CVE-2024-24564: Vyper extract32 can ready dirty memory
First published: Mon Feb 26 2024(Updated: )
### Summary When using the built-in `extract32(b, start)`, if the `start` index provided has for side effect to update `b`, the byte array to extract `32` bytes from, it could be that some dirty memory is read and returned by `extract32`. As of v0.4.0 (specifically, commit https://github.com/vyperlang/vyper/commit/3d9c537142fb99b2672f21e2057f5f202cde194f), the compiler will panic instead of generating bytecode. ### Details Before evaluating `start`, the function `Extract32.build_IR` caches only: - The pointer in memory/storage to `b`: https://github.com/vyperlang/vyper/blob/10564dcc37756f3d3684b7a91fd8f4325a38c4d8/vyper/builtins/functions.py#L916-L918 - The length of `b`: https://github.com/vyperlang/vyper/blob/10564dcc37756f3d3684b7a91fd8f4325a38c4d8/vyper/builtins/functions.py#L920-L922 but do not cache the actual content of `b`. This means that if the evaluation of `start` changes `b`'s content and length, an outdated length will be used with the new content when extracting 32 bytes from `b`. ### PoC Calling the function `foo` of the following contract returns `b'uuuuuuuuuuuuuuuuuuuuuuuuuuu\x00\x00789'` meaning that `extract32` accessed some dirty memory. ```Vyper var:Bytes[96] @internal def bar() -> uint256: self.var = b'uuuuuuuuuuuuuuuuuuuuuuuuuuuuuu' self.var = b'' return 3 @external def foo() -> bytes32: self.var = b'abcdefghijklmnopqrstuvwxyz123456789' return extract32(self.var, self.bar(), output_type=bytes32) # returns b'uuuuuuuuuuuuuuuuuuuuuuuuuuu\x00\x00789' ``` ### Impact For contracts that are affected, it means that calling `extract32` returns dirty memory bytes instead of some expected output.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/vyper | <=0.3.10 | 0.4.0 |
| Vyper | <0.4.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/vyperlang/vyper/commit/3d9c537142fb99b2672f21e2057f5f202cde194f
- https://github.com/vyperlang/vyper/security/advisories/GHSA-4hwq-4cpm-8vmx
- https://github.com/vyperlang/vyper/blob/10564dcc37756f3d3684b7a91fd8f4325a38c4d8/vyper/builtins/functions.py#L916-L918
- https://github.com/vyperlang/vyper/blob/10564dcc37756f3d3684b7a91fd8f4325a38c4d8/vyper/builtins/functions.py#L920-L922
- https://nvd.nist.gov/vuln/detail/CVE-2024-24564
- https://github.com/advisories/GHSA-4hwq-4cpm-8vmx (Advisory)
- https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-205.yaml
Frequently Asked Questions
What is the severity of CVE-2024-24564?
CVE-2024-24564 is considered to have a moderate severity due to the potential for reading uninitialized memory.
How do I fix CVE-2024-24564?
To fix CVE-2024-24564, upgrade to Vyper version 0.4.0 or later.
What software is affected by CVE-2024-24564?
CVE-2024-24564 affects Vyper versions prior to 0.4.0.
What issue does CVE-2024-24564 describe?
CVE-2024-24564 describes a vulnerability in the extract32 function that may read uninitialized memory.
Is there a known workaround for CVE-2024-24564?
There is no specific workaround for CVE-2024-24564; upgrading to the latest version is recommended.
- agent/weakness
- agent/title
- agent/type
- agent/first-publish-date
- agent/event
- agent/author
- collector/epss-latest
- source/FIRST
- agent/epss
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/trending
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/source
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-4hwq-4cpm-8vmx
- alias/CVE-2024-24564
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/references
- agent/tags
- collector/github-advisory
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-cve
- package-manager/pip
- vendor/vyperlang
- canonical/vyper