Stop untrusted preallocation during deserialization #1925
Merged: dconnolly merged 9 commits into ZcashFoundation:main from teor2345:joinsplit-memory-dos on Mar 22, 2021
Conversation
Zebra believes the untrusted `JoinSplit` list size field when deserializing `JoinSplit`s, and preallocates a `Vec` based on that size. This is a trivial memory exhaustion attack. Instead, use the current auto-growing implementation, which is limited by the size of the message data.
This is an easy memory denial of service attack.
e763ea3 to 473a042
I also found similar security issues in |
Zebra already uses `Read::take` to enforce message, body, and block maximum sizes. So using `Read::take` on untrusted sizes can result in short reads, without a corresponding `UnexpectedEof` error. (The old code was correct, but copying it elsewhere would have been risky.)
I also found some risky uses of |
oxarbitrage reviewed Mar 19, 2021
teor2345 commented Mar 21, 2021
teor2345 commented Mar 21, 2021
Co-authored-by: Alfredo Garcia <oxarbitrage@gmail.com>
dconnolly approved these changes Mar 22, 2021
dconnolly previously approved these changes Mar 22, 2021
dconnolly added a commit that referenced this pull request Mar 23, 2021
Zebra's latest alpha checkpoints on Canopy activation, continues our work on NU5, and fixes a security issue. Some notable changes include:

## Added
- Log address book metrics when PeerSet or CandidateSet don't have many peers (#1906)
- Document test coverage workflow (#1919)
- Add a final job to CI, so we can easily require all the CI jobs to pass (#1927)

## Changed
- Zebra has moved its mandatory checkpoint from Sapling to Canopy (#1898, #1926)
  - This is a breaking change for users that depend on the exact height of the mandatory checkpoint.

## Fixed
- tower-batch: wake waiting workers on close to avoid hangs (#1908)
- Assert that pre-Canopy blocks use checkpointing (#1909)
- Fix CI disk space usage by disabling incremental compilation in coverage builds (#1923)

## Security
- Stop relying on unchecked length fields when preallocating vectors (#1925)
Labels
- A-rust (Area: Updates to Rust code)
- C-bug (Category: This is a bug)
- C-security (Category: Security issues)
- I-heavy (Problems with excessive memory, disk, or CPU usage)
- I-invalid-data (Zebra relies on invalid or untrusted data, or sends invalid data)
- I-panic (Zebra panics with an internal error message)
- I-unbounded-growth (Zebra keeps using resources, without any limit)
Motivation
Zebra believes untrusted lengths when deserializing, and preallocates a `Vec` based on that size:
- `JoinSplit` list size field
- `String` sizes
- `Script` sizes
This is a trivial memory exhaustion attack.
Zebra also uses `Read::take` in risky ways. The old code was correct, but copying it elsewhere could have hidden short reads.

Solution
- `Vec` deserialize implementation, which is limited by the size of the message data
- `Read::take` with validated `Vec` preallocation
The code in this pull request has:

Review
@dconnolly or @oxarbitrage this fix is urgent, but not critical, because it's only a local memory denial of service.

Related Issues
Blocks #1920, this fix will cause #1920 to fail due to a missing trusted preallocation impl for the listed types

Follow Up Work
Trusted vector preallocation #1920
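As an added illustration (not Zebra's code), the three shapes this pull request discusses in one small reader: trusting a wire-supplied count for `Vec::with_capacity`, validating that count against a maximum body size before preallocating, and checking `Read::take` for silent short reads. The u32 length prefix, the bounds and the item type are constructed for the example.

```rust
use std::io::{self, ErrorKind, Read};

// Constructed bounds for this example: a body carries at most MAX_BODY_BYTES,
// so no honest list can hold more than MAX_BODY_BYTES / ITEM_BYTES items.
const MAX_BODY_BYTES: usize = 4096;
const ITEM_BYTES: usize = 8;

/// Little-endian u32 count prefix (stands in for a compactSize field).
fn read_len<R: Read>(r: &mut R) -> io::Result<usize> {
    let mut b = [0u8; 4];
    r.read_exact(&mut b)?;
    Ok(u32::from_le_bytes(b) as usize)
}
/// Vulnerable shape: the wire-supplied count goes straight into
/// `Vec::with_capacity`, so four attacker-chosen bytes can demand gigabytes.
fn read_items_trusting_len<R: Read>(r: &mut R) -> io::Result<Vec<[u8; ITEM_BYTES]>> {
    let len = read_len(r)?;
    let mut items = Vec::with_capacity(len); // untrusted preallocation
    for _ in 0..len {
        let mut item = [0u8; ITEM_BYTES];
        r.read_exact(&mut item)?;
        items.push(item);
    }
    Ok(items)
}
/// Fixed shape: reject counts that cannot fit in a maximum-size body before
/// preallocating, so memory is bounded by bytes that can actually arrive.
fn read_items_checked<R: Read>(r: &mut R) -> io::Result<Vec<[u8; ITEM_BYTES]>> {
    let len = read_len(r)?;
    if len > MAX_BODY_BYTES / ITEM_BYTES {
        return Err(io::Error::new(ErrorKind::InvalidData, "list length exceeds max body"));
    }
    let mut items = Vec::with_capacity(len); // validated preallocation
    for _ in 0..len {
        let mut item = [0u8; ITEM_BYTES];
        r.read_exact(&mut item)?; // truncated input fails with UnexpectedEof
        items.push(item);
    }
    Ok(items)
}
/// `Read::take(n).read_to_end` stops silently at EOF; compare the byte count
/// to `n` so a truncated field is reported as UnexpectedEof, not a short read.
fn read_exact_take<R: Read>(r: &mut R, n: u64) -> io::Result<Vec<u8>> {
    let mut buf = Vec::new();
    r.by_ref().take(n).read_to_end(&mut buf)?;
    if buf.len() as u64 != n {
        return Err(io::Error::new(ErrorKind::UnexpectedEof, "short read under Read::take"));
    }
    Ok(buf)
}
```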