)
FLAKED (http://ci.aztec-labs.com/63c8e76f15869c4e): yarn-project/end-to-end/scripts/run_test.sh simple src/e2e_epochs/epochs_invalidate_block.parallel.test.ts "proposer invalidates multiple blocks" (603s) (code: 124) group:e2e-p2p-epoch-flakes (jeanmon: Fix unit test)

@IlyasRidhuan IlyasRidhuan left a comment

Contributor

Nice job looks great!

#[LAST_HAS_SEL_ON]
last * (1 - sel) = 0;

// Latch condition is boolean because `last` cannot be activated at first row due to #[LAST_HAS_SEL_ON].

Contributor

But does #[LAST_HAS_SEL_ON] only guarantee it because there exists a sel' from #[TRACE_CONTINUITY]? So sel cannot be activated on the first row (which means latch can't either)

Contributor Author

This does not follow from trace continuity. It follows from sel being shifted and therefore cannot be active on the first row (precomputed.first_row == 1). From #[LAST_HAS_SEL_ON], we have sel == 0 implies last == 0 and therefore last is mutually exclusive to precomputed.first_row.

We employed this reasoning many times and I might have been concise here out of habit.

Contributor

Gotcha, there are 2 instances of sel' in the trace, in #[TRACE_CONTINUITY] and in #[START_AFTER_LATCH]
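The implication jeanmon's reply derives, written out as an added Python check (not code from this PR or from the AVM code base): #[LAST_HAS_SEL_ON] together with `sel` being a shifted column (hence 0 on the first row) forces `last` to be 0 wherever `precomputed.first_row` is 1. The sample traces are constructed, and the shift is modelled only by its stated consequence (`sel == 0` on row 0); #[TRACE_CONTINUITY] and #[START_AFTER_LATCH] are not encoded because their exact form is not given in the thread.

```python
from itertools import product


def last_has_sel_on(row):
    """#[LAST_HAS_SEL_ON]: last * (1 - sel) = 0 on one row.
    A product is 0 iff a factor is 0, so this reads: sel == 0 implies last == 0."""
    return row["last"] * (1 - row["sel"]) == 0


def sel_shift_respected(trace):
    """Assumption taken from the thread: `sel` is a shifted column, so row 0 has
    no predecessor to read from and its sel must be 0.  Only this consequence is
    modelled, not the full #[TRACE_CONTINUITY] constraint."""
    return not trace or trace[0]["sel"] == 0


def violations(trace):
    """(row index, check name) for every check that fails on the trace."""
    bad = [] if sel_shift_respected(trace) else [(0, "sel shifted")]
    bad += [(i, "LAST_HAS_SEL_ON") for i, r in enumerate(trace) if not last_has_sel_on(r)]
    return bad


def last_excludes_first_row(trace):
    """Derived property: last * precomputed.first_row == 0 on every row."""
    return all(r["last"] * r["first_row"] == 0 for r in trace)


def implication_holds(n_rows=3):
    """Enumerate every boolean (sel, last) assignment over n_rows rows, with
    precomputed.first_row == 1 on row 0 only.  True iff every assignment that
    passes the checks also satisfies the derived property (a brute-force proof)."""
    for bits in product((0, 1), repeat=2 * n_rows):
        trace = [{"sel": bits[2 * i], "last": bits[2 * i + 1], "first_row": int(i == 0)}
                 for i in range(n_rows)]
        if not violations(trace) and not last_excludes_first_row(trace):
            return False
    return True


# Constructed traces (not AVM data): a well-formed 3-row trace, and one that
# tries to activate `last` on the first row, where `sel` is necessarily 0.
VALID_TRACE = [
    {"sel": 0, "last": 0, "first_row": 1},
    {"sel": 1, "last": 0, "first_row": 0},
    {"sel": 1, "last": 1, "first_row": 0},
]
FIRST_ROW_LAST_TRACE = [
    {"sel": 0, "last": 1, "first_row": 1},  # rejected by LAST_HAS_SEL_ON
    {"sel": 1, "last": 0, "first_row": 0},
]
```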

@jeanmon jeanmon merged commit 6d215f3 into merge-train/avm Jan 16, 2026
8 checks passed
@jeanmon jeanmon deleted the jean/avm-180-de-risk-memory-corruption-attacks branch January 16, 2026 11:27
@AztecBot AztecBot mentioned this pull request Jan 16, 2026
github-merge-queue Bot pushed a commit that referenced this pull request Jan 17, 2026
BEGIN_COMMIT_OVERRIDE
feat(avm): contract instance mutation (#19499)
fix(avm): Fix note hash exists fuzzing (#19616)
fix(avm): Build trace on coverage prover runs (#19627)
chore(avm): Use PC alias type consistently (#19625)
feat(avm): mutate global gas fees and timestamp (#19500)
docs: avm docs (#19603)
fix(avm): Increase chances of fuzzer finding limits (#19656)
fix(avm)!: de-risk memory injection attacks (#19620)
fix(avm): Fix TS ECC add infinity handling (#19657)
fix(avm): Fix jumpif in fuzzer (#19655)
feat(avm): protocol contract mutations (#19586)
chore(avm): analyze fuzzer corpus distribution (#19614)
feat(avm): fuzzer treats enqueued call size as coverage (#19615)
refactor(avm): Refactor calldata copy and return data copy fuzzing (#19666)
feat(avm): boundary values for mutations (#19617)
END_COMMIT_OVERRIDE