ghsa-r56x-j438-vw5m
Vulnerability from github
Published
2024-04-25 19:51
Modified
2024-06-18 15:02
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
vyper performs double eval of the slice start/length args in certain cases
Details

Summary

Using the slice builtin can result in a double eval vulnerability when the buffer argument is either msg.data, self.code or <address>.code and either the start or length arguments have side-effects.

A contract search was performed and no vulnerable contracts were found in production. Having side-effects in the start and length patterns is also an unusual pattern which is not that likely to show up in user code. It is also much harder (but not impossible!) to trigger the bug since 0.3.4 since the unique symbol fence was introduced (https://github.com/vyperlang/vyper/pull/2914).

Details

It can be seen that the _build_adhoc_slice_node function of the slice builtin doesn't cache the mentioned arguments to the stack: https://github.com/vyperlang/vyper/blob/4595938734d9988f8e46e8df38049ae0559abedb/vyper/builtins/functions.py#L244

As such, they can be evaluated multiple times (instead of retrieving the value from the stack).

PoC

with Vyper version 0.3.3+commit.48e326f the call to foo passes the asserts: ```vyper l: DynArray[uint256, 10]

@external def foo(cs: String[64]) -> uint256: for i in range(10): self.l.append(1) assert len(self.l) == 10 s: Bytes[64] = b"" s = slice(msg.data, self.l.pop(), 3) assert len(self.l) == 10 - 2 return len(self.l) ```

Patches

Patched in https://github.com/vyperlang/vyper/pull/3976.

Impact

No vulnerable production contracts were found.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "vyper"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-32646"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-25T19:51:41Z",
    "nvd_published_at": "2024-04-25T18:15:08Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nUsing the `slice` builtin can result in a double eval vulnerability when the buffer argument is either `msg.data`, `self.code` or `\u003caddress\u003e.code` and either the `start` or `length` arguments have side-effects.\n\nA contract search was performed and no vulnerable contracts were found in production. Having side-effects in the start and length patterns is also an unusual pattern which is not that likely to show up in user code. It is also much harder (but not impossible!) to trigger the bug since `0.3.4` since the unique symbol fence was introduced (https://github.com/vyperlang/vyper/pull/2914).\n\n### Details\nIt can be seen that the `_build_adhoc_slice_node` function of the `slice` builtin doesn\u0027t cache the mentioned arguments to the stack: https://github.com/vyperlang/vyper/blob/4595938734d9988f8e46e8df38049ae0559abedb/vyper/builtins/functions.py#L244\n\nAs such, they can be evaluated multiple times (instead of retrieving the value from the stack).\n\n### PoC\nwith Vyper version `0.3.3+commit.48e326f` the call to `foo` passes the `asserts`:\n```vyper\nl: DynArray[uint256, 10]\n\n@external\ndef foo(cs: String[64]) -\u003e uint256:\n    for i in range(10):\n        self.l.append(1)\n    assert len(self.l) == 10\n    s: Bytes[64] = b\"\"\n    s = slice(msg.data, self.l.pop(), 3)\n    assert len(self.l) == 10 - 2\n    return len(self.l)\n```\n\n### Patches\nPatched in https://github.com/vyperlang/vyper/pull/3976.\n\n### Impact\nNo vulnerable production contracts were found.\n",
  "id": "GHSA-r56x-j438-vw5m",
  "modified": "2024-06-18T15:02:55Z",
  "published": "2024-04-25T19:51:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-r56x-j438-vw5m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32646"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vyperlang/vyper/pull/2914"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vyperlang/vyper"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "vyper performs double eval of the slice start/length args in certain cases"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.