Add advisory for solana_rbpf: OOB pointer arithmetic in invoke_function#2921
Conversation
|
@Lichtso do you think it makes sense to publish this, with a note attached to clarify that this crate is unmaintained? |
|
Hi, gentle ping on this advisory PR. Is there anything I can provide or update to help move the review forward? Thanks! |
|
I reached out to someone privately, let's see if that helps. |
|
It should be fine to land this. The issue is fixed in solana-sbpf (anza-xyz/sbpf#151) which is the maintained incarnation of the crate this report is against. Maybe if there's a way to nudge people towards a different crate, we should do that. Otherwise LGTM! |
Thanks! |
a69cde3 to
ed025cc
Compare
|
Done~ :) |
Affected crate(s)
solana_rbpf(362,603 recent downloads per crates.io; 4,761,947 total downloads)Links to upstream issue(s) or PR(s)
The upstream repository is archived, so I cannot report this through the normal upstream issue tracker.
Severity
Informational soundness issue. Safe Rust code can construct an
EbpfVmand call the safe methodEbpfVm::invoke_function, which performs out-of-bounds pointer arithmetic internally.The affected implementation casts
selfto*mut u64and applies a randomized offset fromget_runtime_environment_key()usingptr::offset. This can move the pointer outside the allocation containing theEbpfVm, causing undefined behavior before the supplied builtin function is invoked. Miri reports an in-bounds pointer arithmetic violation. Nounsafecode is required from the caller.Checklist
RUSTSEC-0000-0000as the IDdatefield is set to the public disclosure date