Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
Classes | Functions
acir_null_deref.test.cpp File Reference

Exploit and fix tests for null shared_ptr dereference in ACIR deserialization. More...

#include <gtest/gtest.h>
#include <memory>
#include <regex>
#include <vector>
#include "acir_to_constraint_buf.hpp"
#include "barretenberg/common/assert.hpp"
#include "barretenberg/serialize/msgpack_impl.hpp"
#include "serde/acir.hpp"

Go to the source code of this file.

Classes

class  AcirNullDerefTest
 

Functions

 TEST_F (AcirNullDerefTest, AES128Encrypt_NullIV_DirectCircuit_Crashes)
 
 TEST_F (AcirNullDerefTest, Keccakf1600_NullInputs_DirectCircuit_Crashes)
 
 TEST_F (AcirNullDerefTest, Sha256Compression_NullInputs_DirectCircuit_Crashes)
 
 TEST_F (AcirNullDerefTest, AES128Encrypt_NullIV_FromBytes_ThrowsAfterFix)
 
 TEST_F (AcirNullDerefTest, NullSharedPtr_RejectedByMsgpackRoundtrip)
 

Detailed Description

Exploit and fix tests for null shared_ptr dereference in ACIR deserialization.

Demonstrates that crafted ACIR bytecode containing msgpack NIL values for shared_ptr<array<T,N>> fields would produce a null pointer dereference in acir_to_constraint_buf.cpp, and that the fix (rejecting NIL in conv_fld_from_kvmap and conv_fld_from_array) prevents the crash.

Attack vector: An attacker crafts raw ACIR bytecode (bypassing the Noir compiler) containing a BlackBoxFuncCall opcode where a fixed-size array field is encoded as msgpack NIL (0xc0). Without the fix, the AztecProtocol/msgpack-c fork silently converts NIL to a null shared_ptr, which is then dereferenced unconditionally. With the fix, deserialization rejects NIL for required fields and throws.

Definition in file acir_null_deref.test.cpp.

Function Documentation

◆ TEST_F() [1/5]

TEST_F ( AcirNullDerefTest  ,
AES128Encrypt_NullIV_DirectCircuit_Crashes   
)

Definition at line 64 of file acir_null_deref.test.cpp.

◆ TEST_F() [2/5]

TEST_F ( AcirNullDerefTest  ,
AES128Encrypt_NullIV_FromBytes_ThrowsAfterFix   
)

Definition at line 133 of file acir_null_deref.test.cpp.

◆ TEST_F() [3/5]

TEST_F ( AcirNullDerefTest  ,
Keccakf1600_NullInputs_DirectCircuit_Crashes   
)

Definition at line 86 of file acir_null_deref.test.cpp.

◆ TEST_F() [4/5]

TEST_F ( AcirNullDerefTest  ,
NullSharedPtr_RejectedByMsgpackRoundtrip   
)

Definition at line 166 of file acir_null_deref.test.cpp.

◆ TEST_F() [5/5]

TEST_F ( AcirNullDerefTest  ,
Sha256Compression_NullInputs_DirectCircuit_Crashes   
)

Definition at line 106 of file acir_null_deref.test.cpp.