[medium] [runtime] integer overflow in runtime/src/storage/iouring.rs

`runtime/src/storage/iouring.rs` derives per-operation offsets with unchecked `u64` arithmetic. If a caller can supply an `offset` near `u64::MAX`, these additions can wrap on subsequent loop iterations (short read/write), redirecting I/O to unintended earlier positions:

- `let offset = offset + bytes_read as u64;` [[1]](https://github.com/commonwarexyz/monorepo/blob/50d3e73a8720e8565e42b619dd507d8a01dfaf81/runtime/src/storage/iouring.rs#L458)

- `offset += op_bytes_written as u64;` in single-buffer write (`runtime/src/storage/iouring.rs:324`) [[2]](https://github.com/commonwarexyz/monorepo/blob/50d3e73a8720e8565e42b619dd507d8a01dfaf81/runtime/src/storage/iouring.rs#L324)
- `offset += op_bytes_written as u64;` in vectored write [[3]](https://github.com/commonwarexyz/monorepo/blob/50d3e73a8720e8565e42b619dd507d8a01dfaf81/runtime/src/storage/iouring.rs#L412)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[medium] [runtime] integer overflow in runtime/src/storage/iouring.rs #3288

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[medium] [runtime] integer overflow in runtime/src/storage/iouring.rs #3288

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions