Add missing bounds check to <FamStructWrapper as Versionize>::deserialize
#53
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
An issue was discovered in the
Versionize::deserializeimplementation provided by theversionizecrate forvmm_sys_utils::fam::FamStructWrapper, which can lead to out of bounds memory accesses. Objects of this type are used to model structures containing C-style flexible array members [1]. These structures contain a memory allocation that is prefixed by a header containing the size of the allocation.Due to treating the header and the memory allocation as two objects,
Versionize's data format stores the size of the allocation twice: once in the header and then again as its own metadata of the memory allocation. A serializedFamStructWrapperthus looks as follows:During deserialization, the library separately deserializes the header and the memory allocation. It allocates
len2bytes of memory, and then prefixes it with the separately deserialized header. Sincelen2is an implementation detail of theVersionizeimplementation, it is forgotten about at the end of the deserializefunction, and all subsequent operations on theFamStructWrapperassume the memory allocated to have sizelen1. If deserialization input was malformed such thatlen1 != len2, then this can lead to (safe) functions onFamStructWrapperto read past the end of allocated memory (iflen1 > len2).The issue was corrected by inserting a check that verifies that these two lengths are equal, and aborting deserialization otherwise.
License Acceptance
By submitting this pull request, I confirm that my contribution is made under
the terms of the Apache 2.0 license.
PR Checklist
[Author TODO: Meet these criteria.][Reviewer TODO: Verify that these criteria are met. Request changes if not]git commit -s).unsafecode is properly documented.CHANGELOG.md.