diff --git a/CWAs/CWA-2023-004.md b/CWAs/CWA-2023-004.md index 8b51f66..d0fbc0d 100644 --- a/CWAs/CWA-2023-004.md +++ b/CWAs/CWA-2023-004.md @@ -1,4 +1,4 @@ -# CWA-2023-004 +# CWA-2023-004: Excessive number of function paramters in compiled Wasm **Severity** @@ -20,6 +20,39 @@ and are neither patched nor analyzed. - [wasmvm 1.4.2](https://github.com/CosmWasm/wasmvm/releases/tag/v1.4.2) (cosmwasm-vm 1.4.2) - [wasmvm 1.5.1](https://github.com/CosmWasm/wasmvm/releases/tag/v1.5.1) (cosmwasm-vm 1.5.1) +## Description of the bug + +In a Wasm file, the signature of a function is stored separately and referenced in the function. +This is demonstrated in the following example where you see + +1. a function signature with two integers input and one integer output is defined +2. two functions referencing this signature are defined (`a+b` and `a-b`) +3. the two functions are exported under the names "sum" and "diff" + +```wasm +(module + (type $binary_operation_t (func (param i32 i32) (result i32))) + (func $sum_f (type $binary_operation_t) + local.get 0 + local.get 1 + i32.add) + (func $diff_f (type $binary_operation_t) + local.get 0 + local.get 1 + i32.sub) + (export "sum" (func $sum_f)) + (export "diff" (func $diff_f)) +) +``` + +This is harmless in Wasm bytecode, but once the function is compiled, signatures are inlined multiple times +in the compiled code. +Using a large signature that is referenced by a large number of functions, +you get pretty much a compression bomb – small in the uploaded Wasm blob but huge after compilation. +This can lead to +modules of several hundreds of megabytes or even gigabytes, leading to unexpected cache behaviour, unexpected disk +consumption, slowdows and in some cases even crashes of the node process. + ## Patch - 1.5: https://github.com/CosmWasm/cosmwasm/compare/v1.5.0...v1.5.1 @@ -73,3 +106,4 @@ We extend our gratitude to the CertiK team for their professionalism and commitm - 2024-01-08: Patch release announcement is sent to the notification list and posted in the Cosmos Hub Forum. - 2024-01-09: Backports to CosmWasm 1.2, 1.3, 1.4, 1.5 are finalized. - 2024-01-10: Patch released +- 2024-08-21: Title and description added to advisory diff --git a/CWAs/README.md b/CWAs/README.md index 2fedff0..e028177 100644 --- a/CWAs/README.md +++ b/CWAs/README.md @@ -27,12 +27,12 @@ ## 2023 -| Severity[^1] | Scope[^2] | ID | -| ------------ | --------- | --------------------------------------------------------------------------- | -| High | VM | [CWA-2023-004][CWA-2023-004] | -| Medium | x/wasm | [CWA-2023-003: Inefficient ListChannels query implementation][CWA-2023-003] | -| | VM | [CWA-2023-002: Stack overflow crash (Codename Cherry)][CWA-2023-002] | -| | VM | [CWA-2023-001: Potential overflow in cache statistics][CWA-2023-001] | +| Severity[^1] | Scope[^2] | ID | +| ------------ | --------- | ------------------------------------------------------------------------------------- | +| High | VM | [CWA-2023-004: Excessive number of function paramters in compiled Wasm][CWA-2023-004] | +| Medium | x/wasm | [CWA-2023-003: Inefficient ListChannels query implementation][CWA-2023-003] | +| | VM | [CWA-2023-002: Stack overflow crash (Codename Cherry)][CWA-2023-002] | +| | VM | [CWA-2023-001: Potential overflow in cache statistics][CWA-2023-001] | [CWA-2023-004]: ./CWA-2023-004.md [CWA-2023-003]: ./CWA-2023-003.md