Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

math: no check for negative precisions which result in runtime panics when passed into *NewDec #14004

Closed
odeke-em opened this issue Nov 24, 2022 · 0 comments · Fixed by #14922
Closed

math: no check for negative precisions which result in runtime panics when passed into *NewDec #14004

odeke-em opened this issue Nov 24, 2022 · 0 comments · Fixed by #14922
Labels
T:Bug

Comments

@odeke-em
Copy link
Collaborator

Noticed in a security audit that this code for LegacyNewDec only checks that precision > LegacyPrecision

cosmos-sdk/math/dec.go

Lines 81 to 86 in 00ad3ec

func precisionMultiplier(prec int64) *big.Int {
if prec > LegacyPrecision {
panic(fmt.Sprintf("too much precision, maximum %v, provided %v", LegacyPrecision, prec))
}
return precisionMultipliers[prec]
}

but then blindly passes the value to index precisionMultipliers

Reproduction:

func TestDecPrecision(t *testing.T) {
        LegacyNewDecWithPrec(10, -1)
}

which panics with

panic: runtime error: index out of range [-1] [recovered]
	panic: runtime error: index out of range [-1]

goroutine 19 [running]:
testing.tRunner.func1.2({0x1475040, 0xc000136288})
	/Users/emmanuelodeke/go/src/go.googlesource.com/go/src/testing/testing.go:1506 +0x24e
testing.tRunner.func1()
	/Users/emmanuelodeke/go/src/go.googlesource.com/go/src/testing/testing.go:1509 +0x39f
panic({0x1475040, 0xc000136288})
	/Users/emmanuelodeke/go/src/go.googlesource.com/go/src/runtime/panic.go:884 +0x213
cosmossdk.io/math.precisionMultiplier(...)
	/Users/emmanuelodeke/go/src/github.com/cosmos/cosmos-sdk/math/dec.go:85
cosmossdk.io/math.LegacyNewDecWithPrec(0xa, 0xffffffffffffffff)
	/Users/emmanuelodeke/go/src/github.com/cosmos/cosmos-sdk/math/dec.go:97 +0xd9
cosmossdk.io/math.TestDecPrecision(0x0?)
	/Users/emmanuelodeke/go/src/github.com/cosmos/cosmos-sdk/math/panic_test.go:27 +0x25
testing.tRunner(0xc000103860, 0x14d2748)
	/Users/emmanuelodeke/go/src/go.googlesource.com/go/src/testing/testing.go:1556 +0x10b
created by testing.(*T).Run
	/Users/emmanuelodeke/go/src/go.googlesource.com/go/src/testing/testing.go:1603 +0x35f
exit status 2

Even though the validation is to panic, at least let's ensure it is intended as opposed to being unintended.
@odeke-em odeke-em added the T:Bug label Nov 24, 2022
@odeke-em odeke-em mentioned this issue Dec 11, 2022
Merged
odeke-em added a commit that referenced this issue Dec 11, 2022
@odeke-em
fix: math: add LegacyNewDecFromStr fuzzers + remove unnecessary error…
f13fa73 
… wrapping

Adds fuzzers for LegacyNewDecFromStr as well as a regression test
that requires some patches to have been made. While here, removed
unnecessary error wrapping.

Updates #14004
Fixes #14251
@github-project-automation github-project-automation bot moved this to 📝 Todo in Cosmos-SDK Jan 16, 2023
@julienrbrt julienrbrt mentioned this issue Feb 6, 2023
Merged
19 tasks
@github-project-automation github-project-automation bot moved this from 📝 Todo to 👏 Done in Cosmos-SDK Feb 6, 2023
@tac0turtle tac0turtle removed this from Cosmos-SDK May 31, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
T:Bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(math): check for negative precision cosmos/cosmos-sdk
2 participants
@odeke-em @tac0turtle