Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-6r8q-pfpv-7cgj: Vyper vulnerable to integer overflow in loop

Impact

Due to missing overflow check for loop variables, by assigning the iterator of a loop to a variable, it is possible to overflow the type of the latter.

In the following example, calling test returns 354, meaning that the variable a did store 354 a value out of bound for the type uint8.

@external
def test() -> uint16:
    x:uint8 = 255
    a:uint8 = 0
    for i in range(x, x+100):
        a = i
    return convert(a,uint16)

The issue seems to happen only in loops of type for i in range(a, a + N) as in loops of type for i in range(start, stop) and for i in range(stop), the compiler is able to raise a TypeMismatch when trying to overflow the variable.

thanks to @trocher for reporting

Patches

The problem is patched at https://github.com/vyperlang/vyper/commit/3de1415ee77a9244eb04bdb695e249d3ec9ed868

Workarounds

ghsa
Open in Source
#git#perl

Impact

Due to missing overflow check for loop variables, by assigning the iterator of a loop to a variable, it is possible to overflow the type of the latter.

In the following example, calling test returns 354, meaning that the variable a did store 354 a value out of bound for the type uint8.

@external def test() -> uint16: x:uint8 = 255 a:uint8 = 0 for i in range(x, x+100): a = i return convert(a,uint16)

The issue seems to happen only in loops of type for i in range(a, a + N) as in loops of type for i in range(start, stop) and for i in range(stop), the compiler is able to raise a TypeMismatch when trying to overflow the variable.

thanks to @trocher for reporting

Patches

The problem is patched at vyperlang/vyper@3de1415

Workarounds****References

  • GHSA-6r8q-pfpv-7cgj
  • https://nvd.nist.gov/vuln/detail/CVE-2023-32058
  • vyperlang/vyper@3de1415

Related news

CVE-2023-32058: Integer overflow for loops of form `for i in range(x, x+N)`

Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, due to missing overflow check for loop variables, by assigning the iterator of a loop to a variable, it is possible to overflow the type of the latter. The issue seems to happen only in loops of type `for i in range(a, a + N)` as in loops of type `for i in range(start, stop)` and `for i in range(stop)`, the compiler is able to raise a `TypeMismatch` when trying to overflow the variable. The problem has been patched in version 0.3.8.

ghsa: Latest News

GHSA-j4jw-m6xr-fv6c: Soft Serve vulnerable to path traversal attacks
ghsa