Add advisory for memory leak in ic-stable-structures #1969
34 changes: 34 additions & 0 deletions crates/ic-stable-structures/RUSTSEC-0000-0000.md
@@ -0,0 +1,34 @@
```toml
[advisory]
id = "RUSTSEC-0000-0000"
package = "ic-stable-structures"
date = "2024-05-17"
url = "https://github.com/dfinity/stable-structures/pull/212"
categories = ["denial-of-service"]
keywords = ["canister", "icp", "memory leak", "stable memory"]
aliases = ["CVE-2024-4435", "GHSA-3rcq-39xp-7xjp"]
cvss = "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"

[versions]
patched = [">= 0.6.4"]
unaffected = ["< 0.6.0"]
```

# BTreeMap memory leak when deallocating nodes with overflows

When storing unbounded types in a `BTreeMap`, a node is represented as a linked list of "memory chunks". In some cases, when we deallocate a node only the first memory chunk is deallocated, and the rest of the memory chunks remain (incorrectly) allocated, causing a memory leak.

In the worst case, depending on how a canister uses the `BTreeMap`, an adversary could interact with the canister through its API and trigger interactions with the map that keep consuming memory due to the memory leak. This could potentially lead to using an excessive amount of memory, or even running out of memory.

This issue has been fixed in [dfinity/stable-structures/pull/212](https://github.com/dfinity/stable-structures/pull/212) by changing the logic for deallocating nodes to ensure that all of a node's memory chunks are deallocated. Tests have been added to prevent regressions of this nature moving forward.

**Note:** Users of stable-structure < 0.6.0 are not affected.

### Workarounds
Users who are not storing unbounded types in `BTreeMap` are not affected and do not need to upgrade. Otherwise, an upgrade to version `0.6.4` is necessary.

### References
- [GitHub Security Advisory (GHSA-3rcq-39xp-7xjp)](https://github.com/dfinity/stable-structures/security/advisories/GHSA-3rcq-39xp-7xjp)
- [dfinity/stable-structures/pull/212](https://github.com/dfinity/stable-structures/pull/212)
- [Stable Structures Documentation](https://docs.rs/ic-stable-structures/0.6.4/ic_stable_structures/)
- [Stable Memory on the Internet Computer](https://internetcomputer.org/docs/current/developer-docs/smart-contracts/maintain/storage#stable-memory)
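Review bot: the "**Note:** Users of stable-structure < 0.6.0 are not affected." line misspells the crate name and restates the `unaffected = ["< 0.6.0"]` field from the TOML header; either drop the line or correct the name to `ic-stable-structures` so both places agree. In the Workarounds section, "an upgrade to version `0.6.4` is necessary" reads as an exact version while `patched = [">= 0.6.4"]` covers every later release too; "version `0.6.4` or later" would match the metadata. The `url` field points at the fix PR, which already appears under References; the GHSA advisory linked in References is the canonical source for this advisory and would fit `url` better, with the PR link staying in References.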