
zkVM args and env length can overflow #158016

Description

@kevin-valerio

A large byte length can overflow to zero and still be used as the slice length.

That's targeting riscv32im-risc0-zkvm-elf where the implementations of std::env::args_os() and std::env::var_os() trust the host length. The code can allocate zero words and then build a huge slice from that pointer.

Ideally we should panic instead of overflowing to avoid any huge allocation.

```rust
let nwords = (nbytes + WORD_SIZE - 1) / WORD_SIZE;
let words = unsafe { abi::sys_alloc_words(nwords) };

let arg_len_words = (arg_len + WORD_SIZE - 1) / WORD_SIZE;
```

Metadata

Labels

- C-bug: Category: This is a bug.
- O-risc0: Operating system: RISC0 zkVM https://risczero.com/
- needs-triage: This issue may need triage. Remove it if it has been sufficiently triaged.
