cvelistv5 - cve-2024-24560

cve-2024-24560

Vulnerability from cvelistv5

Published

2024-02-02 16:19

Modified

2024-08-01 23:19

Severity ?

3.7 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Summary

Vyper external calls can overflow return data to return input buffer

References

▼	URL	Tags
	security-advisories@github.com	https://github.com/vyperlang/vyper/security/advisories/GHSA-gp3w-2v2m-p686	Exploit, Vendor Advisory

Impacted products

▼	Vendor	Product
	vyperlang	vyper

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:vyperlang:vyper:*:*:*:*:*:python:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "vyper",
            "vendor": "vyperlang",
            "versions": [
              {
                "lessThanOrEqual": "0.3.10",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-24560",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-26T14:31:50.296984Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-26T14:33:43.333Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T23:19:52.915Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/vyperlang/vyper/security/advisories/GHSA-gp3w-2v2m-p686",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-gp3w-2v2m-p686"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "vyper",
          "vendor": "vyperlang",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 0.3.10"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. When calls to external contracts are made, we write the input buffer starting at byte 28, and allocate the return buffer to start at byte 0 (overlapping with the input buffer). When checking RETURNDATASIZE for dynamic types, the size is compared only to the minimum allowed size for that type, and not to the returned value\u0027s length. As a result, malformed return data can cause the contract to mistake data from the input buffer for returndata.  When the called contract returns invalid ABIv2 encoded data, the calling contract can read different invalid data (from the dirty buffer) than the called contract returned."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-119",
              "description": "CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-02T16:19:45.822Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/vyperlang/vyper/security/advisories/GHSA-gp3w-2v2m-p686",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-gp3w-2v2m-p686"
        }
      ],
      "source": {
        "advisory": "GHSA-gp3w-2v2m-p686",
        "discovery": "UNKNOWN"
      },
      "title": "Vyper external calls can overflow return data to return input buffer"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-24560",
    "datePublished": "2024-02-02T16:19:45.822Z",
    "dateReserved": "2024-01-25T15:09:40.208Z",
    "dateUpdated": "2024-08-01T23:19:52.915Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-24560\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-02-02T17:15:11.720\",\"lastModified\":\"2024-02-12T15:23:42.867\",\"vulnStatus\":\"Analyzed\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. When calls to external contracts are made, we write the input buffer starting at byte 28, and allocate the return buffer to start at byte 0 (overlapping with the input buffer). When checking RETURNDATASIZE for dynamic types, the size is compared only to the minimum allowed size for that type, and not to the returned value\u0027s length. As a result, malformed return data can cause the contract to mistake data from the input buffer for returndata.  When the called contract returns invalid ABIv2 encoded data, the calling contract can read different invalid data (from the dirty buffer) than the called contract returned.\"},{\"lang\":\"es\",\"value\":\"Vyper es un lenguaje de contrato inteligente pit\u00f3nico para la m\u00e1quina virtual Ethereum. Cuando se realizan llamadas a contratos externos, escribimos el b\u00fafer de entrada comenzando en el byte 28 y asignamos el b\u00fafer de retorno para que comience en el byte 0 (superponi\u00e9ndose con el b\u00fafer de entrada). Al verificar RETURNDATASIZE para tipos din\u00e1micos, el tama\u00f1o se compara solo con el tama\u00f1o m\u00ednimo permitido para ese tipo y no con la longitud del valor devuelto. Como resultado, los datos de devoluci\u00f3n con formato incorrecto pueden hacer que el contrato confunda los datos del b\u00fafer de entrada con los datos de devoluci\u00f3n. Cuando el contrato llamado devuelve datos codificados ABIv2 no v\u00e1lidos, el contrato que llama puede leer datos no v\u00e1lidos diferentes (del b\u00fafer sucio) que los devueltos por el contrato llamado.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4},{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\",\"baseScore\":3.7,\"baseSeverity\":\"LOW\"},\"exploitabilityScore\":2.2,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-119\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vyperlang:vyper:*:*:*:*:*:python:*:*\",\"versionEndIncluding\":\"0.3.10\",\"matchCriteriaId\":\"832C489D-4288-46B4-A29E-0E7168748042\"}]}]}],\"references\":[{\"url\":\"https://github.com/vyperlang/vyper/security/advisories/GHSA-gp3w-2v2m-p686\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}"
  }
}

Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. When calls to external contracts are made, we write the input buffer starting at byte 28, and allocate the return buffer to start at byte 0 (overlapping with the input buffer). When checking RETURNDATASIZE for dynamic types, the size is compared only to the minimum allowed size for that type, and not to the returned value's length. As a result, malformed return data can cause the contract to mistake data from the input buffer for returndata. When the called contract returns invalid ABIv2 encoded data, the calling contract can read different invalid data (from the dirty buffer) than the called contract returned.

Aliases

CVE-2024-24560

JSON

To clipboard

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2024-24560"
      ],
      "details": "Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. When calls to external contracts are made, we write the input buffer starting at byte 28, and allocate the return buffer to start at byte 0 (overlapping with the input buffer). When checking RETURNDATASIZE for dynamic types, the size is compared only to the minimum allowed size for that type, and not to the returned value\u0027s length. As a result, malformed return data can cause the contract to mistake data from the input buffer for returndata.  When the called contract returns invalid ABIv2 encoded data, the calling contract can read different invalid data (from the dirty buffer) than the called contract returned.",
      "id": "GSD-2024-24560",
      "modified": "2024-01-26T06:02:26.045241Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2024-24560",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "vyper",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003c= 0.3.10"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "vyperlang"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. When calls to external contracts are made, we write the input buffer starting at byte 28, and allocate the return buffer to start at byte 0 (overlapping with the input buffer). When checking RETURNDATASIZE for dynamic types, the size is compared only to the minimum allowed size for that type, and not to the returned value\u0027s length. As a result, malformed return data can cause the contract to mistake data from the input buffer for returndata.  When the called contract returns invalid ABIv2 encoded data, the calling contract can read different invalid data (from the dirty buffer) than the called contract returned."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-119",
                "lang": "eng",
                "value": "CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/vyperlang/vyper/security/advisories/GHSA-gp3w-2v2m-p686",
            "refsource": "MISC",
            "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-gp3w-2v2m-p686"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-gp3w-2v2m-p686",
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:vyperlang:vyper:*:*:*:*:*:python:*:*",
                    "matchCriteriaId": "832C489D-4288-46B4-A29E-0E7168748042",
                    "versionEndIncluding": "0.3.10",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. When calls to external contracts are made, we write the input buffer starting at byte 28, and allocate the return buffer to start at byte 0 (overlapping with the input buffer). When checking RETURNDATASIZE for dynamic types, the size is compared only to the minimum allowed size for that type, and not to the returned value\u0027s length. As a result, malformed return data can cause the contract to mistake data from the input buffer for returndata.  When the called contract returns invalid ABIv2 encoded data, the calling contract can read different invalid data (from the dirty buffer) than the called contract returned."
          },
          {
            "lang": "es",
            "value": "Vyper es un lenguaje de contrato inteligente pit\u00f3nico para la m\u00e1quina virtual Ethereum. Cuando se realizan llamadas a contratos externos, escribimos el b\u00fafer de entrada comenzando en el byte 28 y asignamos el b\u00fafer de retorno para que comience en el byte 0 (superponi\u00e9ndose con el b\u00fafer de entrada). Al verificar RETURNDATASIZE para tipos din\u00e1micos, el tama\u00f1o se compara solo con el tama\u00f1o m\u00ednimo permitido para ese tipo y no con la longitud del valor devuelto. Como resultado, los datos de devoluci\u00f3n con formato incorrecto pueden hacer que el contrato confunda los datos del b\u00fafer de entrada con los datos de devoluci\u00f3n. Cuando el contrato llamado devuelve datos codificados ABIv2 no v\u00e1lidos, el contrato que llama puede leer datos no v\u00e1lidos diferentes (del b\u00fafer sucio) que los devueltos por el contrato llamado."
          }
        ],
        "id": "CVE-2024-24560",
        "lastModified": "2024-02-12T15:23:42.867",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "exploitabilityScore": 3.9,
              "impactScore": 1.4,
              "source": "nvd@nist.gov",
              "type": "Primary"
            },
            {
              "cvssData": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "exploitabilityScore": 2.2,
              "impactScore": 1.4,
              "source": "security-advisories@github.com",
              "type": "Secondary"
            }
          ]
        },
        "published": "2024-02-02T17:15:11.720",
        "references": [
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Exploit",
              "Vendor Advisory"
            ],
            "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-gp3w-2v2m-p686"
          }
        ],
        "sourceIdentifier": "security-advisories@github.com",
        "vulnStatus": "Analyzed",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-119"
              }
            ],
            "source": "security-advisories@github.com",
            "type": "Primary"
          }
        ]
      }
    }
  }
}

ghsa-gp3w-2v2m-p686

Vulnerability from github

Published

2024-02-02 18:10

Modified

2024-06-18 15:17

Severity ?

3.7 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Summary

Vyper's external calls can overflow return data to return input buffer

Details

Summary

When calls to external contracts are made, we write the input buffer starting at byte 28, and allocate the return buffer to start at byte 0 (overlapping with the input buffer). When checking RETURNDATASIZE for dynamic types, the size is compared only to the minimum allowed size for that type, and not to the returned value's length. As a result, malformed return data can cause the contract to mistake data from the input buffer for returndata.

This advisory is given a severity of "Low" because when the called contract returns invalid ABIv2 encoded data, the calling contract can read different invalid data (from the dirty buffer) than the called contract returned.

Details

When arguments are packed for an external call, we create a buffer of size max(args, return_data) + 32. The input buffer is placed in this buffer (starting at byte 28), and the return buffer is allocated to start at byte 0. The assumption is that we can reuse the memory becase we will not be able to read past RETURNDATASIZE.

```python if fn_type.return_type is not None: return_abi_t = calculate_type_for_external_return(fn_type.return_type).abi_type

# we use the same buffer for args and returndata,
# so allocate enough space here for the returndata too.
buflen = max(args_abi_t.size_bound(), return_abi_t.size_bound())

else: buflen = args_abi_t.size_bound()

buflen += 32 # padding for the method id ```

When data is returned, we unpack the return data by starting at byte 0. We check that RETURNDATASIZE is greater than the minimum allowed for the returned type: python if not call_kwargs.skip_contract_check: assertion = IRnode.from_list( ["assert", ["ge", "returndatasize", min_return_size]], error_msg="returndatasize too small", ) unpacker.append(assertion)

This check ensures that any dynamic types returned will have a size of at least 64. However, it does not verify that RETURNDATASIZE is as large as the length word of the dynamic type.

As a result, if a contract expects a dynamic type to be returned, and the part of the return data that is read as length includes a size that is larger than the actual RETURNDATASIZE, the return data read from the buffer will overrun the actual return data size and read from the input buffer.

Proof of Concept

This contract calls an external contract with two arguments. As the call is made, the buffer includes: - byte 28: method_id - byte 32: first argument (0) - byte 64: second argument (hash)

The return data buffer begins at byte 0, and will return the returned bytestring, up to a maximum length of 96 bytes.

```python interface Zero: def sneaky(a: uint256, b: bytes32) -> Bytes[96]: view

@external def test_sneaky(z: address) -> Bytes[96]: return Zero(z).sneaky(0, keccak256("oops")) On the other side, imagine a simple contract that does not, in fact, return a bytestring, but instead returns two uint256s. I've implemented it in Solidity for ease of use with Foundry:solidity function sneaky(uint a, bytes32 b) external pure returns (uint, uint) { return (32, 32); } ```

The return data will be parsed as a bytestring. The first 32 will point us to byte 32 to read the length. The second 32 will be perceived as the length. It will then read the next 32 bytes from the return data buffer, even though those weren't a part of the return data.

Since these bytes will come from byte 64, we can see above that the hash was placed there in the input buffer.

If we run the following Foundry test, we can see that this does in fact happen: solidity function test__sneakyZeroReturn() public { ZeroReturn z = new ZeroReturn(); c = SuperContract(deployer.deploy("src/loose/", "ret_overflow", "")); console.logBytes(c.test_sneaky(address(z))); }

md Logs: 0xd54c03ccbc84dd6002c98c6df5a828e42272fc54b512ca20694392ca89c4d2c6

Patches

Patched in https://github.com/vyperlang/vyper/pull/3925, https://github.com/vyperlang/vyper/pull/4091, https://github.com/vyperlang/vyper/pull/4144, https://github.com/vyperlang/vyper/pull/4060.

Impact

Malicious or mistaken contracts returning the malformed data can result in overrunning the returned data and reading return data from the input buffer.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "vyper"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-24560"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-119"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-02T18:10:10Z",
    "nvd_published_at": "2024-02-02T17:15:11Z",
    "severity": "LOW"
  },
  "details": "## Summary\n\nWhen calls to external contracts are made, we write the input buffer starting at byte 28, and allocate the return buffer to start at byte 0 (overlapping with the input buffer). When checking `RETURNDATASIZE` for dynamic types, the size is compared only to the minimum allowed size for that type, and not to the returned value\u0027s `length`. As a result, malformed return data can cause the contract to mistake data from the input buffer for returndata.\n\nThis advisory is given a severity of \"Low\" because when the called contract returns invalid ABIv2 encoded data, the calling contract can read different invalid data (from the dirty buffer) than the called contract returned.\n\n## Details\n\nWhen arguments are packed for an external call, we create a buffer of size `max(args, return_data) + 32`. The input buffer is placed in this buffer (starting at byte 28), and the return buffer is allocated to start at byte 0. The assumption is that we can reuse the memory becase we will not be able to read past `RETURNDATASIZE`.\n\n```python\nif fn_type.return_type is not None:\n    return_abi_t = calculate_type_for_external_return(fn_type.return_type).abi_type\n\n    # we use the same buffer for args and returndata,\n    # so allocate enough space here for the returndata too.\n    buflen = max(args_abi_t.size_bound(), return_abi_t.size_bound())\nelse:\n    buflen = args_abi_t.size_bound()\n\nbuflen += 32  # padding for the method id\n```\n\nWhen data is returned, we unpack the return data by starting at byte 0. We check that `RETURNDATASIZE` is greater than the minimum allowed for the returned type:\n```python\nif not call_kwargs.skip_contract_check:\n    assertion = IRnode.from_list(\n        [\"assert\", [\"ge\", \"returndatasize\", min_return_size]],\n        error_msg=\"returndatasize too small\",\n    )\n    unpacker.append(assertion)\n```\n\nThis check ensures that any dynamic types returned will have a size of at least 64. However, it does not verify that `RETURNDATASIZE` is as large as the `length` word of the dynamic type. \n\nAs a result, if a contract expects a dynamic type to be returned, and the part of the return data that is read as `length` includes a size that is larger than the actual `RETURNDATASIZE`, the return data read from the buffer will overrun the actual return data size and read from the input buffer.\n\n## Proof of Concept\n\nThis contract calls an external contract with two arguments. As the call is made, the buffer includes:\n- byte 28: method_id\n- byte 32: first argument (0)\n- byte 64: second argument (hash)\n\nThe return data buffer begins at byte 0, and will return the returned bytestring, up to a maximum length of 96 bytes.\n\n```python\ninterface Zero:\n    def sneaky(a: uint256, b: bytes32) -\u003e Bytes[96]: view\n\n@external\ndef test_sneaky(z: address) -\u003e Bytes[96]:\n    return Zero(z).sneaky(0, keccak256(\"oops\"))\n```\nOn the other side, imagine a simple contract that does not, in fact, return a bytestring, but instead returns two uint256s. I\u0027ve implemented it in Solidity for ease of use with Foundry:\n```solidity\nfunction sneaky(uint a, bytes32 b) external pure returns (uint, uint) {\n    return (32, 32);\n}\n```\n\nThe return data will be parsed as a bytestring. The first 32 will point us to byte 32 to read the length. The second 32 will be perceived as the length. It will then read the next 32 bytes from the return data buffer, even though those weren\u0027t a part of the return data.\n\nSince these bytes will come from byte 64, we can see above that the hash was placed there in the input buffer.\n\nIf we run the following Foundry test, we can see that this does in fact happen:\n```solidity\nfunction test__sneakyZeroReturn() public {\n    ZeroReturn z = new ZeroReturn();\n    c = SuperContract(deployer.deploy(\"src/loose/\", \"ret_overflow\", \"\"));\n    console.logBytes(c.test_sneaky(address(z)));\n}\n```\n\n```md\nLogs:\n  0xd54c03ccbc84dd6002c98c6df5a828e42272fc54b512ca20694392ca89c4d2c6\n```\n\n### Patches\nPatched in https://github.com/vyperlang/vyper/pull/3925, https://github.com/vyperlang/vyper/pull/4091, https://github.com/vyperlang/vyper/pull/4144, https://github.com/vyperlang/vyper/pull/4060.\n\n## Impact\n\nMalicious or mistaken contracts returning the malformed data can result in overrunning the returned data and reading return data from the input buffer.",
  "id": "GHSA-gp3w-2v2m-p686",
  "modified": "2024-06-18T15:17:07Z",
  "published": "2024-02-02T18:10:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-gp3w-2v2m-p686"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24560"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vyperlang/vyper"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Vyper\u0027s external calls can overflow return data to return input buffer"
}

Action not permitted

cve-2024-24560

Vulnerability from cvelistv5

gsd-2024-24560

Vulnerability from gsd

ghsa-gp3w-2v2m-p686

Vulnerability from github

Summary

Details

Proof of Concept

Patches

Impact

Tags