Skip to content

Latest commit

 

History

History
113 lines (84 loc) · 6.17 KB

CWA-2023-004.md

File metadata and controls

113 lines (84 loc) · 6.17 KB
Raw

CWA-2023-004: Excessive number of function paramters in compiled Wasm

Severity

High

Affected versions:

  • cosmwasm-vm < 1.2.8, < 1.3.4, < 1.4.2, < 1.5.1
  • wasmvm < 1.2.5, < 1.3.1, < 1.4.2, < 1.5.1

Versions in the 0.x, 1.0.x or 1.1.x range are probably affected as well but reached end of life and are neither patched nor analyzed.

Patched versions:

Description of the bug

In a Wasm file, the signature of a function is stored separately and referenced in the function. This is demonstrated in the following example where you see

  1. a function signature with two integers input and one integer output is defined
  2. two functions referencing this signature are defined (a+b and a-b)
  3. the two functions are exported under the names "sum" and "diff"
(module
  (type $binary_operation_t (func (param i32 i32) (result i32)))
  (func $sum_f (type $binary_operation_t)
    local.get 0
    local.get 1
    i32.add)
  (func $diff_f (type $binary_operation_t)
    local.get 0
    local.get 1
    i32.sub)
  (export "sum" (func $sum_f))
  (export "diff" (func $diff_f))
)

This is harmless in Wasm bytecode, but once the function is compiled, signatures are inlined multiple times in the compiled code. Using a large signature that is referenced by a large number of functions, you get pretty much a compression bomb – small in the uploaded Wasm blob but huge after compilation. This can lead to modules of several hundreds of megabytes or even gigabytes, leading to unexpected cache behaviour, unexpected disk consumption, slowdows and in some cases even crashes of the node process.

More in-depth description including the technical details can be found in the article released later by CertiK team.

Patch

Installing the patch

The patch will be shipped in releases of wasmvm. You can update more or less as follows:

  1. Check the current wasmvm version: go list -m github.com/CosmWasm/wasmvm
  2. Bump the github.com/CosmWasm/wasmvm dependency in your go.mod to 1.5.1, 1.4.2, 1.3.1 or 1.2.6 depending on which minor version you are; go mod tidy; commit.
  3. If you use the static libraries libwasmvm_muslc.aarch64.a/libwasmvm_muslc.x86_64.a, update them accordingly.
  4. Check the updated wasmvm version: go list -m github.com/CosmWasm/wasmvm and ensure you see 1.5.1, 1.4.2, 1.3.1 or 1.2.6.
  5. Follow your regular practices to deploy chain upgrades.

To double check if the correct libary version is loaded at runtime, use this query: <appd> query wasm libwasmvm-version. It must show 1.5.1, 1.4.2, 1.3.1 or 1.2.6.

Patch Announcement

Originally posted at https://forum.cosmos.network/t/high-severity-security-patch-upcoming-on-wednesday-10th-cwa-2023-004/12840

On Wednesday, January 10th between 10:00 and 12:00 Berlin time Confio will release a fix for a high severity security issue in the CosmWasm virtual machine tracked as CWA-2023-004. The patch for this issue will be distributed and communicated via the regular CosmWasm release process.

This issue impacts the availability of a chain running CosmWasm. Chains that use CosmWasm with permissioned uploads or instantiations are not directly at risk. We advise chains that support permissionless contract instantiation to be prepared to apply the patch and to coordinate network upgrades as quickly as their processes allow to fully remediate the issue.

The patch is a non consensus breaking security fix and can be applied in-place. Instructions will be provided as part of the release process. We anticipate that the patch will be a simple, straightforward fix for chain maintainers as it is a matter of updating the wasmvm Go dependency and rebuilding the application.

Patches will be provided for wasmvm 1.2, 1.3, 1.4 and 1.5. Please note that 1.2 reached end of life and this is the last patch for this version.

Update 2024-01-09

I had to make a small correction to the announcement: Chains that allow permissionless uploads and permissioned instantiations are partially affected as well and should upgrade. A chain is only safe if no malicious Wasm can be stored.

Acknowledgement

We express our appreciation to the CertiK team for discovering and responsibly reporting this bug. The detailed report made it possible to quickly understand the issue, reproduce it and confirm its validity. It was followed by collaborative efforts in developing and implementing the best possible patch for CosmWasm.

We extend our gratitude to the CertiK team for their professionalism and commitment to maintaining the security of CosmWasm and the broader crypto ecosystem. Our appreciation also extends to the dedicated community of white-hats, whose continuous efforts play a crucial role in safeguarding the broader crypto ecosystem.

Timeline

  • 2023-12-13: CertiK files bug report to Confio.
  • 2023-12-13: Confio security contributors confirm the report.
  • 2023-12-14: Confio security contributors confirm the reproducibility of the bug.
  • 2023-12-21: Confio developed the patch internally, planning for release in early January.
  • 2024-01-08: CosmosWasm shares the security patch with CertiK for review.
  • 2024-01-08: CertiK confirms the effectiveness of the security patch.
  • 2024-01-08: Patch release announcement is sent to the notification list and posted in the Cosmos Hub Forum.
  • 2024-01-09: Backports to CosmWasm 1.2, 1.3, 1.4, 1.5 are finalized.
  • 2024-01-10: Patch released
  • 2024-08-21: Title and description added to advisory