GHSA-r56x-j438-vw5m

Source

https://github.com/advisories/GHSA-r56x-j438-vw5m

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-r56x-j438-vw5m/GHSA-r56x-j438-vw5m.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-r56x-j438-vw5m

Aliases

Related

Published

2024-04-25T19:51:41Z

Modified

2025-01-21T18:22:00.552220Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

vyper performs double eval of the slice start/length args in certain cases

Details

Summary

Using the slice builtin can result in a double eval vulnerability when the buffer argument is either msg.data, self.code or <address>.code and either the start or length arguments have side-effects.

A contract search was performed and no vulnerable contracts were found in production. Having side-effects in the start and length patterns is also an unusual pattern which is not that likely to show up in user code. It is also much harder (but not impossible!) to trigger the bug since 0.3.4 since the unique symbol fence was introduced (https://github.com/vyperlang/vyper/pull/2914).

Details

It can be seen that the _build_adhoc_slice_node function of the slice builtin doesn't cache the mentioned arguments to the stack: https://github.com/vyperlang/vyper/blob/4595938734d9988f8e46e8df38049ae0559abedb/vyper/builtins/functions.py#L244

As such, they can be evaluated multiple times (instead of retrieving the value from the stack).

PoC

with Vyper version 0.3.3+commit.48e326f the call to foo passes the asserts:

l: DynArray[uint256, 10]

@external
def foo(cs: String[64]) -> uint256:
    for i in range(10):
        self.l.append(1)
    assert len(self.l) == 10
    s: Bytes[64] = b""
    s = slice(msg.data, self.l.pop(), 3)
    assert len(self.l) == 10 - 2
    return len(self.l)

Patches

Patched in https://github.com/vyperlang/vyper/pull/3976.

Impact

No vulnerable production contracts were found.

Database specific

{
    "nvd_published_at": "2024-04-25T18:15:08Z",
    "cwe_ids": [
        "CWE-20"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-25T19:51:41Z"
}

References

Affected packages

PyPI / vyper

Package

Name: vyper; View open source insights on deps.dev
Purl: pkg:pypi/vyper

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.4.0

Affected versions

0.*

0.1.0b1

0.1.0b2

0.1.0b3

0.1.0b4

0.1.0b5

0.1.0b6

0.1.0b7

0.1.0b8

0.1.0b9

0.1.0b10

0.1.0b11

0.1.0b12

0.1.0b13

0.1.0b14

0.1.0b15

0.1.0b16

0.1.0b17

0.2.1

0.2.2

0.2.3

0.2.4

0.2.5

0.2.6

0.2.7

0.2.8

0.2.9

0.2.10

0.2.11

0.2.12

0.2.13

0.2.14

0.2.15

0.2.16

0.3.0

0.3.1

0.3.2

0.3.3

0.3.4

0.3.5

0.3.6

0.3.7

0.3.8

0.3.9

0.3.10rc1

0.3.10rc2

0.3.10rc3

0.3.10rc4

0.3.10rc5

0.3.10

0.4.0b1

0.4.0b2

0.4.0b3

0.4.0b4

0.4.0b5

0.4.0b6

0.4.0rc1

0.4.0rc2

0.4.0rc3

0.4.0rc4

0.4.0rc5

0.4.0rc6