CVE-2024-7884: ic-cdk has a memory leak when calling a canister method via `ic_cdk::call`

September 5, 2024

When a canister method is called via ic_cdk::call*, a new Future CallFuture is created and can be awaited by the caller to get the execution result. Internally, the state of the Future is tracked and stored in a struct called CallFutureState. A bug in the polling implementation of the CallFuture allows multiple references to be held for this internal state and not all references were dropped before the Future is resolved. Since we have unaccounted references held, a copy of the internal state ended up being persisted in the canister’s heap and thus causing a memory leak.

References

docs.rs/ic-cdk/latest/ic_cdk
github.com/advisories/GHSA-rwq6-crjg-9cpw
github.com/dfinity/cdk-rs
github.com/dfinity/cdk-rs/pull/509
github.com/dfinity/cdk-rs/security/advisories/GHSA-rwq6-crjg-9cpw
internetcomputer.org/docs/current/references/ic-interface-spec
nvd.nist.gov/vuln/detail/CVE-2024-7884

Code Behaviors & Features

Detect and mitigate CVE-2024-7884 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →