From 499e78c25ba6fcc408f8352320f20fff1d4dff54 Mon Sep 17 00:00:00 2001 From: Simon Warta Date: Wed, 21 Aug 2024 17:14:06 +0200 Subject: [PATCH 1/2] Add title and description to CWA-2023-004 --- CWAs/CWA-2023-004.md | 36 +++++++++++++++++++++++++++++++++++- CWAs/README.md | 12 ++++++------ 2 files changed, 41 insertions(+), 7 deletions(-) diff --git a/CWAs/CWA-2023-004.md b/CWAs/CWA-2023-004.md index 8b51f66..9826d90 100644 --- a/CWAs/CWA-2023-004.md +++ b/CWAs/CWA-2023-004.md @@ -1,4 +1,4 @@ -# CWA-2023-004 +# CWA-2023-004: Excessive number of function paramters in compiled Wasm **Severity** 
@@ -20,6 +20,39 @@ and are neither patched nor analyzed. - [wasmvm 1.4.2](https://github.com/CosmWasm/wasmvm/releases/tag/v1.4.2) (cosmwasm-vm 1.4.2) - [wasmvm 1.5.1](https://github.com/CosmWasm/wasmvm/releases/tag/v1.5.1) (cosmwasm-vm 1.5.1) +## Description of the bug + +In a Wasm file, the signature of a function is stored separately and referenced in the function. +This is demonstrated in the following example where you see + +1. a function signature with two integers input and one integer output is defined +2. two functions referencing this signature are defined (`a+b` and `a-b`) +3. the two functions are exported under the names "sum" and "diff" + +```wasm +(module + (type $binary_operation_t (func (param i32 i32) (result i32))) + (func $sum_f (type $binary_operation_t) + local.get 0 + local.get 1 + i32.add) + (func $diff_f (type $binary_operation_t) + local.get 0 + local.get 1 + i32.sub) + (export "sum" (func $sum_f)) + (export "diff" (func $diff_f)) +) +``` + +This is harmless in Wasm bytecode, but once the function is compiled, signature are inlined multiple times +in the compiled code. +Using a large signature that is referenced by a large number of function, +you get pretty much a compression bomb – small in the uploaded Wasm blob but huge after compilation. +This can lead to +modules of several hundreds of megabytes or even gigabytes, leading to unexpected cache behaviour, unexpected disk +consumption, slowdows and in some cases even crashes of the node process. + ## Patch - 1.5: https://github.com/CosmWasm/cosmwasm/compare/v1.5.0...v1.5.1 @@ -73,3 +106,4 @@ We extend our gratitude to the CertiK team for their professionalism and commitm - 2024-01-08: Patch release announcement is sent to the notification list and posted in the Cosmos Hub Forum. - 2024-01-09: Backports to CosmWasm 1.2, 1.3, 1.4, 1.5 are finalized. - 2024-01-10: Patch released +- 2024-08-21: Title and description added to advisory 
diff --git a/CWAs/README.md b/CWAs/README.md index 2fedff0..e028177 100644 --- a/CWAs/README.md +++ b/CWAs/README.md @@ -27,12 +27,12 @@ ## 2023 -| Severity[^1] | Scope[^2] | ID | -| ------------ | --------- | --------------------------------------------------------------------------- | -| High | VM | [CWA-2023-004][CWA-2023-004] | -| Medium | x/wasm | [CWA-2023-003: Inefficient ListChannels query implementation][CWA-2023-003] | -| | VM | [CWA-2023-002: Stack overflow crash (Codename Cherry)][CWA-2023-002] | -| | VM | [CWA-2023-001: Potential overflow in cache statistics][CWA-2023-001] | +| Severity[^1] | Scope[^2] | ID | +| ------------ | --------- | ------------------------------------------------------------------------------------- | +| High | VM | [CWA-2023-004: Excessive number of function paramters in compiled Wasm][CWA-2023-004] | +| Medium | x/wasm | [CWA-2023-003: Inefficient ListChannels query implementation][CWA-2023-003] | +| | VM | [CWA-2023-002: Stack overflow crash (Codename Cherry)][CWA-2023-002] | +| | VM | [CWA-2023-001: Potential overflow in cache statistics][CWA-2023-001] | [CWA-2023-004]: ./CWA-2023-004.md [CWA-2023-003]: ./CWA-2023-003.md From 2921a2e34a1c2d6776bc9b64f6c32d43b453b629 Mon Sep 17 00:00:00 2001 From: Simon Warta <2603011+webmaster128@users.noreply.github.com> Date: Thu, 22 Aug 2024 09:50:22 +0200 Subject: [PATCH 2/2] Apply suggestions from code review Co-authored-by: Christoph Otter --- CWAs/CWA-2023-004.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CWAs/CWA-2023-004.md b/CWAs/CWA-2023-004.md index 9826d90..d0fbc0d 100644 --- a/CWAs/CWA-2023-004.md +++ b/CWAs/CWA-2023-004.md 
@@ -45,9 +45,9 @@ This is demonstrated in the following example where you see ) ``` -This is harmless in Wasm bytecode, but once the function is compiled, signature are inlined multiple times +This is harmless in Wasm bytecode, but once the function is compiled, signatures are inlined multiple times in the compiled code. -Using a large signature that is referenced by a large number of function, +Using a large signature that is referenced by a large number of functions, you get pretty much a compression bomb – small in the uploaded Wasm blob but huge after compilation. This can lead to modules of several hundreds of megabytes or even gigabytes, leading to unexpected cache behaviour, unexpected disk
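Review bot: The new title in the `@@ -1,4 +1,4 @@` hunk of CWAs/CWA-2023-004.md misspells "parameters" as "paramters" (`# CWA-2023-004: Excessive number of function paramters in compiled Wasm`), and the same misspelling is copied into the README table row in the `@@ -27,12 +27,12 @@` hunk of CWAs/README.md; suggest correcting both to `Excessive number of function parameters in compiled Wasm` in the same commit so the advisory title and the index stay in sync.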
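Review bot: In the `@@ -20,6 +20,39 @@` hunk of CWAs/CWA-2023-004.md, the last sentence of the new "Description of the bug" section still reads "slowdows" (should be "slowdowns"), and the section explains the blow-up but never states which property the patch constrains; since the title names "number of function parameters", one sentence linking the description to the fix (that the patched versions bound the parameter count a signature may carry) would let readers know what changed without opening the compare links under "## Patch".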
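Review bot: The `@@ -45,9 +45,9 @@` hunk in PATCH 2/2 fixes "signature are" and "number of function" but leaves "slowdows" in the same paragraph (two lines past this hunk's trailing context, visible in the first patch); suggest folding that correction into this review-suggestions commit rather than leaving a third typo pass for later.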