Open c4-bot-8 opened 3 months ago
141345 marked the issue as primary issue
141345 marked the issue as sufficient quality report
no limit on timeout
could be abused to DOS the system
The runtime doesn't call the implementation directly. Instead, it calls into the worker, via ocalls here, and the timeout is actually clamped in the worker side. However, the suggested change is good to have. This might be a QA or Mid Risk level report.
kvinwang (sponsor) confirmed
kvinwang marked the issue as disagree with severity
Not sure about the severity here. @kvinwang Could you point out where the clamping happens? Because in the linked code it is a normal u64 that could potentially be set to e.g. u64::MAX - 1 to trigger the issue.
Could you point out where the clamping happens?
This is the OCalls implementation in the worker, where the time remaining is less than the MAX_QUERY_TIME
Great, thanks for the link. In that case, I am downgrading this to a medium: It is not directly exploitable as an attacker, but the issue itself still exists within the codebase and if a future worker would integrate it differently / without limit, it could become exploitable.
OpenCoreCH changed the severity to 2 (Med Risk)
OpenCoreCH marked the issue as selected for report
OpenCoreCH marked the issue as satisfactory
Lines of code
https://github.com/code-423n4/2024-03-phala-network/blob/a01ffbe992560d8d0f17deadfb9b9a2bed38377e/phala-blockchain/crates/pink/chain-extension/src/lib.rs#L56
Vulnerability details
Impact
Any user can intentionally crash a worker by sending a maliciously crafted request with a huge timeout. This attack has no costs for the attacker, and it can result in a DoS of the worker/cluster system.
Proof of Concept
A user can specify a timeout when doing a batch_http_request: https://github.com/code-423n4/2024-03-phala-network/blob/a01ffbe992560d8d0f17deadfb9b9a2bed38377e/phala-blockchain/crates/pink/chain-extension/src/lib.rs#L56
The issue is that in Rust, the + operator can overflow when numeric bounds are exceeded: this will result in a panic error. When a malicious user sends a request with a timeout greater than u64::MAX - 200, they will crash the worker. As this action will cost nothing to the attacker, they can simply send multiple requests to crash all the workers, which will result in a DoS of the cluster system.
Coded PoC
Copy-paste the following test in phala-blockchain/crates/pink/chain-extension/src/mock_ext.rs:
Output:
Tools Used
Manual review
Recommended Mitigation Steps
Consider using saturating_add instead:
Assessed type
Invalid Validation
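The arithmetic at the heart of this report, as an added stand-alone example that is not the project's code or the warden's PoC: a caller-supplied u64 timeout has a fixed 200 added to it, and the three functions below show, for the same inputs, where the plain addition would overflow (checked_add returns None exactly where + panics in a debug build or wraps in a release build), what the recommended saturating_add yields, and a stricter variant that first clamps the caller's value to a policy maximum. The constants EXTRA_MS and MAX_QUERY_TIME_MS are assumptions for the illustration, not values taken from the Phala codebase.

```rust
// Added example, not code from the 2024-03-phala-network repository.
// EXTRA_MS mirrors the fixed 200 added in the report; MAX_QUERY_TIME_MS is an
// assumed policy ceiling standing in for the worker-side clamp mentioned above.
const EXTRA_MS: u64 = 200;
const MAX_QUERY_TIME_MS: u64 = 10_000;

/// Same arithmetic as the vulnerable `timeout + 200`, but made observable:
/// returns None precisely for the inputs where `+` would overflow
/// (a panic in debug builds, a silent wrap-around in release builds).
pub fn deadline_unchecked(timeout_ms: u64) -> Option<u64> {
    timeout_ms.checked_add(EXTRA_MS)
}

/// The mitigation the report recommends: the sum can never exceed u64::MAX,
/// so no input crashes the caller.
pub fn deadline_saturating(timeout_ms: u64) -> u64 {
    timeout_ms.saturating_add(EXTRA_MS)
}

/// A stricter defence: bound the untrusted timeout by a policy maximum first,
/// then add the margin. The result is always small and well-defined.
pub fn deadline_clamped(timeout_ms: u64) -> u64 {
    timeout_ms.min(MAX_QUERY_TIME_MS).saturating_add(EXTRA_MS)
}

fn main() {
    // u64::MAX - 200 is the last value that still fits; u64::MAX - 199 overflows.
    for t in [1_000u64, u64::MAX - 200, u64::MAX - 199, u64::MAX] {
        println!(
            "timeout={t}: unchecked={:?} saturating={} clamped={}",
            deadline_unchecked(t),
            deadline_saturating(t),
            deadline_clamped(t)
        );
    }
}
```

The boundary matches the report's wording: u64::MAX - 200 plus 200 is exactly u64::MAX and is fine, while anything greater overflows. saturating_add removes the crash but still lets a caller request a deadline of u64::MAX, so in practice the clamp to a maximum query time is the check that keeps the value meaningful.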