yetanotherco / aligned_layer

Aligned is a verification layer for zero-knowledge proofs using EigenLayer. Our mission is to accelerate the adoption of zero-knowledge and validity proofs on Ethereum.
https://alignedlayer.com/
MIT License

Unsafe Pointer Casting Without Length Verification #904

Open entropidelic opened 2 weeks ago

entropidelic commented 2 weeks ago

There are multiple instances in Go code where buffers are cast to unsafe.Pointer without verifying their lengths. This pattern can lead to potential out-of-bounds (OOB) vulnerabilities.

Example: File: ../operator/halo2ipa/halo2ipa.go (lines 39-43)

```go
// Each cast takes the address of element 0 without first checking len(buffer).
proofPtr := (*C.uchar)(unsafe.Pointer(&proofBuffer[0]))
csPtr := (*C.uchar)(unsafe.Pointer(&csBuffer[0]))
vkPtr := (*C.uchar)(unsafe.Pointer(&vkBuffer[0]))
ipaParamPtr := (*C.uchar)(unsafe.Pointer(&ipaParamBuffer[0]))
publicInputPtr := (*C.uchar)(unsafe.Pointer(&publicInputBuffer[0]))
```

Recommendations:

  1. Input Validation: Implement strict input validation to ensure that all buffers are of the expected size before casting them to unsafe.Pointer.
  2. Length Checks: Add length checks before accessing the first element of any buffer to prevent out-of-bounds errors.
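The following is an added example illustrating the two recommendations above; it is not code from aligned_layer or from the issue author. It reproduces the unchecked `&buf[0]` cast in plain Go (no cgo) and places a hardened version beside it: the empty-slice case, which panics in Go, is caught before the cast, each fixed-size buffer is compared against an expected length, and the pointer is always returned together with its length so the consumer is never told a size the buffer does not have. The expected sizes (`expectedVKLen`, `expectedPublicInputLen`), the `sumBytes` stand-in for the C verifier, and `verifyInputs` are all hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"unsafe"
)

// Hypothetical expected sizes; the real verifier's constants are not on the page.
const (
	expectedVKLen          = 32
	expectedPublicInputLen = 64
)

var (
	ErrEmptyBuffer    = errors.New("buffer is empty")
	ErrLengthMismatch = errors.New("buffer length mismatch")
)

// unsafePtrUnchecked mirrors the pattern quoted in the issue: the address of
// element 0 is taken with no length check. On an empty slice this panics with
// "index out of range"; on a non-empty one it yields a raw pointer that carries
// no length, so whatever receives it has to trust a separately supplied size.
func unsafePtrUnchecked(buf []byte) unsafe.Pointer {
	return unsafe.Pointer(&buf[0])
}

// panicsOnEmpty reports whether the unchecked cast panics for the given buffer.
func panicsOnEmpty(buf []byte) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	_ = unsafePtrUnchecked(buf)
	return false
}

// checkedPtr is the hardened form. It rejects empty buffers, enforces the
// expected length when one is known (want > 0), and returns the length next to
// the pointer so the callee can never be told a size the buffer does not have.
func checkedPtr(buf []byte, want int) (unsafe.Pointer, int, error) {
	if len(buf) == 0 {
		return nil, 0, ErrEmptyBuffer
	}
	if want > 0 && len(buf) != want {
		return nil, 0, fmt.Errorf("%w: got %d bytes, want %d", ErrLengthMismatch, len(buf), want)
	}
	return unsafe.Pointer(&buf[0]), len(buf), nil
}

// sumBytes stands in for the foreign (C) consumer: it reads exactly n bytes
// behind ptr. Handed a length larger than the backing array, this would be an
// out-of-bounds read; that is the failure the length check above prevents.
func sumBytes(ptr unsafe.Pointer, n int) uint32 {
	var sum uint32
	for _, b := range unsafe.Slice((*byte)(ptr), n) {
		sum += uint32(b)
	}
	return sum
}

// verifyInputs validates every buffer before any of them is cast, the way a
// verifier entry point should. Buffers with a fixed size are checked against
// it; the proof, whose size varies, is only required to be non-empty.
func verifyInputs(proof, vk, publicInput []byte) (uint32, error) {
	proofPtr, proofLen, err := checkedPtr(proof, 0)
	if err != nil {
		return 0, fmt.Errorf("proof: %w", err)
	}
	vkPtr, vkLen, err := checkedPtr(vk, expectedVKLen)
	if err != nil {
		return 0, fmt.Errorf("verification key: %w", err)
	}
	piPtr, piLen, err := checkedPtr(publicInput, expectedPublicInputLen)
	if err != nil {
		return 0, fmt.Errorf("public input: %w", err)
	}
	// Pointer and length always travel together into the consumer.
	return sumBytes(proofPtr, proofLen) + sumBytes(vkPtr, vkLen) + sumBytes(piPtr, piLen), nil
}

func main() {
	// Constructed sample inputs.
	fmt.Println("empty buffer panics:", panicsOnEmpty(nil))
	proof := []byte{1, 2, 3}
	vk := make([]byte, expectedVKLen)
	pi := make([]byte, expectedPublicInputLen)
	if _, err := verifyInputs(proof, vk[:16], pi); err != nil {
		fmt.Println("rejected:", err)
	}
	total, err := verifyInputs(proof, vk, pi)
	fmt.Println(total, err)
}
```

In real cgo code the same shape applies: validate `len()` first, then pass `(*C.uchar)(unsafe.Pointer(&buf[0]))` and `C.uint(len(buf))` as a pair, never a pointer with a length the Go side has not checked.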