fix(flexbuffers): harden Rust Reader against panics from untrusted input#8924
Open
jrey8343 wants to merge 1 commit intogoogle:masterfrom
Open
fix(flexbuffers): harden Rust Reader against panics from untrusted input#8924jrey8343 wants to merge 1 commit intogoogle:masterfrom
jrey8343 wants to merge 1 commit intogoogle:masterfrom
Conversation
|
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
jrey8343
force-pushed
the
fix/flexbuffers-bounds-checks
branch
from
ccd9e6d to
3bc1848
Compare
The FlexBuffers Rust Reader had multiple code paths that could panic when processing malformed or malicious input: 1. Bounds check failures: `get_bool()`, `get_key_len()`, `read_usize()`, and `MapReader::lazy_strcmp()` used direct slice indexing (`buffer[addr..]`) which panics on out-of-bounds access. Replaced with checked `.get()` calls that return errors instead. 2. Integer overflow: `get_str()`, `get_blob()`, `get_key()`, `get_slice()`, `VectorReader::index()`, `VectorReader::get_elem_type()`, `MapReader::index_key()`, and `MapReader::usize_index()` computed `address + length` or `address + width * count` using unchecked arithmetic, which panics on overflow in debug mode and wraps in release mode. Replaced with `checked_add()` / `checked_mul()`. These panics are reachable from any code that deserializes FlexBuffers from untrusted sources (network, files, IPC), enabling denial of service. All three crash inputs found by fuzzing now return `Err` instead of panicking. Fixes google#8923
jrey8343
force-pushed
the
fix/flexbuffers-bounds-checks
branch
from
3bc1848 to
ba4027e
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The FlexBuffers Rust
Readerhas multiple code paths that panic when processing malformed or malicious input, enabling denial of service for any application that deserializes FlexBuffers from untrusted sources.This patch systematically replaces all unchecked buffer accesses and unchecked integer arithmetic in the FlexBuffers reader with checked alternatives that return
Errinstead of panicking.Bounds check failures (direct
buffer[addr..]indexing →.get())get_bool()(mod.rs): slicedself.buffer[self.address..self.address + width]without bounds checkget_key_len()(mod.rs): slicedself.buffer[self.address..]without bounds checkread_usize()(mod.rs): sliced&buffer[address..]and usedcursor[0]without bounds checkMapReader::lazy_strcmp()(map.rs): slicedself.buffer[key_addr..]without bounds check (had aTODO: Can we know this won't OOB and panic?comment)Integer overflow (
address + length→checked_add/checked_mul)get_str(),get_blob(),get_key()(mod.rs):self.address + self.length()overflows when length is read from malicious inputget_slice()(mod.rs):self.address + self.length() * size_of::<T>()— double overflow riskVectorReader::get_elem_type(),VectorReader::index()(vector.rs):address + length * widthMapReader::index_key(),MapReader::usize_index()(map.rs): multipleaddress + width * countcalculationsCrash inputs (found by fuzzing with cargo-fuzz/libFuzzer)
5d 79 6b 02mod.rs:326get_bool()— range end index 8 out of range for slice of length 44f 71 02 6b 02mod.rs:32600*14 17 02mod.rs:378get_str()— attempt to add with overflowAll three inputs now return
Err(FlexbufferOutOfBounds)instead of panicking.Test plan
cargo checkpasses for flexbuffers cratecargo fuzz run <target> <crash> -- -runs=1)fuzz_flexbuffers_readerFixes #8923