check bool on non-solana target

rustopian · rustopian · commit d710b1e6c4c1 · 2025-12-05T10:58:54.000Z
diff --git a/sysvar/src/epoch_rewards.rs b/sysvar/src/epoch_rewards.rs
@@ -154,20 +154,28 @@
 //! # Ok::<(), anyhow::Error>(())
 //! ```
 
+use crate::Sysvar;
 #[cfg(feature = "bincode")]
 use crate::SysvarSerialize;
-use crate::{impl_sysvar_get, Sysvar};
 pub use {
     solana_epoch_rewards::EpochRewards,
     solana_sdk_ids::sysvar::epoch_rewards::{check_id, id, ID},
 };
 
+#[cfg(not(target_os = "solana"))]
+impl Sysvar for EpochRewards {
+    // For non-Solana targets (test environments), validate that the final byte
+    // is a valid bool (0x00 or 0x01) since data may come from untrusted sources.
+    crate::impl_sysvar_get_check_final_bool!(id(), 15);
+}
+
+#[cfg(target_os = "solana")]
 impl Sysvar for EpochRewards {
     // SAFETY: upstream invariant: the sysvar data is created exclusively
     // by the Solana runtime and serializes bool as 0x00 or 0x01, so the final
     // `bool` field of `EpochRewards` can be re-aligned with padding and read
     // directly without validation.
-    impl_sysvar_get!(id(), 15);
+    crate::impl_sysvar_get!(id(), 15);
 }
 
 #[cfg(feature = "bincode")]
@@ -198,4 +206,32 @@ mod tests {
         let got = EpochRewards::get().unwrap();
         assert_eq!(got, expected);
     }
+
+    #[test]
+    #[serial]
+    #[cfg(feature = "bincode")]
+    fn test_impl_sysvar_epochrewards_fails_non_solana_bad_bool() {
+        let epoch_rewards = EpochRewards {
+            distribution_starting_block_height: 42,
+            num_partitions: 7,
+            parent_blockhash: solana_hash::Hash::new_unique(),
+            total_points: 1234567890,
+            total_rewards: 100,
+            distributed_rewards: 10,
+            active: false,
+        };
+
+        let mut data = bincode::serialize(&epoch_rewards).unwrap();
+        assert_eq!(data.len(), 81);
+
+        // Corrupt the bool byte (last byte of serialized data) to an invalid value
+        data[80] = 2;
+
+        crate::tests::mock_get_sysvar_syscall(&data);
+        let result = EpochRewards::get();
+        assert_eq!(
+            result,
+            Err(solana_program_error::ProgramError::InvalidAccountData)
+        );
+    }
 }
diff --git a/sysvar/src/epoch_schedule.rs b/sysvar/src/epoch_schedule.rs
@@ -171,6 +171,11 @@ impl PodEpochSchedule {
     }
 
     pub fn warmup(&self) -> bool {
+        #[cfg(not(target_os = "solana"))]
+        if self.warmup > 1 {
+            panic!("Invalid warmup value: {}", self.warmup);
+        }
+
         // SAFETY: upstream invariant: the sysvar data is created exclusively
         // by the Solana runtime and serializes bool as 0x00 or 0x01.
         self.warmup > 0
diff --git a/sysvar/src/lib.rs b/sysvar/src/lib.rs
@@ -158,13 +158,31 @@ pub trait SysvarSerialize:
     }
 }
 
-/// Implements the [`Sysvar::get`] method for both SBF and host targets.
+/// Helper for conditional bool validation. Expands to a check or nothing.
 #[macro_export]
-macro_rules! impl_sysvar_get {
+#[doc(hidden)]
+macro_rules! __maybe_check_final_bool {
+    (true, $var_addr:ident, $length:ident) => {
+        let bool_byte = *$var_addr.add($length - 1);
+        if bool_byte > 1 {
+            return Err($crate::__private::ProgramError::InvalidAccountData);
+        }
+    };
+    (false, $var_addr:ident, $length:ident) => {};
+}
+
+/// Internal macro that implements [`Sysvar::get`] with optional bool validation.
+///
+/// Not intended for direct use. Use [`impl_sysvar_get`] or
+/// [`impl_sysvar_get_check_final_bool`] instead.
+#[macro_export]
+#[doc(hidden)]
+macro_rules! __impl_sysvar_get_internal {
     // DEPRECATED: This variant is only for the deprecated Fees sysvar and should be
     // removed once Fees is no longer in use. It uses the old-style direct syscall
     // approach instead of the new sol_get_sysvar syscall.
-    ($syscall_name:ident) => {
+    // The check_final_bool parameter is ignored for this deprecated path.
+    ($syscall_name:ident, $_check_final_bool:tt) => {
         fn get() -> Result<Self, $crate::__private::ProgramError> {
             let mut var = Self::default();
             let var_addr = &mut var as *mut _ as *mut u8;
@@ -185,7 +203,8 @@ macro_rules! impl_sysvar_get {
     // (size - padding bytes) and zeros the padding to avoid undefined behavior.
     // Only supports sysvars where padding is at the end of the layout. Caller
     // must supply the correct number of padding bytes.
-    ($sysvar_id:expr, $padding:literal) => {
+    // If check_final_bool is true, validates that the final byte is 0x00 or 0x01.
+    ($sysvar_id:expr, $padding:literal, $check_final_bool:tt) => {
         fn get() -> Result<Self, $crate::__private::ProgramError> {
             let mut var = core::mem::MaybeUninit::<Self>::uninit();
             let var_addr = var.as_mut_ptr() as *mut u8;
@@ -201,6 +220,7 @@ macro_rules! impl_sysvar_get {
                     // SAFETY: All bytes now initialized: syscall filled data
                     // bytes and we zeroed padding.
                     unsafe {
+                        $crate::__maybe_check_final_bool!($check_final_bool, var_addr, length);
                         var_addr.add(length).write_bytes(0, $padding);
                         Ok(var.assume_init())
                     }
@@ -211,8 +231,46 @@ macro_rules! impl_sysvar_get {
         }
     };
     // Variant for sysvars without padding (struct size matches bincode size).
+    ($sysvar_id:expr, $check_final_bool:tt) => {
+        $crate::__impl_sysvar_get_internal!($sysvar_id, 0, $check_final_bool);
+    };
+}
+
+/// Implements the [`Sysvar::get`] method for both SBF and host targets.
+#[macro_export]
+macro_rules! impl_sysvar_get {
+    // DEPRECATED: This variant is only for the deprecated Fees sysvar.
+    ($syscall_name:ident) => {
+        $crate::__impl_sysvar_get_internal!($syscall_name, false);
+    };
+    // Variant for sysvars with padding at the end.
+    ($sysvar_id:expr, $padding:literal) => {
+        $crate::__impl_sysvar_get_internal!($sysvar_id, $padding, false);
+    };
+    // Variant for sysvars without padding.
+    ($sysvar_id:expr) => {
+        $crate::__impl_sysvar_get_internal!($sysvar_id, 0, false);
+    };
+}
+
+/// Implements the [`Sysvar::get`] method with validation that the final byte is a valid bool.
+///
+/// This is the same as [`impl_sysvar_get`] but additionally validates that the last byte
+/// of the loaded data is either 0x00 or 0x01.
+#[cfg(not(target_os = "solana"))]
+#[macro_export]
+macro_rules! impl_sysvar_get_check_final_bool {
+    // DEPRECATED: This variant is only for the deprecated Fees sysvar.
+    ($syscall_name:ident) => {
+        $crate::__impl_sysvar_get_internal!($syscall_name, true);
+    };
+    // Variant for sysvars with padding at the end.
+    ($sysvar_id:expr, $padding:literal) => {
+        $crate::__impl_sysvar_get_internal!($sysvar_id, $padding, true);
+    };
+    // Variant for sysvars without padding.
     ($sysvar_id:expr) => {
-        $crate::impl_sysvar_get!($sysvar_id, 0);
+        $crate::__impl_sysvar_get_internal!($sysvar_id, 0, true);
     };
 }
 
