code-423n4 / 2024-03-phala-network-findings


Dereferencing Null Pointers without Validation in __pink_runtime_init #93

Closed c4-bot-5 closed 6 months ago

c4-bot-5 commented 6 months ago

Lines of code

https://github.com/code-423n4/2024-03-phala-network/blob/a01ffbe992560d8d0f17deadfb9b9a2bed38377e/phala-blockchain/crates/pink/runtime/src/capi/mod.rs#L18-L30

Vulnerability details

Impact

The function __pink_runtime_init dereferences a raw pointer (config) without prior validation to ensure that it is not null, and this operation occurs within an unsafe block, which indicates a bypass of Rust's safety guarantees. The lack of a null pointer check before dereferencing poses a significant risk of undefined behavior, which can lead to runtime crashes or memory corruption.

#[no_mangle]
pub unsafe extern "C" fn __pink_runtime_init(
    config: *const config_t,
    ecalls: *mut ecalls_t,
) -> ::core::ffi::c_int {
    let config = unsafe { &*config }; // Vulnerable line
    ...
}

Dereferencing a null pointer can lead to undefined behavior, including segmentation faults, crashes, and potential memory corruption. This could compromise the integrity and reliability of the runtime, potentially affecting all operations relying on this initialization process. The vulnerability can be triggered by incorrect or malicious input where config is a null pointer, or by failures in ensuring that all external callers of __pink_runtime_init validate pointers before passing them to the function.

Tools Used

MANUAL REVIEW

Recommended Mitigation Steps

Validate all raw pointers for nullity before dereferencing them.

Assessed type

Other
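The two positions taken in this thread (the report's "check before dereferencing" and the sponsor's "the `# Safety` contract is on the caller") side by side, as an added example that is not code from the Phala repository or from the report. The type and function names (ExampleConfig, InitState, init_unchecked, init_checked), the return codes, and the sample config values are assumptions chosen for illustration:

```rust
use core::ffi::c_int;
use core::mem::align_of;

/// Constructed stand-in for the runtime's config struct; not the project's own type.
#[repr(C)]
#[derive(Debug, Clone, Copy)]
pub struct ExampleConfig {
    pub cluster_id: u64,
    pub log_level: u32,
}

/// Constructed stand-in for the state the initializer populates.
#[repr(C)]
#[derive(Debug, Default, PartialEq)]
pub struct InitState {
    pub cluster_id: u64,
    pub logging_enabled: bool,
}

/// Return codes across the C boundary (assumed values, not the project's).
pub const INIT_OK: c_int = 0;
pub const INIT_ERR_NULL_PTR: c_int = -1;
pub const INIT_ERR_MISALIGNED: c_int = -2;

/// Shared safe core: everything after the pointers have become references.
fn apply(config: &ExampleConfig, out: &mut InitState) {
    out.cluster_id = config.cluster_id;
    out.logging_enabled = config.log_level > 0;
}

/// Pattern A: the sponsor's position. The function is `unsafe` and its doc comment
/// places the non-null/validity obligation on the caller. Dereferencing a null pointer
/// here is undefined behaviour, so nothing below ever calls it with one.
///
/// # Safety
/// `config` and `out` must be non-null, aligned, and point to live objects of the
/// declared types for the duration of the call.
pub unsafe extern "C" fn init_unchecked(config: *const ExampleConfig, out: *mut InitState) -> c_int {
    let config = unsafe { &*config };
    let out = unsafe { &mut *out };
    apply(config, out);
    INIT_OK
}

/// Pattern B: the report's recommendation. Check what can be checked from inside
/// Rust (null and alignment) before forming references, and report failure as an
/// error code instead of crashing. Whether the pointee is actually a live
/// ExampleConfig still cannot be verified here, so the function remains `unsafe`.
///
/// # Safety
/// If non-null and aligned, `config` and `out` must point to live objects of the
/// declared types for the duration of the call.
pub unsafe extern "C" fn init_checked(config: *const ExampleConfig, out: *mut InitState) -> c_int {
    if config.is_null() || out.is_null() {
        return INIT_ERR_NULL_PTR;
    }
    if (config as usize) % align_of::<ExampleConfig>() != 0
        || (out as usize) % align_of::<InitState>() != 0
    {
        return INIT_ERR_MISALIGNED;
    }
    // Non-null and aligned; the remaining validity is the caller's contract.
    let config = unsafe { &*config };
    let out = unsafe { &mut *out };
    apply(config, out);
    INIT_OK
}

/// Runs the checked entry point once with a valid config and once with a null
/// config, returning both codes and the resulting state.
pub fn demo() -> (c_int, c_int, InitState) {
    let cfg = ExampleConfig { cluster_id: 42, log_level: 1 }; // constructed sample input
    let mut state = InitState::default();
    let ok = unsafe { init_checked(&cfg, &mut state) };
    let null_rc = unsafe { init_checked(core::ptr::null(), &mut state) };
    (ok, null_rc, state)
}

fn main() {
    let (ok, null_rc, state) = demo();
    println!("valid config -> {ok}, null config -> {null_rc}, state: {state:?}");
}
```

The null check turns a crash into a reportable error, which is the report's point; the `# Safety` comment on both functions is the sponsor's point, and it does not go away, because a non-null, aligned pointer to garbage is still undefined behaviour to dereference and no check inside the callee can detect it.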

c4-pre-sort commented 6 months ago

141345 marked the issue as duplicate of #80

c4-pre-sort commented 6 months ago

141345 marked the issue as not a duplicate

c4-pre-sort commented 6 months ago

141345 marked the issue as sufficient quality report

141345 commented 6 months ago

seems invalid

kvinwang commented 6 months ago

This is an unsafe function. As the comment said:

/// # Safety
///
/// The caller should make sure the pointers are valid and non-null.

c4-sponsor commented 6 months ago

kvinwang (sponsor) disputed

c4-judge commented 6 months ago

OpenCoreCH marked the issue as unsatisfactory: Invalid