Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix potential segfault with stream iterators. #1923

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Fix potential segfault with stream iterators. #1923

wants to merge 2 commits into from

Conversation

rsmmr
Copy link
Member

@rsmmr rsmmr commented Nov 19, 2024
edited
Loading

When trimming off the beginning of a stream, an existing iterator
could end up dereferencing its internal chunk pointer even if the
chunk now no longer existed. The issue was inside the
increment/decrement operations, which didn't check if the current
iterator offset was still valid (because only then the current chunk
is guaranteed to be valid too).

Closes #1918.

@rsmmr
Copy link
Member Author

rsmmr commented Nov 19, 2024

@evantypanski can you see if this fixes the issue from #1918? It's now raining an exception (view starts before available range) though I'm not quite sure if that's semantically correct.

@rsmmr rsmmr mentioned this pull request Nov 19, 2024
Open
@evantypanski
Copy link
Contributor

Sure I'll take a look on my reproducers tomorrow, I'll be driving for the rest of the day :)

Thanks for looking at this, I figured it'd take me a little longer just to figure out the generated code

@evantypanski
Copy link
Contributor

@rsmmr this indeed fixes the use-after-free in the reproducers I have

@rsmmr
Copy link
Member Author

rsmmr commented Nov 21, 2024

@rsmmr this indeed fixes the use-after-free in the reproducers I have

Great, thanks for confirming. Is it now reporting an exception (view starts before available range) for you too? If so, are you able to tell if that's correct/expected behviour?

@evantypanski
Copy link
Contributor

Is it now reporting an exception (view starts before available range) for you too?

I see no discernable difference end-to-end for cases that only had a UAF with the sanitizer but didn't segfault. The verbose logs are exactly the same and any logs that Zeek output are exactly the same in every case I tried.

In other cases that did segfault, it's hard to track down that exact exception - they have lots of them anyway since they're trying to parse data that doesn't fit. so - maybe?

If so, are you able to tell if that's correct/expected behaviour?

Well, I'll say that everything end-to-end seems to be as expected: cases that only saw UAF but no segfault work the same, then cases that saw a segfault no longer segfault. Cases that segfaulted also seem to have more of that exception in analyzer.log (compared to just removing the advance call that causes the segfault), but that could be for a lot of reasons.

So - it's pretty tough for me to tell, but at least this doesn't seem to do anything bad and fixes the segfault so I see that as correct.

If you have a specific test I can do that too. The HTTP examples in the issue seem to be representative of the problem

@rsmmr
Copy link
Member Author

rsmmr commented Nov 22, 2024

it's pretty tough for me to tell, but at least this doesn't seem to do anything bad and fixes the segfault so I see that as correct.

That sounds good enough to me. I'll get this ready for review & merge then. Thanks!

@rsmmr
Add regression tests triggering #1918.
50da8ae
@rsmmr
Fix potential segfault with stream iterators.
e88650c 
When trimming off the beginning of a stream, an existing iterator
could end up dereferencing its internal chunk pointer even if the
chunk now no longer existed. The issue was inside the
increment/decrement operations, which didn't check if the *current*
iterator offset was still valid (because only then the current chunk
is guaranteed to be valid too).

Closes #1918.
@rsmmr rsmmr force-pushed the topic/robin/gh-1918-trim-fix branch from 3e703eb to e88650c Compare November 22, 2024 11:22
@rsmmr rsmmr marked this pull request as ready for review November 22, 2024 11:22
evantypanski
evantypanski approved these changes Nov 22, 2024
View reviewed changes
Copy link
Contributor

@evantypanski evantypanski left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks a bunch for looking at this, it looks good to me. And a lot simpler than what I was afraid of :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@evantypanski evantypanski evantypanski approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Generated code segfaults when parsing bytes with &until
2 participants
@rsmmr @evantypanski