Open c4-submissions opened 11 months ago
bytes032 marked the issue as low quality report
141345 marked the issue as duplicate of #683
141345 marked the issue as sufficient quality report
GalloDaSballo marked the issue as unsatisfactory: Out of scope
GalloDaSballo changed the severity to QA (Quality Assurance)
Lines of code
https://github.com/code-423n4/2023-10-zksync/blob/1fb4649b612fac7b4ee613df6f6b7d921ddd6b0d/code/era-zkevm_circuits/src/main_vm/opcodes/call_ret_impl/far_call.rs#L719
https://github.com/code-423n4/2023-10-zksync/blob/1fb4649b612fac7b4ee613df6f6b7d921ddd6b0d/code/era-zkevm_circuits/src/main_vm/opcodes/call_ret_impl/far_call.rs#L680
https://github.com/code-423n4/2023-10-zksync/blob/1fb4649b612fac7b4ee613df6f6b7d921ddd6b0d/code/era-zkevm_circuits/src/main_vm/opcodes/call_ret_impl/ret.rs#L296
https://github.com/code-423n4/2023-10-zksync/blob/1fb4649b612fac7b4ee613df6f6b7d921ddd6b0d/code/era-zkevm_circuits/src/main_vm/opcodes/call_ret_impl/ret.rs#L253
Vulnerability details
Impact
new_callstack_entry in main_vm/opcodes/ret.rs does not set heap_upper_bound and aux_heap_upper_bound
Proof of Concept
new_callstack_entry in main_vm/opcodes/ret.rs does not set heap_upper_bound and aux_heap_upper_bound.
If we look at far_call.rs, the code properly manages heap_upper_bound and aux_heap_upper_bound.
The relevant code is here:
Heap growth is carefully bounded there.
However, in the implementation of ret.rs,
this heap upper bound validation is missing.
In the callstack_candidate_for_ret implementation,
in this line of code,
note that even though heap_upper_bound and aux_heap_upper_bound are initialized here,
these two heap boundaries are not applied in new_callstack_entry, which causes memory management problems and data corruption in the heap if the heap grows beyond the boundary.
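The invariant this report is about, as an added illustration that is neither the zkSync circuit code nor the submitter's: a simplified callstack model in which every entry carries heap_upper_bound and aux_heap_upper_bound. The `Vm` struct, the `u32::MAX` "unset bound" default and the `check_heap_access` helper are assumptions of the model; it contrasts a `ret` that restores the caller's bounds with one that rebuilds the entry without them.

```rust
// Added example: a simplified model of a VM callstack whose entries carry
// heap_upper_bound and aux_heap_upper_bound. It is not the zkSync circuit
// code; the struct, the "unset bound" default and the check are assumptions
// made to illustrate why a `ret` must restore the caller's bounds.
#[derive(Clone, Debug, PartialEq)]
pub struct CallstackEntry {
    pub heap_upper_bound: u32,
    pub aux_heap_upper_bound: u32,
}

pub struct Vm {
    saved: Vec<CallstackEntry>, // callers' frames, innermost last
    pub current: CallstackEntry,
}

impl Vm {
    pub fn new(heap_upper_bound: u32, aux_heap_upper_bound: u32) -> Self {
        Vm { saved: Vec::new(), current: CallstackEntry { heap_upper_bound, aux_heap_upper_bound } }
    }

    /// far_call: save the caller's entry and start the callee with its own bounds.
    pub fn far_call(&mut self, heap_upper_bound: u32, aux_heap_upper_bound: u32) {
        let caller = std::mem::replace(&mut self.current, CallstackEntry { heap_upper_bound, aux_heap_upper_bound });
        self.saved.push(caller);
    }

    /// ret as it should be: the restored entry carries the caller's bounds.
    pub fn ret_with_bounds(&mut self) {
        self.current = self.saved.pop().expect("ret with empty callstack");
    }

    /// ret as the report describes: the new entry is built without the bounds.
    /// In this model an unset bound is u32::MAX, so no limit is enforced afterwards.
    pub fn ret_without_bounds(&mut self) {
        let _caller = self.saved.pop().expect("ret with empty callstack");
        self.current = CallstackEntry { heap_upper_bound: u32::MAX, aux_heap_upper_bound: u32::MAX };
    }

    /// Bounds-check a heap access of `len` bytes at `offset` (`aux` selects the auxiliary heap).
    pub fn check_heap_access(&self, offset: u32, len: u32, aux: bool) -> Result<(), String> {
        let bound = if aux { self.current.aux_heap_upper_bound } else { self.current.heap_upper_bound };
        match offset.checked_add(len) {
            Some(end) if end <= bound => Ok(()),
            _ => Err(format!("access [{offset}, {offset}+{len}) exceeds upper bound {bound}")),
        }
    }
}
```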
Tools Used
Manual Review
Recommended Mitigation Steps
Apply heap_upper_bound and aux_heap_upper_bound in the callstack entry.
Assessed type
Invalid Validation