Feat/audit vague1 nil realm#6
Merged
Merged
Conversation
…R #5758) Three new audit scripts targeting commit 2c7f1abe3 (PR #5758): - audit_nil_realm_hole.sh: deploys a /p/-init-stamped Dispatcher + EvilInt (int-based Mutator, no PkgID anchor) and verifies the VM blocks the write to a /r/-stamped Slot routed through the nil-realm path. - audit_launder_pointer_write.sh: victim realm exposes &gValue via GetPtr(); verifies the VM blocks a direct *ptr = "pwnd" from outside the realm (PkgID mismatch: caller context vs victim-stamped string). - audit_launder_panic_recover.sh: /p/-init-stamped SafeRunner wraps a victim.SetAndPanic(100) call with defer/recover; verifies that state is fully rolled back to 0 despite the panic being caught in /p/ context (extends audit_cross_realm_recover for the nil-realm recover path).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Add wave 1 audit tests — nil-realm cross-realm write hole (PR #5758)
Adds three on-chain audit scripts targeting the nil-realm cross-realm write hole
fixed in gnolang/gno#5758 (commit
2c7f1abe3, merged 2026-06-01).Background
Before
2c7f1abe3, methods defined in/p/packages ran withm.Realm == nil,which disabled the cross-realm write check. An attacker could dispatch through a
/p/-init-stampedobject to write into the state of a foreign realm. The fix gives/p/packages a frozen realm so the write check fires correctly.New scripts
audit_nil_realm_hole.sh/p/-init-stampedDispatcher + interface with no PkgID anchor (EvilInt); writes to/r/-stampedSlotaudit_launder_pointer_write.sh/r/-stampedstring obtained viaGetPtr(), written from outside the realmaudit_launder_panic_recover.sh/p/-init-stampedSafeRunner wrapsdefer/recoveraround a victim call that writes state then panics; verifies state rollback still occursAll three scripts deploy unique per-run package paths (timestamp suffix), use
maketx runfor the attack step (required since gnolang/gno#5669 — functionswithout
cur realmare non-crossing and cannot be called viaMsgCall), and exit0 on patched / exit 1 on vulnerable.
Test results
All three pass as PATCHED on test-13 (
PASS: 16 FAIL: 0).