Copying malicious calldata to memory in Assembly

junderw · July 13, 2020, 11:48pm

I am looking at the assembly in Proxy.sol (reference below)

OpenZeppelin/openzeppelin-sdk/blob/3e2860ef7d5ea2d0397e0c5d25ed1d215d1e79f2/packages/lib/contracts/upgradeability/Proxy.sol#L31-L48


assembly {
  // Copy msg.data. We take full control of memory in this inline assembly
  // block because it will not return to Solidity code. We overwrite the
  // Solidity scratch pad at memory position 0.
  calldatacopy(0, 0, calldatasize)

  // Call the implementation.
  // out and outsize are 0 because we don't know the size yet.
  let result := delegatecall(gas, implementation, 0, calldatasize, 0, 0)

  // Copy the returned data.
  returndatacopy(0, 0, returndatasize)

  switch result
  // delegatecall returns 0 on error.
  case 0 { revert(0, returndatasize) }
  default { return(0, returndatasize) }
}

Question: What if someone calls the Proxy with some malformed / extremely large piece of data, won’t calldatacopy have free reign over the entire memory? Overwriting free memory pointer at 0x40 etc.? Also, can the same be said for returndatacopy? I know returndata will be from our implementation logic, so it shouldn’t be malformed.

I’m sure there’s some simple answer, ie. “memory is independent for each subsequent call, so as long as we don’t return to non-assembly in this contract’s call frame, memory doesn’t matter since nothing will access it in any meaningful way.”

abcoathup · July 14, 2020, 1:22am

Hi @junderw,

Welcome to the community

I don’t know the answer unfortunately, I tried looking through the Solidity documentation on assembly/Yul but didn’t find the simple answer. I will see what I can find out or hopefully someone from the community can provide the answer.

junderw · July 14, 2020, 12:58pm

From gitter

Marius van der Wijden @MariusVanDerWijden 21:53
Afaik we create a new stack for every call into another contract, see

github.com

ethereum/go-ethereum/blob/5b081ab214d8d6373cbfdd9464f2503934b9bb68/core/vm/interpreter.go#L166


      
          	in.returnData = nil
          
          	// Don't bother with the execution if there's no code.
          	if len(contract.Code) == 0 {
          		return nil, nil
          	}
          
          	var (
          		op          OpCode             // current opcode
          		mem         = NewMemory()      // bound memory
          		stack       = newstack()       // local stack
          		returns     = newReturnStack() // local returns stack
          		callContext = &callCtx{
          			memory:   mem,
          			stack:    stack,
          			rstack:   returns,
          			contract: contract,
          		}
          		// For optimisation reason we're using uint64 as the program counter.
          		// It's theoretically possible to go above 2^64. The YP defines the PC
          		// to be uint256. Practically much less so feasible.

frangio · July 14, 2020, 2:18pm

Exactly!

Topic		Replies	Views
How to use assembly codes around call forwarding? Support design	2	2314	August 21, 2020
How is the output of a contract call encoded? Support	2	408	April 30, 2021
Error cases in AddressUpgradeable.sol::verifyCallResultFromTarget Contracts	2	598	June 29, 2023
YUL call transferFrom inline assembly run out of gas Smart Contracts erc20	3	996	June 3, 2022
Bytes[] memory conversion to bytes[] calldata Contracts	4	4944	May 31, 2021

Copying malicious calldata to memory in Assembly

Related Topics