GHSA-j35p-q24r-5367

Source
https://github.com/advisories/GHSA-j35p-q24r-5367
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-j35p-q24r-5367/GHSA-j35p-q24r-5367.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-j35p-q24r-5367
Published
2022-04-22T20:23:04Z
Modified
2022-04-22T20:23:04Z
Summary
Dep Group Remote Memory Exhaustion (Denial of Service) in ckb
Details

Impact

A remote attacker could exploit this vulnerability to exhaust ckb process memory of an affected node.

Patches

Upgrade to 0.43.1 or later.

References

After resolving the outpoints of one dep group, the corresponding cell contents are pushed into a vec ( https://github.com/nervosnetwork/ckb/blob/v0.42.0/util/types/src/core/cell.rs#L600-L617 ). Because there is no check for whether the outpoints are duplicated, this is vulnerable to a memory DoS attack: the same outpoint can be listed repeatedly, and its content is resolved and stored once per listing.

PoC:

RSS before sending the DoS tx:
105700

RSS after:
2306932

DoS cost: 25.6 KB * 150 + dep tx outpoints capacity (36 * 150 * 100 = 540000) = 4380000 CKB

Sending 50 dos_tx exhausts memory: (25.6 KB * 150 * 100) * 50 = 19.2 GB
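As an added illustration of the unchecked-vec pattern described above (a simplified model written for this page, not ckb's own code; `OutPoint`, `CellStore`, the 25.6 KB cell size and the reject-duplicates mitigation are constructed assumptions), here is the unbounded resolver beside a variant that refuses a dep group listing the same outpoint twice before resolving anything:

```rust
use std::collections::HashSet;
/// Constructed stand-in for a cell outpoint (tx hash plus output index).
#[derive(Clone, Copy, PartialEq, Eq, Hash, Debug)]
pub struct OutPoint { pub tx_hash: [u8; 32], pub index: u32 }

/// Constructed in-memory cell store mapping outpoints to cell data.
pub struct CellStore { cells: Vec<(OutPoint, Vec<u8>)> }
impl CellStore {
    pub fn get(&self, op: &OutPoint) -> Option<&[u8]> {
        self.cells.iter().find(|(o, _)| o == op).map(|(_, d)| d.as_slice())
    }
}

/// Unchecked pattern described in the advisory: every listed outpoint is resolved and
/// its data pushed into a vec, so N listings of one outpoint cost N copies of its data.
pub fn resolve_dep_group_unchecked(store: &CellStore, outpoints: &[OutPoint])
    -> Result<Vec<Vec<u8>>, String> {
    outpoints.iter()
        .map(|op| store.get(op).map(|d| d.to_vec()).ok_or_else(|| String::from("unknown outpoint")))
        .collect()
}

/// Hardened variant (assumed mitigation): reject a dep group that lists any outpoint
/// more than once before resolving, so resolved memory is bounded by distinct cells.
pub fn resolve_dep_group_checked(store: &CellStore, outpoints: &[OutPoint])
    -> Result<Vec<Vec<u8>>, String> {
    let mut seen = HashSet::with_capacity(outpoints.len());
    for op in outpoints {
        if !seen.insert(*op) {
            return Err(format!("duplicate outpoint in dep group: {:?}", op));
        }
    }
    resolve_dep_group_unchecked(store, outpoints)
}

/// Total bytes of resolved cell data held in memory for one dep group.
pub fn resolved_bytes(resolved: &[Vec<u8>]) -> usize {
    resolved.iter().map(Vec::len).sum()
}
/// Constructed store with a single 25.6 KB cell (the size used in the advisory's PoC).
pub fn sample_store() -> (CellStore, OutPoint) {
    let op = OutPoint { tx_hash: [0xab; 32], index: 0 };
    (CellStore { cells: vec![(op, vec![0u8; 25_600])] }, op)
}

fn main() {
    let (store, op) = sample_store();
    let dup = vec![op; 150]; // one cell listed 150 times, as in the PoC
    let n = resolved_bytes(&resolve_dep_group_unchecked(&store, &dup).unwrap());
    println!("unchecked: {} bytes; checked: {:?}", n, resolve_dep_group_checked(&store, &dup).err());
}
```

The unchecked resolver holds 150 copies of the one cell (3,840,000 bytes) while the checked one stops at the second listing; a node that validates dep groups this way never allocates more than the distinct cells the group names.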

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2022-04-22T20:23:04Z"
}
Affected packages

crates.io / ckb

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
0.43.1