Noir Brillig Bytecode Heap Corruption Vulnerability via Improper Foreign Call Result Allocation

Vulnerability

A heap corruption vulnerability has been identified in the Noir programming language's compilation to Brillig bytecode. This issue arises when Noir programs invoke external functions through foreign calls, particularly with nested array results containing composite types like tuples. The compiler fails to allocate the correct amount of memory for these nested arrays, leading to corruption of the Brillig VM heap. The vulnerability is present in Noir versions through 1.0.0-beta.18 and has been patched in version 1.0.0-beta.19.

Impact

Exploitation of this vulnerability corrupts the Brillig VM heap, potentially leading to arbitrary memory manipulation or crashes.

Reproduction

To reproduce this vulnerability, create a Noir program that includes a foreign call returning a nested array of tuples or other composite types. Compile the program to Brillig bytecode and execute it in the Brillig VM. The heap corruption can be observed when the VM attempts to process the under-allocated array results, overwriting adjacent memory.

Remediation

Users can upgrade to Noir version 1.0.0-beta.19, which fixes the allocation bug by correctly computing the semi-flattened size for nested arrays before foreign calls are made.
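The under-allocation and the corrected sizing described above, as an added example in Rust (the Noir compiler's language); this is a toy model, not code from Noir or the Brillig VM. The heap model, all function names, the buggy sizing rule and the reading of "semi-flattened size" as element count times tuple width are assumptions made for illustration.

```rust
// Toy model constructed for illustration; not Noir's or the Brillig VM's code.
// The heap is a flat vector of word-sized slots with a bump allocator.
struct Heap {
    mem: Vec<u64>,
    free: usize,
}

impl Heap {
    fn new(words: usize) -> Self {
        Heap { mem: vec![0; words], free: 0 }
    }
    // Reserve `words` slots and return the base address.
    fn alloc(&mut self, words: usize) -> usize {
        let base = self.free;
        self.free += words;
        base
    }
}

// Assumed meaning of "semi-flattened": one slot per tuple field per element
// (a nested array field would take a single pointer slot, not its contents).
fn semi_flattened_size(tuple_width: usize, len: usize) -> usize {
    tuple_width * len
}

// Reserve a result array for [(Field, Field); 3], place another value right
// after it, then write back the foreign call results. Returns the neighbour.
fn neighbour_after_call(fixed: bool) -> u64 {
    let mut heap = Heap::new(16);
    let (tuple_width, len) = (2, 3);
    let needed = semi_flattened_size(tuple_width, len);
    // Assumed buggy sizing: element count only, ignoring the tuple width.
    let reserved = if fixed { needed } else { len };
    let arr = heap.alloc(reserved);
    let neighbour = heap.alloc(1);
    heap.mem[neighbour] = 0xC0FFEE;
    for i in 0..needed {
        heap.mem[arr + i] = 100 + i as u64; // result write-back
    }
    heap.mem[neighbour]
}

fn main() {
    println!("under-allocated: neighbour = {:#x}", neighbour_after_call(false));
    println!("semi-flattened:  neighbour = {:#x}", neighbour_after_call(true));
}
```

With the under-sized reservation the fourth result word lands on the neighbouring allocation; with the semi-flattened size the neighbour keeps its value.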

Added: Apr 23, 2026, 2:27 AM
Updated: Apr 23, 2026, 2:27 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 7.7
remediation: 0.0
relevance: 6.5
threat: 1.6
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.