While parsing a malicious contract, the sway compiler crashed with unreachable code.
Vulnerability Details
There exists an edge case which is not handled properly when parsing the cfg tree; this finally causes the unreachable panic in [1]:

```rust
_ => { // [1] unhandled case causes panic:
    // Already checked with `AttributeKind::expected_args_*`
    unreachable!("cfg attribute should only have the `target` or the `program_type` argument");
}
```
Impact Details
An online verification service or sway playground which accepts sw contracts using the sway compiler could be crashed by a malicious sw contract.
Proof of Concept
Building the following contract using forc would crash:

```sway
predicate;
#[cfg(c)] a
```
Running it would get:

```
Compiling predicate abi_superabis (/test/sway/cfg_crash)
thread 'main' panicked at sway-core/src/transform/to_parsed_lang/convert_parse_tree.rs:4899:25:
internal error: entered unreachable code: cfg attribute should only have the `target` or the `program_type` argument
stack backtrace:
   0: rust_begin_unwind
             at /rustc/ed7e35f3494045fa1194be29085fa73e2d6dab40/library/std/src/panicking.rs:661:5
   1: core::panicking::panic_fmt
             at /rustc/ed7e35f3494045fa1194be29085fa73e2d6dab40/library/core/src/panicking.rs:74:14
   2: sway_core::transform::to_parsed_lang::convert_parse_tree::cfg_eval
             at /test/sway/sway-core/src/transform/to_parsed_lang/convert_parse_tree.rs:4899:25
   3: sway_core::transform::to_parsed_lang::convert_parse_tree::item_to_ast_nodes
             at /test/sway/sway-core/src/transform/to_parsed_lang/convert_parse_tree.rs:119:9
   4: sway_core::transform::to_parsed_lang::convert_parse_tree::module_to_sway_parse_tree
             at /test/sway/sway-core/src/transform/to_parsed_lang/convert_parse_tree.rs:82:29
   5: sway_core::transform::to_parsed_lang::convert_parse_tree::convert_parse_tree
             at /test/sway/sway-core/src/transform/to_parsed_lang/convert_parse_tree.rs:57:16
   6: sway_core::parse_module_tree
             at /test/sway/sway-core/src/lib.rs:370:24
   7: sway_core::parse
             at /test/sway/sway-core/src/lib.rs:104:25
   8: sway_core::compile_to_ast
             at /test/sway/sway-core/src/lib.rs:722:9
   9: forc_pkg::pkg::compile
             at /test/sway/forc-pkg/src/pkg.rs:1791:9
  10: forc_pkg::pkg::build
             at /test/sway/forc-pkg/src/pkg.rs:2462:28
  11: forc_pkg::pkg::build_with_options
             at /test/sway/forc-pkg/src/pkg.rs:2183:26
  12: forc::ops::forc_build::build
             at /test/sway/forc/src/ops/forc_build.rs:8:17
  13: forc::cli::commands::build::exec
             at /test/sway/forc/src/cli/commands/build.rs:42:5
  14: forc::cli::run_cli::{{closure}}
             at /test/sway/forc/src/cli/mod.rs:131:33
  15: forc::main::{{closure}}
             at /test/sway/forc/src/main.rs:5:26
...
  25: forc::main
             at /test/sway/forc/src/main.rs:5:5
  26: core::ops::function::FnOnce::call_once
             at /rustc/ed7e35f3494045fa1194be29085fa73e2d6dab40/library/core/src/ops/function.rs:250:5
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.
```
## Description
We now throw an error that enforces cfg arg to be a valid one.
Fixes #6326
## Checklist
- [x] I have linked to any relevant issues.
- [x] I have commented my code, particularly in hard-to-understand
areas.
- [ ] I have updated the documentation where relevant (API docs, the
reference, and the Sway book).
- [ ] If my change requires substantial documentation changes, I have
[requested support from the DevRel
team](https://github.com/FuelLabs/devrel-requests/issues/new/choose)
- [x] I have added tests that prove my fix is effective or that my
feature works.
- [x] I have added (or requested a maintainer to add) the necessary
`Breaking*` or `New Feature` labels where relevant.
- [x] I have done my best to ensure that my PR adheres to [the Fuel Labs
Code Review
Standards](https://github.com/FuelLabs/rfcs/blob/master/text/code-standards/external-contributors.md).
- [x] I have requested a review from the relevant team or maintainers.
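The bug class in the report and the shape of the fix described in the PR, as a simplified model added here; it is not code from sway-core. `CfgArg`, `CfgError`, `cfg_eval_panicking`, `cfg_eval_checked` and `panics_on` are hypothetical names, and `fuel`/`predicate` are sample values.

```rust
use std::panic;

/// Constructed stand-in for one parsed `#[cfg(name = "value")]` argument.
pub struct CfgArg<'a> {
    pub name: &'a str,
    pub value: Option<&'a str>,
}

#[derive(Debug, PartialEq)]
pub enum CfgError {
    UnknownArg(String),
    MissingValue(String),
}

/// "Before" shape: trusts an earlier validation pass and panics on anything else.
pub fn cfg_eval_panicking(arg: &CfgArg, target: &str, program_type: &str) -> bool {
    match arg.name {
        "target" => arg.value == Some(target),
        "program_type" => arg.value == Some(program_type),
        _ => unreachable!("cfg attribute should only have the `target` or the `program_type` argument"),
    }
}

/// "After" shape: every input the parser can hand over maps to a value or an error.
pub fn cfg_eval_checked(arg: &CfgArg, target: &str, program_type: &str) -> Result<bool, CfgError> {
    let expected = match arg.name {
        "target" => target,
        "program_type" => program_type,
        other => return Err(CfgError::UnknownArg(other.to_string())),
    };
    match arg.value {
        Some(v) => Ok(v == expected),
        None => Err(CfgError::MissingValue(arg.name.to_string())),
    }
}

/// True if the panicking variant aborts on a bare argument with this name.
pub fn panics_on(name: &'static str) -> bool {
    panic::catch_unwind(|| cfg_eval_panicking(&CfgArg { name, value: None }, "fuel", "predicate")).is_err()
}

fn main() {
    let poc = CfgArg { name: "c", value: None }; // mirrors `#[cfg(c)]` from the report
    println!("panicking variant crashes: {}", panics_on("c"));
    println!("checked variant: {:?}", cfg_eval_checked(&poc, "fuel", "predicate"));
}
```

A service that compiles untrusted sources can turn the `Err` into a normal diagnostic, whereas the panic takes down the whole compile request.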
From https://bugs.immunefi.com/dashboard/submission/33139
References
[1] sway/sway-core/src/transform/to_parsed_lang/convert_parse_tree.rs, lines 4897 to 4900 in f82d9e6