Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Process killed with high RAM usage when setting malicious DataReaderQoS setting #4527

Closed
mirusu400 opened this issue Mar 20, 2024 · 1 comment
Closed

Process killed with high RAM usage when setting malicious DataReaderQoS setting #4527

mirusu400 opened this issue Mar 20, 2024 · 1 comment

Comments

@mirusu400
Copy link

mirusu400 commented Mar 20, 2024
edited

Expected behavior

Process will exit or handle exceptions

Current Behavior

Process keeps trying to make DataReader, but it crash and got killed signal with high RAM usage, finally got exited with singal SIGKILL.

This allows a local attacker to cause a denial of service and obtain sensitive information via a crafted max_samples component.

Steps to produce

Download poc project below.
DataReaderQos_poc.zip

mkdir build
cd build
cmake ..
make
./subscriber

stdout:

$ ./subscriber
Create DomainParticipantFactory
Create DomainParticipant
0x617000002380
Create Subscriber
0x61900001f480  0x61900001f980
Create DataWriter
Killed

    DDS::Subscriber_var subscriber = participant->create_subscriber(sub_qos, 0, OpenDDS::DCPS::DEFAULT_STATUS_MASK);
    DDS::Publisher_var publisher = participant->create_publisher(pub_qos, 0, OpenDDS::DCPS::DEFAULT_STATUS_MASK);

    std::cout << subscriber << "\t" << publisher << std::endl;

    /*
      What the hell?????????????????????????
    */
    subscriber->get_default_datareader_qos(dr_qos);
    dr_qos.resource_limits.max_samples = 900000000;


    std::cout << "Create DataWriter" << std::endl;
    // Create datawriter, datareader
    DDS::DataReader_var reader = subscriber->create_datareader(topic, dr_qos, 0, OpenDDS::DCPS::DEFAULT_STATUS_MASK);
    DDS::DataWriter_var writer = publisher->create_datawriter(topic, dw_qos, 0, OpenDDS::DCPS::DEFAULT_STATUS_MASK);

In lines 122 to 137 of the Oppends_poc.cpp file, if we specify a value that is too large for the PC to manage during DataReader's QoS settings, the process will be forced to shut down.

OpenDDS Version

b1c5340

Platform

Ubuntu 22.04

Additional context

This issue seems similar with #4388, and it was answered with one word: The responsiblity of the user. However, since fatal memory leaks can occur, I think OpenDDS, like other DDS software, should have at least a minimum guide.
@iguessthislldo
Copy link
Member

It's basically the same as the other issue, but with a reader instead of a writer.

@iguessthislldo iguessthislldo closed this as not planned Won't fix, can't repro, duplicate, stale Mar 20, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@iguessthislldo @mirusu400