-
Notifications
You must be signed in to change notification settings - Fork 45
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
all: use of cosmossdk.io/math.ParseUint then cast to uint32 is unnecessary and susceptible to uint64->uint32 underflows which could be a security issue #292
Comments
odeke-em
added a commit
to orijtech/sommelier
that referenced
this issue
Mar 13, 2024
This fixes a potential security issue resulting from extraneous parsing that used cosmossdk.math.ParseUint which uses math/big.Int which is a big integer package and can allow uint64 in places where uint32 is used and there were underflow checks. The fix for this change was to simply use strconv.ParseUint(s, 10, BIT_SIZE) where BIT_SIZE is any of 32 or 64 bits for uint32 and uint64 respectively. Fixes PeggyJV#292
I've mailed out PR #293 |
odeke-em
added a commit
to orijtech/sommelier
that referenced
this issue
Mar 13, 2024
This fixes a potential security issue resulting from extraneous parsing that used cosmossdk.math.ParseUint which uses math/big.Int which is a big integer package and can allow uint64 in places where uint32 is used and there were underflow checks. The fix for this change was to simply use strconv.ParseUint(s, 10, BIT_SIZE) where BIT_SIZE is any of 32 or 64 bits for uint32 and uint64 respectively. Fixes PeggyJV#292
odeke-em
added a commit
to orijtech/sommelier
that referenced
this issue
Mar 13, 2024
…dk.io/math This fixes potential security issues resulting from extraneous parsing that used cosmossdk.math.ParseUint which uses math/big.Int which is a big integer package and can allow uint64 in places where uint32 is used and there were underflow checks. The fix for this change was to simply use strconv.ParseUint(s, 10, BIT_SIZE) where BIT_SIZE is any of 32 or 64 bits for uint32 and uint64 respectively, and by extracting the shared code to an internal package. Fixes PeggyJV#292
Turns out that there were even many more instances of the erroneous code in a bunch of packages so I've updated the PR #293. |
odeke-em
added a commit
to orijtech/sommelier
that referenced
this issue
Mar 13, 2024
…dk.io/math This fixes potential security issues resulting from extraneous parsing that used cosmossdk.math.ParseUint which uses math/big.Int which is a big integer package and can allow uint64 in places where uint32 is used and there were underflow checks. The fix for this change was to simply use strconv.ParseUint(s, 10, BIT_SIZE) where BIT_SIZE is any of 32 or 64 bits for uint32 and uint64 respectively, and by extracting the shared code to an internal package. Fixes PeggyJV#292
odeke-em
added a commit
to orijtech/sommelier
that referenced
this issue
Mar 13, 2024
…dk.io/math This fixes potential security issues resulting from extraneous parsing that used cosmossdk.math.ParseUint which uses math/big.Int which is a big integer package and can allow uint64 in places where uint32 is used and there were underflow checks. The fix for this change was to simply use strconv.ParseUint(s, 10, BIT_SIZE) where BIT_SIZE is any of 32 or 64 bits for uint32 and uint64 respectively, and by extracting the shared code to an internal package. Fixes PeggyJV#292
odeke-em
changed the title
x/auction/client/cli: use of cosmossdk.io/math.ParseUint then cast to uint32 is unnecessary and susceptible to uint64->uint32 underflows which could be a security issue
all: use of cosmossdk.io/math.ParseUint then cast to uint32 is unnecessary and susceptible to uint64->uint32 underflows which could be a security issue
Mar 14, 2024
odeke-em
added a commit
to orijtech/sommelier
that referenced
this issue
Jul 21, 2024
…dk.io/math This fixes potential security issues resulting from extraneous parsing that used cosmossdk.math.ParseUint which uses math/big.Int which is a big integer package and can allow uint64 in places where uint32 is used and there were underflow checks. The fix for this change was to simply use strconv.ParseUint(s, 10, BIT_SIZE) where BIT_SIZE is any of 32 or 64 bits for uint32 and uint64 respectively, and by extracting the shared code to an internal package. Fixes PeggyJV#292
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Summary of Bug
Noticed while auditing the code in x/auction/client/cli that there is this code
sommelier/x/auction/client/cli/query.go
Lines 333 to 341 in 3157d97
in which firstly cosmossdk.io/math.ParseUint is invoked and that returns a Uint object whose underlying structure uses a math/big.Int with arbitrary precision.
Down below to send in a uint32 into the query, we invoke
uint32(u.Uint64())
of which this code will cause an underflow for example if I pass in any value greater than uint32 which can actually help me with randomization to get random bids and other values and probably even clog y'all network if there are no gas fees to even make these queriesReproduction
Remedy
You can trivially use
strconv.ParseUint(args[0], 10, 32)
which is so much simpler and will directly help all these sites and catch range errorsLocation
There are 11 sites where this code pattern is used and can be fixed by extracting the fix into a helper function called parseUint32
Kindly /cc-ing @zmanian @fedekunze @jackzampolin
The text was updated successfully, but these errors were encountered: