
ReadSlice: limit the max length for slices before invoking make([]byte, length) #37

Closed
odeke-em opened this issue Oct 6, 2017 · 1 comment

Comments

@odeke-em
Contributor

odeke-em commented Oct 6, 2017

Just found this with go-fuzz: we should check that the number of bytes in the slice doesn't overflow.
The offending code is at

https://github.com/tendermint/go-wire/blob/5f88da3dbc1a72844e6dfaf274ce87f851d488eb/byteslice.go#L28

In the check right above, we should also perform the due diligence to ensure that we report ErrBinaryReadOverflow

https://github.com/tendermint/go-wire/blob/5f88da3dbc1a72844e6dfaf274ce87f851d488eb/byteslice.go#L23-L26

Repro code:

package main

import "github.com/tendermint/tendermint/types"

func main() {
	vs := new(types.ValidatorSet)
	// Fuzzer-generated input: the trailing 0x06 followed by six 0x30 bytes decodes to a
	// byte-slice length of 52983525027888, which is handed straight to make([]byte, length).
	vs.FromBytes([]byte{0x01, 0x01, 0x30, 0x01, 0x06, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30})
}

which gives

panic: runtime error: makeslice: len out of range

goroutine 1 [running]:
github.com/tendermint/tendermint/vendor/github.com/tendermint/go-wire.ReadByteSlice(0x1668ba0, 0xc4205488a0, 0x0, 0xc42018fee0, 0xc42018fef0, 0x86, 0xc420056601, 0x1432820)
	/Users/emmanuelodeke/go/src/github.com/tendermint/tendermint/vendor/github.com/tendermint/go-wire/byteslice.go:30 +0x227
github.com/tendermint/tendermint/vendor/github.com/tendermint/go-wire.readReflectBinary(0x1471ce0, 0xc42055e080, 0x197, 0x1672200, 0x1471ce0, 0x1402dcf, 0x7, 0x0, 0x1471ce0, 0xc42000c160, ...)
	/Users/emmanuelodeke/go/src/github.com/tendermint/tendermint/vendor/github.com/tendermint/go-wire/reflect.go:277 +0x1169
github.com/tendermint/tendermint/vendor/github.com/tendermint/go-wire.readReflectBinary(0x14a4060, 0xc42055e080, 0x199, 0x1672200, 0x14a4060, 0x1407c55, 0xa, 0x0, 0x1426580, 0xc42000c020, ...)
	/Users/emmanuelodeke/go/src/github.com/tendermint/tendermint/vendor/github.com/tendermint/go-wire/reflect.go:317 +0xa96
github.com/tendermint/tendermint/vendor/github.com/tendermint/go-wire.readReflectBinary(0x1426580, 0xc420548870, 0x197, 0x1672200, 0x1426580, 0x1407c55, 0xa, 0x0, 0x1426580, 0xc42000c020, ...)
	/Users/emmanuelodeke/go/src/github.com/tendermint/tendermint/vendor/github.com/tendermint/go-wire/reflect.go:292 +0xf53
github.com/tendermint/tendermint/vendor/github.com/tendermint/go-wire.readReflectBinary(0x1492be0, 0xc420548870, 0x199, 0x1672200, 0x1492be0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
	/Users/emmanuelodeke/go/src/github.com/tendermint/tendermint/vendor/github.com/tendermint/go-wire/reflect.go:317 +0xa96
github.com/tendermint/tendermint/vendor/github.com/tendermint/go-wire.ReadBinary(0x14d23c0, 0xc420548870, 0x1668ba0, 0xc4205488a0, 0x0, 0xc42018fee0, 0xc42018fef0, 0xc42018ff00, 0x1012e38)
	/Users/emmanuelodeke/go/src/github.com/tendermint/tendermint/vendor/github.com/tendermint/go-wire/wire.go:31 +0x32e
github.com/tendermint/tendermint/types.(*ValidatorSet).FromBytes(0xc420548870, 0xc420564000, 0xb, 0x20b)
	/Users/emmanuelodeke/go/src/github.com/tendermint/tendermint/types/validator_set.go:308 +0xd0
main.main()
	/Users/emmanuelodeke/go/src/github.com/tendermint/tendermint/fuzz/types/validatorSet/repro/main.go:22 +0x142
exit status 2

where:

  • length value is: 52983525027888
  • lmt: 0
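The check the issue asks for, as an added illustration that is not go-wire's own code: a length-prefixed byte-slice reader that refuses to allocate when the decoded length exceeds math.MaxInt32 or a caller-supplied limit, and reports ErrBinaryReadOverflow instead of reaching make([]byte, length). The length prefix format (one size byte followed by that many big-endian bytes) is a simplified stand-in for go-wire's varint encoding, the function signature is assumed, and the overflowing prefix bytes are the tail of the repro input above.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"math"
)

// Error names follow the issue; the values and signatures here are assumed, not go-wire's.
var (
	ErrBinaryReadOverflow      = errors.New("binary read overflow: length exceeds limit")
	ErrBinaryReadInvalidLength = errors.New("binary read: invalid length prefix")
)

// reproLengthPrefix is the tail of the fuzzer input from the issue: size byte 0x06,
// then six 0x30 bytes, which decode to 0x303030303030 = 52983525027888.
var reproLengthPrefix = []byte{0x06, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30}

// readUvarint decodes a simplified length prefix: one size byte n (0..8) followed by
// n big-endian bytes. This is an assumed stand-in for go-wire's varint decoder.
func readUvarint(r io.Reader) (uint64, error) {
	var sz [1]byte
	if _, err := io.ReadFull(r, sz[:]); err != nil {
		return 0, err
	}
	n := int(sz[0])
	if n > 8 {
		return 0, ErrBinaryReadInvalidLength
	}
	buf := make([]byte, n) // at most 8 bytes, so this allocation is always bounded
	if _, err := io.ReadFull(r, buf); err != nil {
		return 0, err
	}
	var v uint64
	for _, b := range buf {
		v = v<<8 | uint64(b)
	}
	return v, nil
}

// ReadByteSlice reads a length-prefixed byte slice. The decoded length is validated
// before any allocation: it must fit in an int32 (the bound named in the fix) and,
// when lmt is non-zero, must not exceed the caller's limit. Both failures are reported
// as ErrBinaryReadOverflow and nothing further is read.
func ReadByteSlice(r io.Reader, lmt int) ([]byte, error) {
	length, err := readUvarint(r)
	if err != nil {
		return nil, err
	}
	if length > math.MaxInt32 {
		return nil, ErrBinaryReadOverflow
	}
	if lmt != 0 && int(length) > lmt {
		return nil, ErrBinaryReadOverflow
	}
	buf := make([]byte, int(length)) // safe: length is bounded by the checks above
	if _, err := io.ReadFull(r, buf); err != nil {
		return nil, err // truncated input: io.ErrUnexpectedEOF, never a panic
	}
	return buf, nil
}

func main() {
	// The repro prefix is rejected before allocation instead of panicking in makeslice.
	_, err := ReadByteSlice(bytes.NewReader(reproLengthPrefix), 0)
	fmt.Println("repro prefix:", err)

	// A well-formed 3-byte slice decodes normally (constructed input).
	b, err := ReadByteSlice(bytes.NewReader([]byte{0x01, 0x03, 'a', 'b', 'c'}), 0)
	fmt.Printf("valid input: %q %v\n", b, err)

	// A caller limit tighter than MaxInt32 is enforced the same way.
	_, err = ReadByteSlice(bytes.NewReader([]byte{0x01, 0x03, 'a', 'b', 'c'}), 2)
	fmt.Println("over caller limit:", err)
}
```

The MaxInt32 bound only stops the runtime panic; a length just under 2^31 still allocates 2 GiB before a single payload byte is read, so callers decoding untrusted input should always pass a limit sized to what the message can legitimately contain (or bound the reader with io.LimitReader) rather than relying on the overflow check alone.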
odeke-em added a commit that referenced this issue Oct 6, 2017
Fixes #25
Fixes #37
Fixes tendermint/tendermint#722

Before attempting to allocate a buffer to hold
decoded lengths, check that it doesn't exceed
math.MaxInt32, i.e. (2^31) - 1.
In the case of overflows, report ErrBinaryReadOverflow
and don't attempt to read anything.

This issue was found firstly by @mveytsman in #25
and then independently confirmed by go-fuzz in tendermint.
@odeke-em
Contributor Author

Fixed by #38.
