Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS02cjhxLXBmcHYtN2Nnas4AAzUG

Vyper vulnerable to integer overflow in loop

Impact

Due to missing overflow check for loop variables, by assigning the iterator of a loop to a variable, it is possible to overflow the type of the latter.

In the following example, calling test returns 354, meaning that the variable a did store 354 a value out of bound for the type uint8.

@external
def test() -> uint16:
    x:uint8 = 255
    a:uint8 = 0
    for i in range(x, x+100):
        a = i
    return convert(a,uint16)

The issue seems to happen only in loops of type for i in range(a, a + N) as in loops of type for i in range(start, stop) and for i in range(stop), the compiler is able to raise a TypeMismatch when trying to overflow the variable.

thanks to @trocher for reporting

Patches

patched in 3de1415ee77a9244eb04bdb695e249d3ec9ed868

Workarounds

Permalink: https://github.com/advisories/GHSA-6r8q-pfpv-7cgj
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02cjhxLXBmcHYtN2Nnas4AAzUG
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 11 months ago
Updated: 5 months ago

CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-6r8q-pfpv-7cgj, CVE-2023-32058
References:

• https://github.com/vyperlang/vyper/security/advisories/GHSA-6r8q-pfpv-7cgj
• https://nvd.nist.gov/vuln/detail/CVE-2023-32058
• https://github.com/vyperlang/vyper/commit/3de1415ee77a9244eb04bdb695e249d3ec9ed868
• https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-78.yaml
• https://github.com/advisories/GHSA-6r8q-pfpv-7cgj

Repository: https://github.com/vyperlang/vyper
Blast Radius: 17.8

Affected Packages