Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS00aHdxLTRjcG0tOHZteM4AA5gr
Vyper's `extract32` can read dirty memory
Summary
When using the built-in `extract32(b, start)`, if the `start` index provided has the side effect of updating `b`, the byte array to extract 32 bytes from, it can happen that some dirty memory is read and returned by `extract32`.
As of v0.4.0 (specifically, commit https://github.com/vyperlang/vyper/commit/3d9c537142fb99b2672f21e2057f5f202cde194f), the compiler will panic instead of generating bytecode.
Details
Before evaluating `start`, the function `Extract32.build_IR` caches only:
- The pointer in memory/storage to `b`: https://github.com/vyperlang/vyper/blob/10564dcc37756f3d3684b7a91fd8f4325a38c4d8/vyper/builtins/functions.py#L916-L918
- The length of `b`: https://github.com/vyperlang/vyper/blob/10564dcc37756f3d3684b7a91fd8f4325a38c4d8/vyper/builtins/functions.py#L920-L922
but it does not cache the actual content of `b`. This means that if the evaluation of `start` changes the content and length of `b`, an outdated length will be used together with the new content when extracting 32 bytes from `b`.
PoC
Calling the function `foo` of the following contract returns `b'uuuuuuuuuuuuuuuuuuuuuuuuuuu\x00\x00789'`, meaning that `extract32` accessed some dirty memory.
var: Bytes[96]

@internal
def bar() -> uint256:
    self.var = b'uuuuuuuuuuuuuuuuuuuuuuuuuuuuuu'
    self.var = b''
    return 3

@external
def foo() -> bytes32:
    self.var = b'abcdefghijklmnopqrstuvwxyz123456789'
    return extract32(self.var, self.bar(), output_type=bytes32)
    # returns b'uuuuuuuuuuuuuuuuuuuuuuuuuuu\x00\x00789'
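To make the mechanism described in the Details and PoC sections concrete, the following Python model is an added example (not code from the advisory or from the Vyper project). It models storage for a `Bytes[N]` as a length slot followed by 32-byte data words, models `bar()` from the PoC, and then runs `extract32` twice: once in the vulnerable order (length cached before `start` is evaluated, as in versions up to 0.3.10) and once with `start` evaluated first. The names `Storage`, `extract32_vulnerable`, `extract32_correct`, `foo` and `bounds_error` are hypothetical; the assumption that a shorter store leaves the unused data words untouched is part of the model and is consistent with the output the PoC reports.

```python
WORD = 32


class Storage:
    """Model of a Vyper Bytes[N] in storage: a length slot plus data words.

    Writes are word-granular: storing a shorter value rewrites only the words
    it needs and leaves later words as they were (model assumption).
    """

    def __init__(self, max_len: int) -> None:
        self.length = 0
        self.words = [b"\x00" * WORD for _ in range((max_len + WORD - 1) // WORD)]

    def store(self, value: bytes) -> None:
        self.length = len(value)
        for i in range((len(value) + WORD - 1) // WORD):
            chunk = value[i * WORD:(i + 1) * WORD]
            self.words[i] = chunk.ljust(WORD, b"\x00")

    def data(self) -> bytes:
        """Raw content of the data words, regardless of the current length."""
        return b"".join(self.words)


def bar(var: Storage) -> int:
    """Models the PoC's bar(): mutates `var` as a side effect, then returns 3."""
    var.store(b"u" * 30)
    var.store(b"")
    return 3


def extract32_vulnerable(var: Storage, start_expr) -> bytes:
    """Vulnerable order: the length is cached BEFORE `start` is evaluated."""
    cached_length = var.length        # stale after start_expr runs
    start = start_expr(var)           # side effects change var's content and length
    if start + 32 > cached_length:    # bounds check passes on the stale length (3 + 32 <= 35)
        raise ValueError("extract32: out of bounds")
    return var.data()[start:start + 32]   # but the read sees the NEW content


def extract32_correct(var: Storage, start_expr) -> bytes:
    """Safe order: evaluate `start` first, then check against the current length."""
    start = start_expr(var)
    if start + 32 > var.length:       # 3 + 32 > 0, so the read is rejected
        raise ValueError("extract32: out of bounds")
    return var.data()[start:start + 32]


def foo(extract) -> bytes:
    """Models the PoC's foo() with a chosen extract32 evaluation order."""
    var = Storage(96)
    var.store(b"abcdefghijklmnopqrstuvwxyz123456789")
    return extract(var, bar)


def bounds_error(extract) -> bool:
    """True if foo() with this evaluation order is rejected by the bounds check."""
    try:
        foo(extract)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(foo(extract32_vulnerable))          # b'uuuuuuuuuuuuuuuuuuuuuuuuuuu\x00\x00789'
    print(bounds_error(extract32_correct))    # True
```

The vulnerable run reproduces the advisory's output: bytes 3..31 of the first data word are the 27 remaining `u` bytes plus the two zero bytes that padded the 30-byte store, and bytes 0..2 of the second word are the `789` left over from the original 35-byte value. With `start` evaluated before the length is read, the stale-length bounds check no longer passes, which is the invariant the 0.4.0 compiler enforces by refusing to compile such a call.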
Impact
For contracts that are affected, calling `extract32` returns dirty memory bytes instead of the expected output.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00aHdxLTRjcG0tOHZteM4AA5gr
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 11 months ago
Updated: 3 months ago
CVSS Score: 3.7
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS Percentage: 0.00043
EPSS Percentile: 0.10511
Identifiers: GHSA-4hwq-4cpm-8vmx, CVE-2024-24564
References:
- https://github.com/vyperlang/vyper/security/advisories/GHSA-4hwq-4cpm-8vmx
- https://github.com/vyperlang/vyper/blob/10564dcc37756f3d3684b7a91fd8f4325a38c4d8/vyper/builtins/functions.py#L916-L918
- https://github.com/vyperlang/vyper/blob/10564dcc37756f3d3684b7a91fd8f4325a38c4d8/vyper/builtins/functions.py#L920-L922
- https://nvd.nist.gov/vuln/detail/CVE-2024-24564
- https://github.com/vyperlang/vyper/commit/3d9c537142fb99b2672f21e2057f5f202cde194f
- https://github.com/advisories/GHSA-4hwq-4cpm-8vmx
Blast Radius: 8.8
Affected Packages
pypi:vyper
Dependent packages: 5
Dependent repositories: 236
Downloads: 90,482 last month
Affected Version Ranges: <= 0.3.10
Fixed in: 0.4.0
All affected versions: 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.2.7, 0.2.8, 0.2.9, 0.2.10, 0.2.11, 0.2.12, 0.2.13, 0.2.14, 0.2.15, 0.2.16, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.3.7, 0.3.8, 0.3.9, 0.3.10
All unaffected versions: 0.4.0