GHSA-q669-2vfg-cxcg

Suggest an improvement
Source
https://github.com/advisories/GHSA-q669-2vfg-cxcg
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-q669-2vfg-cxcg/GHSA-q669-2vfg-cxcg.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-q669-2vfg-cxcg
Published
2024-02-02T20:59:17Z
Modified
2024-02-02T20:59:17Z
Summary
Nervos CKB Unaligned Pointer Dereference
Details

via bounty@nervos.org

There are multiple type conversions in ckb that unsafely cast between byte pointers and other types of pointers. This results in unaligned pointers, which are not allowed by the Rust language, and are considered undefined behavior, meaning that the compiler is free to do anything with code. This can lead to unpredictable bugs that can become security vulnerabilities.

Some of the bugs here could potentially lead to buffer overreads in malformed data (it's not clear to me as I haven't investigated the practical impact of these bugs).

Two of these (in blockchain.rs) do not create unaligned data. They do though perform an unsafe operation that may not uphold the invariants of the safe function they are in, and could lead to undefined behavior and buffer overreads on malformed input.

These are of the same nature as those in my previous report about the molecule crate.

Patch attached for commit 1b09e37c8e1b7945495cd18d9782417fbe51e986 that fixes all cases I know of at this time.

Please consider this report for reward under the terms of the bug bounty program.

Related advisory: https://github.com/nervosnetwork/molecule/security/advisories/GHSA-rffv-8x7x-p7pw

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-02T20:59:17Z"
}
References

Affected packages

crates.io / ckb

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.31.1

Database specific

{
    "last_known_affected_version_range": "<= 0.31.0"
}