2 vulnerabilities found for ic-stable-structures by Internet Computer
CVE-2024-4435 (GCVE-0-2024-4435)
Vulnerability from cvelistv5 – Published: 2024-05-21 09:41 – Updated: 2024-08-01 20:40
Summary
When storing unbounded types in a BTreeMap, a node is represented as a linked list of "memory chunks". It was discovered recently that when we deallocate a node, in some cases only the first memory chunk is deallocated, and the rest of the memory chunks remain (incorrectly) allocated, causing a memory leak. In the worst case, depending on how a canister uses the BTreeMap, an adversary could interact with the canister through its API and trigger interactions with the map that keep consuming memory due to the memory leak. This could potentially lead to using an excessive amount of memory, or even running out of memory.
This issue has been fixed in #212 (https://github.com/dfinity/stable-structures/pull/212) by changing the logic for deallocating nodes to ensure that all of a node's memory chunks are deallocated, and users are asked to upgrade to version 0.6.4. Tests have been added to prevent regressions of this nature moving forward. Note: Users of stable-structures < 0.6.0 are not affected.
Users who are not storing unbounded types in BTreeMap are not affected and do not need to upgrade. Otherwise, an upgrade to version 0.6.4 is necessary.
Severity
5.9 (Medium)
CWE
- CWE-401 - Missing Release of Memory after Effective Lifetime
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Internet Computer | ic-stable-structures | Affected: 0.6.0, < 0.6.4 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4435",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-23T20:17:52.489055Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:53:57.433Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:40:47.180Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/dfinity/stable-structures/pull/212"
},
{
"tags": [
"x_transferred"
],
"url": "https://docs.rs/ic-stable-structures/0.6.4/ic_stable_structures/"
},
{
"tags": [
"x_transferred"
],
"url": "https://internetcomputer.org/docs/current/developer-docs/smart-contracts/maintain/storage#stable-memory"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://crates.io/crates/ic-stable-structures",
"defaultStatus": "unaffected",
"packageName": "ic-stable-structures",
"product": "ic-stable-structures",
"repo": "https://github.com/dfinity/stable-structures",
"vendor": "Internet Computer",
"versions": [
{
"lessThan": "0.6.4",
"status": "affected",
"version": "0.6.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2024-05-21T09:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eWhen storing unbounded types in a \u003ccode\u003eBTreeMap\u003c/code\u003e, a node is represented as a linked list of \"memory chunks\". It was discovered recently that when we deallocate a node, in some cases only the first memory chunk is deallocated, and the rest of the memory chunks remain (incorrectly) allocated, causing a memory leak. In the worst case, depending on how a canister uses the \u003ccode\u003eBTreeMap\u003c/code\u003e, an adversary could interact with the canister through its API and trigger interactions with the map that keep consuming memory due to the memory leak. This could potentially lead to using an excessive amount of memory, or even running out of memory.\u003c/p\u003e\u003cp\u003eThis issue has been fixed in \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/dfinity/stable-structures/pull/212\"\u003e#212\u003c/a\u003e\u0026nbsp;by changing the logic for deallocating nodes to ensure that all of a node\u0027s memory chunks are deallocated \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eand users are asked to upgrade to version \u003c/span\u003e\u003ccode\u003e0.6.4\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e.\u003c/span\u003e. Tests have been added to prevent regressions of this nature moving forward. \u003cstrong\u003eNote:\u003c/strong\u003e\u0026nbsp;Users of stable-structure \u0026lt; 0.6.0 are not affected.\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eUsers who are not storing unbounded types in \u003c/span\u003e\u003ccode\u003eBTreeMap\u003c/code\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e\u0026nbsp;are not affected and do not need to upgrade. Otherwise, an upgrade to version \u003c/span\u003e\u003ccode\u003e0.6.4\u003c/code\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e\u0026nbsp;is necessary.\u003c/span\u003e\u003c/p\u003e"
}
],
"value": "When storing unbounded types in a BTreeMap, a node is represented as a linked list of \"memory chunks\". It was discovered recently that when we deallocate a node, in some cases only the first memory chunk is deallocated, and the rest of the memory chunks remain (incorrectly) allocated, causing a memory leak. In the worst case, depending on how a canister uses the BTreeMap, an adversary could interact with the canister through its API and trigger interactions with the map that keep consuming memory due to the memory leak. This could potentially lead to using an excessive amount of memory, or even running out of memory.\n\nThis issue has been fixed in #212 https://github.com/dfinity/stable-structures/pull/212 \u00a0by changing the logic for deallocating nodes to ensure that all of a node\u0027s memory chunks are deallocated and users are asked to upgrade to version 0.6.4.. Tests have been added to prevent regressions of this nature moving forward. Note:\u00a0Users of stable-structure \u003c 0.6.0 are not affected.\n\nUsers who are not storing unbounded types in BTreeMap\u00a0are not affected and do not need to upgrade. Otherwise, an upgrade to version 0.6.4\u00a0is necessary."
}
],
"impacts": [
{
"capecId": "CAPEC-131",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-131: Resource Leak Exposure"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-21T09:41:35.242Z",
"orgId": "6b35d637-e00f-4228-858c-b20ad6e1d07b",
"shortName": "Dfinity"
},
"references": [
{
"url": "https://github.com/dfinity/stable-structures/pull/212"
},
{
"url": "https://docs.rs/ic-stable-structures/0.6.4/ic_stable_structures/"
},
{
"url": "https://internetcomputer.org/docs/current/developer-docs/smart-contracts/maintain/storage#stable-memory"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "BTreeMap memory leak when deallocating nodes with overflows",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b35d637-e00f-4228-858c-b20ad6e1d07b",
"assignerShortName": "Dfinity",
"cveId": "CVE-2024-4435",
"datePublished": "2024-05-21T09:41:35.242Z",
"dateReserved": "2024-05-02T16:25:27.399Z",
"dateUpdated": "2024-08-01T20:40:47.180Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-4435 (GCVE-0-2024-4435)
Vulnerability from nvd – Published: 2024-05-21 09:41 – Updated: 2024-08-01 20:40
Summary
When storing unbounded types in a BTreeMap, a node is represented as a linked list of "memory chunks". It was discovered recently that when we deallocate a node, in some cases only the first memory chunk is deallocated, and the rest of the memory chunks remain (incorrectly) allocated, causing a memory leak. In the worst case, depending on how a canister uses the BTreeMap, an adversary could interact with the canister through its API and trigger interactions with the map that keep consuming memory due to the memory leak. This could potentially lead to using an excessive amount of memory, or even running out of memory.
This issue has been fixed in #212 (https://github.com/dfinity/stable-structures/pull/212) by changing the logic for deallocating nodes to ensure that all of a node's memory chunks are deallocated, and users are asked to upgrade to version 0.6.4. Tests have been added to prevent regressions of this nature moving forward. Note: Users of stable-structures < 0.6.0 are not affected.
Users who are not storing unbounded types in BTreeMap are not affected and do not need to upgrade. Otherwise, an upgrade to version 0.6.4 is necessary.
Severity
5.9 (Medium)
CWE
- CWE-401 - Missing Release of Memory after Effective Lifetime
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Internet Computer | ic-stable-structures | Affected: 0.6.0, < 0.6.4 (semver) |