CVE-2022-23066: jit: sign-extend the quotient register on sdiv32 (#310) · solana-labs/rbpf@e61e045
Solana rBPF versions 0.2.26 and 0.2.27 are affected by an incorrect-calculation flaw caused by an improper implementation of the sdiv instruction. This can send a program down the wrong execution path, resulting in a huge loss in specific cases: for example, the result of an sdiv instruction may decide whether or not to transfer tokens. The vulnerability affects integrity and may also cause serious availability problems.
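As an added illustration (not rbpf's code and not part of this commit), the following Rust model contrasts the two behaviours named in the headline: a 32-bit signed quotient written back to a 64-bit register zero-extended versus sign-extended. It uses the same operands as the new tests (0x10000000c divided by -4) and shows how a sign-based branch would go the wrong way under the unfixed behaviour. The function names and the wrapping treatment of i32::MIN / -1 are assumptions of this model, not rbpf's API.

```rust
// Added example: model of the sdiv32 quotient write-back, before and after
// the fix described by the commit headline. Not rbpf's own code.

/// Interpret the low 32 bits of a 64-bit register as a signed value.
fn low32_signed(reg: u64) -> i32 {
    reg as u32 as i32
}

/// Unfixed behaviour: the 32-bit quotient is zero-extended into the
/// 64-bit destination, so a negative result appears as a large positive.
/// Returns None on division by zero (BPF treats that as an error).
fn sdiv32_zero_extended(dst: u64, src: u64) -> Option<u64> {
    let a = low32_signed(dst);
    let b = low32_signed(src);
    if b == 0 {
        return None;
    }
    // Assumption of this model: i32::MIN / -1 wraps rather than trapping.
    let q = a.wrapping_div(b);
    Some(q as u32 as u64)
}

/// Fixed behaviour: the 32-bit quotient is sign-extended, so the 64-bit
/// register holds the same signed value the 32-bit division produced.
fn sdiv32_sign_extended(dst: u64, src: u64) -> Option<u64> {
    let a = low32_signed(dst);
    let b = low32_signed(src);
    if b == 0 {
        return None;
    }
    let q = a.wrapping_div(b);
    Some(q as i64 as u64)
}

/// What a 64-bit signed conditional jump (e.g. "is r0 < 0?") would see.
fn quotient_is_negative(reg: u64) -> bool {
    (reg as i64) < 0
}

fn main() {
    // Operands taken from the new tests: upper bits set, low 32 bits = 12.
    let dst = 0x1_0000_000c_u64;
    // `mov r1, -4` leaves a sign-extended -4 in the register.
    let src = (-4i64) as u64;

    let buggy = sdiv32_zero_extended(dst, src).unwrap();
    let fixed = sdiv32_sign_extended(dst, src).unwrap();

    println!("zero-extended: 0x{:016x} (as i64: {})", buggy, buggy as i64);
    println!("sign-extended: 0x{:016x} (as i64: {})", fixed, fixed as i64);
    println!(
        "branch on r0 < 0 taken? buggy={} fixed={}",
        quotient_is_negative(buggy),
        quotient_is_negative(fixed)
    );
}
```

Run it and the zero-extended result prints as 4294967293 while the sign-extended one prints as -3; a program that branched on the sign of r0 after the division would take different paths under the two behaviours, which is the "wrong execution path" the advisory text describes.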
@@ -838,6 +838,21 @@ fn test_sdiv32_imm() {
);
}
#[test]
fn test_sdiv32_neg_imm() {
test_interpreter_and_jit_asm!(
"
lddw r0, 0x10000000c
sdiv32 r0, -4
exit",
[],
(),
0,
{ |_vm, res: Result| { res.unwrap() as i64 == -3 } },
3
);
}
#[test]
fn test_sdiv32_reg() {
test_interpreter_and_jit_asm!(
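Review bot: test_sdiv32_neg_imm only covers a negative quotient; since the fix concerns how the quotient is written back to the 64-bit register, consider pairing it with a positive-quotient case on the same dividend (for example `sdiv32 r0, 4` expecting 3) so the test also proves the upper 32 bits left by `lddw r0, 0x10000000c` are cleared rather than carried over. The expected `-3` is right for the low 32 bits (12 / -4), and the instruction count of 3 matches lddw, sdiv32, exit.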
@@ -854,6 +869,22 @@ fn test_sdiv32_reg() {
);
}
#[test]
fn test_sdiv32_neg_reg() {
test_interpreter_and_jit_asm!(
"
lddw r0, 0x10000000c
mov r1, -4
sdiv32 r0, r1
exit",
[],
(),
0,
{ |_vm, res: Result| { res.unwrap() as i64 == -0x3 } },
4
);
}
#[test]
fn test_div64_imm() {
test_interpreter_and_jit_asm!(
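Review bot: `-0x3` in test_sdiv32_neg_reg is written in hex while the sibling imm test uses `-3`; write `-3` here for consistency. This case also implicitly checks that only the low 32 bits of r1 are used as the divisor after `mov r1, -4` fills the whole register with the sign-extended immediate; a one-line comment stating that intent would make the test easier to maintain. The instruction count of 4 matches lddw, mov, sdiv32, exit.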