
Fix a memory bug in ldap's ParseDN function by disabling part of the functionality #6770

Merged
merged 1 commit into from Feb 19, 2024

Conversation

inteon
Copy link
Member

@inteon inteon commented Feb 19, 2024

Quick fix for memory issues caused by the github.com/go-asn1-ber/asn1-ber library.
Similar to notaryproject/notation-go#275.
Will be superseded by #6761, the goal of this PR is to backport this quick fix to older cert-manager versions.

Kind

/kind bug

Release Note

Bugfix: LiteralSubjects with a #= value can result in memory issues due to faulty BER parser (github.com/go-asn1-ber/asn1-ber).

…functionality

Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
@jetstack-bot jetstack-bot added kind/bug Categorizes issue or PR as related to a bug. release-note Denotes a PR that will be considered when it comes time to generate release notes. dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. labels Feb 19, 2024
@inteon inteon added this to the 1.15-alpha.0 milestone Feb 19, 2024
@jetstack-bot jetstack-bot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Feb 19, 2024
@ThatsMrTalbot
Copy link
Contributor

/lgtm

@jetstack-bot jetstack-bot added the lgtm Indicates that a PR is ready to be merged. label Feb 19, 2024
@inteon
Copy link
Member Author

inteon commented Feb 19, 2024

/approve

@jetstack-bot
Copy link
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: inteon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jetstack-bot jetstack-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 19, 2024
@inteon
Copy link
Member Author

inteon commented Feb 19, 2024

/cherrypick release-1.14

@jetstack-bot
Copy link
Collaborator

@inteon: once the present PR merges, I will cherry-pick it on top of release-1.14 in a new PR and assign it to you.

In response to this:

/cherrypick release-1.14

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@inteon
Copy link
Member Author

inteon commented Feb 19, 2024

/cherrypick release-1.13

@jetstack-bot
Copy link
Collaborator

@inteon: once the present PR merges, I will cherry-pick it on top of release-1.13 in a new PR and assign it to you.

In response to this:

/cherrypick release-1.13

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@inteon
Copy link
Member Author

inteon commented Feb 19, 2024

/cherrypick release-1.12

@jetstack-bot
Copy link
Collaborator

@inteon: once the present PR merges, I will cherry-pick it on top of release-1.12 in a new PR and assign it to you.

In response to this:

/cherrypick release-1.12

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@SgtCoDFish
Copy link
Member

/hold

Should this even be merged into master? Why not merge into release-1.14 and then cherry-pick from there into release-1.13 and release-1.12?

I don't think we ever intend for this code to be used in a future release.

I'm happy to merge as-is; the hold is just to ask the question.

@jetstack-bot jetstack-bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 19, 2024
@inteon
Copy link
Member Author

inteon commented Feb 19, 2024

@SgtCoDFish My plan is to merge this bugfix in master and backport to all older versions.
The goal is to already fix the problem here, so we can later have a new implementation that still works even for the new test case that was added in this PR.
I do agree that this will only be in the master branch for a short time, but I do think it is a good approach to not exceed master in terms of bugfixes etc.
/unhold

@jetstack-bot jetstack-bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 19, 2024
@SgtCoDFish
Copy link
Member

diff --git a/pkg/util/pki/parse_test.go b/pkg/util/pki/parse_test.go
index a219564c4..34307b0da 100644
--- a/pkg/util/pki/parse_test.go
+++ b/pkg/util/pki/parse_test.go
@@ -47,6 +47,15 @@ func generatePKCS8PrivateKey(keyAlgo v1.PrivateKeyAlgorithm, keySize int) ([]byt
 	return EncodePKCS8PrivateKey(privateKey)
 }
 
+func BenchmarkParseSubject(b *testing.B) {
+	for n := 0; n < b.N; n++ {
+		_, err := ParseSubjectStringToRawDERBytes("DF=#6666666666665006838820013100000746939546349182108463491821809FBFFFFFFFFF")
+		if err == nil {
+			b.Fatal("expected error, but got none")
+		}
+	}
+}
+
 func TestDecodePrivateKeyBytes(t *testing.T) {
 	type testT struct {
 		name         string
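Review bot: the benchmark asserts that parsing fails but gives no hint why the `DF=#6666...` literal is expected to be rejected; a one-line comment marking it as a malformed hex-encoded (`#`) BER value, the case this PR disables, would keep the benchmark meaningful for the follow-up in #6761 that is meant to restore that functionality. Consider also calling `b.ReportAllocs()` at the top of `BenchmarkParseSubject` so the B/op and allocs/op columns you compare below are reported even when `-benchmem` is not passed.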

Run with:

go test -bench=. -benchmem ./pkg/util/pki/...

Before this change:

goos: darwin
goarch: arm64
pkg: github.com/cert-manager/cert-manager/pkg/util/pki
BenchmarkParseSubject-12              58          20398892 ns/op        1665740367 B/op       58 allocs/op

After this change:

goos: darwin
goarch: arm64
pkg: github.com/cert-manager/cert-manager/pkg/util/pki
BenchmarkParseSubject-12         2340868               475.9 ns/op           304 B/op          4 allocs/op

Might be worth adding that benchmark to the followup PR for comparison.
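As an added example, not cert-manager's code and not the change in this PR, the guard below shows the shape of the quick fix the thread discusses: walk the RFC 4514 subject string, and refuse any attribute value written as a `#` hex literal before it can ever reach a BER decoder. `CheckSubjectString`, `splitUnescaped` and `ErrHexLiteralUnsupported` are hypothetical names; the inputs in `main` are constructed, except the `DF=#6666...` literal, which is the one from the benchmark above.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrHexLiteralUnsupported is returned for any attribute value written as a
// '#' hex literal (RFC 4514 section 2.4). Such values are otherwise handed to a
// BER decoder, which is the code path the quick fix switches off entirely.
// (Hypothetical name, not cert-manager's.)
var ErrHexLiteralUnsupported = errors.New("hex-encoded (#...) attribute values are not supported")

// splitUnescaped splits s on sep, ignoring separators preceded by a backslash,
// so "CN=a\,b" stays one attribute value. (Hypothetical helper.)
func splitUnescaped(s string, sep byte) []string {
	var parts []string
	start := 0
	for i := 0; i < len(s); i++ {
		switch s[i] {
		case '\\':
			i++ // skip the escaped character, whatever it is
		case sep:
			parts = append(parts, s[start:i])
			start = i + 1
		}
	}
	return append(parts, s[start:])
}

// CheckSubjectString walks the RDNs (',') and their attribute-type-and-value
// pairs ('+') of an RFC 4514 string. It returns ErrHexLiteralUnsupported on
// the first '#'-prefixed value and a plain error for a malformed "type=value"
// pair. It never decodes BER, so an attacker-shaped hex literal costs only the
// string scan, not the allocations seen in the "before" benchmark.
// (Hypothetical function, not cert-manager's.)
func CheckSubjectString(dn string) error {
	for _, rdn := range splitUnescaped(dn, ',') {
		for _, atv := range splitUnescaped(rdn, '+') {
			typ, val, ok := strings.Cut(atv, "=")
			if !ok || strings.TrimSpace(typ) == "" {
				return fmt.Errorf("malformed attribute %q", atv)
			}
			if strings.HasPrefix(strings.TrimSpace(val), "#") {
				return fmt.Errorf("%w: attribute %q", ErrHexLiteralUnsupported, strings.TrimSpace(typ))
			}
		}
	}
	return nil
}

func main() {
	// Constructed inputs; the last one is the literal from the benchmark in this thread.
	inputs := []string{
		"CN=example.com,O=Example",
		"CN=a\\,b+OU=x,O=y",
		"noequals",
		"DF=#6666666666665006838820013100000746939546349182108463491821809FBFFFFFFFFF",
	}
	for _, in := range inputs {
		fmt.Printf("%-80q -> %v\n", in, CheckSubjectString(in))
	}
}
```

The check is deliberately shallow: it does not validate the rest of the DN syntax, it only ensures the one construct that fed the faulty parser can no longer be reached, which is what a backportable quick fix should do while the full reimplementation lands separately.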

@inteon
Copy link
Member Author

inteon commented Feb 19, 2024

/retest

@jetstack-bot jetstack-bot merged commit d642df3 into cert-manager:master Feb 19, 2024
7 checks passed
@jetstack-bot
Copy link
Collaborator

@inteon: new pull request created: #6772

In response to this:

/cherrypick release-1.13

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@jetstack-bot
Copy link
Collaborator

@inteon: new pull request created: #6773

In response to this:

/cherrypick release-1.12

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@jetstack-bot
Copy link
Collaborator

@inteon: new pull request created: #6774

In response to this:

/cherrypick release-1.14

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
