_abi_decode Memory Overflow

Low
charles-cooper published GHSA-9p8r-4xp4-gw5w Feb 26, 2024

Package

vyper (pip)

Affected versions

<=0.3.10

Patched versions

0.4.0

Description

Summary

If an excessively large value is specified as the starting index for an array in _abi_decode, the read position can overflow. Values are then decoded from outside the intended array bounds, which can lead to bugs in contracts that use arrays within _abi_decode. The advisory has been assigned low severity because the issue is only observable if there is a memory write between two invocations of _abi_decode on the same input.

Proof of Concept

event Pwn:
    pass

@external
def f(x: Bytes[32 * 3]):
    a: Bytes[32] = b"foo"
    y: Bytes[32 * 3] = x

    decoded_y1: Bytes[32] = _abi_decode(y, Bytes[32])
    a = b"bar"
    decoded_y2: Bytes[32] = _abi_decode(y, Bytes[32])

    if decoded_y1 != decoded_y2:
        log Pwn()

Sending the following calldata results in Pwn being emitted.

0xd45754f8
0000000000000000000000000000000000000000000000000000000000000020
0000000000000000000000000000000000000000000000000000000000000060
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa0
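
The wrap-around behind this proof of concept can be modelled off-chain. The Python sketch below is an added example, not code from the advisory or from Vyper: the memory layout (a stored directly before y), the helper names and the form of the bounds check are assumptions made for illustration. It shows the same input decoding to two different values once a changes, and a decoder that validates the offset before adding it rejecting that input.

```python
# Added illustration: a model of 256-bit pointer arithmetic, not Vyper's code generation.
WORD, MOD = 32, 2**256

# Constructed from the PoC: the head word 0xff..a0, zero-padded to the declared 0x60 bytes.
POC_PAYLOAD = bytes.fromhex("ff" * 31 + "a0") + bytes(64)
# Constructed well-formed input: offset 0x20, length 3, data "abc".
GOOD_PAYLOAD = (32).to_bytes(WORD, "big") + (3).to_bytes(WORD, "big") + b"abc".ljust(WORD, b"\0")

def build_memory(a_value, payload):
    """Assumed layout: a (length word + 32 data bytes) directly followed by y."""
    a_slot = len(a_value).to_bytes(WORD, "big") + a_value.ljust(WORD, b"\0")
    y_slot = len(payload).to_bytes(WORD, "big") + payload
    return a_slot + y_slot, len(a_slot) + WORD  # (memory, pointer to y's data)

def decode_bytes(memory, buf_ptr, buf_len, checked):
    """Decode one ABI-encoded byte string from memory[buf_ptr : buf_ptr + buf_len]."""
    head = int.from_bytes(memory[buf_ptr:buf_ptr + WORD], "big")  # untrusted offset
    if checked and head > buf_len - WORD:
        raise ValueError("offset points outside the buffer")
    item_ptr = (buf_ptr + head) % MOD  # 256-bit addition wraps around
    length = int.from_bytes(memory[item_ptr:item_ptr + WORD], "big")
    if checked and length > buf_len - head - WORD:
        raise ValueError("length runs past the end of the buffer")
    return memory[item_ptr + WORD:item_ptr + WORD + length]

def run_poc(a_value, checked=False):
    """Decode the PoC payload with the given contents of a sitting before y."""
    memory, y_data = build_memory(a_value, POC_PAYLOAD)
    return decode_bytes(memory, y_data, len(POC_PAYLOAD), checked)

if __name__ == "__main__":
    print(run_poc(b"foo"), run_poc(b"bar"))  # same input, different results
    try:
        run_poc(b"foo", checked=True)
    except ValueError as exc:
        print("rejected:", exc)
```

In this model the offset 2**256 - 0x60 added to the data pointer wraps to the start of a, which is why the two decodes in the proof of concept disagree only after a is rewritten.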

Patches

Patched in #3925, #4091, #4144, #4060.

Severity

Low

CVE ID

CVE-2024-26149

Weaknesses

No CWEs