fix: Cross-chain plugin registration reuse

handle_set_plugin() parsed the signed chain_id only to call
app_compatible_with_chain_id() and then discarded it. The stored
tokenContext kept the plugin name, contract address, and selector but
never the chain the registration was signed for. eth_plugin_perform_
init_default() therefore authorized the plugin solely on address +
selector match, which let a host preload a valid signed registration
for chain A and then route a transaction on chain B through the same
plugin UI, masking attacker-controlled calldata behind a familiar
review flow.

Store the signed chain_id alongside the registration and refuse to
activate the plugin when the transaction's chain_id differs.
set_external_plugin keeps its chain-unbound semantics (its signed
payload contains no chain_id) and is marked explicitly via
PLUGIN_CHAIN_ID_ANY; cross-chain protection there requires a protocol
change and is left out of scope.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: cedelavergne-ledger

src/features/set_external_plugin/cmd_set_external_plugin.c

@@ -73,6 +73,11 @@ uint16_t handle_set_external_plugin(const uint8_t *workBuffer, uint8_t dataLengt
     workBuffer += ADDRESS_LENGTH;
     memmove(dataContext.tokenContext.methodSelector, workBuffer, SELECTOR_SIZE);
     pluginType = PLUGIN_TYPE_EXTERNAL;
+    // External-plugin registration is not bound to a chain (no chain_id in the
+    // signed payload), so we mark it ANY here. Cross-chain replay protection
+    // for external plugins requires extending the signed payload to include
+    // chain_id, which is a protocol change outside the scope of this fix.
+    dataContext.tokenContext.pluginChainId = PLUGIN_CHAIN_ID_ANY;
 
     return SWO_SUCCESS;
 }

src/features/set_plugin/cmd_set_plugin.c

@@ -145,6 +145,11 @@ uint16_t handle_set_plugin(const uint8_t *workBuffer, uint8_t dataLength) {
         UNSUPPORTED_CHAIN_ID_MSG(chain_id);
         return SWO_INCORRECT_DATA;
     }
+    // Bind the registration to the signed chain. Without this, a host could
+    // load a valid signed plugin registration for one EVM chain and then have
+    // the device activate the plugin UI for a transaction on a different
+    // chain where the same address/selector means something else.
+    tokenContext->pluginChainId = chain_id;
     offset += CHAIN_ID_SIZE;
 
     keyId = workBuffer[offset];

src/features/sign_tx/logic_sign_tx.c

@@ -318,6 +318,19 @@ __attribute__((noinline)) static uint16_t finalize_parsing_helper(const txContex
         goto end;
     }
     PRINTF("FROM address displayed: %s\n", strings.common.fromAddress);
+    // Enforce chain binding for plugin registrations now that the full tx has
+    // been parsed and get_tx_chain_id() is reliable (LEGACY transactions only
+    // expose chain_id through the V field, which is parsed after the plugin
+    // init triggered on the data field).
+    if ((dataContext.tokenContext.pluginStatus >= ETH_PLUGIN_RESULT_SUCCESSFUL) &&
+        (dataContext.tokenContext.pluginChainId != PLUGIN_CHAIN_ID_ANY) &&
+        (dataContext.tokenContext.pluginChainId != chain_id)) {
+        PRINTF("Plugin registered for chain %llu but tx is on chain %llu\n",
+               dataContext.tokenContext.pluginChainId,
+               chain_id);
+        report_finalize_error();
+        return SWO_NO_RESPONSE;
+    }
     // Finalize the plugin handling
     if (dataContext.tokenContext.pluginStatus >= ETH_PLUGIN_RESULT_SUCCESSFUL) {
         eth_plugin_prepare_finalize(&pluginFinalize);

src/plugins/eth_plugin_handler.c

@@ -98,6 +98,24 @@ void eth_plugin_prepare_query_contract_ui(ethQueryContractUI_t *query_contract_u
 
 static void eth_plugin_perform_init_default(uint8_t *contract_address,
                                             ethPluginInitContract_t *init) {
+    // Refuse to activate a plugin registration that was signed for a different
+    // chain than the one we are about to sign on. Skipped when:
+    //   * the registration is chain-unbound (e.g., set_external_plugin payload
+    //     carries no chain_id field, marked as PLUGIN_CHAIN_ID_ANY);
+    //   * we cannot yet resolve the transaction chain_id (LEGACY transactions
+    //     only expose it through the V field, which is parsed after the data
+    //     field that triggers this init). In that case the check is deferred
+    //     to finalize_parsing_helper(), which runs once V has been parsed.
+    if (dataContext.tokenContext.pluginChainId != PLUGIN_CHAIN_ID_ANY) {
+        uint64_t tx_chain_id = get_tx_chain_id();
+        if ((tx_chain_id != 0) && (tx_chain_id != dataContext.tokenContext.pluginChainId)) {
+            PRINTF("Plugin registered for chain %llu but tx is on chain %llu\n",
+                   dataContext.tokenContext.pluginChainId,
+                   tx_chain_id);
+            dataContext.tokenContext.pluginStatus = ETH_PLUGIN_RESULT_UNAVAILABLE;
+            return;
+        }
+    }
     // check if the registered external plugin matches the TX contract address / selector
     if (memcmp(contract_address,
                dataContext.tokenContext.contractAddress,

src/shared_context.h

@@ -50,6 +50,11 @@ typedef struct internalStorage_t {
     bool initialized;
 } internalStorage_t;
 
+// Sentinel for tokenContext_t.pluginChainId meaning "registration is not bound
+// to a specific chain" (used by paths whose signed metadata does not carry a
+// chain_id). All real EVM chain IDs are > 0.
+#define PLUGIN_CHAIN_ID_ANY 0
+
 typedef struct tokenContext_t {
     char pluginName[PLUGIN_ID_LENGTH];
 
@@ -76,6 +81,11 @@ typedef struct tokenContext_t {
 
     uint8_t pluginStatus;
 
+    // Chain ID the plugin registration was issued for. Populated from the
+    // signed SET_PLUGIN payload so we can refuse to activate the plugin on a
+    // transaction whose chain_id differs.
+    uint64_t pluginChainId;
+
 } tokenContext_t;
 
 _Static_assert((offsetof(tokenContext_t, pluginContext) % 4) == 0, "Plugin context not aligned");