fix: check empty leader nondet result before indexing data[0]#319

Open
lau90eth wants to merge 1 commit into genlayerlabs:v0.3-dev from lau90eth:fix/nondet-empty-leader-result

@lau90eth lau90eth commented Jun 28, 2026

Summary

Fixes index-out-of-bounds panic when a malicious leader injects Bytes::new() as a nondet result.

Root Cause

In executor/src/wasi/genlayer_sdk.rs ~L1305, inside leader_nondet_results handling:

Some(data) => {
    let rest = &data[1..]; // panics if data.is_empty()
    let res = match data[0] { // index OOB if data is empty

data arrives from the wire via calldata::decode_obj with no per-element length validation. A malicious leader can inject Bytes::new() (empty bytes), causing data[0] to panic and crashing the validator.

Impact

Consensus liveness compromised — validator crashes on empty nondet result, preventing finalization.

Fix

Added data.is_empty() check before data[0] access, returning a proper error instead of panicking.

PoC

https://github.com/lau90eth/genvm-nondet-panic

Related

Finding originally submitted to GenLayer Builders Program portal.

Summary by CodeRabbit

  • Bug Fixes
    • Added validation for leader nondeterministic results to prevent empty values from being processed.
    • Users now receive a clear error if a result is missing expected bytes, reducing unexpected runtime failures.

Fixes index-out-of-bounds panic when a malicious leader injects
Bytes::new() as a nondet result. data[0] would panic if data is empty.

Affected: executor/src/wasi/genlayer_sdk.rs ~L1305
PoC: https://github.com/lau90eth/genvm-nondet-panic
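
The failure mode described in this pull request, as an added example that is not the project's code or the PR's actual diff: a tag-plus-payload decoder written first with direct indexing and then with `split_first()`. The enum names and the tag values 0 and 1 are hypothetical, and the sample inputs are constructed.

```rust
// Added illustration; type names and tag values are hypothetical, not GenVM's.
use std::panic;

#[derive(Debug, PartialEq)]
enum LeaderResult<'a> {
    Return(&'a [u8]),
    Error(&'a [u8]),
}

#[derive(Debug, PartialEq)]
enum DecodeError {
    Empty,
    UnknownTag(u8),
}

// Same shape as the code quoted in the PR: index first, no length check.
fn decode_unchecked(data: &[u8]) -> Result<LeaderResult<'_>, DecodeError> {
    let rest = &data[1..]; // panics when data is empty
    match data[0] {
        0 => Ok(LeaderResult::Return(rest)),
        1 => Ok(LeaderResult::Error(rest)),
        t => Err(DecodeError::UnknownTag(t)),
    }
}

// split_first() yields None for an empty slice, so the empty case becomes an
// ordinary error value and tag/payload are taken in one bounds-checked step.
fn decode_checked(data: &[u8]) -> Result<LeaderResult<'_>, DecodeError> {
    let (&tag, rest) = data.split_first().ok_or(DecodeError::Empty)?;
    match tag {
        0 => Ok(LeaderResult::Return(rest)),
        1 => Ok(LeaderResult::Error(rest)),
        t => Err(DecodeError::UnknownTag(t)),
    }
}

// Returns true when the closure panicked (what would take the validator down).
fn panics_on(data: &'static [u8]) -> bool {
    panic::catch_unwind(|| decode_unchecked(data)).is_err()
}

fn main() {
    // Constructed inputs: empty, tag-only, tag plus payload, unknown tag.
    for input in [&b""[..], &b"\x00"[..], &b"\x01oops"[..], &b"\x09"[..]] {
        println!("{:?} -> {:?}", input, decode_checked(input));
    }
    println!("unchecked panics on empty: {}", panics_on(b""));
}
```

A tag-only input (one byte, empty payload) is valid for both versions; only the zero-length input separates them.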

CLAassistant commented Jun 28, 2026

CLA assistant check
All committers have signed the CLA.

coderabbitai Bot commented Jun 28, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 8687414a-9ead-4964-a834-981055e3514b

📥 Commits

Reviewing files that changed from the base of the PR and between abb71bf and 7207d8f.

📒 Files selected for processing (1)
  • executor/src/wasi/genlayer_sdk.rs

📝 Walkthrough

In run_nondet, a new guard checks whether the leader nondet result bytes are empty when Some(data) is matched. If data is empty, a trap error is returned immediately; otherwise, parsing of data[0] proceeds as before.

Changes

Empty leader nondet result guard

| Layer / File(s) | Summary |
|---|---|
| Empty data guard in run_nondet (executor/src/wasi/genlayer_sdk.rs) | Adds a length check on data before indexing data[0]; returns a trapped error if the leader nondet result bytes are empty. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

A hop and a check, before the byte is read,
"Is the data empty?" the rabbit said.
If nothing is there, we trap with care,
No panic, no crash — just a note to declare.
🐇 Safe bounds for all!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly matches the main fix: guarding against empty leader nondet results before indexing data[0]. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@github-actions

👋 This PR targeted main, so I've retargeted it to the latest dev branch v0.3-dev.

main is protected and is only an alias of the latest release branch (v0.3-dev), kept in lockstep automatically. Active v0.3 work lands on v0.3-dev, which reaches v0.3.x through the standing release-gate PR once the cross-repo E2E matrix is green.

@github-actions github-actions Bot changed the base branch from main to v0.3-dev June 28, 2026 08:08