Our team surveyed go-ethereum (geth) security vulnerabilities on the CVE Details website (https://www.cvedetails.com/vulnerability-list/vendor_id-17524/product_id-51210/Ethereum-Go-Ethereum.html) and spotted several that could affect XDC. Here is the list of the vulnerabilities.
1. CVE-2022-29177
This vulnerability is about using an index `d` of type `uint` to access the array `discReasonToString`. The index bound check is done by converting `d` to `int(d)` and checking whether `len(discReasonToString) < int(d)`. This check misses the situation where `int(d)` could be negative. We fix the check to `len(discReasonToString) <= int(d) || int(d) < 0`.
In the XDC codebase, our team finds that we cannot use the geth fix (ethereum#24507), since modifying `DiscReason` to `uint8` messes up the message encoding.
Status: Merged into branch dev-upgrade.
Links:
https://www.cvedetails.com/cve/CVE-2022-29177/
https://github.com/XinFinOrg/XDPoSChain/pull/242
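As an added illustration (not code from geth or the XDC pull request), the vulnerable bound check is shown beside the corrected one. The table, the `DiscReason` type and the helper names are constructed for the example; `DiscReason` is kept as `uint`, matching the post's note that XDC cannot switch it to `uint8`.

```go
package main

import "fmt"

// DiscReason stays a uint here, as in the XDC code base.
type DiscReason uint

// Constructed stand-in for geth's discReasonToString table.
var discReasonToString = [...]string{
	0: "disconnect requested",
	1: "network error",
	2: "breach of protocol",
	3: "useless peer",
}

// vulnerableString is the pre-fix check. It only rejects indexes strictly
// above len(table), so two inputs slip through: d == len(table) (off by one)
// and any d >= 2^63, whose int conversion wraps negative on 64-bit.
// Both then index the array out of range and panic.
func vulnerableString(d DiscReason) string {
	if len(discReasonToString) < int(d) {
		return fmt.Sprintf("unknown disconnect reason %d", d)
	}
	return discReasonToString[d]
}

// fixedString is the check the post describes: reject d at or beyond the
// table length, and reject any d whose int conversion went negative.
func fixedString(d DiscReason) string {
	if len(discReasonToString) <= int(d) || int(d) < 0 {
		return fmt.Sprintf("unknown disconnect reason %d", d)
	}
	return discReasonToString[d]
}

// panics reports whether f panics; it makes the vulnerable path observable.
func panics(f func()) (didPanic bool) {
	defer func() {
		if recover() != nil {
			didPanic = true
		}
	}()
	f()
	return false
}

func main() {
	bad := DiscReason(^uint(0)) // all bits set: int(bad) == -1 on 64-bit
	fmt.Println("vulnerable panics on max uint:", panics(func() { vulnerableString(bad) }))
	fmt.Println("vulnerable panics on len(table):", panics(func() { vulnerableString(4) }))
	fmt.Println("fixed, max uint:", fixedString(bad))
	fmt.Println("fixed, in range:", fixedString(2))
}
```

The second vulnerable case (an index equal to the table length) is why the fix changes `<` to `<=` as well as adding the negative check; a peer-supplied disconnect reason that reaches the panic crashes the node, so both halves of the condition matter.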
2. CVE-2021-39137
This vulnerability is caused by pointer misuse in the Go language. It is fixed by using `CopyBytes` to copy the bytes rather than reusing the same pointer.
Status: Merged into branch master.
Links:
https://www.cvedetails.com/cve/CVE-2021-39137/
https://github.com/XinFinOrg/XDPoSChain/commit/b5abbfed79084fdd188837d645d13db229b2d5d0
3. CVE-2020-26241
This vulnerability is about the wrong implementation of the data copy native contract. It is fixed by using `CopyBytes` to copy the bytes.
Status: PR created.
Links:
https://www.cvedetails.com/cve/CVE-2020-26241/
https://github.com/XinFinOrg/XDPoSChain/pull/255
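Items 2 and 3 share one root cause, a returned slice that aliases the caller's buffer, and one fix, copying. The example below is added here and is not the XDC or geth code; `copyBytes` mirrors what geth's `common.CopyBytes` does, the two `DataCopy` functions are constructed stand-ins for the data copy precompile before and after the fix, and the memory contents are made up.

```go
package main

import "fmt"

// copyBytes mirrors common.CopyBytes: a fresh slice with the same contents,
// so later writes to the source cannot reach the copy.
func copyBytes(b []byte) []byte {
	if b == nil {
		return nil
	}
	out := make([]byte, len(b))
	copy(out, b)
	return out
}

// vulnerableDataCopy has the shape of the bug: it hands back the very slice
// it was given, so the "returned" data shares backing memory with the input.
func vulnerableDataCopy(in []byte) []byte { return in }

// fixedDataCopy returns an independent copy, as the fixes in items 2 and 3 do.
func fixedDataCopy(in []byte) []byte { return copyBytes(in) }

// returnDataAfterWrite simulates the sequence that exposes aliasing: run the
// precompile over a window of memory, then overwrite that memory, then read
// the return data that was saved earlier.
func returnDataAfterWrite(run func([]byte) []byte) string {
	memory := []byte("hello") // constructed sample memory
	ret := run(memory[:5])    // precompile output, retained for later use
	copy(memory, "XXXXX")     // a later write into the same memory region
	return string(ret)
}

func main() {
	fmt.Println("vulnerable:", returnDataAfterWrite(vulnerableDataCopy)) // changes under the caller's feet
	fmt.Println("fixed:     ", returnDataAfterWrite(fixedDataCopy))      // stays "hello"
}
```

In a consensus client this is not just a correctness bug: if the retained return data silently changes, different implementations can compute different results for the same transaction, which is why a copy at the boundary is the right fix rather than a caller-side workaround.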
4. CVE-2018-16733
This vulnerability is about the attacker using incorrect starting and ending block numbers to trace blocks. If the starting block number is larger than the ending one, the program would be stuck in an infinite loop. We fix it by checking the starting and ending block numbers.
Status: PR created.
Links:
https://www.cvedetails.com/cve/CVE-2018-16733/
https://github.com/XinFinOrg/XDPoSChain/pull/251/files
5. CVE-2018-12018
This vulnerability is about the attacker using a negative `skip` number to cause an infinite loop. We fix it by checking the `skip` number.
Links:
https://www.cvedetails.com/cve/CVE-2018-12018/
https://github.com/XinFinOrg/XDPoSChain/pull/250
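Items 4 and 5 are both loops driven by peer- or user-supplied numbers. The added example below (not the XDC pull requests' code) shows the two checks the post describes in hardened form: a start/end range that rejects start > end and an overflow-safe iteration, and a header-query walk that rejects a negative `skip`. Function names, the caps `maxTraceBlocks` and `maxHeadersServe`, and the sample calls are all constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed caps; real nodes pick values that fit their RPC and p2p budgets.
const (
	maxTraceBlocks  = 1000
	maxHeadersServe = 192
)

var errBadRange = errors.New("invalid block range")

// traceBlockRange validates a debug-trace style [start, end] range and returns
// the block numbers it covers. The comparison happens before the increment so
// end == max uint64 cannot wrap the counter back to zero.
func traceBlockRange(start, end uint64) ([]uint64, error) {
	if start > end {
		return nil, fmt.Errorf("%w: start %d > end %d", errBadRange, start, end)
	}
	// end-start cannot overflow once start <= end; count = end-start+1 can.
	if end-start >= maxTraceBlocks {
		return nil, fmt.Errorf("%w: more than %d blocks", errBadRange, maxTraceBlocks)
	}
	out := make([]uint64, 0, end-start+1)
	for n := start; ; n++ {
		out = append(out, n)
		if n == end {
			break
		}
	}
	return out, nil
}

// headerNumbers walks a GetBlockHeaders style query (origin, amount, skip,
// reverse) and returns the header numbers that would be served. A negative
// skip is rejected up front, amount is capped, and both directions stop at
// the edges of the uint64 space instead of wrapping.
func headerNumbers(origin uint64, amount int, skip int64, reverse bool) ([]uint64, error) {
	if skip < 0 {
		return nil, fmt.Errorf("%w: negative skip %d", errBadRange, skip)
	}
	if amount <= 0 || amount > maxHeadersServe {
		return nil, fmt.Errorf("%w: amount %d outside 1..%d", errBadRange, amount, maxHeadersServe)
	}
	step := uint64(skip) + 1 // skip >= 0, so this cannot overflow
	out := make([]uint64, 0, amount)
	next := origin
	for len(out) < amount {
		out = append(out, next)
		if reverse {
			if next < step {
				break // would go below block 0
			}
			next -= step
		} else {
			if next > ^uint64(0)-step {
				break // would wrap past the largest block number
			}
			next += step
		}
	}
	return out, nil
}

func main() {
	fmt.Println(traceBlockRange(5, 3))            // error: start > end
	fmt.Println(traceBlockRange(3, 5))            // [3 4 5]
	fmt.Println(headerNumbers(10, 3, -1, false))  // error: negative skip
	fmt.Println(headerNumbers(10, 3, 1, false))   // [10 12 14]
	fmt.Println(headerNumbers(1, 3, 0, true))     // [1 0], stops at genesis
}
```

The general point behind both items: every loop whose bounds come from a remote peer or an RPC caller needs an explicit, monotone progress condition and a cap on total work, because "the cursor eventually reaches the end" is exactly the assumption a crafted start/end pair or skip value breaks.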
Unrelated CVEs
These CVEs are unrelated since the affected code does not exist in XDC:
https://www.cvedetails.com/cve/CVE-2018-19184/
https://www.cvedetails.com/cve/CVE-2020-26264/
https://www.cvedetails.com/cve/CVE-2021-41173/
These CVEs are unrelated since they are about ethash consensus and XDC uses XDPoS consensus:
https://www.cvedetails.com/cve/CVE-2022-37450/
https://www.cvedetails.com/cve/CVE-2021-42219/
https://www.cvedetails.com/cve/CVE-2020-26240/
This CVE is solved by using the latest Go language:
https://www.cvedetails.com/cve/CVE-2020-26242/
This CVE is solved automatically since we have a gas limit for blocks:
https://www.cvedetails.com/cve/CVE-2018-20421/
Discussion (1)
This looks good!