CVE-2024-4435

When storing unbounded types in a BTreeMap, a node is represented as a linked list of "memory chunks". It was discovered recently that when we deallocate a node, in some cases only the first memory chunk is deallocated, and the rest of the memory chunks remain (incorrectly) allocated, causing a memory leak. In the worst case, depending on how a canister uses the BTreeMap, an adversary could interact with the canister through its API and trigger interactions with the map that keep consuming memory due to the memory leak. This could potentially lead to using an excessive amount of memory, or even running out of memory. This issue has been fixed in #212 https://github.com/dfinity/stable-structures/pull/212 by changing the logic for deallocating nodes to ensure that all of a node's memory chunks are deallocated and users are asked to upgrade to version 0.6.4.. Tests have been added to prevent regressions of this nature moving forward. Note: Users of stable-structure < 0.6.0 are not affected. Users who are not storing unbounded types in BTreeMap are not affected and do not need to upgrade. Otherwise, an upgrade to version 0.6.4 is necessary.

CVSS v3 5.9 MEDIUM

5.9^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://docs.rs/ic-stable-structures/0.6.4/ic_stable_structures/
https://github.com/dfinity/stable-structures/pull/212
https://internetcomputer.org/docs/current/developer-docs/smart-contracts/maintain/storage#stable-memory
https://docs.rs/ic-stable-structures/0.6.4/ic_stable_structures/
https://github.com/dfinity/stable-structures/pull/212
https://internetcomputer.org/docs/current/developer-docs/smart-contracts/maintain/storage#stable-memory

Configurations

No configuration.

History

21 Nov 2024, 09:42

Type	Values Removed	Values Added
Summary		(es) Al almacenar tipos ilimitados en un BTreeMap, un nodo se representa como una lista vinculada de "fragmentos de memoria". Recientemente se descubrió que cuando desasignamos un nodo, en algunos casos solo se desasigna el primer fragmento de memoria y el resto de los fragmentos de memoria permanecen (incorrectamente) asignados, lo que provoca una pérdida de memoria. En el peor de los casos, dependiendo de cómo un recipiente utilice BTreeMap, un adversario podría interactuar con el recipiente a través de su API y desencadenar interacciones con el mapa que sigan consumiendo memoria debido a la pérdida de memoria. Esto podría llevar potencialmente al uso de una cantidad excesiva de memoria o incluso a quedarse sin memoria. Este problema se solucionó en el n.º 212 https://github.com/dfinity/stable-structures/pull/212 cambiando la lógica para desasignar nodos para garantizar que todos los fragmentos de memoria de un nodo se desasignen y se solicite a los usuarios que actualicen a versión 0.6.4.. Se han agregado pruebas para evitar que avancen regresiones de esta naturaleza. Nota: Los usuarios de estructura estable <0.6.0 no se ven afectados. Los usuarios que no almacenan tipos ilimitados en BTreeMap no se ven afectados y no necesitan actualizar. De lo contrario, es necesaria una actualización a la versión 0.6.4.
References	~~() https://docs.rs/ic-stable-structures/0.6.4/ic_stable_structures/ -~~	() https://docs.rs/ic-stable-structures/0.6.4/ic_stable_structures/ -
References	~~() https://github.com/dfinity/stable-structures/pull/212 -~~	() https://github.com/dfinity/stable-structures/pull/212 -
References	~~() https://internetcomputer.org/docs/current/developer-docs/smart-contracts/maintain/storage#stable-memory -~~	() https://internetcomputer.org/docs/current/developer-docs/smart-contracts/maintain/storage#stable-memory -

21 May 2024, 10:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-05-21 10:15

Updated : 2024-11-21 09:42

NVD link : CVE-2024-4435

Mitre link : CVE-2024-4435

CVE.ORG link : CVE-2024-4435

JSON object : View

Products Affected

No product.

CWE

CWE-401

Missing Release of Memory after Effective Lifetime

5.9 /10