vyper icon indicating copy to clipboard operation
vyper copied to clipboard

Published 20 hours ago verified publisher icon vyperlang

fix[codegen]: fix _abi_decode overflow

Open cyberthirst opened this issue 1 year ago • 6 comments

What I did

  • fix for: https://github.com/vyperlang/vyper/issues/3899

How I did it

  • validate that the head points within the parent bounds

How to verify it

  • added the PoC from https://github.com/vyperlang/vyper/security/advisories/GHSA-9p8r-4xp4-gw5w as a test

Commit message

Commit message for the final, squashed PR. (Optional, but reviewers will appreciate it! Please see our commit message style guide for what we would ideally like to see in a commit message.)

Description for the changelog

Cute Animal Picture

Put a link to a cute animal picture inside the parenthesis-->

cyberthirst avatar Apr 09 '24 08:04 cyberthirst

TODO: we should likely add a check that the element pointed to by head is also within the parent bounds

cyberthirst avatar Apr 09 '24 08:04 cyberthirst

also, looking at the code, i think there's a possibility for double eval of parent node

cyberthirst avatar Apr 09 '24 08:04 cyberthirst

yeah, looks like double eval

[with,
    arr_ptr,
    [add,
      [add, [add, 64 <x>, 32], 32],
      [with,
        clamp_arg,
        [mload, [add, [add, [add, 64 <x>, 32], 32], [mul, copy_darray_ix1, 32]]],
        [seq, [assert, [le, clamp_arg, 512]], clamp_arg]]],

cyberthirst avatar Apr 09 '24 08:04 cyberthirst

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Project coverage is 87.94%. Comparing base (003d0c6) to head (538cdaa). Report is 1 commits behind head on master.

:exclamation: Current head 538cdaa differs from pull request most recent head 898a91d

Please upload reports for the commit 898a91d to get more accurate results.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #3925      +/-   ##
==========================================
- Coverage   91.04%   87.94%   -3.10%     
==========================================
  Files         107      106       -1     
  Lines       15422    15325      -97     
  Branches     3389     3152     -237     
==========================================
- Hits        14041    13478     -563     
- Misses        947     1314     +367     
- Partials      434      533      +99

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.

codecov-commenter avatar Apr 09 '24 08:04 codecov-commenter

another example in case you want more tests there:

@external
def bar() -> (uint256, uint256, uint256):
    return (480, 0, 0)
    

interface A:
    def bar() -> String[32]: nonpayable

@internal
def internal_func():
    # in this case we extcall ourself for the sake of the POC but it could be any other contract
    x:String[32] = extcall A(self).bar()
    print(x) # prints "oooops"
@external
def foo():
    w:String[8] = "oooops"
    self.internal_func()

trocher avatar Apr 17 '24 16:04 trocher

this is more or less ready for review, @cyberthirst to add more tests

charles-cooper avatar May 15 '24 20:05 charles-cooper