pysec-2024-103

Vulnerability from pysec

Published

2024-01-18 19:15

Modified

2024-10-09 23:22

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. The concat built-in can write over the bounds of the memory buffer that was allocated for it and thus overwrite existing valid data. The root cause is that the build_IR for concat doesn't properly adhere to the API of copy functions (for >=0.3.2 the copy_bytes function). A contract search was performed and no vulnerable contracts were found in production. The buffer overflow can result in the change of semantics of the contract. The overflow is length-dependent and thus it might go unnoticed during contract testing. However, certainly not all usages of concat will result in overwritten valid data as we require it to be in an internal function and close to the return statement where other memory allocations don't occur. This issue has been addressed in 0.4.0.

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "vyper",
        "purl": "pkg:pypi/vyper"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "55e18f6d128b2da8986adbbcccf1cd59a4b9ad6f"
            }
          ],
          "repo": "https://github.com/vyperlang/vyper",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.4.0b1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.1.0b1",
        "0.1.0b10",
        "0.1.0b11",
        "0.1.0b12",
        "0.1.0b13",
        "0.1.0b14",
        "0.1.0b15",
        "0.1.0b16",
        "0.1.0b17",
        "0.1.0b2",
        "0.1.0b3",
        "0.1.0b4",
        "0.1.0b5",
        "0.1.0b6",
        "0.1.0b7",
        "0.1.0b8",
        "0.1.0b9",
        "0.2.1",
        "0.2.10",
        "0.2.11",
        "0.2.12",
        "0.2.13",
        "0.2.14",
        "0.2.15",
        "0.2.16",
        "0.2.2",
        "0.2.3",
        "0.2.4",
        "0.2.5",
        "0.2.6",
        "0.2.7",
        "0.2.8",
        "0.2.9",
        "0.3.0",
        "0.3.1",
        "0.3.10",
        "0.3.10rc1",
        "0.3.10rc2",
        "0.3.10rc3",
        "0.3.10rc4",
        "0.3.10rc5",
        "0.3.2",
        "0.3.3",
        "0.3.4",
        "0.3.5",
        "0.3.6",
        "0.3.7",
        "0.3.8",
        "0.3.9"
      ]
    }
  ],
  "aliases": [
    "CVE-2024-22419",
    "GHSA-2q8v-3gqq-4f8p"
  ],
  "details": "Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. The `concat` built-in can write over the bounds of the memory buffer that was allocated for it and thus overwrite existing valid data. The root cause is that the `build_IR` for `concat` doesn\u0027t properly adhere to the API of copy functions (for `\u003e=0.3.2` the `copy_bytes` function). A contract search was performed and no vulnerable contracts were found in production. The buffer overflow can result in the change of semantics of the contract. The overflow is length-dependent and thus it might go unnoticed during contract testing. However, certainly not all usages of concat will result in overwritten valid data as we require it to be in an internal function and close to the return statement where other memory allocations don\u0027t occur. This issue has been addressed in 0.4.0.",
  "id": "PYSEC-2024-103",
  "modified": "2024-10-09T23:22:49.818476+00:00",
  "published": "2024-01-18T19:15:00+00:00",
  "references": [
    {
      "type": "EVIDENCE",
      "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-2q8v-3gqq-4f8p"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-2q8v-3gqq-4f8p"
    },
    {
      "type": "EVIDENCE",
      "url": "https://github.com/vyperlang/vyper/issues/3737"
    },
    {
      "type": "REPORT",
      "url": "https://github.com/vyperlang/vyper/issues/3737"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/vyperlang/vyper/issues/3737"
    },
    {
      "type": "FIX",
      "url": "https://github.com/vyperlang/vyper/commit/55e18f6d128b2da8986adbbcccf1cd59a4b9ad6f"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

ghsa-2q8v-3gqq-4f8p

Vulnerability from github

Published

2024-01-19 16:19

Modified

2024-10-10 14:46

Severity ?

7.3 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Summary

concat built-in can corrupt memory in vyper

Details

### Summary concat built-in can write over the bounds of the memory buffer that was allocated for it and thus overwrite existing valid data. The root cause is that the build_IR for concat doesn't properly adhere to the API of copy functions (for >=0.3.2 the copy_bytes function).

A contract search was performed and no vulnerable contracts were found in production.

Tracked in issue https://github.com/vyperlang/vyper/issues/3737

Details

The build_IR allocates a new internal variable for the concatenation: https://github.com/vyperlang/vyper/blob/3b310d5292c4d1448e673d7b3adb223f9353260e/vyper/builtins/functions.py#L534-L550

Notice that the buffer is allocated for the maxlen + 1 word to actually hold the length of the array.

Later the copy_bytes function is used to copy the actual source arguments to the destination: https://github.com/vyperlang/vyper/blob/3b310d5292c4d1448e673d7b3adb223f9353260e/vyper/builtins/functions.py#L569-L572

The dst_data is defined via: - data ptr - to skip the 1 word that holds the length - offset - to skip the source arguments that were already written to the buffer - the offset is increased via: ["set", ofst, ["add", ofst, arglen]], ie it is increased by the length of the source argument

Now, the copy_bytes function has multiple control flow paths, the following ones are of interest: 1) https://github.com/vyperlang/vyper/blob/3b310d5292c4d1448e673d7b3adb223f9353260e/vyper/codegen/core.py#L270-L273 2) https://github.com/vyperlang/vyper/blob/3b310d5292c4d1448e673d7b3adb223f9353260e/vyper/codegen/core.py#L301-L320

Note that the function itself contains the following note: https://github.com/vyperlang/vyper/blob/3b310d5292c4d1448e673d7b3adb223f9353260e/vyper/codegen/core.py#L245-L247

That is we can ask for a copy of 1B yet a whole word is copied.

Consider the first interesting path - if the dst_data's distance to the end of the concat data buffer is < 32B, the copy_op = STORE(dst, LOAD(src)) from copy_bytes will result in buffer overflow as it essentially will mstore to dst_data the mload of the source (mload will load whole word and the distance of the dst_data to the word boundary is <32B).

From the two mentioned paths in copy_bytes it can be seen that both sources from memory and storage can cause the corruption.

PoC

The main attack vector that was found was when the concat is inside an internal function. Suppose we have an external function that calls internal one. In such case the address space is divided such that the memory for the internal function is in lower portion of the adr space. As such the buffer overflow can overwrite valid data of the caller.

Here is a simple example: ```python

@version ^0.3.9

@internal def bar() -> uint256: sss: String[2] = concat("a", "b") return 1

@external def foo() -> int256: a: int256 = -1 b: uint256 = self.bar() return a ```

foo should clearly return -1, but it returns 452312848583266388373324160190187140051835877600158453279131187530910662655

-1 was used intentionally due to its bit structure but the value here is fairly irelevant. In this example during the second iteration of the for loop in the build_IR mload to dst+1 will be executed (because len('a') == 1), thus the function will write 1B over the bounds of the buffer. The string 'b' is stored such that its right-most byte is a zero byte. So a zero byte will be written over the bounds. So when -1 is considered it's left-most B will be overwritten to all 0. Therefore it can be seen: 452312848583266388373324160190187140051835877600158453279131187530910662655 == (2**248-1) will output True.

IR

If we look at the contract's IR (vyper --no optimize -f ir), we see: ```

Line 30

                      /* a: int256 = -1 */ [mstore, 320, -1 <-1>],

And for the second iteration of the loop in concat: len, [mload, arg], [seq, [with, src, [add, arg, 32], [with, dst, [add, [add, 256 , 32], concat_ofst], [mstore, dst, [mload, src]]]], [set, concat_ofst, [add, concat_ofst, len]]]]], [mstore, 256 , concat_ofst], 256 ]], `` So the address of theint` is 320.

The dst is defined as: [add, [add, 256 <concat destination>, 32], concat_ofst],. In the second iteration the concat_ofst will be 1 because len('a)==1 so 256+32+1 = 289. Now this address will be mstored to - so the last mstored B will have the address 289+32=320 which clearly overlaps with the address of the int a.

PoC 2

Due to how immutables are handled, they can be corrupted too: ```python

@version ^0.3.9

i: immutable(int256)

@external def init(): i = -1 s: String[2] = concat("a", "b")

@external def foo() -> int256: return i ```

Output of calling foo() = 452312848583266388373324160190187140051835877600158453279131187530910662655.

Impact

The buffer overflow can result in the change of semantics of the contract. The overflow is length-dependent and thus it might go unnoticed during contract testing.

However, certainly not all usages of concat will result in overwritten valid data as we require it to be in an internal function and close to the return statement where other memory allocations don't occur.

Concluding remarks

The bug based on the fast path in copy_bytes was likely introduced in: 548d35d720fb6fd8efbdc0ce525bed259a73f0b9. git bisect was used between v0.3.1 and v0.3.2, forge test was run and the test asserted that the function indeed returns -1.

For the general case, 0.3.0 and 0.3.1 are also affected.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.3.10"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "vyper"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.3.0"
            },
            {
              "fixed": "0.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-22419"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-120",
      "CWE-787"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-19T16:19:51Z",
    "nvd_published_at": "2024-01-18T19:15:10Z",
    "severity": "HIGH"
  },
  "details": " ### Summary\n`concat` built-in can write over the bounds of the memory buffer that was allocated for it and thus overwrite existing valid data. The root cause is that the `build_IR` for `concat` doesn\u0027t properly adhere to the API of copy functions (for `\u003e=0.3.2` the `copy_bytes` function).\n\nA contract search was performed and no vulnerable contracts were found in production.\n\nTracked in issue https://github.com/vyperlang/vyper/issues/3737\n\n### Details\nThe `build_IR` allocates a new internal variable for the concatenation: https://github.com/vyperlang/vyper/blob/3b310d5292c4d1448e673d7b3adb223f9353260e/vyper/builtins/functions.py#L534-L550\n\nNotice that the buffer is allocated for the `maxlen` + 1 word to actually hold the length of the array.\n\nLater the `copy_bytes` function is used to copy the actual source arguments to the destination: https://github.com/vyperlang/vyper/blob/3b310d5292c4d1448e673d7b3adb223f9353260e/vyper/builtins/functions.py#L569-L572\n\nThe `dst_data` is defined via:\n- `data ptr` - to skip the 1 word that holds the length\n- `offset`  - to skip the source arguments that were already written to the buffer\n  - the `offset` is increased via: `[\"set\", ofst, [\"add\", ofst, arglen]]`, ie it is increased by the length of the source argument\n\nNow, the `copy_bytes` function has multiple control flow paths, the following ones are of interest:\n1) https://github.com/vyperlang/vyper/blob/3b310d5292c4d1448e673d7b3adb223f9353260e/vyper/codegen/core.py#L270-L273\n2)  https://github.com/vyperlang/vyper/blob/3b310d5292c4d1448e673d7b3adb223f9353260e/vyper/codegen/core.py#L301-L320\n\nNote that the function itself contains the following note: \nhttps://github.com/vyperlang/vyper/blob/3b310d5292c4d1448e673d7b3adb223f9353260e/vyper/codegen/core.py#L245-L247\n\nThat is we can ask for a copy of `1B` yet a whole word is copied.\n\nConsider the first interesting path -  if the `dst_data`\u0027s distance to the end of the concat data buffer is `\u003c 32B`, the `copy_op = STORE(dst, LOAD(src))` from `copy_bytes` will result in buffer overflow as it essentially will `mstore` to `dst_data` the `mload` of the source (mload will load whole word and the distance of the `dst_data` to the word boundary is `\u003c32B`).\n\nFrom the two mentioned paths in `copy_bytes` it can be seen that both sources from memory and storage can cause the corruption.\n\n### PoC\nThe main attack vector that was found was when the `concat` is inside an `internal` function.  Suppose we have an `external` function that calls `internal` one. In such case the address space is divided such that the memory for the internal function is in _lower_  portion of the adr space. As such the buffer overflow can overwrite _valid_ data of the caller.\n\nHere is a simple example:\n```python\n#@version ^0.3.9\n\n@internal\ndef bar() -\u003e uint256:\n    sss: String[2] = concat(\"a\", \"b\") \n    return 1\n\n\n@external\ndef foo() -\u003e int256:\n    a: int256 = -1\n    b: uint256 = self.bar()\n    return a \n```\n\n`foo` should clearly return `-1`, but it returns `452312848583266388373324160190187140051835877600158453279131187530910662655`\n\n`-1` was used intentionally due to its bit structure but the value here is fairly irelevant. In this example during the second iteration of the for loop in the `build_IR` `mload` to `dst+1` will be executed (because len(\u0027a\u0027) == 1), thus the function will write `1B` over the bounds of the buffer. The string \u0027b\u0027 is stored such that its right-most byte is a zero byte. So a zero byte will be written over the bounds.  So when `-1` is considered it\u0027s left-most B will be overwritten to all 0. Therefore it can be seen: `452312848583266388373324160190187140051835877600158453279131187530910662655 == (2**248-1)` will output `True`.\n\n#### IR\nIf we look at the contract\u0027s IR (vyper --no optimize -f ir), we see:\n```\n# Line 30\n                          /* a: int256 = -1 */ [mstore, 320, -1 \u003c-1\u003e],\n```\nAnd for the second iteration of the loop in concat:\n```\n len,\n                        [mload, arg],\n                        [seq,\n                          [with,\n                            src,\n                            [add, arg, 32],\n                            [with,\n                              dst,\n                              [add, [add, 256 \u003cconcat destination\u003e, 32], concat_ofst],\n                              [mstore, dst, [mload, src]]]],\n                          [set, concat_ofst, [add, concat_ofst, len]]]]],\n                    [mstore, 256 \u003cconcat destination\u003e, concat_ofst],\n                    256 \u003cconcat destination\u003e]],\n```\nSo the address of the `int` is 320. \n\nThe `dst` is defined as: `[add, [add, 256 \u003cconcat destination\u003e, 32], concat_ofst],`.\nIn the second iteration the `concat_ofst` will be 1 because `len(\u0027a)==1` so `256+32+1 = 289`. Now this address will be `mstored` to - so the last mstored B will have the address `289+32=320` which clearly overlaps with the address of the `int a`.\n\n#### PoC 2\nDue to how `immutables` are handled, they can be corrupted too:\n```python\n#@version ^0.3.9\n\ni: immutable(int256)\n\n@external\ndef __init__():\n    i = -1\n    s: String[2] = concat(\"a\", \"b\")\n\n@external\ndef foo() -\u003e int256:\n    return i\n```\n\nOutput of calling `foo()` = `452312848583266388373324160190187140051835877600158453279131187530910662655`.\n\n### Impact\nThe buffer overflow can result in the change of semantics of the contract. The overflow is length-dependent and thus it might go unnoticed during contract testing.\n\nHowever, certainly not all usages of `concat` will result in overwritten valid data as we require it to be in an `internal` function and close to the `return` statement where other memory allocations don\u0027t occur. \n\n### Concluding remarks\nThe bug based on the fast path in `copy_bytes` was likely introduced in: `548d35d720fb6fd8efbdc0ce525bed259a73f0b9`. `git bisect` was used between v0.3.1 and v0.3.2, `forge test` was run and the test asserted that the function indeed returns -1.\n\nFor the general case, `0.3.0` and `0.3.1` are also affected.",
  "id": "GHSA-2q8v-3gqq-4f8p",
  "modified": "2024-10-10T14:46:31Z",
  "published": "2024-01-19T16:19:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-2q8v-3gqq-4f8p"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22419"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vyperlang/vyper/issues/3737"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vyperlang/vyper/commit/55e18f6d128b2da8986adbbcccf1cd59a4b9ad6f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-103.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vyperlang/vyper"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "concat built-in can corrupt memory in vyper"
}

cve-2024-22419

Vulnerability from cvelistv5

Published

2024-01-18 18:45

Modified

2024-10-09 19:41

Severity ?

7.3 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Summary

concat built-in can corrupt memory in vyper

References

▼	URL	Tags
	https://github.com/vyperlang/vyper/security/advisories/GHSA-2q8v-3gqq-4f8p	x_refsource_CONFIRM
	https://github.com/vyperlang/vyper/issues/3737	x_refsource_MISC
	https://github.com/vyperlang/vyper/commit/55e18f6d128b2da8986adbbcccf1cd59a4b9ad6f	x_refsource_MISC

Impacted products

▼	Vendor	Product
	vyperlang	vyper

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T22:43:34.941Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/vyperlang/vyper/security/advisories/GHSA-2q8v-3gqq-4f8p",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-2q8v-3gqq-4f8p"
          },
          {
            "name": "https://github.com/vyperlang/vyper/issues/3737",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/vyperlang/vyper/issues/3737"
          },
          {
            "name": "https://github.com/vyperlang/vyper/commit/55e18f6d128b2da8986adbbcccf1cd59a4b9ad6f",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/vyperlang/vyper/commit/55e18f6d128b2da8986adbbcccf1cd59a4b9ad6f"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "vyper",
          "vendor": "vyperlang",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.4.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. The `concat` built-in can write over the bounds of the memory buffer that was allocated for it and thus overwrite existing valid data. The root cause is that the `build_IR` for `concat` doesn\u0027t properly adhere to the API of copy functions (for `\u003e=0.3.2` the `copy_bytes` function). A contract search was performed and no vulnerable contracts were found in production. The buffer overflow can result in the change of semantics of the contract. The overflow is length-dependent and thus it might go unnoticed during contract testing. However, certainly not all usages of concat will result in overwritten valid data as we require it to be in an internal function and close to the return statement where other memory allocations don\u0027t occur. This issue has been addressed in 0.4.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-120",
              "description": "CWE-120: Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-09T19:41:08.170Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/vyperlang/vyper/security/advisories/GHSA-2q8v-3gqq-4f8p",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-2q8v-3gqq-4f8p"
        },
        {
          "name": "https://github.com/vyperlang/vyper/issues/3737",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/vyperlang/vyper/issues/3737"
        },
        {
          "name": "https://github.com/vyperlang/vyper/commit/55e18f6d128b2da8986adbbcccf1cd59a4b9ad6f",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/vyperlang/vyper/commit/55e18f6d128b2da8986adbbcccf1cd59a4b9ad6f"
        }
      ],
      "source": {
        "advisory": "GHSA-2q8v-3gqq-4f8p",
        "discovery": "UNKNOWN"
      },
      "title": "concat built-in can corrupt memory in vyper"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-22419",
    "datePublished": "2024-01-18T18:45:55.731Z",
    "dateReserved": "2024-01-10T15:09:55.554Z",
    "dateUpdated": "2024-10-09T19:41:08.170Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Action not permitted

pysec-2024-103

Vulnerability from pysec

ghsa-2q8v-3gqq-4f8p

Vulnerability from github

Details

PoC

@version ^0.3.9

IR

Line 30

PoC 2

@version ^0.3.9

Impact

Concluding remarks

cve-2024-22419

Vulnerability from cvelistv5

Tags