Security Fix in Motoko (dfx 0.24.3)

We encountered a bug in the Motoko runtime system that, under specific circumstances, could lead to unwanted memory writes or reads. Programs are only affected if they use the incremental garbage collector (compile option --incremental-gc) or enhanced orthogonal persistence (compile option --enhanced-orthogonal-persistence). The bug is hard to trigger, as it depends on heap constellations, GC scheduling, and the use of specific language features at a large or frequent scale.

The bug is fixed in the recent Motoko release 0.14.3 deployed in dfx version 0.24.3. If you are using the incremental garbage collector or enhanced orthogonal persistence, we strongly recommend that you upgrade your Motoko program with the latest dfx.

Instructions:

  1. Download or upgrade to the latest dfx, 0.24.3 or higher:

     dfxvm update

  2. For all your Motoko applications on IC:

     dfx deploy --network ic

We also have a GitHub security advisory for this: "Uninitialized memory access in Motoko incremental garbage collector" (dfinity/motoko on GitHub).

If you have any questions, please do not hesitate to contact us via team-motoko@dfinity.org

Many thanks
Luc

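A pre-deployment check for the instructions above, as an added example that is not part of the original post and not DFINITY tooling. It assumes the two compiler options are set in the project's dfx.json; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: decide whether a project needs the upgrade described above.
# Assumption: the Motoko compiler options are configured in dfx.json.

FIXED_DFX="0.24.3"   # first dfx version carrying the fix, per the post

# version_ge A B: succeeds when dotted version A >= B.
# Uses sort -V (GNU coreutils / busybox) so that 0.9.0 sorts below 0.24.3,
# which a plain string comparison would get wrong.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# uses_affected_feature FILE: succeeds when FILE mentions either compiler
# option named in the post.
uses_affected_feature() {
    grep -Eq -e '--(incremental-gc|enhanced-orthogonal-persistence)' "$1"
}

# assess DFX_VERSION CONFIG: prints one verdict.
#   not-affected           neither option is present in CONFIG
#   upgrade-then-redeploy  option present and dfx is older than the fix
#   redeploy               option present and dfx already has the fix; canisters
#                          built before the upgrade still need a redeploy
assess() {
    if ! uses_affected_feature "$2"; then
        echo "not-affected"
    elif version_ge "$1" "$FIXED_DFX"; then
        echo "redeploy"
    else
        echo "upgrade-then-redeploy"
    fi
}

# Command-line use: sh check.sh "$(dfx --version | awk '{print $2}')" dfx.json
if [ "$#" -eq 2 ]; then
    assess "$1" "$2"
fi
```

A "not-affected" verdict only covers options found in the file passed in; options supplied to the compiler some other way are not seen by this check.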