Incorrect Calculation Affecting github.com/ethereum/go-ethereum/core/vm package, versions <1.19.7


0.0
medium
  • Attack Complexity

    Low

  • Integrity

    High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id

    SNYK-GOLANG-GITHUBCOMETHEREUMGOETHEREUMCOREVM-1045822

  • published

    26 Nov 2020

  • disclosed

    26 Nov 2020

  • credit

    Unknown

How to fix?

Upgrade github.com/ethereum/go-ethereum/core/vm to version 1.19.7 or higher.

Overview

github.com/ethereum/go-ethereum/core/vm is a Package that implements the Ethereum Virtual Machine.

Affected versions of this package are vulnerable to Incorrect Calculation. It can be used to cause a chain-split where vulnerable nodes reject the canonical chain. Geth's pre-compiled dataCopy (at 0x00...04) contract did a shallow copy on invocation. An attacker could deploy a contract that writes X to an EVM memory region R, then calls 0x00..04 with R as an argument, then overwrites R to Y, and finally invokes the RETURNDATACOPY opcode.When this contract is invoked, a consensus-compliant node would push X on the EVM stack, whereas Geth would push Y.

References