Disallow setting $sp < $ssp using CFS and CFSI instructions #473

Merged 3 commits into master from dento/cfs-bugfix, Jun 5, 2023

Conversation

@Dentosal (Member) commented Jun 5, 2023

This is a critical security bug that allows bypassing memory ownership protection completely.

Exploiting this bug is trivial. Using the following code would make the whole VM memory writable using e.g. SB and SW instructions. This in turn allows, for instance, performing contract operations using a different contract's id.

cfs $sp           // Use the bug to set $sp = 0
slli $a, $one, 26 // Set $a to VM_MAX_RAM
aloc $a           // Set $hp = 0, so that the whole memory is in owned heap range
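
The sequence above only works because pre-fix CFS could move `$sp` below `$ssp`, after which ALOC's `$hp - $rA < $sp` guard no longer protects anything. The following is an added, stand-alone model of that register logic written for this page; it is not the fuel-vm crate's code. The register names (`$ssp`, `$sp`, `$hp`), `VM_MAX_RAM = 1 << 26` and the ownership rule (stack `[ssp, sp)`, heap `[hp, VM_MAX_RAM)`) follow the PR description; the starting frame address `0x1000`, the error names and the method names are assumptions made for the example. It replays the three instructions against a pre-fix CFS (no `$ssp` check) and a post-fix CFS (rejects any shrink that would leave `$sp < $ssp`):

```rust
// Added illustration of the bug and fix described in this PR. This is a
// simplified model of the FuelVM stack/heap registers, NOT fuel-vm's own
// implementation. Register names, VM_MAX_RAM and the ownership rule follow
// the PR text; the frame address, error and method names are assumptions.

const VM_MAX_RAM: u64 = 1 << 26; // 64 MiB, what `slli $a, $one, 26` computes

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct Regs {
    pub ssp: u64, // stack start of the current frame
    pub sp: u64,  // stack pointer (one past the top of the stack)
    pub hp: u64,  // heap pointer (heap grows downward from VM_MAX_RAM)
}

#[derive(Debug, PartialEq, Eq)]
pub enum VmError {
    StackUnderflow,
    MemoryOverflow,
}

impl Regs {
    /// A fresh frame whose stack begins at `ssp` and whose heap is empty.
    pub fn new(ssp: u64) -> Self {
        Regs { ssp, sp: ssp, hp: VM_MAX_RAM }
    }

    /// Pre-fix CFS as modelled here: `$sp -= $rA` with only wrap-around
    /// protection, so `$sp` can legally drop below `$ssp`.
    pub fn cfs_buggy(&mut self, ra: u64) -> Result<(), VmError> {
        self.sp = self.sp.checked_sub(ra).ok_or(VmError::StackUnderflow)?;
        Ok(())
    }

    /// Post-fix CFS: refuse any shrink that would leave `$sp < $ssp`.
    pub fn cfs_fixed(&mut self, ra: u64) -> Result<(), VmError> {
        let new_sp = self.sp.checked_sub(ra).ok_or(VmError::StackUnderflow)?;
        if new_sp < self.ssp {
            return Err(VmError::StackUnderflow);
        }
        self.sp = new_sp;
        Ok(())
    }

    /// CFSI is the same operation with an immediate operand, so it must
    /// share the same check.
    pub fn cfsi_fixed(&mut self, imm: u32) -> Result<(), VmError> {
        self.cfs_fixed(imm as u64)
    }

    /// ALOC: grow the heap downward, never into the stack (`$hp - $rA < $sp`
    /// is an error). This guard is what a zeroed `$sp` renders useless.
    pub fn aloc(&mut self, ra: u64) -> Result<(), VmError> {
        let new_hp = self.hp.checked_sub(ra).ok_or(VmError::MemoryOverflow)?;
        if new_hp < self.sp {
            return Err(VmError::MemoryOverflow);
        }
        self.hp = new_hp;
        Ok(())
    }

    /// Ownership rule the PR says is bypassed: a byte is writable (e.g. by
    /// SB/SW) if it lies in the current stack frame or in the heap.
    pub fn owns(&self, addr: u64) -> bool {
        (self.ssp <= addr && addr < self.sp) || (self.hp <= addr && addr < VM_MAX_RAM)
    }
}

/// Replay `cfs $sp` / `aloc VM_MAX_RAM` from the PR against either CFS
/// variant. Returns Ok(true) if address 0, which lies outside the frame,
/// became writable, and Err if an instruction was rejected.
pub fn run_exploit(fixed: bool) -> Result<bool, VmError> {
    let mut regs = Regs::new(0x1000); // hypothetical frame starting at 4 KiB
    let sp = regs.sp;
    if fixed {
        regs.cfs_fixed(sp)?; // cfs $sp
    } else {
        regs.cfs_buggy(sp)?; // cfs $sp  -> $sp = 0
    }
    regs.aloc(VM_MAX_RAM)?; // aloc $a  -> $hp = 0 when $sp = 0
    Ok(regs.owns(0))
}

fn main() {
    println!("pre-fix CFS:  {:?}", run_exploit(false)); // Ok(true)
    println!("post-fix CFS: {:?}", run_exploit(true)); // Err(StackUnderflow)
}
```

With the pre-fix CFS the model ends with `$sp = 0`, `$hp = 0`, and every address in `[0, VM_MAX_RAM)` passes the heap ownership test; with the fixed CFS the very first instruction is rejected and the registers are unchanged. The same `new_sp < ssp` comparison has to be applied on the CFSI path, which is why the title of the PR names both instructions.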

@Dentosal added labels bug (Something isn't working), breaking (A breaking api change), fuel-vm (Related to the `fuel-vm` crate) on Jun 5, 2023
@Dentosal requested a review from a team, June 5, 2023 13:57
@Dentosal self-assigned this, Jun 5, 2023
@xgreenx (Collaborator) left a comment

Good catch!=) Could you also update the CHANGELOG please?=)

@Dentosal enabled auto-merge, June 5, 2023 19:06
@Dentosal added this pull request to the merge queue, Jun 5, 2023
Merged via the queue into master with commit 29f526a, Jun 5, 2023
@Dentosal deleted the dento/cfs-bugfix branch, June 5, 2023 21:18
Labels: audit-blocker, breaking (A breaking api change), bug (Something isn't working), fuel-vm (Related to the `fuel-vm` crate)