CVE-2022-39354: Incorrect is_static parameter for custom stateful precompiles in SputnikVM (evm)

October 25, 2022

A custom stateful precompile can use the is_static parameter to determine if the call is executed in a static context (via STATICCALL), and thus decide if stateful operations should be done. Previously, the passed is_static parameter was incorrect – it was only set to true if the call comes from a direct STATICCALL opcode. However, once a static call context is entered, it should stay static.

The issue only impacts custom precompiles that actually uses is_static. The maintainers estimate the usage is low. However, for those affected, it can lead to possible incorrect state transitions.

References

github.com/advisories/GHSA-hhc4-47rh-cr34
github.com/rust-blockchain/evm
github.com/rust-blockchain/evm/pull/133
github.com/rust-blockchain/evm/security/advisories/GHSA-hhc4-47rh-cr34
nvd.nist.gov/vuln/detail/CVE-2022-39354
rustsec.org/advisories/RUSTSEC-2022-0083.html

Detect and mitigate CVE-2022-39354 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →