Skip to content

Latest commit

 

History

History
119 lines (84 loc) · 6.28 KB

CWA-2023-002.md

File metadata and controls

119 lines (84 loc) · 6.28 KB

CWA-2023-002: Stack overflow crash (Codename Cherry)

Affected versions:

  • cosmwasm-vm < 1.0.1, < 1.1.10, < 1.2.4
  • wasmvm < 1.0.1, < 1.1.2, < 1.2.3

Patched versions:

  • wasmvm 1.0.1 (cosmwasm-vm 1.0.1)
  • wasmvm 1.1.2 (cosmwasm-vm 1.1.10)
  • wasmvm 1.2.3 (cosmwasm-vm 1.2.4)

Description of the bug

The bug allows a recursive loop between guest and host using Wasm imports and exports, leading to a stack overflow crash of the VM.

A malicious contract can implement exports such as extern "C" fn allocate(size: usize) -> u32 differently than the standard library does. By calling a Wasm import such as addr_validate in the allocate implementation, the loop looks like

  • contracts calls import addr_validate
  • host calls export allocate
  • contracts calls import addr_validate
  • host calls export allocate
  • contracts calls import addr_validate
  • ...

After approximately 140 recursions, the process crashes with a stack overflow.

Non-malicious contracts can not trigger the loop as the regular uses of cosmwasm-std only have a call depths of up to 2.

A call depth limit fixes the problem.

Patch Announcement

Tomorrow, on Tuesday, April 18th at 17:00 Berlin time (15h UTC/ 8am Pacific Time) Confio will release a fix for a medium severity security issue in CosmWasm. The patch for this issue will be distributed and communicated via the regular CosmWasm release process.

This issue impacts the availability of a chain running CosmWasm, and could allow for a malicious contract to trigger a crash that can halt the chain. Though chains that use CosmWasm with permissioned uploads or instantiation are not directly at risk, we advise chains that support permissionless contract instantiation to be prepared to apply the patch and to coordinate network upgrades as quickly as their processes allow to fully remediate the issue.

The patch is not a consensus breaking security fix and can be applied in-place, and instructions will be provided to all maintainers tomorrow as part of the release process. We anticipate that the patch will be a simple, straightforward fix for chain maintainers as it is a matter of replacing one Go dependency and rebuilding the application.

publish at https://forum.cosmos.network/t/upcoming-cosmwasm-security-patch-codename-cherry/10474

Patch

The actual patch is done in the codebase of cosmwasm-vm: https://github.com/CosmWasm/cosmwasm/commit/3795f5cd03288405335d4fb0c46c239dbf4c7e60

It is included in the following releases:

Patch release

The patch is shipped to chain developers in the form of a wasmvm release. Your chain might depend on wasmvm directly or have it as a transitive dependency through wasmd.

The upgrade paths are the following:

Current wasmvm version Upgrade path Note
< 1.0.0 Unsupported 1
1.0.0 Upgrade wasmvm to 1.0.1
1.1.1 Upgrade wasmvm to 1.1.2
1.2.0 Upgrade to 1.2.2 first, then upgrade to 1.2.3 2
1.2.1 Upgrade wasmvm to 1.2.3 3
1.2.2 Upgrade wasmvm to 1.2.3

Applying the patch

  1. Go tho the Go project containing the go.mod.
  2. One of those:
    • If there is a direct github.com/CosmWasm/wasmvm dependency listed already, update that to 1.0.1, 1.1.2 or 1.2.3 as listed above. Run .
    • Otherwise you have wasmvm as an indirect dependency of wasmd. Use go list -m github.com/CosmWasm/wasmvm to get the current version and then use go mod edit -replace github.com/CosmWasm/wasmvm=github.com/CosmWasm/wasmvm@v<NEW WASMVM VERSIO> where <NEW WASMVM VERSION> is one of 1.0.1, 1.1.2 or 1.2.3 as listed above.
  3. Run go mod tidy to download the dependency and update go.sum
  4. Check the resulting version after the replace go list -m github.com/CosmWasm/wasmvm.
  5. Build, test, deploy according to your project's established flow.

After building your chain, you can check the libwasmvm version loaded at runtime with

# Replace <node> with you node name
<node> query wasm libwasmvm-version

Wasm module cache issue

If you upgrade from wasmvm 1.2.{0,1} to wasmvm 1.2.{2,3} please note that most likely the machine format of the compiled Wasm modules has changed, potentially leading to segmentation faults when running the new binary.

To avoid this problem, instruct your validators to delete the cache folder <node home>/wasm/wasm/cache/ (replace with the location your project uses) after they stopped the node.

See CosmWasm/wasmvm#426

Timeline

  • 2023-02-27: Confio receives a detailed vulnerability report from Felix Wilhelm of Jump Crypto, including instructions how to abuse it
  • 2023-03-13: Confio confirms reporter to the reporter
  • Further research is done and a deployment strategy is developed
  • 2023-04-12: Patch created
  • 2023-04-12: Patch release announced through the CosmWasm security notification list
  • 2023-04-12 to 2023-04-17: Deployment coordination
  • 2023-04-17: Patch announcement is published in the Cosmos forum
  • 2023-04-18 14:30 UTC: Advisory is released
  • 2023-04-18 15:00 UTC: Patch is released
  • 2023-04-18 16:15 UTC: All planned wasmvm versions are build and tagged
  • 2023-06-01: A detailed description of the vulnerability including attack instructions are published by Felix Wilhelm from Jump Crypto
  • 2023-06-19: Bug description added to CWA-2023-002

Footnotes

  1. Upgrade to any of the supported versions first.

  2. See https://github.com/CosmWasm/wasmvm/issues/419 for required wasmd changes

  3. No typo. You can skip 1.2.2 and upgrade from 1.2.1 -> 1.2.3 directly.