parseSpecIDEvent can allocate an unbounded amount of memory #128

Closed
brandonweeks opened this issue Oct 9, 2019 · 0 comments · Fixed by #129
algs := make([]specAlgSize, header.NumAlgs)
if err := binary.Read(r, binary.LittleEndian, &algs); err != nil {
    return nil, fmt.Errorf("reading algorithms: %v", err)
}

Reproduction:
Produces:

header{
    Signature: [16]uint8{0x53, 0x70, 0x65, 0x63, 0x20, 0x49, 0x44, 0x20, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x30, 0x33, 0x0}, 
    PlatformClass: 0x0, 
    VersionMinor: 0x0, 
    VersionMajor: 0x2,
    Errata: 0x0, 
    UintnSize: 0x2, 
    NumAlgs: 0xffff0001,
}

0xffff0001 = 4.295 GB
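
One way to bound the allocation reported above, as an added example that is not the project's code and not the change merged in #129. The name `parseAlgsBounded`, the cap `maxAlgs`, the helper `buildEvent` and the header field widths are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// Header layout follows the dump in the issue; field widths are assumed.
type specIDHeader struct {
	Signature                                     [16]byte
	PlatformClass                                 uint32
	VersionMinor, VersionMajor, Errata, UintnSize uint8
	NumAlgs                                       uint32
}

type specAlgSize struct{ ID, Size uint16 }

const maxAlgs = 64 // assumed sanity cap, not a value from the project
var errTooManyAlgs = errors.New("NumAlgs exceeds cap or remaining input")

// parseAlgsBounded (hypothetical name) validates NumAlgs before allocating.
func parseAlgsBounded(r *bytes.Reader) ([]specAlgSize, error) {
	var h specIDHeader
	if err := binary.Read(r, binary.LittleEndian, &h); err != nil {
		return nil, fmt.Errorf("reading header: %v", err)
	}
	// Reject counts above the cap or larger than the bytes left in the event.
	need := uint64(h.NumAlgs) * uint64(binary.Size(specAlgSize{}))
	if h.NumAlgs > maxAlgs || need > uint64(r.Len()) {
		return nil, fmt.Errorf("%w: NumAlgs=%#x", errTooManyAlgs, h.NumAlgs)
	}
	algs := make([]specAlgSize, h.NumAlgs)
	if err := binary.Read(r, binary.LittleEndian, algs); err != nil {
		return nil, fmt.Errorf("reading algorithms: %v", err)
	}
	return algs, nil
}

// buildEvent constructs sample input: a header followed by tail bytes.
func buildEvent(numAlgs uint32, tail []byte) *bytes.Reader {
	var b bytes.Buffer
	h := specIDHeader{VersionMajor: 2, UintnSize: 2, NumAlgs: numAlgs}
	copy(h.Signature[:], "Spec ID Event03")
	binary.Write(&b, binary.LittleEndian, h)
	return bytes.NewReader(append(b.Bytes(), tail...))
}

func main() { fmt.Println(parseAlgsBounded(buildEvent(0xffff0001, nil))) }
```

Comparing the requested size with `r.Len()` ties the allocation to the input actually supplied, so a count that passes the cap but overstates the data is rejected as well.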
