Closed c4-bot-2 closed 3 months ago
141345 marked the issue as duplicate of #82
OpenCoreCH marked the issue as not a duplicate
This is known and the responsibility of the pink runtime init caller:
```rust
/// # Safety
///
/// The caller should make sure the pointers are valid and non-null.
```
OpenCoreCH marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-03-phala-network/blob/a01ffbe992560d8d0f17deadfb9b9a2bed38377e/phala-blockchain/crates/pink/runtime/src/capi/ocall_impl.rs#L18-L34
Vulnerability details
MED: The `set_ocall_fn` function is to set the `OCALL`, `ALLOC_FUNC`, and `DEALLOC_FUNC` function pointers based on the provided `ocalls` parameter.
LOC: Panic in `set_ocall_fn`, crates/pink/runtime/src/capi/ocall_impl.rs:18-33
Description
The `set_ocall_fn` function uses `unsafe` blocks to set the `OCALL`, `ALLOC_FUNC`, and `DEALLOC_FUNC` function pointers. If these pointers are not properly validated, or if they are set to invalid or malicious functions, it could lead to undefined behavior or security vulnerabilities.

The `set_ocall_fn` function is to set the `OCALL`, `ALLOC_FUNC`, and `DEALLOC_FUNC` function pointers to valid and safe functions provided through the `ocalls` parameter. These pointers should point to trusted and well-defined functions that perform the intended operations safely.

The issue is the lack of proper validation of the function pointers; an attacker can potentially provide malicious function pointers that point to arbitrary code or invalid memory locations. When these malicious function pointers are called, it can lead to undefined behavior, crashes, or the execution of arbitrary code.
Impact
This can lead to a complete compromise of the system, allowing the attacker to perform unauthorized actions, access sensitive data, or disrupt the normal functioning of the runtime.
Tools Used
Manual audit
Recommended Mitigation Steps
Ensure that the `ocalls` parameter is properly validated before setting the function pointers. Consider implementing additional safety checks and error handling to prevent the setting of invalid or malicious function pointers.

In this, separate validation functions (`is_valid_ocall_fn`, `is_valid_alloc_fn`, `is_valid_dealloc_fn`) are introduced to check if the provided function pointers are in the allowlist of trusted functions. The `set_ocall_fn` function is modified to perform these validations before setting the function pointers. If any of the validations fail, an error is returned, preventing the setting of invalid function pointers.
Assessed type
Access Control
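The following is an added example written for this page; it is not the pink runtime's code and does not reproduce its types. It shows the shape of the mitigation the report recommends: a setter for a host-supplied function-pointer table that rejects null entries (surfacing as `None` on the Rust side) and entries outside an allowlist, and returns an error instead of installing them. The callback signatures, the `Ocalls` struct, the `trusted_*`/`rogue_ocall` functions and the allowlist contents are all assumptions constructed for the example.

```rust
// Added example (not the pink runtime's code). All signatures, names and the
// allowlist contents below are assumptions constructed for this illustration.
use std::sync::Mutex;

// Assumed callback signatures modelled on the report's OCALL / ALLOC_FUNC / DEALLOC_FUNC.
pub type OcallFn = extern "C" fn(call_id: u32, data: *const u8, len: usize) -> i32;
pub type AllocFn = extern "C" fn(size: usize, align: usize) -> *mut u8;
pub type DeallocFn = extern "C" fn(ptr: *mut u8, size: usize, align: usize);

/// Host-supplied table. `Option<extern "C" fn>` is the Rust view of a nullable C
/// function pointer, so a null entry becomes `None` instead of a call into address 0.
#[repr(C)]
#[derive(Clone, Copy, Debug)]
pub struct Ocalls {
    pub ocall: Option<OcallFn>,
    pub alloc: Option<AllocFn>,
    pub dealloc: Option<DeallocFn>,
}

// Constructed "trusted" host callbacks (stand-ins for what a real host would provide).
pub extern "C" fn trusted_ocall(_call_id: u32, _data: *const u8, len: usize) -> i32 {
    len as i32 // echo the payload length back to the caller
}
pub extern "C" fn trusted_alloc(size: usize, align: usize) -> *mut u8 {
    if size == 0 {
        return std::ptr::null_mut(); // zero-sized alloc is undefined for the global allocator
    }
    match std::alloc::Layout::from_size_align(size, align) {
        Ok(layout) => unsafe { std::alloc::alloc(layout) },
        Err(_) => std::ptr::null_mut(),
    }
}
pub extern "C" fn trusted_dealloc(ptr: *mut u8, size: usize, align: usize) {
    if let (false, Ok(layout)) = (ptr.is_null(), std::alloc::Layout::from_size_align(size, align)) {
        unsafe { std::alloc::dealloc(ptr, layout) }
    }
}
/// Constructed callback that is deliberately NOT on the allowlist.
pub extern "C" fn rogue_ocall(_call_id: u32, _data: *const u8, _len: usize) -> i32 {
    -1
}

// Allowlists of trusted entry points, compared by address.
static OCALL_ALLOWLIST: [OcallFn; 1] = [trusted_ocall];
static ALLOC_ALLOWLIST: [AllocFn; 1] = [trusted_alloc];
static DEALLOC_ALLOWLIST: [DeallocFn; 1] = [trusted_dealloc];

fn is_valid_ocall_fn(f: OcallFn) -> bool {
    OCALL_ALLOWLIST.iter().any(|t| *t as usize == f as usize)
}
fn is_valid_alloc_fn(f: AllocFn) -> bool {
    ALLOC_ALLOWLIST.iter().any(|t| *t as usize == f as usize)
}
fn is_valid_dealloc_fn(f: DeallocFn) -> bool {
    DEALLOC_ALLOWLIST.iter().any(|t| *t as usize == f as usize)
}

// The installed table. A Mutex replaces `static mut` so no unsafe access is needed.
static TABLE: Mutex<Option<Ocalls>> = Mutex::new(None);

fn installed() -> Result<Ocalls, &'static str> {
    (*TABLE.lock().unwrap_or_else(|e| e.into_inner())).ok_or("ocall table not initialised")
}

/// Validating setter: every pointer must be non-null and on its allowlist, else nothing is installed.
pub fn set_ocall_fn(ocalls: Ocalls) -> Result<(), &'static str> {
    let ocall = ocalls.ocall.ok_or("ocall pointer is null")?;
    let alloc = ocalls.alloc.ok_or("alloc pointer is null")?;
    let dealloc = ocalls.dealloc.ok_or("dealloc pointer is null")?;
    if !is_valid_ocall_fn(ocall) {
        return Err("ocall pointer is not in the allowlist");
    }
    if !is_valid_alloc_fn(alloc) {
        return Err("alloc pointer is not in the allowlist");
    }
    if !is_valid_dealloc_fn(dealloc) {
        return Err("dealloc pointer is not in the allowlist");
    }
    *TABLE.lock().unwrap_or_else(|e| e.into_inner()) =
        Some(Ocalls { ocall: Some(ocall), alloc: Some(alloc), dealloc: Some(dealloc) });
    Ok(())
}

/// Dispatch through the installed table; refuses to run before a valid table is set.
pub fn do_ocall(call_id: u32, data: &[u8]) -> Result<i32, &'static str> {
    let f = installed()?.ocall.ok_or("ocall table not initialised")?;
    Ok(f(call_id, data.as_ptr(), data.len()))
}

/// Allocate, write, read back and free through the installed host allocator.
pub fn alloc_roundtrip(size: usize) -> Result<bool, &'static str> {
    let t = installed()?;
    let (alloc, dealloc) = (t.alloc.ok_or("no alloc")?, t.dealloc.ok_or("no dealloc")?);
    let p = alloc(size, 8);
    if p.is_null() {
        return Err("host allocator returned null");
    }
    unsafe { std::ptr::write_bytes(p, 0xAB, size) };
    let ok = unsafe { *p == 0xAB };
    dealloc(p, size, 8);
    Ok(ok)
}

pub fn trusted_table() -> Ocalls {
    Ocalls { ocall: Some(trusted_ocall), alloc: Some(trusted_alloc), dealloc: Some(trusted_dealloc) }
}

fn main() {
    let rogue = Ocalls { ocall: Some(rogue_ocall), ..trusted_table() };
    println!("rogue table rejected: {:?}", set_ocall_fn(rogue));
    println!("trusted table installed: {:?}", set_ocall_fn(trusted_table()));
    println!("ocall result: {:?}", do_ocall(1, b"hello"));
}
```

Two caveats for anyone adapting this. Comparing function pointers by address is only meaningful for entry points the runtime itself links in; Rust warns about such comparisons (`unpredictable_function_pointer_comparisons`) because duplicated codegen can give one function several addresses, so the allowlist must be built from the same items it is compared against. And an allowlist can only ever admit callbacks the runtime already knows, which is why the sponsor's answer above places the contract on the init caller via the `# Safety` comment: a host that can hand the runtime arbitrary pointers is already inside the trust boundary, and the check here guards against null and mistaken tables rather than against a hostile host.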