diff --git a/Changelog.md b/Changelog.md index 91e9771be..1d322de5b 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,9 @@ ### 0.8.14 (unreleased) +Important Bugfixes: + * ABI Encoding: When ABI-encoding values from calldata that contain nested arrays, correctly validate the nested array length against ``calldatasize()`` in all cases. + + Language Features: diff --git a/docs/bugs.json b/docs/bugs.json index 9e24175b4..6613f1964 100644 --- a/docs/bugs.json +++ b/docs/bugs.json @@ -1,4 +1,14 @@ [ + { + "uid": "SOL-2022-2", + "name": "NestedCallataArrayAbiReencodingSizeValidation", + "summary": "ABI-reencoding of nested dynamic calldata arrays did not always perform proper size checks against the size of calldata and could read beyond ``calldatasize()``.", + "description": "Calldata validation for nested dynamic types is deferred until the first access to the nested values. Such an access may for example be a copy to memory or an index or member access to the outer type. While in most such accesses calldata validation correctly checks that the data area of the nested array is completely contained in the passed calldata (i.e. in the range [0, calldatasize()]), this check may not be performed, when ABI encoding such nested types again directly from calldata. For instance, this can happen, if a value in calldata with a nested dynamic array is passed to an external call, used in ``abi.encode`` or emitted as event. In such cases, if the data area of the nested array extends beyond ``calldatasize()``, ABI encoding it did not revert, but continued reading values from beyond ``calldatasize()`` (i.e. zero values).", + "link": "https://blog.soliditylang.org/2022/05/17/calldata-reencode-size-check-bug/", + "introduced": "0.5.8", + "fixed": "0.8.14", + "severity": "very low" + }, { "uid": "SOL-2022-1", "name": "AbiEncodeCallLiteralAsFixedBytesBug", diff --git a/docs/bugs_by_version.json b/docs/bugs_by_version.json index 7b9a7fc3d..0d103279f 100644 --- a/docs/bugs_by_version.json +++ b/docs/bugs_by_version.json @@ -1036,6 +1036,7 @@ }, "0.5.10": { "bugs": [ + "NestedCallataArrayAbiReencodingSizeValidation", "ABIDecodeTwoDimensionalArrayMemory", "KeccakCaching", "EmptyByteArrayCopy", @@ -1051,6 +1052,7 @@ }, "0.5.11": { "bugs": [ + "NestedCallataArrayAbiReencodingSizeValidation", "ABIDecodeTwoDimensionalArrayMemory", "KeccakCaching", "EmptyByteArrayCopy", @@ -1065,6 +1067,7 @@ }, "0.5.12": { "bugs": [ + "NestedCallataArrayAbiReencodingSizeValidation", "ABIDecodeTwoDimensionalArrayMemory", "KeccakCaching", "EmptyByteArrayCopy", @@ -1079,6 +1082,7 @@ }, "0.5.13": { "bugs": [ + "NestedCallataArrayAbiReencodingSizeValidation", "ABIDecodeTwoDimensionalArrayMemory", "KeccakCaching", "EmptyByteArrayCopy", @@ -1093,6 +1097,7 @@ }, "0.5.14": { "bugs": [ + "NestedCallataArrayAbiReencodingSizeValidation", "ABIDecodeTwoDimensionalArrayMemory", "KeccakCaching", "EmptyByteArrayCopy", @@ -1109,6 +1114,7 @@ }, "0.5.15": { "bugs": [ + "NestedCallataArrayAbiReencodingSizeValidation", "ABIDecodeTwoDimensionalArrayMemory", "KeccakCaching", "EmptyByteArrayCopy", @@ -1124,6 +1130,7 @@ }, "0.5.16": { "bugs": [ + "NestedCallataArrayAbiReencodingSizeValidation", "ABIDecodeTwoDimensionalArrayMemory", "KeccakCaching", "EmptyByteArrayCopy", @@ -1138,6 +1145,7 @@ }, "0.5.17": { "bugs": [ + "NestedCallataArrayAbiReencodingSizeValidation", "ABIDecodeTwoDimensionalArrayMemory", "KeccakCaching", "EmptyByteArrayCopy", @@ -1269,6 +1277,7 @@ }, "0.5.8": { "bugs": [ + "NestedCallataArrayAbiReencodingSizeValidation", "ABIDecodeTwoDimensionalArrayMemory", "KeccakCaching", "EmptyByteArrayCopy", @@ -1287,6 +1296,7 @@ }, "0.5.9": { "bugs": [ + "NestedCallataArrayAbiReencodingSizeValidation", "ABIDecodeTwoDimensionalArrayMemory", "KeccakCaching", "EmptyByteArrayCopy", @@ -1304,6 +1314,7 @@ }, "0.6.0": { "bugs": [ + "NestedCallataArrayAbiReencodingSizeValidation", "ABIDecodeTwoDimensionalArrayMemory", "KeccakCaching", "EmptyByteArrayCopy", @@ -1319,6 +1330,7 @@ }, "0.6.1": { "bugs": [ + "NestedCallataArrayAbiReencodingSizeValidation", "ABIDecodeTwoDimensionalArrayMemory", "KeccakCaching", "EmptyByteArrayCopy", @@ -1333,6 +1345,7 @@ }, "0.6.10": { "bugs": [ + "NestedCallataArrayAbiReencodingSizeValidation", "SignedImmutables", "ABIDecodeTwoDimensionalArrayMemory", "KeccakCaching", @@ -1343,6 +1356,7 @@ }, "0.6.11": { "bugs": [ + "NestedCallataArrayAbiReencodingSizeValidation", "SignedImmutables", "ABIDecodeTwoDimensionalArrayMemory", "KeccakCaching", @@ -1353,6 +1367,7 @@ }, "0.6.12": { "bugs": [ + "NestedCallataArrayAbiReencodingSizeValidation", "SignedImmutables", "ABIDecodeTwoDimensionalArrayMemory", "KeccakCaching", @@ -1363,6 +1378,7 @@ }, "0.6.2": { "bugs": [ + "NestedCallataArrayAbiReencodingSizeValidation", "ABIDecodeTwoDimensionalArrayMemory", "KeccakCaching", "EmptyByteArrayCopy", @@ -1377,6 +1393,7 @@ }, "0.6.3": { "bugs": [ + "NestedCallataArrayAbiReencodingSizeValidation", "ABIDecodeTwoDimensionalArrayMemory", "KeccakCaching", "EmptyByteArrayCopy", @@ -1391,6 +1408,7 @@ }, "0.6.4": { "bugs": [ + "NestedCallataArrayAbiReencodingSizeValidation", "ABIDecodeTwoDimensionalArrayMemory", "KeccakCaching", "EmptyByteArrayCopy", @@ -1405,6 +1423,7 @@ }, "0.6.5": { "bugs": [ + "NestedCallataArrayAbiReencodingSizeValidation", "SignedImmutables", "ABIDecodeTwoDimensionalArrayMemory", "KeccakCaching", @@ -1419,6 +1438,7 @@ }, "0.6.6": { "bugs": [ + "NestedCallataArrayAbiReencodingSizeValidation", "SignedImmutables", "ABIDecodeTwoDimensionalArrayMemory", "KeccakCaching", @@ -1432,6 +1452,7 @@ }, "0.6.7": { "bugs": [ + "NestedCallataArrayAbiReencodingSizeValidation", "SignedImmutables", "ABIDecodeTwoDimensionalArrayMemory", "KeccakCaching", @@ -1445,6 +1466,7 @@ }, "0.6.8": { "bugs": [ + "NestedCallataArrayAbiReencodingSizeValidation", "SignedImmutables", "ABIDecodeTwoDimensionalArrayMemory", "KeccakCaching", @@ -1455,6 +1477,7 @@ }, "0.6.9": { "bugs": [ + "NestedCallataArrayAbiReencodingSizeValidation", "SignedImmutables", "ABIDecodeTwoDimensionalArrayMemory", "KeccakCaching", @@ -1466,6 +1489,7 @@ }, "0.7.0": { "bugs": [ + "NestedCallataArrayAbiReencodingSizeValidation", "SignedImmutables", "ABIDecodeTwoDimensionalArrayMemory", "KeccakCaching", @@ -1476,6 +1500,7 @@ }, "0.7.1": { "bugs": [ + "NestedCallataArrayAbiReencodingSizeValidation", "SignedImmutables", "ABIDecodeTwoDimensionalArrayMemory", "KeccakCaching", @@ -1487,6 +1512,7 @@ }, "0.7.2": { "bugs": [ + "NestedCallataArrayAbiReencodingSizeValidation", "SignedImmutables", "ABIDecodeTwoDimensionalArrayMemory", "KeccakCaching", @@ -1497,6 +1523,7 @@ }, "0.7.3": { "bugs": [ + "NestedCallataArrayAbiReencodingSizeValidation", "SignedImmutables", "ABIDecodeTwoDimensionalArrayMemory", "KeccakCaching", @@ -1506,6 +1533,7 @@ }, "0.7.4": { "bugs": [ + "NestedCallataArrayAbiReencodingSizeValidation", "SignedImmutables", "ABIDecodeTwoDimensionalArrayMemory", "KeccakCaching" @@ -1514,6 +1542,7 @@ }, "0.7.5": { "bugs": [ + "NestedCallataArrayAbiReencodingSizeValidation", "SignedImmutables", "ABIDecodeTwoDimensionalArrayMemory", "KeccakCaching" @@ -1522,6 +1551,7 @@ }, "0.7.6": { "bugs": [ + "NestedCallataArrayAbiReencodingSizeValidation", "SignedImmutables", "ABIDecodeTwoDimensionalArrayMemory", "KeccakCaching" @@ -1530,6 +1560,7 @@ }, "0.8.0": { "bugs": [ + "NestedCallataArrayAbiReencodingSizeValidation", "SignedImmutables", "ABIDecodeTwoDimensionalArrayMemory", "KeccakCaching" @@ -1538,6 +1569,7 @@ }, "0.8.1": { "bugs": [ + "NestedCallataArrayAbiReencodingSizeValidation", "SignedImmutables", "ABIDecodeTwoDimensionalArrayMemory", "KeccakCaching" @@ -1545,27 +1577,34 @@ "released": "2021-01-27" }, "0.8.10": { - "bugs": [], + "bugs": [ + "NestedCallataArrayAbiReencodingSizeValidation" + ], "released": "2021-11-09" }, "0.8.11": { "bugs": [ + "NestedCallataArrayAbiReencodingSizeValidation", "AbiEncodeCallLiteralAsFixedBytesBug" ], "released": "2021-12-20" }, "0.8.12": { "bugs": [ + "NestedCallataArrayAbiReencodingSizeValidation", "AbiEncodeCallLiteralAsFixedBytesBug" ], "released": "2022-02-16" }, "0.8.13": { - "bugs": [], + "bugs": [ + "NestedCallataArrayAbiReencodingSizeValidation" + ], "released": "2022-03-16" }, "0.8.2": { "bugs": [ + "NestedCallataArrayAbiReencodingSizeValidation", "SignedImmutables", "ABIDecodeTwoDimensionalArrayMemory", "KeccakCaching" @@ -1574,6 +1613,7 @@ }, "0.8.3": { "bugs": [ + "NestedCallataArrayAbiReencodingSizeValidation", "SignedImmutables", "ABIDecodeTwoDimensionalArrayMemory" ], @@ -1581,37 +1621,44 @@ }, "0.8.4": { "bugs": [ + "NestedCallataArrayAbiReencodingSizeValidation", "SignedImmutables" ], "released": "2021-04-21" }, "0.8.5": { "bugs": [ + "NestedCallataArrayAbiReencodingSizeValidation", "SignedImmutables" ], "released": "2021-06-10" }, "0.8.6": { "bugs": [ + "NestedCallataArrayAbiReencodingSizeValidation", "SignedImmutables" ], "released": "2021-06-22" }, "0.8.7": { "bugs": [ + "NestedCallataArrayAbiReencodingSizeValidation", "SignedImmutables" ], "released": "2021-08-11" }, "0.8.8": { "bugs": [ + "NestedCallataArrayAbiReencodingSizeValidation", "UserDefinedValueTypesBug", "SignedImmutables" ], "released": "2021-09-27" }, "0.8.9": { - "bugs": [], + "bugs": [ + "NestedCallataArrayAbiReencodingSizeValidation" + ], "released": "2021-09-29" } } \ No newline at end of file diff --git a/test/libsolidity/semanticTests/abiEncoderV2/calldata_array_short.sol b/test/libsolidity/semanticTests/abiEncoderV2/calldata_array_short.sol new file mode 100644 index 000000000..b2a126d50 --- /dev/null +++ b/test/libsolidity/semanticTests/abiEncoderV2/calldata_array_short.sol @@ -0,0 +1,12 @@ +pragma abicoder v2; + +contract C { + function f(uint[] calldata) public {} +} +// ==== +// revertStrings: debug +// compileViaYul: also +// ---- +// f(uint256[]): 0x20, 0 -> +// f(uint256[]): 0x20, 1 -> FAILURE, hex"08c379a0", 0x20, 0x2b, "ABI decoding: invalid calldata a", "rray stride" +// f(uint256[]): 0x20, 2 -> FAILURE, hex"08c379a0", 0x20, 0x2b, "ABI decoding: invalid calldata a", "rray stride" diff --git a/test/libsolidity/semanticTests/abiEncoderV2/calldata_array_short_no_revert_string.sol b/test/libsolidity/semanticTests/abiEncoderV2/calldata_array_short_no_revert_string.sol new file mode 100644 index 000000000..19aa30a08 --- /dev/null +++ b/test/libsolidity/semanticTests/abiEncoderV2/calldata_array_short_no_revert_string.sol @@ -0,0 +1,10 @@ +contract C { + function f(uint[] calldata) public {} +} +// ==== +// compileViaYul: also +// ---- +// f(uint256[]): 0x20, 0 -> +// f(uint256[]): 0x20, 1 -> FAILURE +// f(uint256[]): 0x20, 2 -> FAILURE + diff --git a/test/libsolidity/semanticTests/abiEncoderV2/calldata_nested_array_static_reencode.sol b/test/libsolidity/semanticTests/abiEncoderV2/calldata_nested_array_static_reencode.sol new file mode 100644 index 000000000..a0b500876 --- /dev/null +++ b/test/libsolidity/semanticTests/abiEncoderV2/calldata_nested_array_static_reencode.sol @@ -0,0 +1,27 @@ +pragma abicoder v2; + +contract C { + function f(uint[3][] calldata a) public { + abi.encode(a); + } + function f(uint[][3] calldata a) public { + abi.encode(a); + } + function f(uint[2][2] calldata a) public { + abi.encode(a); + } +} +// ==== +// compileViaYul: also +// ---- +// f(uint256[3][]): 0x20, 1, 0x01 -> FAILURE +// f(uint256[3][]): 0x20, 1, 0x01, 0x02 -> FAILURE +// f(uint256[3][]): 0x20, 1, 0x01, 0x02, 0x03 -> +// f(uint256[][3]): 0x20, 0x60, 0x60, 0x60, 3, 0x01 -> FAILURE +// f(uint256[][3]): 0x20, 0x60, 0x60, 0x60, 3, 0x01, 0x02 -> FAILURE +// f(uint256[][3]): 0x20, 0x60, 0x60, 0x60, 3, 0x01, 0x02, 0x03 -> +// f(uint256[2][2]): 0x01 -> FAILURE +// f(uint256[2][2]): 0x01, 0x02 -> FAILURE +// f(uint256[2][2]): 0x01, 0x02, 0x03 -> FAILURE +// f(uint256[2][2]): 0x01, 0x02, 0x03, 0x04 -> +// f(uint256[2][2]): 0x01, 0x02, 0x03, 0x04, 0x05 ->