Skip to content

Overflow Flag Setting Misoptimization

Moderate
hedgar2017 published GHSA-qmhp-5v3m-jph6 Nov 10, 2023

Package

zksolc (Solidity)

Affected versions

1.3.12 - 1.3.15

Patched versions

1.3.16

Description

Impact

The bug affects addmod and mulmod instructions when a specific LLVM optimizer pass for EraVM finds patterns described below.

To model overflow flag setting instructions, LLVM Selection DAG provides uaddo (umulo, usubo) nodes. These nodes return wrapped computation result as well as an overflow flag. Unlike add! (mul!, sub!) the flag set by nodes is not perished if another flag setting node exists in cthe omputation, and scheduler is able to handle cases of circular dependencies.

result, of = uaddo a, b
c = another_flag ? result : d
e = of ? c : f

There is also a select DAG node which reflects the C ternary operator's ?: semantic. The bug happens when both uaddo result and flags are used in a way that a single add! instruction makes the correct scheduling impossible.

Analysis has shown that no contracts were affected by the date of publishing this advisory.

Patches

Fixed in version 1.3.16.

Workarounds

Upgrading and redeploying affected contracts is the only way.

Severity

Moderate

CVE ID

CVE-2023-46232

Weaknesses

No CWEs