CVE-2022-24788: Merge pull request from GHSA-j2x6-9323-fp7h · vyperlang/vyper@049dbdc

Vyper is a pythonic smart contract language for the Ethereum Virtual Machine. Versions of Vyper prior to 0.3.2 are affected by a potential buffer overrun: importing a function from a JSON interface that returns `Bytes` generates bytecode which does not clamp the length of the returned bytes, so a callee returning more data than the caller allocated for can overrun the caller's buffer. Users are advised to upgrade to 0.3.2 or later. There are no known workarounds for this issue.



This commit addresses two issues in validating returndata, both related to the inferred type of the external call return.

First, it addresses an issue with interfaces imported from JSON. The JSON_ABI encoding type was added in 0.3.0 as part of the calling convention refactor to mimic the old code’s behavior when the signature of a function had `is_from_json` toggled to True. However, both implementations were a workaround for the fact that in FunctionSignatures from JSON with Bytes return types, length is set to 1 as a hack to ensure they always typecheck - almost always resulting in a runtime revert.

This commit removes the JSON_ABI encoding type, so that dynamic returndata from an interface defined with a .json ABI file cannot result in a buffer overrun(!). To avoid the issue with always runtime reverting, codegen uses the inferred ContractFunction type of the Call.func member (which is both more accurate than the inferred type of the Call expression, and the return type on the FunctionSignature!) to calculate the length of the external Bytes array.

Second, this commit addresses an issue with validating call returns in complex expressions. In the following examples, the type of the call return is either inferred incorrectly or it takes a path through codegen which avoids generating runtime clamps:

```vyper
interface Foo:
    def returns_int128() -> int128: view
    def returns_Bytes3() -> Bytes[3]: view

foo: Foo

…

x: uint256 = convert(self.foo.returns_int128(), uint256)
y: Bytes[32] = concat(self.foo.returns_Bytes3(), b"")
```

To address this issue, if the type of returndata needs validation, this commit decodes the returndata “strictly” into a newly allocated buffer at the time of the call, to avoid unvalidated data accidentally getting into the runtime. This does result in extra memory traffic which is a performance hit, but the performance issue can be addressed at a later date with a zero-copy buffering scheme (parent Expr allocates the buffer).

Additional minor fixes and cleanup:

  • fix compiler panic in new_type_to_old_type for Tuples
  • remove `_should_decode` helper function as it duplicates `needs_clamp`
  • minor optimization in returndatasize check - assert ge uses one fewer instruction than assert gt.
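The following is an added example, not code from the Vyper project or from this commit. It models in plain Python what the commit message describes: a caller that trusts the length word of a dynamic `bytes` return and copies it into a fixed `Bytes[3]` buffer (the unclamped path) versus a decoder that validates returndatasize, offset, length and data end before anything is copied (the "strict" decode). The frame layout, the `Memory` slab, the `owner` word placed right after the buffer and all function names are constructed for this illustration and are not Vyper's real memory allocator or codegen.

```python
"""Toy model of decoding a dynamic `bytes` external-call return (added example)."""

WORD = 32


class Revert(Exception):
    """Stands in for an EVM revert raised by a runtime clamp."""


def abi_encode_bytes(data: bytes) -> bytes:
    """ABI-encode one `bytes` return value: offset word, length word, padded data."""
    head = WORD.to_bytes(WORD, "big")            # offset to the length word (0x20)
    length = len(data).to_bytes(WORD, "big")
    pad = (-len(data)) % WORD
    return head + length + data + b"\x00" * pad


def decode_bytes_strict(returndata: bytes, max_len: int) -> bytes:
    """Decode `returndata` as Bytes[max_len], reverting on anything out of bounds.

    Every check happens before the data is copied anywhere, so unvalidated
    bytes never reach a caller-allocated buffer.
    """
    if len(returndata) < 2 * WORD:                       # returndatasize >= 64
        raise Revert("returndatasize too small for offset and length words")
    offset = int.from_bytes(returndata[:WORD], "big")
    if offset + WORD > len(returndata):
        raise Revert("offset points past returndata")
    length = int.from_bytes(returndata[offset:offset + WORD], "big")
    if length > max_len:                                 # the clamp that was missing
        raise Revert(f"length {length} exceeds Bytes[{max_len}]")
    start = offset + WORD
    if start + length > len(returndata):
        raise Revert("data runs past returndata")
    return returndata[start:start + length]


def strict_reverts(returndata: bytes, max_len: int) -> bool:
    """True if the strict decoder rejects `returndata` for Bytes[max_len]."""
    try:
        decode_bytes_strict(returndata, max_len)
    except Revert:
        return True
    return False


class Memory:
    """A flat slab of EVM-style memory shared by the variables of one frame."""

    def __init__(self, size: int = 256):
        self.buf = bytearray(size)

    def store(self, at: int, data: bytes) -> None:
        # Bounds are checked against the slab only, not against the variable
        # being written: that is what an unclamped returndatacopy looks like.
        assert at + len(data) <= len(self.buf), "write outside the slab"
        self.buf[at:at + len(data)] = data

    def load(self, at: int, n: int) -> bytes:
        return bytes(self.buf[at:at + n])


# Hypothetical frame layout (constructed for this example): a Bytes[3] buffer
# at 0x00 (length word + one 32-byte data slot) and an unrelated uint256
# `owner` word immediately after it at 0x40.
BUF_OFFSET, BUF_MAX = 0x00, 3
OWNER_OFFSET = 0x40


def decode_bytes_unclamped(mem: Memory, returndata: bytes) -> int:
    """Unclamped path as the commit message describes it: trust the length
    word and copy length+data into the Bytes[3] buffer without checking it."""
    length = int.from_bytes(returndata[WORD:2 * WORD], "big")
    mem.store(BUF_OFFSET, returndata[WORD:2 * WORD + length])
    return length


def demo() -> dict:
    """Run a constructed malicious callee against both decoders."""
    owner = (0xABCD).to_bytes(WORD, "big")
    evil = abi_encode_bytes(b"\xff" * 64)       # 64 bytes where Bytes[3] is expected

    mem = Memory()
    mem.store(OWNER_OFFSET, owner)
    decode_bytes_unclamped(mem, evil)            # overruns the buffer into `owner`
    clobbered = mem.load(OWNER_OFFSET, WORD) != owner

    honest = decode_bytes_strict(abi_encode_bytes(b"abc"), BUF_MAX)
    return {
        "owner_clobbered": clobbered,
        "strict_reverted": strict_reverts(evil, BUF_MAX),
        "honest": honest,
    }


if __name__ == "__main__":
    print(demo())
```

The malicious 64-byte return overwrites the `owner` word through the unclamped path and is rejected by the strict decoder; a well-formed 3-byte return decodes normally. The same decoder also rejects returndata that is shorter than 64 bytes, an offset that points past the end, and a length word that claims more data than was actually returned, which is why validating before copying matters independently of the `Bytes[N]` bound.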