CVE-2021-46102

Source

https://nvd.nist.gov/vuln/detail/CVE-2021-46102

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-46102.json

Aliases

GHSA-xwqr-xmgg-j69q

Published

2022-01-27T18:15:07Z

Modified

2023-11-29T09:07:14.617115Z

Details

From version 0.2.14 to 0.2.16 for Solana rBPF, function "relocate" in the file src/elf.rs has an integer overflow bug because the sym.stvalue is read directly from ELF file without checking. If the sym.stvalue is rather large, an integer overflow is triggered while calculating the variable "addr" via "addr = (sym.stvalue + refdpa) as u64";

References

https://blocksecteam.medium.com/new-integer-overflow-bug-discovered-in-solana-rbpf-7729717159ee
https://github.com/solana-labs/rbpf/blob/c14764850f0b83b58aa013248eaf6d65836c1218/src/elf.rs#L609-L630
https://github.com/solana-labs/rbpf/pull/200
https://github.com/solana-labs/rbpf/pull/236

Affected packages

Git / github.com/solana-labs/rbpf

Affected ranges

Type: GIT
Repo: https://github.com/solana-labs/rbpf
Events: Introduced

302de4d10888dfb76534693308f4ef8060b86fcd

Last affected

c14764850f0b83b58aa013248eaf6d65836c1218

Affected versions

v0.*

v0.2.14

v0.2.15

v0.2.16