GHSA-R56X-J438-VW5M

Vulnerability from github – Published: 2024-04-25 19:51 – Updated: 2025-01-21 17:53
VLAI?
Summary
vyper performs double eval of the slice start/length args in certain cases
Details

Summary

Using the slice builtin can result in a double eval vulnerability when the buffer argument is either msg.data, self.code or <address>.code and either the start or length arguments have side-effects.

A contract search was performed and no vulnerable contracts were found in production. Having side-effects in the start and length patterns is also an unusual pattern which is not that likely to show up in user code. It is also much harder (but not impossible!) to trigger the bug since 0.3.4 since the unique symbol fence was introduced (https://github.com/vyperlang/vyper/pull/2914).

Details

It can be seen that the _build_adhoc_slice_node function of the slice builtin doesn't cache the mentioned arguments to the stack: https://github.com/vyperlang/vyper/blob/4595938734d9988f8e46e8df38049ae0559abedb/vyper/builtins/functions.py#L244

As such, they can be evaluated multiple times (instead of retrieving the value from the stack).

PoC

with Vyper version 0.3.3+commit.48e326f the call to foo passes the asserts:

l: DynArray[uint256, 10]

@external
def foo(cs: String[64]) -> uint256:
    for i in range(10):
        self.l.append(1)
    assert len(self.l) == 10
    s: Bytes[64] = b""
    s = slice(msg.data, self.l.pop(), 3)
    assert len(self.l) == 10 - 2
    return len(self.l)

Patches

Patched in https://github.com/vyperlang/vyper/pull/3976.

Impact

No vulnerable production contracts were found.

Severity ?
5.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "vyper"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-32646"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-25T19:51:41Z",
    "nvd_published_at": "2024-04-25T18:15:08Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nUsing the `slice` builtin can result in a double eval vulnerability when the buffer argument is either `msg.data`, `self.code` or `\u003caddress\u003e.code` and either the `start` or `length` arguments have side-effects.\n\nA contract search was performed and no vulnerable contracts were found in production. Having side-effects in the start and length patterns is also an unusual pattern which is not that likely to show up in user code. It is also much harder (but not impossible!) to trigger the bug since `0.3.4` since the unique symbol fence was introduced (https://github.com/vyperlang/vyper/pull/2914).\n\n### Details\nIt can be seen that the `_build_adhoc_slice_node` function of the `slice` builtin doesn\u0027t cache the mentioned arguments to the stack: https://github.com/vyperlang/vyper/blob/4595938734d9988f8e46e8df38049ae0559abedb/vyper/builtins/functions.py#L244\n\nAs such, they can be evaluated multiple times (instead of retrieving the value from the stack).\n\n### PoC\nwith Vyper version `0.3.3+commit.48e326f` the call to `foo` passes the `asserts`:\n```vyper\nl: DynArray[uint256, 10]\n\n@external\ndef foo(cs: String[64]) -\u003e uint256:\n    for i in range(10):\n        self.l.append(1)\n    assert len(self.l) == 10\n    s: Bytes[64] = b\"\"\n    s = slice(msg.data, self.l.pop(), 3)\n    assert len(self.l) == 10 - 2\n    return len(self.l)\n```\n\n### Patches\nPatched in https://github.com/vyperlang/vyper/pull/3976.\n\n### Impact\nNo vulnerable production contracts were found.\n",
  "id": "GHSA-r56x-j438-vw5m",
  "modified": "2025-01-21T17:53:57Z",
  "published": "2024-04-25T19:51:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-r56x-j438-vw5m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32646"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vyperlang/vyper/pull/2914"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-207.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vyperlang/vyper"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "vyper performs double eval of the slice start/length args in certain cases"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.