logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2024-7884 ic-cdk

Package

Manager: cargo
Name: ic-cdk
Vulnerable Version: >=0.8.0 <0.8.2

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00506 pctl0.65265

Details

Memory leak when calling a canister method via `ic_cdk::call` When a canister method is called via `ic_cdk::call*`, a new Future `CallFuture` is created and can be awaited by the caller to get the execution result. Internally, the state of the Future is tracked and stored in a struct called `CallFutureState`. A bug in the polling implementation of the `CallFuture` allows multiple references to be held for this internal state and not all references were dropped before the `Future` is resolved. Since we have unaccounted references held, a copy of the internal state ended up being persisted in the canister's heap and thus causing a memory leak. ### Impact Canisters built in Rust with `ic_cdk` and `ic_cdk_timers` are affected. If these canisters call a canister method, use timers or heartbeat, they will likely leak a small amount of memory on every such operation. **In the worst case, this could lead to heap memory exhaustion triggered by an attacker.** Motoko based canisters are not affected by the bug. ### Patches The patch has been backported to all minor versions between `>= 0.8.0, <= 0.15.0`. The patched versions available are `0.8.2, 0.9.3, 0.10.1, 0.11.6, 0.12.2, 0.13.5, 0.14.1, 0.15.1` and their previous versions have been yanked. ### Workarounds There are no known workarounds at the moment. Developers are recommended to upgrade their canister as soon as possible to the latest available patched version of `ic_cdk` to avoid running out of Wasm heap memory. > Upgrading the canisters (without updating `ic_cdk`) also frees the leaked memory but it's only a temporary solution. ### Referencesas - [dfinity/cdk-rs/pull/509](https://github.com/dfinity/cdk-rs/pull/509) - [ic_cdk docs](https://docs.rs/ic-cdk/latest/ic_cdk/) - [Internet Computer Specification](https://internetcomputer.org/docs/current/references/ic-interface-spec)

Metadata

Created: 2024-09-05T12:00:00Z
Modified: 2024-09-07T18:23:36Z
Source: https://osv-vulnerabilities
CWE IDs: N/A
Alternative ID: N/A
Finding: F067
Auto approve: 1