panic on unwrapping in decl_to_type_info #6330

Closed
IGI-111 opened this issue Jul 30, 2024 · 0 comments · Fixed by #6552
Labels: audit-report, bug


IGI-111 commented Jul 30, 2024

From https://bugs.immunefi.com/dashboard/submission/33171

Brief/Intro

The identified bug is a panic in the Sway compiler's semantic analysis module, specifically in the root namespace processing. This occurs due to an unexpected None value being unwrapped, likely indicating a failure to properly handle certain code structures or declarations. If exploited in production, this bug could lead to compiler crashes, preventing developers from building their Fuel projects.

Vulnerability Details

The bug is in decl_to_type_info at

    (*engines.te().get(type_decl.ty.clone().unwrap().type_id)).clone()

If type_decl.ty.clone() is None, it will cause an unexpected unwrap panic like:

    thread 'main' panicked at sway-core/src/semantic_analysis/namespace/root.rs:934:61:
    called `Option::unwrap()` on a `None` value
    note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

Possible fix

A possible fix is checking whether type_decl.ty is None before returning.

    fn decl_to_type_info(
        &self,
        handler: &Handler,
        engines: &Engines,
        symbol: &Ident,
        decl: ResolvedDeclaration,
    ) -> Result<TypeInfo, ErrorEmitted> {
        match decl {
            ResolvedDeclaration::Parsed(_decl) => todo!(),
            ResolvedDeclaration::Typed(decl) => Ok(match decl.clone() {
                ty::TyDecl::StructDecl(struct_ty_decl) => TypeInfo::Struct(struct_ty_decl.decl_id),
                ty::TyDecl::EnumDecl(enum_ty_decl) => TypeInfo::Enum(enum_ty_decl.decl_id),
                ty::TyDecl::TraitTypeDecl(type_decl) => {
                    let type_decl = engines.de().get_type(&type_decl.decl_id);
                    if type_decl.ty.is_none() {
                        return Err(handler.emit_err(CompileError::Internal(
                            "Trait type declaration has no type",
                            symbol.span(),
                        )));
                    }
                    (*engines.te().get(type_decl.ty.clone().unwrap().type_id)).clone()
                }
                _ => {
                    return Err(handler.emit_err(CompileError::SymbolNotFound {
                        name: symbol.clone(),
                        span: symbol.span(),
                    }))
                }
            }),
        }
    }

Impact Details

While this bug doesn't directly put funds at risk, its potential to introduce vulnerabilities and disrupt the development process makes it a severe issue. The compiler is a critical component of the blockchain development stack, and its reliability is paramount for the security and success of the entire ecosystem. Addressing this vulnerability is crucial to maintain the integrity and trustworthiness of the Fuel platform.

Proof of Concept

Step 1

    forc new poc

Step 2: write minimized code to main.sw

    script;trait T{type E const C:Self::E::E}

Step 3

    forc build

It returns a panic like:

    thread 'main' panicked at sway-core/src/semantic_analysis/namespace/root.rs:934:61:
    called `Option::unwrap()` on a `None` value
    note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

IGI-111 self-assigned this Jul 30, 2024
IGI-111 added the bug and audit-report labels Jul 30, 2024
IGI-111 assigned esdrubal and unassigned IGI-111 Jul 30, 2024
esdrubal added a commit that referenced this issue Sep 16, 2024:

Doing an unwrap without checking if the value was none was causing a panic.
Fixed by throwing an error so we can also see the previous errors.

Fixes #6330
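
The before/after of the unwrap described in this issue, as an added Rust example that is not code from sway-core or from the fix commit. `TypeInfo`, `TraitTypeDecl`, `Handler`, `CompileError` and `ErrorEmitted` are simplified stand-ins with assumed shapes, and a plain slice replaces the type engine.

```rust
use std::cell::RefCell;
// Simplified stand-ins for sway-core types (assumed shapes, not the real ones).
#[derive(Clone, Debug, PartialEq)]
pub enum TypeInfo { U64, Bool }
pub struct TraitTypeDecl { pub name: String, pub ty: Option<usize> } // ty indexes `types`
#[derive(Debug, PartialEq)]
pub enum CompileError { Internal(&'static str, String), SymbolNotFound(String) }
#[derive(Debug, PartialEq)]
pub struct ErrorEmitted;
#[derive(Default)]
pub struct Handler { errors: RefCell<Vec<CompileError>> }

impl Handler {
    pub fn emit_err(&self, e: CompileError) -> ErrorEmitted {
        self.errors.borrow_mut().push(e);
        ErrorEmitted
    }
    pub fn error_count(&self) -> usize { self.errors.borrow().len() }
}

// Before: unconditional unwrap; a trait type with no assigned type aborts the compiler.
pub fn type_info_unchecked(types: &[TypeInfo], decl: &TraitTypeDecl) -> TypeInfo {
    types[decl.ty.unwrap()].clone()
}

// After: the missing type becomes a diagnostic, so earlier errors stay visible.
pub fn type_info_checked(h: &Handler, types: &[TypeInfo], decl: &TraitTypeDecl)
    -> Result<TypeInfo, ErrorEmitted> {
    let id = match decl.ty {
        Some(id) => id,
        None => return Err(h.emit_err(CompileError::Internal(
            "Trait type declaration has no type", decl.name.clone()))),
    };
    types.get(id).cloned().ok_or_else(|| h.emit_err(
        CompileError::Internal("Type id not in type table", decl.name.clone())))
}

// True if the unchecked path panics for this declaration.
pub fn unchecked_panics(types: &[TypeInfo], decl: &TraitTypeDecl) -> bool {
    std::panic::catch_unwind(|| type_info_unchecked(types, decl)).is_err()
}

fn main() {
    let types = [TypeInfo::U64, TypeInfo::Bool];
    let e = TraitTypeDecl { name: "E".into(), ty: None }; // constructed input
    let h = Handler::default();
    h.emit_err(CompileError::SymbolNotFound("earlier".into())); // an earlier diagnostic
    println!("unchecked panics: {}", unchecked_panics(&types, &e));
    println!("checked: {:?}, errors: {}", type_info_checked(&h, &types, &e), h.error_count());
}
```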