N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-q669-2vfg-cxcg

EPSS Score

CWE

Published

2/2/2024

Updated

2/2/2024

KEV Status

Technology

Rust

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-q669-2vfg-cxcg

GHSA-q669-2vfg-cxcg: Nervos CKB Unaligned Pointer Dereference

via bounty@nervos.org

There are multiple type conversions in ckb that unsafely cast between byte pointers and other types of pointers. This results in unaligned pointers, which are not allowed by the Rust language, and are considered undefined behavior, meaning that the compiler is free to do anything with code. This can lead to unpredictable bugs that can become security vulnerabilities.

Some of the bugs here could potentially lead to buffer overreads in malformed data (it's not clear to me as I haven't investigated the practical impact of these bugs).

Two of these (in blockchain.rs) do not create unaligned data. They do though perform an unsafe operation that may not uphold the invariants of the safe function they are in, and could lead to undefined behavior and buffer overreads on malformed input.

These are of the same nature as those in my previous report about the molecule crate.

Patch attached for commit 1b09e37c8e1b7945495cd18d9782417fbe51e986 that fixes all cases I know of at this time.

Please consider this report for reward under the terms of the bug bounty program.

Related advisory: https://github.com/nervosnetwork/molecule/security/advisories/GHSA-rffv-8x7x-p7pw

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-q669-2vfg-cxcg

EPSS Score

CWE

Published

2/2/2024

Updated

2/2/2024

KEV Status

Technology

Rust

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
ckb	rust	<= 0.31.0	0.31.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from unsafe pointer casts from byte arrays to native integer pointers (u32/u64/u128) followed by immediate dereferencing. This violates Rust's alignment requirements, creating undefined behavior. The commit diff shows these patterns were replaced with safe byte array copying using from_le_bytes/from_be_bytes, confirming the original implementations were vulnerable. The affected functions are clearly identified in protocol message decoding and primitive type conversion implementations where raw pointer manipulation occurred.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

vi* *ounty@n*rvos.or* T**r* *r* multipl* typ* *onv*rsions in *k* t**t uns***ly **st **tw**n *yt* point*rs *n* ot**r typ*s o* point*rs. T*is r*sults in un*li*n** point*rs, w*i** *r* not *llow** *y t** Rust l*n*u***, *n* *r* *onsi**r** un***in** ****v

Reasoning

T** vuln*r**ility st*ms *rom uns*** point*r **sts *rom *yt* *rr*ys to n*tiv* int***r point*rs (u**/u**/u***) *ollow** *y imm**i*t* **r***r*n*in*. T*is viol*t*s Rust's *li*nm*nt r*quir*m*nts, *r**tin* un***in** ****vior. T** *ommit *i** s*ows t**s* p*

N/A

Basic Information

Concerned about an active attack path?

GHSA-q669-2vfg-cxcg: Nervos CKB Unaligned Pointer Dereference

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI