GSA_kwCzR0hTQS1qMzVwLXEyNHItNTM2N80_ng

Dep Group Remote Memory Exhaustion (Denial of Service) in ckb

Affected Packages   Affected Versions   Fixed Versions
cargo:ckb           < 0.43.1            0.43.1

Affected Version Ranges

All affected versions

0.1.0, 0.37.0, 0.38.0, 0.39.0, 0.39.1, 0.40.0, 0.42.0, 0.43.0

All unaffected versions

0.43.2, 0.100.0, 0.101.0, 0.101.1, 0.101.2, 0.101.3, 0.101.4, 0.101.5, 0.101.6, 0.101.7, 0.101.8, 0.102.0, 0.103.0, 0.104.0, 0.104.1, 0.105.0, 0.105.1, 0.106.0, 0.107.0, 0.108.0, 0.108.1, 0.109.0, 0.110.0, 0.110.1, 0.110.2, 0.111.0, 0.112.0, 0.112.1, 0.113.0, 0.113.1, 0.114.0, 0.115.0, 0.116.0, 0.116.1, 0.117.0, 0.118.0, 0.119.0, 0.120.0, 0.121.0, 0.200.0, 0.201.0, 0.202.0

Impact

A remote attacker could exploit this vulnerability to exhaust the ckb process memory of an affected node.

Patches

Upgrade to 0.43.1 or later.

References

After resolving the outpoints of one dep group, the corresponding cell contents are pushed into a vec ( https://github.com/nervosnetwork/ckb/blob/v0.42.0/util/types/src/core/cell.rs#L600-L617 ). Because there is no check for whether an outpoint is duplicated, a dep group that repeats the same outpoint many times makes the node allocate a copy of that cell's content for every repetition, which allows a memory DoS attack.
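As an added illustration (not ckb's own code; the types, store and function names are simplified stand-ins), the unchecked push pattern described above next to a version that rejects a dep group containing a repeated outpoint before any cell data is copied:

```rust
use std::collections::HashSet;

/// Simplified stand-in for a cell outpoint (hypothetical; not ckb's own type).
#[derive(Clone, Debug, PartialEq, Eq, Hash)]
pub struct OutPoint {
    pub tx_hash: [u8; 32],
    pub index: u32,
}

#[derive(Debug, PartialEq)]
pub enum DepError {
    Duplicate(OutPoint),
    Missing(OutPoint),
}

/// Constructed cell store: a list of (outpoint, cell data) pairs.
pub type CellStore = Vec<(OutPoint, Vec<u8>)>;

fn lookup(store: &CellStore, op: &OutPoint) -> Option<Vec<u8>> {
    store.iter().find(|(k, _)| k == op).map(|(_, data)| data.clone())
}

/// Vulnerable pattern: every outpoint in the dep group is resolved and its
/// data pushed, so repeating one outpoint N times costs N copies of its data.
pub fn resolve_dep_group_unchecked(store: &CellStore, outpoints: &[OutPoint]) -> Result<Vec<Vec<u8>>, DepError> {
    let mut resolved = Vec::new();
    for op in outpoints {
        resolved.push(lookup(store, op).ok_or_else(|| DepError::Missing(op.clone()))?);
    }
    Ok(resolved)
}

/// Hardened form: reject a dep group that repeats an outpoint before any
/// cell data is copied, so memory is bounded by the number of distinct cells.
pub fn resolve_dep_group_checked(store: &CellStore, outpoints: &[OutPoint]) -> Result<Vec<Vec<u8>>, DepError> {
    let mut seen = HashSet::with_capacity(outpoints.len());
    for op in outpoints {
        if !seen.insert(op) {
            return Err(DepError::Duplicate(op.clone()));
        }
    }
    resolve_dep_group_unchecked(store, outpoints)
}

/// Bytes held by the resolved dep group: the figure that grows with duplicates.
pub fn resolved_bytes(cells: &[Vec<u8>]) -> usize {
    cells.iter().map(Vec::len).sum()
}
```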

PoC:

RSS before sending the DoS tx: 105700

RSS after: 2306932

DoS cost: 25.6 KB * 150 + dep_tx out_points capacity ( 36 * 150 * 100 = 540000 ) = 4380000 CKB
Send 50 dos_tx, memory exhausted: (25.6 KB * 150 * 100) * 50 = 19.2 GB
