fix out-of-bounds read in Groot2 hook insert handler#1170
Open
aysha-afrah26 wants to merge 2 commits into
Open
fix out-of-bounds read in Groot2 hook insert handler#1170aysha-afrah26 wants to merge 2 commits into
aysha-afrah26 wants to merge 2 commits into
Conversation
Collaborator
|
please fix CI |
Contributor
Author
|
The macOS failure was Parallel.FailingParallel, unrelated to this change (the Groot2 tests all passed). It's the same wall-clock timing class as the tests #1167 already excludes on that runner: it asserts exact per-node counts from 100/200/300ms async delays, and on the shared runner the timers landed out of order on all three until-pass retries (the 100ms failure never arrived before the 200ms success). It passes reliably on an idle arm64 Mac here, so I added it to the existing macOS exclude list; it still runs on Linux and Windows. Side note: PostConditions.Issue601 also aborted twice on that runner with 'mutex lock failed' before passing on retry, might be worth a look separately. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The Groot2 publisher runs a ZeroMQ server so the Groot2 monitor can inspect and control a running tree, and the HOOK_INSERT handler treats the request JSON payload as fully attacker-controlled. Inside serverLoop, the InsertHook lambda reads the required fields with json["uid"] and json["position"], but nlohmann const operator[] does not tolerate a missing key: it hits JSON_ASSERT(it != object->end()) and then returns it->second. JSON_ASSERT is just assert(), which is compiled out under NDEBUG, so a well-formed JSON object that leaves out either key dereferences the map past-the-end iterator, an out-of-bounds read in release builds and an abort() when assertions are on. Because the request arrives over the network, one crafted message is enough to take down or corrupt the executor process. I noticed it while comparing this handler to its neighbors: BREAKPOINT_UNLOCK and HOOK_REMOVE already read the same fields with json.at(), whose exception is caught by the surrounding handler and turned into a normal error reply. Switching the two InsertHook reads to json.at() makes an incomplete request fail the same graceful way. The added regression test sends a valid JSON object with the keys removed and checks that the server rejects it and stays responsive.