Description
The end of the range calculated in store_byte can overflow if a + c == Word::MAX. In the debug profile, or if overflow checks are enabled in production, the code panics; otherwise the function returns PanicReason::MemoryOverflow. Note that because the range ac..0 is empty, the ownership checks pass. However, the check ac < VM_MAX_RAM fails, because in order to trigger the overflow ac must equal Word::MAX. If VM_MAX_RAM were equal to Word::MAX, invalid data could be written to memory, bypassing the ownership checks.
The following figure shows the assembler code which triggered the overflow.
Figure 35.2: Proof of concept code for overflowing the range end.
Recommendations
Short term, avoid the overflow by using overflowing_add to add the 1, so that the resulting range can be validated by the ownership checks.
Long term, deploy the fuzzer described in the fuzzing appendix (see appendix E), which is able to discover this bug automatically. Furthermore, consider disallowing unchecked arithmetic via the clippy rule integer_arithmetic, which requires every arithmetic operation to explicitly check whether an overflow occurred.
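An added illustration of the finding (not fuel-vm's own code): a toy model of the store_byte range computation with an assumed ownership check and assumed constants, showing that the wrapped range Word::MAX..0 is empty and slips past the ownership check, while the overflowing_add version rejects the same input with MemoryOverflow.

```rust
use std::ops::Range;

// Added example (not fuel-vm code): models the range computation in
// store_byte with a toy ownership check. All constants are assumptions.
type Word = u64;

#[derive(Debug, PartialEq)]
pub enum PanicReason { MemoryOverflow }

/// Toy ownership check: every address in the range must lie below
/// `owned_end`. An empty range has no addresses, so it trivially passes.
pub fn has_ownership(range: &Range<Word>, owned_end: Word) -> bool {
    range.clone().all(|addr| addr < owned_end)
}

/// Vulnerable shape: the range end is `ac + 1`. `wrapping_add` stands in
/// for the release-profile wrap (a debug build would panic here instead).
/// With a + c == Word::MAX the range becomes Word::MAX..0, which is empty.
pub fn vulnerable_range(a: Word, c: Word) -> Range<Word> {
    let ac = a.wrapping_add(c);
    ac..ac.wrapping_add(1)
}

/// Returns true when the vulnerable range slips past the ownership check
/// only because it is empty.
pub fn ownership_bypassed(a: Word, c: Word, owned_end: Word) -> bool {
    let range = vulnerable_range(a, c);
    range.is_empty() && has_ownership(&range, owned_end)
}

/// Fixed shape: both additions use overflowing_add and any carry is a
/// MemoryOverflow, so the ownership check only ever sees a real range.
pub fn store_byte_checked(a: Word, c: Word, owned_end: Word, max_ram: Word)
    -> Result<Word, PanicReason>
{
    let (ac, overflow) = a.overflowing_add(c);
    let (end, end_overflow) = ac.overflowing_add(1);
    if overflow || end_overflow || ac >= max_ram {
        return Err(PanicReason::MemoryOverflow);
    }
    if !has_ownership(&(ac..end), owned_end) {
        return Err(PanicReason::MemoryOverflow);
    }
    Ok(ac) // the address that would be written
}
```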