GHSA-4hwq-4cpm-8vmx

Source

https://github.com/advisories/GHSA-4hwq-4cpm-8vmx

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-4hwq-4cpm-8vmx/GHSA-4hwq-4cpm-8vmx.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-4hwq-4cpm-8vmx

Aliases

Related

Published

2024-02-26T20:11:35Z

Modified

2025-01-21T18:09:08.976904Z

Severity

3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Vyper's `extract32` can ready dirty memory

Details

Summary

When using the built-in extract32(b, start), if the start index provided has for side effect to update b, the byte array to extract 32 bytes from, it could be that some dirty memory is read and returned by extract32.

As of v0.4.0 (specifically, commit https://github.com/vyperlang/vyper/commit/3d9c537142fb99b2672f21e2057f5f202cde194f), the compiler will panic instead of generating bytecode.

Details

Before evaluating start, the function Extract32.build_IR caches only:

The pointer in memory/storage to b: https://github.com/vyperlang/vyper/blob/10564dcc37756f3d3684b7a91fd8f4325a38c4d8/vyper/builtins/functions.py#L916-L918
The length of b: https://github.com/vyperlang/vyper/blob/10564dcc37756f3d3684b7a91fd8f4325a38c4d8/vyper/builtins/functions.py#L920-L922

but do not cache the actual content of b. This means that if the evaluation of start changes b's content and length, an outdated length will be used with the new content when extracting 32 bytes from b.

PoC

Calling the function foo of the following contract returns b'uuuuuuuuuuuuuuuuuuuuuuuuuuu\x00\x00789' meaning that extract32 accessed some dirty memory.

var:Bytes[96]

@internal
def bar() -> uint256:
    self.var = b'uuuuuuuuuuuuuuuuuuuuuuuuuuuuuu'
    self.var = b''
    return 3

@external
def foo() -> bytes32:
    self.var = b'abcdefghijklmnopqrstuvwxyz123456789'
    return extract32(self.var, self.bar(), output_type=bytes32)
    # returns b'uuuuuuuuuuuuuuuuuuuuuuuuuuu\x00\x00789'

Impact

For contracts that are affected, it means that calling extract32 returns dirty memory bytes instead of some expected output.

Database specific

{
    "severity": "LOW",
    "github_reviewed_at": "2024-02-26T20:11:35Z",
    "nvd_published_at": "2024-02-26T20:19:05Z",
    "cwe_ids": [
        "CWE-125"
    ],
    "github_reviewed": true
}

References

Affected packages

PyPI / vyper

Package

Name: vyper; View open source insights on deps.dev
Purl: pkg:pypi/vyper

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.4.0

Affected versions

0.*

0.1.0b1

0.1.0b2

0.1.0b3

0.1.0b4

0.1.0b5

0.1.0b6

0.1.0b7

0.1.0b8

0.1.0b9

0.1.0b10

0.1.0b11

0.1.0b12

0.1.0b13

0.1.0b14

0.1.0b15

0.1.0b16

0.1.0b17

0.2.1

0.2.2

0.2.3

0.2.4

0.2.5

0.2.6

0.2.7

0.2.8

0.2.9

0.2.10

0.2.11

0.2.12

0.2.13

0.2.14

0.2.15

0.2.16

0.3.0

0.3.1

0.3.2

0.3.3

0.3.4

0.3.5

0.3.6

0.3.7

0.3.8

0.3.9

0.3.10rc1

0.3.10rc2

0.3.10rc3

0.3.10rc4

0.3.10rc5

0.3.10

0.4.0b1

0.4.0b2

0.4.0b3

0.4.0b4

0.4.0b5

0.4.0b6

0.4.0rc1

0.4.0rc2

0.4.0rc3

0.4.0rc4

0.4.0rc5

0.4.0rc6

Database specific

{
    "last_known_affected_version_range": "<= 0.3.10"
}