Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1oNnhtLWM2cjQtdm13Zs4ABCrW
Unsound usages of `u8` type casting in spl-token-swap
The library provides a safe public API unpack to cast u8 array to arbitrary types, which can cause to undefined behaviors. The length check of array can only prevent out-of-bound access on the return type. However, it can't prevent misaligned pointer when casting u8 pointer to a type aligned to larger bytes. For example, if we assign u16 to T, misaligned raw pointer dereference could happen and cause to panic. Even if we pass the type aligned to same byte as u8 (e.g., bool), it could construct a illegal type since bool can only have 0 or 1 as bit patterns, which is also an undefined behavior. The further exploits of the bug here are still not clear, so we would report this issue as unsound.
The details of PoC to reproduce undefined behavior are provided in the issue.
Permalink: https://github.com/advisories/GHSA-h6xm-c6r4-vmwfJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1oNnhtLWM2cjQtdm13Zs4ABCrW
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 4 days ago
Updated: 4 days ago
Identifiers: GHSA-h6xm-c6r4-vmwf
References:
- https://github.com/solana-labs/solana-program-library/issues/5243
- https://rustsec.org/advisories/RUSTSEC-2024-0426.html
- https://github.com/advisories/GHSA-h6xm-c6r4-vmwf
Blast Radius: 0.0
Affected Packages
cargo:spl-token-swap
Dependent packages: 7Dependent repositories: 50
Downloads: 79,536 total
Affected Version Ranges: <= 3.0.0
No known fixed version
All affected versions: 2.0.0, 2.1.0, 3.0.0