Our team at FuzzingLabs discovered a bug in the `op_revert` function; this bug can lead to a panic when casting to `usize`.
Root cause
```rust
// REVERT operation
pub fn op_revert(
    &mut self,
    current_call_frame: &mut CallFrame,
) -> Result<OpcodeSuccess, VMError> {
    // Description: Gets values from stack, calculates gas cost and sets return data.
    // Returns: VMError RevertOpcode if executed correctly.
    // Notes:
    //      The actual reversion of changes is made in the execute() function.
    let offset = current_call_frame.stack.pop()?.as_usize();
    let size = current_call_frame.stack.pop()?.as_usize();
    let gas_cost = current_call_frame.memory.expansion_cost(
        offset
            .checked_add(size)
            .ok_or(VMError::MemoryLoadOutOfBounds)?,
    )?;
    self.increase_consumed_gas(current_call_frame, gas_cost)?;

    current_call_frame.returndata = current_call_frame.memory.load_range(offset, size)?.into();
    Err(VMError::RevertOpcode)
}
```
`let offset = current_call_frame.stack.pop()?.as_usize();` AND `let size = current_call_frame.stack.pop()?.as_usize();` are vulnerable: we can give a value greater than usize's maximum length to trigger an overflow because `stack.pop()` will return a `U256`.
Step to reproduce
Payload
Add to test:
```rust
#[test]
fn test_usize_overflow_revert() {
    // Bytecode: RETURNDATASIZE (0x3d), EXTCODEHASH (0x3f), RETURNDATASIZE (0x3d), REVERT (0xfd)
    let mut vm = new_vm_with_bytecode(Bytes::copy_from_slice(&[61, 63, 61, 253]));
    let mut current_call_frame = vm.call_frames.pop().unwrap();
    vm.execute(&mut current_call_frame);
}
```
Backtrace
```
---- tests::test_usize_overflow_revert stdout ----
thread 'tests::test_usize_overflow_revert' panicked at /home/.../.cargo/registry/src/index.crates.io-6f17d22bba15001f/primitive-types-0.12.2/src/lib.rs:38:1:
Integer overflow when casting to usize
stack backtrace:
   0: rust_begin_unwind
             at /rustc/59e2c01c2217a01546222e4d9ff4e6695ee8a1db/library/std/src/panicking.rs:658:5
   1: core::panicking::panic_fmt
             at /rustc/59e2c01c2217a01546222e4d9ff4e6695ee8a1db/library/core/src/panicking.rs:74:14
   2: primitive_types::U256::as_usize
             at /home/.../.cargo/registry/src/index.crates.io-6f17d22bba15001f/uint-0.9.5/src/uint.rs:661:6
   3: ethereum_rust_levm::opcode_handlers::system::<impl ethereum_rust_levm::vm::VM>::op_revert
             at ./src/opcode_handlers/system.rs:373:20
   4: ethereum_rust_levm::vm::VM::execute
             at ./src/vm.rs:244:35
   5: lib::tests::test_usize_overflow_revert
             at ./tests/tests.rs:50:5
   6: lib::tests::test_usize_overflow_revert::{{closure}}
             at ./tests/tests.rs:47:32
   7: core::ops::function::FnOnce::call_once
             at /rustc/59e2c01c2217a01546222e4d9ff4e6695ee8a1db/library/core/src/ops/function.rs:250:5
   8: core::ops::function::FnOnce::call_once
             at /rustc/59e2c01c2217a01546222e4d9ff4e6695ee8a1db/library/core/src/ops/function.rs:250:5
```
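Added example (not code from the ethereum_rust/levm repository): a stand-in for `U256` built from four little-endian `u64` limbs, the same layout the `uint` crate uses, showing why `as_usize()` panics on a word wider than `usize` and how a fallible conversion turns the same stack value into a `VMError` instead. The `VMError::VeryLargeNumber` variant and the `revert_range` helper are assumed names; `MemoryLoadOutOfBounds` is the variant used in the code above.

```rust
// Added example, not code from ethereum_rust/levm. Models the two pops at the
// top of op_revert and the panic-free alternative to as_usize().

#[derive(Debug, PartialEq)]
pub enum VMError {
    VeryLargeNumber, // hypothetical variant: stack word does not fit in usize
    MemoryLoadOutOfBounds,
    RevertOpcode,
}

/// Stand-in for primitive_types::U256: limbs[0] is the least significant.
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct U256(pub [u64; 4]);

impl U256 {
    pub fn from_u64(v: u64) -> Self {
        U256([v, 0, 0, 0])
    }

    /// Mirrors the uint crate's as_usize: any set bit above the low limb (or a
    /// low limb above usize::MAX) panics. This is the call op_revert makes on
    /// caller-controlled stack values.
    pub fn as_usize(&self) -> usize {
        if self.0[1..].iter().any(|&l| l != 0) || self.0[0] > usize::MAX as u64 {
            panic!("Integer overflow when casting to usize");
        }
        self.0[0] as usize
    }

    /// Fallible alternative: same range check, but the caller decides what to do.
    pub fn try_to_usize(&self) -> Option<usize> {
        if self.0[1..].iter().any(|&l| l != 0) {
            return None;
        }
        usize::try_from(self.0[0]).ok()
    }
}

/// Hardened form of the offset/size handling in op_revert: a word that does not
/// fit in usize, or an offset + size that overflows, becomes an Err the
/// interpreter can report, instead of a panic that aborts the whole VM thread.
pub fn revert_range(offset: U256, size: U256) -> Result<(usize, usize), VMError> {
    let offset = offset.try_to_usize().ok_or(VMError::VeryLargeNumber)?;
    let size = size.try_to_usize().ok_or(VMError::VeryLargeNumber)?;
    offset.checked_add(size).ok_or(VMError::MemoryLoadOutOfBounds)?;
    Ok((offset, size))
}
```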