host: Reject DELEGATECALL crossing EOF<>legacy boundary

Author: axic

test/state/host.cpp

@@ -76,16 +76,17 @@ uint256be Host::get_balance(const address& addr) const noexcept
 
 namespace
 {
+bool is_eof(bytes_view code) noexcept
+{
+    return code.size() >= 2 && code[0] == 0xEF && code[1] == 0x00;
+}
+
 // For EXTCODE* instructions if the target is an EOF account, then only return EF00.
 // While we only do this if the caller is legacy, it is not a problem doing this
 // unconditionally, because EOF contracts dot no have EXTCODE* instructions.
 bytes_view extcode(bytes_view code) noexcept
 {
-    if (code.size() >= 2 && code[0] == 0xEF && code[1] == 0x00)
-    {
-        return code.substr(2);
-    }
-    return code;
+    return is_eof(code) ? code.substr(2) : code;
 }
 }  // namespace
 
@@ -281,6 +282,17 @@ evmc::Result Host::execute_message(const evmc_message& msg) noexcept
 
     // Copy of the code. Revert will invalidate the account.
     const auto code = dst_acc != nullptr ? dst_acc->code : bytes{};
+
+    if (msg.kind == EVMC_DELEGATECALL)
+    {
+        // TODO: does the sender always have code here? or is this function used for EOAs too?
+        const auto sender = m_state.get(msg.sender);
+
+        // DELEGATECALL initiator and destination both must be either legacy or EOF
+        if (is_eof(code) != is_eof(sender.code))
+            return evmc::Result{EVMC_FAILURE};
+    }
+
     return m_vm.execute(*this, m_rev, msg, code.data(), code.size());
 }