Skip to content

Nervos CKB Unaligned Pointer Dereference

Moderate severity GitHub Reviewed Published Apr 23, 2020 in nervosnetwork/ckb

Package

cargo ckb (Rust)

Affected versions

<= 0.31.0

Patched versions

0.31.1

Description

via bounty@nervos.org

There are multiple type conversions in ckb that unsafely cast between byte pointers and other types of pointers. This results in unaligned pointers, which are not allowed by the Rust language, and are considered undefined behavior, meaning that the compiler is free to do anything with code. This can lead to unpredictable bugs that can become security vulnerabilities.

Some of the bugs here could potentially lead to buffer overreads in malformed data (it's not clear to me as I haven't investigated the practical impact of these bugs).

Two of these (in blockchain.rs) do not create unaligned data. They do though perform an unsafe operation that may not uphold the invariants of the safe function they are in, and could lead to undefined behavior and buffer overreads on malformed input.

These are of the same nature as those in my previous report about the molecule crate.

Patch attached for commit 1b09e37c8e1b7945495cd18d9782417fbe51e986 that fixes all cases I know of at this time.

Please consider this report for reward under the terms of the bug bounty program.

Related advisory: GHSA-rffv-8x7x-p7pw

References

@doitian doitian published to nervosnetwork/ckb Apr 23, 2020
Published to the GitHub Advisory Database Feb 2, 2024
Reviewed Feb 2, 2024

Severity

Moderate

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-q669-2vfg-cxcg

Source code

No known source code
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.