ghsa-9p8r-4xp4-gw5w
Vulnerability from github
Published
2024-02-26 20:11
Modified
2024-06-18 15:16
Severity ?
3.7 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
Vyper's `_abi_decode` vulnerable to Memory Overflow
Details

Summary

If an excessively large value is specified as the starting index for an array in _abi_decode, it can cause the read position to overflow. This results in the decoding of values outside the intended array bounds, potentially leading to bugs in contracts that use arrays within _abi_decode. The advisory has been assigned low severity, because it is only observable if there is a memory write between two invocations of abi_decode on the same input.

Proof of Concept

```vyper event Pwn: pass

@external def f(x: Bytes[32 * 3]): a: Bytes[32] = b"foo" y: Bytes[32 * 3] = x

decoded_y1: Bytes[32] = _abi_decode(y, Bytes[32])
a = b"bar"
decoded_y2: Bytes[32] = _abi_decode(y, Bytes[32])

if decoded_y1 != decoded_y2:
    log Pwn()

```

Sending the following calldata results in Pwn being emitted.

0xd45754f8 0000000000000000000000000000000000000000000000000000000000000020 0000000000000000000000000000000000000000000000000000000000000060 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa0

Patches

Patched in https://github.com/vyperlang/vyper/pull/3925, https://github.com/vyperlang/vyper/pull/4091, https://github.com/vyperlang/vyper/pull/4144, https://github.com/vyperlang/vyper/pull/4060.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "vyper"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-26149"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-119",
      "CWE-120"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-26T20:11:07Z",
    "nvd_published_at": "2024-02-26T20:19:05Z",
    "severity": "LOW"
  },
  "details": "## Summary\n\nIf an excessively large value is specified as the starting index for an array in `_abi_decode`, it can cause the read position to overflow. This results in the decoding of values outside the intended array bounds, potentially leading to bugs in contracts that use arrays within `_abi_decode`. The advisory has been assigned low severity, because it is only observable if there is a memory write between two invocations of `abi_decode` on the same input.\n\n## Proof of Concept\n\n```vyper\nevent Pwn:\n    pass\n\n@external\ndef f(x: Bytes[32 * 3]):\n    a: Bytes[32] = b\"foo\"\n    y: Bytes[32 * 3] = x\n\n    decoded_y1: Bytes[32] = _abi_decode(y, Bytes[32])\n    a = b\"bar\"\n    decoded_y2: Bytes[32] = _abi_decode(y, Bytes[32])\n\n    if decoded_y1 != decoded_y2:\n        log Pwn()\n```\n\nSending the following calldata results in `Pwn` being emitted. \n\n```\n0xd45754f8\n0000000000000000000000000000000000000000000000000000000000000020\n0000000000000000000000000000000000000000000000000000000000000060\nffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa0\n```\n\n### Patches\nPatched in https://github.com/vyperlang/vyper/pull/3925, https://github.com/vyperlang/vyper/pull/4091, https://github.com/vyperlang/vyper/pull/4144, https://github.com/vyperlang/vyper/pull/4060.",
  "id": "GHSA-9p8r-4xp4-gw5w",
  "modified": "2024-06-18T15:16:24Z",
  "published": "2024-02-26T20:11:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-9p8r-4xp4-gw5w"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26149"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vyperlang/vyper"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Vyper\u0027s `_abi_decode` vulnerable to Memory Overflow"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.