Potential index out of bounds in quantity_proto.go #116745

Open
chunklhit opened this issue Mar 20, 2023 · 5 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery.

Comments

@chunklhit

What happened?

During fuzz testing of Kubernetes, I discovered a crash, which I believe might be an issue. This issue is in the code located at kubernetes/staging/src/k8s.io/apimachinery/pkg/api/resource/quantity_proto.go on lines 239, 255, 266, and 270.

Code Snippet

image

image

The value of index may potentially exceed the boundaries of the int type, becoming a negative value. However, there is no non-negative check in the code, and it is directly used on line 255. This may result in an out-of-bounds access error.

Comparing the skipGenerated method with others, such as in kubernetes/staging/src/k8s.io/api/apps/v1/generated.pb.go, it can be seen that they validate and handle the index accordingly.

image

This issue could potentially lead to program crashes and misbehavior in other locations.

Please investigate and address the issue.

What did you expect to happen?

I expect to validate and handle the “iNdEx” value to prevent program crashes.

How can we reproduce it (as minimally and precisely as possible)?

I attempted to trigger the issue using a unit test, with the following code:

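package fuzzing

import (
	"fmt"
	"testing"

	autoscalingv2 "k8s.io/api/autoscaling/v2"
)

// noOfTargets is referenced below but is not defined in the posted snippet;
// the value here is a placeholder so that the test compiles.
const noOfTargets = 1

func TestMetricValueStatus(t *testing.T) {
	m1 := &autoscalingv2.MetricValueStatus{}
	// Fuzzer-produced input: the first byte selects the target, the rest is
	// the protobuf payload passed to Unmarshal.
	data := []byte("\xbf\n@000000S\x98000000000" +
		"00000000000000000000" +
		"00000s000\x800\x1a\xff\xff\xff\xff\xff\xff\xff\xff" +
		"\xff000000")

	//data := []byte("qwe123qwe123qwe123qwe1231q2ew123qwe123qwe123qwe1231q2qweqwe")
	op := int(data[0])
	fmt.Printf("option is %d\n", op%noOfTargets)
	fmt.Printf("buff is %x\n", data[1:])
	// Malformed input is expected to come back as an error, not a panic.
	err := m1.Unmarshal(data[1:])
	if err != nil {
		fmt.Println("error is ", err)

		return
	}
}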

Running the above unit test results in a crash and throws an exception:

image

If using "data := []byte("qwe123qwe123qwe123qwe1231q2ew123qwe123qwe123qwe1231q2qweqwe")", it returns a reasonable error output:

image

Anything else we need to know?

No response

Kubernetes version

code version is release-1.26 or master

Cloud provider

I'm using Kubernetes on my local PC with one master node and three workers configured with kubeadm

OS version

# On Linux:
$ cat /etc/os-release
# paste output here
$ uname -a
# paste output here

# On Windows:
C:\> wmic os get Caption, Version, BuildNumber, OSArchitecture
# paste output here

Install tools

Container runtime (CRI) and version (if applicable)

Related plugins (CNI, CSI, ...) and versions (if applicable)

@chunklhit chunklhit added the kind/bug Categorizes issue or PR as related to a bug. label Mar 20, 2023
@k8s-ci-robot k8s-ci-robot added needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Mar 20, 2023
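
The failure mode reported above, reduced to a self-contained sketch (an added example, not code from quantity_proto.go or from the reporter): a protobuf-style skip routine that rejects a negative decoded length but does not check the index after adding that length. The names readVarint and skipLengthDelimited and the input bytes are hypothetical and constructed for illustration, and a 64-bit int is assumed.

```go
package main

import (
	"errors"
	"fmt"
)

var errInvalidLength = errors.New("proto: negative length or index out of range")

// Constructed input: tag 0x1a (field 3, wire type 2) followed by a varint
// length that decodes to the largest 64-bit signed value.
var constructed = []byte("\x1a\xff\xff\xff\xff\xff\xff\xff\xff\x7f")

// readVarint decodes a base-128 varint at buf[i]; next is -1 on malformed input.
func readVarint(buf []byte, i int) (v uint64, next int) {
	for shift := uint(0); shift < 64 && i >= 0 && i < len(buf); shift += 7 {
		b := buf[i]
		i++
		v |= uint64(b&0x7F) << shift
		if b < 0x80 {
			return v, i
		}
	}
	return 0, -1
}

// skipLengthDelimited returns the index just past one length-delimited field.
// With checkIndex false it validates only the length, not the resulting index.
func skipLengthDelimited(buf []byte, checkIndex bool) (int, error) {
	_, i := readVarint(buf, 0)   // field tag
	raw, i := readVarint(buf, i) // declared payload length
	if i < 0 {
		return 0, errors.New("proto: malformed varint")
	}
	length := int(raw)
	if length < 0 {
		return 0, errInvalidLength
	}
	i += length // wraps to a negative value when length is near the int maximum
	if checkIndex && (i < 0 || i > len(buf)) {
		return 0, errInvalidLength
	}
	return i, nil
}

func main() {
	fmt.Println(skipLengthDelimited(constructed, false)) // negative index, nil error
	fmt.Println(skipLengthDelimited(constructed, true))  // 0 and errInvalidLength
}
```

A caller that trusts the unchecked result and indexes the buffer with it panics at runtime, while the checked variant turns the same input into an ordinary decode error.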
@AxeZhan
Member

AxeZhan commented Mar 20, 2023

You can assign yourself and create a pr for this if you like.

@chunklhit
Author

ok, I will try to create a pr

clarkdian pushed a commit to chunklhit/kubernetes that referenced this issue Mar 22, 2023
This was referenced Mar 22, 2023
@cici37
Contributor

cici37 commented Mar 28, 2023

/triage accepted

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Mar 28, 2023
@neolit123
Member

/sig api-machinery

@k8s-ci-robot k8s-ci-robot added sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Apr 19, 2023
@k8s-triage-robot

This issue has not been updated in over 1 year, and should be re-triaged.

You can:

  • Confirm that this issue is still relevant with /triage accepted (org members only)
  • Close this issue with /close

For more details on the triage process, see https://www.kubernetes.dev/docs/guide/issue-triage/

/remove-triage accepted

@k8s-ci-robot k8s-ci-robot added needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. and removed triage/accepted Indicates an issue or PR is ready to be actively worked on. labels Apr 18, 2024
6 participants