
fix: use checked arithmetic in bounds_check! to prevent overflow bypass #1263

Merged
ludfjig merged 1 commit into hyperlight-dev:main from ludfjig:harden_bound_check on Feb 26, 2026

Conversation


@ludfjig ludfjig commented Feb 25, 2026

The bounds check silently wraps on usize overflow in release builds, bypassing the check entirely. Not exploitable today since callers validate offsets before reaching the macro, but any future caller that doesn't could trigger it.


Signed-off-by: Ludvig Liljenberg <4257730+ludfjig@users.noreply.github.com>
@ludfjig ludfjig added kind/bugfix For PRs that fix bugs area/security Involves security-related changes or fixes labels Feb 25, 2026

@jsturtevant jsturtevant left a comment


Making the use of our helper functions easier to do the right thing properly is 💯


Copilot AI left a comment


Pull request overview

This PR hardens Hyperlight host shared-memory access by making the bounds_check! macro overflow-safe, preventing usize addition wraparound from bypassing bounds checks in release builds.

Changes:

  • Update bounds_check! to use checked_add so offset + size overflow is treated as out-of-bounds.
  • Add a regression test that exercises overflow offsets/sizes across several ExclusiveSharedMemory and HostSharedMemory APIs.
Comments suppressed due to low confidence (2)

src/hyperlight_host/src/mem/shared_mem.rs:57

  • bounds_check! is used by both read and write/copy/fill paths in this file, but the error message hard-codes "Cannot read value...". This can be misleading when the failing operation is a write or fill; consider making the message operation-agnostic (e.g., "Cannot access memory...") or allowing the call site to supply an operation label.
        if $offset.checked_add($size).is_none_or(|end| end > $mem_size) {
            return Err(new_error!(
                "Cannot read value from offset {} with size {} in memory of size {}",
                $offset,
                $size,
                $mem_size
            ));

src/hyperlight_host/src/mem/shared_mem.rs:56

  • bounds_check! references $offset, $size, and $mem_size multiple times (in the check and again in the formatted error). If a caller ever passes expressions with side effects, they could be evaluated more than once. Consider binding the macro inputs to local let variables inside the macro expansion so each argument is evaluated exactly once.
    ($offset:expr, $size:expr, $mem_size:expr) => {
        if $offset.checked_add($size).is_none_or(|end| end > $mem_size) {
            return Err(new_error!(
                "Cannot read value from offset {} with size {} in memory of size {}",
                $offset,
                $size,
                $mem_size
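The following is an added example, not code from the Hyperlight repository or from this PR. It models the two points raised above: the PR description's observation that `offset + size` wraps on usize overflow in release builds and slips past the check, and the reviewer's point about macro arguments being evaluated more than once. `bounds_check_unchecked!` reproduces the pre-fix shape using `wrapping_add` so the release-mode wrap is reproducible in a debug build too (the real macro used plain `+`, which would panic in debug). `bounds_check_checked!` is the hardened shape with `checked_add`, binds each argument to a local once, and uses a `match` in place of `Option::is_none_or`. The `MEM_SIZE` constant, the operation-agnostic error text and the `read_u64_checked` helper are assumptions made for the example.

```rust
// Added example (not Hyperlight's code): models the bounds check before and
// after the fix and shows why the unchecked form can be bypassed.
use std::cell::Cell;

// Assumed size of the shared-memory region used by the checks below.
const MEM_SIZE: usize = 4096;

/// Pre-fix shape. The real macro used `offset + size`, which panics in debug
/// builds but wraps silently in release builds; `wrapping_add` reproduces the
/// release behaviour regardless of build profile. Note `$offset` is expanded
/// twice: once in the comparison and again when formatting the error.
macro_rules! bounds_check_unchecked {
    ($offset:expr, $size:expr, $mem_size:expr) => {
        if $offset.wrapping_add($size) > $mem_size {
            return Err(format!(
                "Cannot read value from offset {} with size {} in memory of size {}",
                $offset, $size, $mem_size
            ));
        }
    };
}

/// Post-fix shape. `checked_add` yields `None` on overflow, which is treated as
/// out of bounds. Each argument is bound to a hygienic local exactly once, so an
/// argument expression with side effects runs once even on the error path.
macro_rules! bounds_check_checked {
    ($offset:expr, $size:expr, $mem_size:expr) => {
        let (offset, size, mem_size): (usize, usize, usize) = ($offset, $size, $mem_size);
        match offset.checked_add(size) {
            Some(end) if end <= mem_size => {}
            _ => {
                return Err(format!(
                    "Cannot access memory at offset {} with size {} in memory of size {}",
                    offset, size, mem_size
                ))
            }
        }
    };
}

/// Old check against the assumed region size; Ok(()) means the access is allowed.
pub fn check_unchecked(offset: usize, size: usize) -> Result<(), String> {
    bounds_check_unchecked!(offset, size, MEM_SIZE);
    Ok(())
}

/// New check against the assumed region size.
pub fn check_checked(offset: usize, size: usize) -> Result<(), String> {
    bounds_check_checked!(offset, size, MEM_SIZE);
    Ok(())
}

/// A near-usize::MAX offset plus a small size wraps to a tiny end address.
/// Returns (old check passes, new check passes).
pub fn overflow_bypass_demo() -> (bool, bool) {
    let offset = usize::MAX - 7; // offset + 8 wraps to 0, which is "in bounds"
    let size = 8;
    (check_unchecked(offset, size).is_ok(), check_checked(offset, size).is_ok())
}

/// Assumed read helper: the hardened check guards the slice range that follows.
pub fn read_u64_checked(mem: &[u8], offset: usize) -> Result<u64, String> {
    let size = std::mem::size_of::<u64>();
    bounds_check_checked!(offset, size, mem.len());
    let mut buf = [0u8; 8];
    buf.copy_from_slice(&mem[offset..offset + size]);
    Ok(u64::from_le_bytes(buf))
}

fn failing_check(use_checked: bool, offset: &dyn Fn() -> usize) -> Result<(), String> {
    if use_checked {
        bounds_check_checked!(offset(), 8usize, MEM_SIZE);
    } else {
        bounds_check_unchecked!(offset(), 8usize, MEM_SIZE);
    }
    Ok(())
}

/// Counts how many times the offset expression runs when the check fails:
/// the old macro re-evaluates it for the error message, the new one does not.
pub fn offset_evaluations(use_checked: bool) -> u32 {
    let count = Cell::new(0u32);
    let offset = || {
        count.set(count.get() + 1);
        MEM_SIZE // out of bounds with size 8, forcing the error path
    };
    let _ = failing_check(use_checked, &offset);
    count.get()
}

fn main() {
    let (old_ok, new_ok) = overflow_bypass_demo();
    println!("wrapped range passes old check: {old_ok}, new check: {new_ok}");
    println!(
        "offset expression evaluated on failure: old={} new={}",
        offset_evaluations(false),
        offset_evaluations(true)
    );
}
```

Running the binary shows the old check accepting a range whose end wrapped to 0 while the new check rejects it, and the old macro evaluating the offset expression twice on the failure path against once for the hardened macro.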

@ludfjig ludfjig merged commit 6d5d763 into hyperlight-dev:main Feb 26, 2026
61 of 62 checks passed