fix: memory allocation in certain builtins using msize (#3610)

in certain builtins which use `msize` to allocate a buffer for their arguments (specifically, `raw_call()`, `create_copy_of()` and `create_from_blueprint()`), corruption of the buffer can occur when `msize` is not properly initialized. (this usually happens when there are no variables which are held in memory in the outer external function). what can happen is that some arguments can be evaluated after `msize` is evaluated, leading to overwriting the memory region for the argument buffer with other arguments. specifically, combined with the condition that `msize` is underinitialized, this can happen with:

- the buffer for the initcode of `create_copy_of()` and `create_from_blueprint()` can be overwritten when the `salt=` or `value=` arguments write to memory
- the buffer for the `data` argument (when `msg.data` is provided, prompting the use of `msize`) of `raw_call()` can be overwritten when the `to`, `gas=` or `value=` arguments write to memory

this commit fixes the issue by using a variant of `cache_when_complex()` to ensure that the relevant arguments are evaluated before `msize` is evaluated.

this is a patch for GHSA-c647-pxm2-c52w.

summarized changelog:

* fix raw_call
* test: raw_call with msg.data buffer clean memory
* force memory effects in some clean_mem tests
* add tests for clean memory in create_* functions
* add scope_multi abstraction
* refactor raw_call to use scope_multi
* add fixes for create_* memory cleanliness
* update optimizer tests -- callvalue is now considered constant
* move salt back into scope_multi
* add a note on reads in cache_when_complex

---------

Co-authored-by: Tanguy Rocher <tanguy.rocher@protonmail.com>
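A constructed Python model of the evaluation-order problem the commit message describes, added here as an illustration and not code from the Vyper repository or from this commit: it simulates EVM memory with `msize` as the high-water mark of touched memory, assumes a hypothetical compiler-reserved slot at word 0 that a complex `value=` expression spills into, and compares allocating the `raw_call()` data buffer at `msize` before versus after that argument is evaluated.

```python
# Constructed model, not Vyper's codegen or allocator. EVM `msize` only reports
# memory that has actually been touched, so a slot the compiler reserved but
# never wrote yet is invisible to it ("msize is underinitialized").


class Memory:
    """Byte-addressed EVM-style memory whose msize grows on every access."""

    def __init__(self):
        self.mem = bytearray()

    def _touch(self, end):
        if end > len(self.mem):
            self.mem.extend(b"\x00" * (end - len(self.mem)))

    def msize(self):
        return len(self.mem)

    def mstore(self, offset, data):
        self._touch(offset + len(data))
        self.mem[offset:offset + len(data)] = data

    def mload(self, offset, size):
        self._touch(offset + size)
        return bytes(self.mem[offset:offset + size])


MSG_DATA = b"\xde\xad\xbe\xef" * 8  # constructed 32-byte msg.data
VALUE_SLOT = 0  # assumed: reserved memory slot for a `value=` temporary, untouched so far


def eval_value_arg(mem):
    # Assumed: a `value=` expression complex enough to spill a temporary to memory.
    value = 1_000
    mem.mstore(VALUE_SLOT, value.to_bytes(32, "big"))
    return value


def raw_call_model(fixed_order):
    """Return (buffer_intact, value) for the vulnerable or the fixed evaluation order."""
    mem = Memory()
    if fixed_order:
        value = eval_value_arg(mem)   # fix: memory-touching args first, then msize
    buf = mem.msize()                 # allocate the data buffer at msize
    mem.mstore(buf, MSG_DATA)         # copy msg.data into the buffer
    if not fixed_order:
        value = eval_value_arg(mem)   # bug: evaluated after the buffer was filled
    return mem.mload(buf, len(MSG_DATA)) == MSG_DATA, value
```

In the vulnerable order `msize` is still 0, so the buffer lands on the reserved slot and the later `value=` spill overwrites it; evaluating that argument first raises `msize` past the slot before the buffer is placed.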
1 parent f224d83, commit 79303fc

Showing 5 changed files with 487 additions and 32 deletions.