From c716d764d0edd47e898fc58607afa91164687574 Mon Sep 17 00:00:00 2001 From: Gyuho Lee Date: Thu, 16 Apr 2020 13:31:19 -0700 Subject: [PATCH] wal: check out of range slice in "ReadAll", "decoder" wal: add slice bound checks in decoder CHANGELOG-3.5: add wal slice bound check CHANGELOG-3.5: add "decodeRecord" Signed-off-by: Gyuho Lee --- CHANGELOG-3.5.md | 2 +- wal/decoder.go | 8 ++++++++ wal/wal.go | 23 ++++++++++++++++------- wal/wal_test.go | 29 +++++++++++++++++++++++++++++ 4 files changed, 54 insertions(+), 8 deletions(-) diff --git a/CHANGELOG-3.5.md b/CHANGELOG-3.5.md index dd145cc3236..f944cb7b827 100644 --- a/CHANGELOG-3.5.md +++ b/CHANGELOG-3.5.md @@ -105,7 +105,6 @@ Note that any `etcd_debugging_*` metrics are experimental and subject to change. - Remove [redundant storage restore operation to shorten the startup time](https://github.com/etcd-io/etcd/pull/11779). - With 40 million key test data,it can shorten the startup time from 5 min to 2.5 min. - ### Package `embed` - Remove [`embed.Config.Debug`](https://github.com/etcd-io/etcd/pull/10947). @@ -133,6 +132,7 @@ Note that any `etcd_debugging_*` metrics are experimental and subject to change. ### Package `wal` - Add [`etcd_wal_write_bytes_total`](https://github.com/etcd-io/etcd/pull/11738). +- Handle [out-of-range slice bound in `ReadAll` and entry limit in `decodeRecord`](https://github.com/etcd-io/etcd/pull/11793). ### etcdctl v3 diff --git a/wal/decoder.go b/wal/decoder.go index f2f01fd881c..d007fe1c748 100644 --- a/wal/decoder.go +++ b/wal/decoder.go @@ -59,6 +59,11 @@ func (d *decoder) decode(rec *walpb.Record) error { return d.decodeRecord(rec) } +// raft max message size is set to 1 MB in etcd server +// assume projects set reasonable message size limit, +// thus entry size should never exceed 10 MB +const maxWALEntrySizeLimit = int64(10 * 1024 * 1024) + func (d *decoder) decodeRecord(rec *walpb.Record) error { if len(d.brs) == 0 { return io.EOF @@ -79,6 +84,9 @@ func (d *decoder) decodeRecord(rec *walpb.Record) error { } recBytes, padBytes := decodeFrameSize(l) + if recBytes >= maxWALEntrySizeLimit-padBytes { + return ErrMaxWALEntrySizeLimitExceeded + } data := make([]byte, recBytes+padBytes) if _, err = io.ReadFull(d.brs[0], data); err != nil { diff --git a/wal/wal.go b/wal/wal.go index 0b174205bdc..f253ab4353e 100644 --- a/wal/wal.go +++ b/wal/wal.go @@ -53,12 +53,14 @@ var ( // so that tests can set a different segment size. SegmentSizeBytes int64 = 64 * 1000 * 1000 // 64MB - ErrMetadataConflict = errors.New("wal: conflicting metadata found") - ErrFileNotFound = errors.New("wal: file not found") - ErrCRCMismatch = errors.New("wal: crc mismatch") - ErrSnapshotMismatch = errors.New("wal: snapshot mismatch") - ErrSnapshotNotFound = errors.New("wal: snapshot not found") - crcTable = crc32.MakeTable(crc32.Castagnoli) + ErrMetadataConflict = errors.New("wal: conflicting metadata found") + ErrFileNotFound = errors.New("wal: file not found") + ErrCRCMismatch = errors.New("wal: crc mismatch") + ErrSnapshotMismatch = errors.New("wal: snapshot mismatch") + ErrSnapshotNotFound = errors.New("wal: snapshot not found") + ErrSliceOutOfRange = errors.New("wal: slice bounds out of range") + ErrMaxWALEntrySizeLimitExceeded = errors.New("wal: max entry size limit exceeded") + crcTable = crc32.MakeTable(crc32.Castagnoli) ) // WAL is a logical representation of the stable storage. @@ -411,8 +413,15 @@ func (w *WAL) ReadAll() (metadata []byte, state raftpb.HardState, ents []raftpb. switch rec.Type { case entryType: e := mustUnmarshalEntry(rec.Data) + // 0 <= e.Index-w.start.Index - 1 < len(ents) if e.Index > w.start.Index { - ents = append(ents[:e.Index-w.start.Index-1], e) + // prevent "panic: runtime error: slice bounds out of range [:13038096702221461992] with capacity 0" + up := e.Index - w.start.Index - 1 + if up > uint64(len(ents)) { + // return error before append call causes runtime panic + return nil, state, nil, ErrSliceOutOfRange + } + ents = append(ents[:up], e) } w.enti = e.Index diff --git a/wal/wal_test.go b/wal/wal_test.go index d2709d042c6..ee0574ef130 100644 --- a/wal/wal_test.go +++ b/wal/wal_test.go @@ -645,6 +645,35 @@ func TestOpenForRead(t *testing.T) { } } +func TestOpenWithMaxIndex(t *testing.T) { + p, err := ioutil.TempDir(os.TempDir(), "waltest") + if err != nil { + t.Fatal(err) + } + defer os.RemoveAll(p) + // create WAL + w, err := Create(zap.NewExample(), p, nil) + if err != nil { + t.Fatal(err) + } + defer w.Close() + + es := []raftpb.Entry{{Index: uint64(math.MaxInt64)}} + if err = w.Save(raftpb.HardState{}, es); err != nil { + t.Fatal(err) + } + w.Close() + + w, err = Open(zap.NewExample(), p, walpb.Snapshot{}) + if err != nil { + t.Fatal(err) + } + _, _, _, err = w.ReadAll() + if err == nil || err != ErrSliceOutOfRange { + t.Fatalf("err = %v, want ErrSliceOutOfRange", err) + } +} + func TestSaveEmpty(t *testing.T) { var buf bytes.Buffer var est raftpb.HardState