The snarkVM source code contains the `Vec::with_capacity(capacity)` pattern in many places, where `capacity` is a controllable non-sanitised value.
The following places in code are good examples:
Such code can cause panic in Rust, as well as allocating an excessive amount of memory.
According to the description of the `Vec::with_capacity()` function:
> Panics if the new capacity exceeds `isize::MAX` bytes.
Let's consider the following test case as an example:
This code will panic because:
- the allocation size will be calculated as `mem::size_of::<Fr>() * num_elements = 32 * 0x400000000000000 = 0x8000000000000000` (equal to `isize::MAX + 1`)
- it will lead to panic caused by the `Vec::with_capacity()` function
Proof-of-Concept (PoC)

Cargo.toml

```toml
[package]
name = "test"
version = "0.1.0"
edition = "2021"
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
snarkvm-curves = { path = "../snarkVM/curves" }
snarkvm-fields = { path = "../snarkVM/fields" }
```

Result

```text
$ RUST_BACKTRACE=1 ./target/release/test
thread 'main' panicked at 'capacity overflow', library/alloc/src/raw_vec.rs:524:5
stack backtrace:
   0: rust_begin_unwind
             at /rustc/d5c2e9c342b358556da91d61ed4133f6f50fc0c3/library/std/src/panicking.rs:593:5
   1: core::panicking::panic_fmt
             at /rustc/d5c2e9c342b358556da91d61ed4133f6f50fc0c3/library/core/src/panicking.rs:67:14
   2: alloc::raw_vec::capacity_overflow
             at /rustc/d5c2e9c342b358556da91d61ed4133f6f50fc0c3/library/alloc/src/raw_vec.rs:524:5
   3: snarkvm_fields::traits::poseidon_grain_lfsr::PoseidonGrainLFSR::get_field_elements_rejection_sampling
   4: test::main
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.
```
Impact
This problem may result in a remote DoS.
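As an added example that is not part of this report or of snarkVM's own code, the unchecked pattern next to a hardened version that validates the element count before allocating; `Fr` here is a 32-byte stand-in struct (assumption: the real `snarkvm_fields` type is not used) and `MAX_ELEMENTS` is an assumed application-level bound:

```rust
use std::alloc::Layout;
use std::collections::TryReserveError;

/// 32-byte stand-in for the field element `Fr` from the report (assumption).
#[allow(dead_code)]
#[derive(Clone, Copy, Default)]
pub struct Fr([u64; 4]);

/// Application-chosen upper bound on one batch of elements (assumed value).
pub const MAX_ELEMENTS: usize = 1 << 20;

#[derive(Debug)]
pub enum AllocError {
    /// `size_of::<Fr>() * num_elements` exceeds `isize::MAX` bytes.
    LayoutOverflow,
    /// The count is larger than the application-level bound.
    TooMany(usize),
    /// The allocator refused the request (for example, out of memory).
    Alloc(TryReserveError),
}

/// The pattern from the report: an untrusted count goes straight into
/// `Vec::with_capacity`, which panics with "capacity overflow" when the
/// byte size does not fit in `isize`.
pub fn allocate_unchecked(num_elements: usize) -> Vec<Fr> {
    Vec::with_capacity(num_elements)
}

/// Hardened version: make the overflow check explicit, apply a sane bound,
/// and reserve fallibly so allocation failure becomes an `Err`, not a panic.
pub fn allocate_checked(num_elements: usize) -> Result<Vec<Fr>, AllocError> {
    // Same check `Vec::with_capacity` performs internally before panicking.
    Layout::array::<Fr>(num_elements).map_err(|_| AllocError::LayoutOverflow)?;
    if num_elements > MAX_ELEMENTS {
        return Err(AllocError::TooMany(num_elements));
    }
    let mut v = Vec::new();
    v.try_reserve(num_elements).map_err(AllocError::Alloc)?;
    Ok(v)
}

/// True if `allocate_unchecked(n)` panics, i.e. the report's DoS condition.
pub fn unchecked_panics(n: usize) -> bool {
    std::panic::catch_unwind(|| {
        let _ = allocate_unchecked(n);
    })
    .is_err()
}

fn main() {
    let n = 0x400000000000000usize; // the value from the report's test case
    println!("unchecked panics: {}", unchecked_panics(n));
    println!("checked result: {:?}", allocate_checked(n).err());
}
```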
https://hackerone.com/reports/2255800