via bounty@nervos.org
The molecule crate, located at https://github.com/nervosnetwork/molecule, contains two instances of undefined behavior, in unpack_number, and unpack_number_vec. The former creates unaligned pointers, the second creates slices to unallocated memory.
I do not know an immediate security vulnerability, but these are serious bugs with the potential to become security bugs, particularly as they are in user-facing deserialization code.
I used miri to verify the UB and verify a fix that removes the unsafe code. Here are examples of the two cases:
error: Undefined Behavior: accessing memory with alignment 1, but alignment 4 is required
  --> /home/ubuntu/molecule/bindings/rust/src/lib.rs:35:30
   |
35 |         Number::from_le(unsafe { *le })
   |                                  ^^^ accessing memory with alignment 1, but alignment 4 is required
   |
   = help: this indicates a bug in the program: it performed an invalid operation, and caused Undefined Behavior
   = help: see https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html for further information
   = note: inside `molecule::unpack_number` at /home/ubuntu/molecule/bindings/rust/src/lib.rs:35:30
note: inside `<types::BytesReader as molecule::prelude::Reader>::verify` at /home/ubuntu/molecule/examples/ci-tests/target/debug/build/molecule-ci-tests-0173915571d4b2bd/out/types.rs:125:2461
  --> /home/ubuntu/molecule/examples/ci-tests/target/debug/build/molecule-ci-tests-0173915571d4b2bd/out/types.rs:125:2461

error: Undefined Behavior: Memory access failed: pointer must be in-bounds at offset 24, but is outside bounds of alloc209908 which has size 9
  --> /home/ubuntu/molecule/bindings/rust/src/lib.rs:47:9
   |
47 |         &*(slice as *const [u8] as *const [[u8; 4]])
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Memory access failed: pointer must be in-bounds at offset 24, but is outside bounds of alloc209908 which has size 9
   |
   = help: this indicates a bug in the program: it performed an invalid operation, and caused Undefined Behavior
   = help: see https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html for further information
   = note: inside `molecule::unpack_number_vec` at /home/ubuntu/molecule/bindings/rust/src/lib.rs:47:9
note: inside `<types::Table1Reader as molecule::prelude::Reader>::verify` at /home/ubuntu/molecule/examples/ci-tests/target/debug/build/molecule-ci-tests-8663c052f3cd32d8/out/types.rs:164:3895
  --> /home/ubuntu/molecule/examples/ci-tests/target/debug/build/molecule-ci-tests-8663c052f3cd32d8/out/types.rs:164:3895
They can be reproduced by running miri +nightly test in the examples/ci-tests folder.
A working patch against commit e870efcdec96b246f0d4daadd1eca02b6b021420 is attached.
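An added example, not the molecule crate's code and not the attached patch, showing how both reads can be done without any unsafe code. `from_le_bytes` copies the four bytes into an aligned local, so the source slice may sit at any alignment, and `chunks_exact` keeps the element count tied to the byte length, so a 9-byte input yields two numbers plus one flagged trailing byte instead of a 36-byte read. The `Number` alias, the function names, the `Option`/`Result` signatures and the sample buffers are assumptions made here.

```rust
// Added example, not the molecule crate's code nor the attached patch.
// Assumed: `Number` is the crate's u32 alias; the function names mirror
// the report, but the Option/Result signatures are choices made here.

type Number = u32;
const NUMBER_SIZE: usize = std::mem::size_of::<Number>();

/// Read one little-endian number from the start of `slice`.
/// `get(..4)` is bounds-checked and `from_le_bytes` works from a copied
/// `[u8; 4]`, so no `*const u32` is ever formed and alignment is irrelevant.
pub fn unpack_number(slice: &[u8]) -> Option<Number> {
    let bytes: [u8; NUMBER_SIZE] = slice.get(..NUMBER_SIZE)?.try_into().ok()?;
    Some(Number::from_le_bytes(bytes))
}

/// Decode `slice` as consecutive little-endian numbers.
/// `chunks_exact` walks the slice in 4-byte steps and stops at its real end;
/// a cast of `*const [u8]` to `*const [[u8; 4]]` would instead keep the byte
/// count as the element count and read four times as much memory.
/// Trailing bytes that do not form a whole number are reported as an error
/// rather than silently dropped.
pub fn unpack_number_vec(slice: &[u8]) -> Result<Vec<Number>, usize> {
    let chunks = slice.chunks_exact(NUMBER_SIZE);
    let trailing = chunks.remainder().len();
    if trailing != 0 {
        return Err(trailing);
    }
    Ok(chunks
        .map(|c| Number::from_le_bytes(c.try_into().expect("chunk is NUMBER_SIZE bytes")))
        .collect())
}

/// A buffer whose bytes 1.. are guaranteed to be misaligned for u32:
/// the struct is 4-aligned, so `&self.0[1..]` starts at an address with
/// address % 4 == 1.
#[repr(C, align(4))]
struct Aligned([u8; 12]);

/// Decode from a deliberately misaligned view (constructed sample data)
/// to show the safe reader does not care where the bytes live.
pub fn decode_misaligned_sample() -> Vec<Number> {
    // constructed: one pad byte, then 0x11223344 and 0x55667788 in little endian
    let buf = Aligned([0xAA, 0x44, 0x33, 0x22, 0x11, 0x88, 0x77, 0x66, 0x55, 0, 0, 0]);
    let view = &buf.0[1..9];
    debug_assert_eq!(view.as_ptr() as usize % NUMBER_SIZE, 1);
    unpack_number_vec(view).expect("8 bytes decode to two numbers")
}

fn main() {
    println!("{:?}", decode_misaligned_sample());
    // nine bytes, like the allocation in the miri report: two whole numbers
    // and one trailing byte, reported instead of overread
    println!("{:?}", unpack_number_vec(&[1, 0, 0, 0, 2, 0, 0, 0, 9]));
}
```

Running this under `cargo +nightly miri run` is a cheap regression check: a reader built only from slice indexing and `from_le_bytes` has no pointer casts for miri to flag, and any future reintroduction of a raw cast shows up as the same alignment or out-of-bounds diagnostic quoted above.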