Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Stack overflow when parsing message #267

Closed
dbrgn opened this issue Jan 16, 2020 · 11 comments · Fixed by #268
Closed

Stack overflow when parsing message #267

dbrgn opened this issue Jan 16, 2020 · 11 comments · Fixed by #268

Comments

@dbrgn
Copy link
Contributor

dbrgn commented Jan 16, 2020

When parsing certain messages, the process aborts with a stack overflow.

I made a reproducer:

prost-stackoverflow-reproducer$ cargo run
     Running `target/debug/prost-stackoverflow-reproducer`
Hello, world!

thread 'main' has overflowed its stack
fatal runtime error: stack overflow
Aborted (core dumped)

Potentially the data requests allocation of a buffer that's larger than the actually available data? (23 KiB input data is not that large...)

(Found through afl.rs)
@danburkert
Copy link
Collaborator

Wow nice, thanks for the report. Getting a stack trace, if possible, would be super great if you are still looking at this (otherwise no worries, it should be easy to repro thanks to your repo). We have some fuzzers in-tree, but they haven't dug this up. That's something to be investigated as well, or maybe we can just upstream you're test into prost.

@danburkert
Copy link
Collaborator

I found it, I believe it's this recursive call within skip_field: https://github.com/danburkert/prost/blob/master/src/encoding.rs#L402. It should be straightforward to restructure that as a loop instead of recursion. Interestingly it doesn't manifest in release mode.

@danburkert
Copy link
Collaborator

Interestingly it doesn't manifest in release mode.

It likely would with longer input.

@danburkert danburkert reopened this Jan 16, 2020
danburkert added a commit that referenced this issue Jan 16, 2020
@danburkert
apply recursion limit when skipping fields
6e59843 
Fixes #267
@danburkert danburkert mentioned this issue Jan 16, 2020
Merged
danburkert added a commit that referenced this issue Jan 16, 2020
@danburkert
apply recursion limit when skipping fields
04091d3 
Fixes #267
@danburkert danburkert mentioned this issue Jan 16, 2020
Closed
@danburkert
Copy link
Collaborator

@dbrgn thanks again for the report, and thorough repro. Fix has been released in 0.6.1; more details are in the release notes: https://github.com/danburkert/prost/releases/tag/v0.6.1. Additionally I filed #270 to track better fuzz testing through afl.

@dbrgn
Copy link
Contributor Author

dbrgn commented Jan 16, 2020

Great, thank you for the very fast response! 🙂

I will also file a RUSTSEC advisory, since this could be used for DoS if untrusted input is fed to the parser.

@tarcieri
Copy link
Contributor

tarcieri commented Jan 16, 2020
edited
Loading

Note that in absence of stack probes on architectures like ARM, stack overflow is unsound and can result in potential memory corruption (or even RCE), so it's worse than DoS.

Fortunately x86/x86_64 has stack probes.

@dbrgn
Copy link
Contributor Author

dbrgn commented Jan 16, 2020

Oh, that's a good point! I wasn't aware of that.

I'll file a RUSTSEC advisory. In that case, should I put it both in "denial-of-service" and "memory-corruption" categories?

@tarcieri
Copy link
Contributor

Yup, sounds good.

@dbrgn dbrgn mentioned this issue Jan 16, 2020
Merged
@tarcieri
Copy link
Contributor

Assigned RUSTSEC-2020-0002 in rustsec/advisory-db#223

@mzabaluev
Copy link
Contributor

Are 0.5 versions affected? If so, is it possible to backport the fix?

@github-actions github-actions bot mentioned this issue Jan 17, 2020
Open
@danburkert
Copy link
Collaborator

0.5.x have no stack overflow protections at all, so yes. There will be no backport, as I don't have the resources to maintain backports.

@dbrgn dbrgn mentioned this issue Jan 20, 2020
Merged
hawkw pushed a commit to linkerd/prost that referenced this issue Jan 23, 2020
@danburkert @hawkw
apply recursion limit when skipping fields
8875bb9 
Fixes tokio-rs#267
@hawkw hawkw mentioned this issue Jan 23, 2020
Closed
dunmatt pushed a commit to dunmatt/prost that referenced this issue Apr 1, 2020
@danburkert @dunmatt
apply recursion limit when skipping fields
9a4b543 
Fixes tokio-rs#267
@github-actions github-actions bot mentioned this issue Jul 27, 2020
Open
@github-actions github-actions bot mentioned this issue Nov 17, 2020
Closed
zorion added a commit to zorion/trophy-case that referenced this issue Jan 17, 2022
@zorion
Fix broken link in prost
bde7896 
I tried to visit the link listed: https://github.com/danburkert/prost/issues/267 but it was unavailable.
I saw that this is a fork so I found the issue in the original(?) repo: tokio-rs/prost#267, so I propose to change the link (or remove the line).
@zorion zorion mentioned this issue Jan 17, 2022
Merged
@pront pront mentioned this issue Dec 20, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

apply recursion limit when skipping fields tokio-rs/prost
4 participants
@tarcieri @dbrgn @danburkert @mzabaluev