fix(zstd): return decode error instead of panicking on corrupt view lengths#8843
Open
mvanhorn wants to merge 1 commit into
Open
fix(zstd): return decode error instead of panicking on corrupt view lengths#8843mvanhorn wants to merge 1 commit into
mvanhorn wants to merge 1 commit into
Conversation
…engths
reconstruct_views read a u32 view-length prefix from ZSTD-decompressed
(untrusted) data and used it as a slice bound without validation. A corrupt
or fuzzed length produced an out-of-bounds slice panic ("range end index
... out of range for slice of length ...") in reconstruct_views.
Make reconstruct_views return VortexResult: bounds-check both the length
prefix read and the value slice (with a checked_add to avoid usize
overflow), returning a decode error instead of panicking. Both zstd
callers and the vortex-cuda caller propagate the error.
Closes vortex-data#8822
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
reconstruct_viewsdecodes a[u32-LE length][value bytes]stream from ZSTD-decompressed (untrusted) data and used the length prefix as a slice bound without validation, so a corrupt or fuzzed length triggered an out-of-bounds slice panic (range end index ... out of range for slice of length ...). This makesreconstruct_viewsreturnVortexResultand bounds-checks the untrusted reads, returning a decode error instead of panicking.Rationale for this change
This is a fuzzer-reported crash (#8822): decoding attacker-controllable ZSTD array data could panic a worker thread instead of surfacing a recoverable decode error. Decoding untrusted input should never panic; it should return an error the caller can handle. The panic reproduces on
developwith a length prefix that exceeds the remaining buffer.What changes are included in this PR?
encodings/zstd/src/array.rs:reconstruct_viewsnow returnsVortexResult<(Vec<ByteBuffer>, Buffer<BinaryView>)>. Both untrusted reads (the view-length prefix and the value slice) are bounds-checked (withchecked_addto avoidusizeoverflow) and return a decode error instead of panicking. The two in-crate callers propagate the error with?.vortex-cuda/src/kernel/encodings/zstd.rs: the CUDA decode caller propagates the new error with?.Errrather than panicking. The existingreconstruct_viewstests are unchanged in behavior.What APIs are changed? Are there any user-facing changes?
The
pub fn reconstruct_viewsinvortex-zstdchanges its return type from(Vec<ByteBuffer>, Buffer<BinaryView>)toVortexResult<(Vec<ByteBuffer>, Buffer<BinaryView>)>. Decoding a corrupt ZSTD array now yields aVortexErrorinstead of panicking. There is no behavior change for well-formed input.AI was used for assistance.