Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/net/route: ParseRIB panics on message from Darwin #70528

Closed
raggi opened this issue Nov 22, 2024 · 10 comments
Closed

x/net/route: ParseRIB panics on message from Darwin #70528

raggi opened this issue Nov 22, 2024 · 10 comments
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. OS-Darwin
Milestone
Unreleased

Comments

@raggi
Copy link
Contributor

raggi commented Nov 22, 2024
edited
Loading

Go version

go1.23.3 & golang.org/x/[email protected]

Output of go env in your module/workspace:

GO111MODULE=''
GOARCH='arm64'
GOBIN=''
GOCACHE='/Users/raggi/Library/Caches/go-build'
GOENV='/Users/raggi/Library/Application Support/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='arm64'
GOHOSTOS='darwin'
GOINSECURE=''
GOMODCACHE='/Users/raggi/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='darwin'
GOPATH='/Users/raggi/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/Users/raggi/.cache/tailscale-go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/Users/raggi/.cache/tailscale-go/pkg/tool/darwin_arm64'
GOVCS=''
GOVERSION='go1.23.1'
GODEBUG=''
GOTELEMETRY='local'
GOTELEMETRYDIR='/Users/raggi/Library/Application Support/go/telemetry'
GCCGO='gccgo'
GOARM64='v8.0'
AR='ar'
CC='clang'
CXX='clang++'
CGO_ENABLED='1'
GOMOD='/dev/null'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -arch arm64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -ffile-prefix-map=/var/folders/bb/dyr_1n6j575g8nq85nmnfbt00000gn/T/go-build3032505426=/tmp/go-build -gno-record-gcc-switches -fno-common'

What did you do?

Seen from tailscale client, usage at https://github.com/tailscale/tailscale/blob/8e5cfbe4ab11713e383b3ff0d978f116320de2a3/net/netmon/netmon_darwin.go#L59

What did you see happen?

2024-11-22T19:46:58Z	panic: runtime error: slice bounds out of range [8:0]
2024-11-22T19:46:58Z	
2024-11-22T19:46:58Z	goroutine 75 [running]:
2024-11-22T19:46:58Z	golang.org/x/net/route.parseInetAddr(0x14000582dc8?, {0x1400024e090, 0x14000f38480?, 0x788})
2024-11-22T19:46:58Z	golang.org/x/[email protected]/route/address.go:203 +0x280
2024-11-22T19:46:58Z	golang.org/x/net/route.parseAddrs(0x15, 0x1033fb958, {0x1400024e074, 0x34, 0x7a4})
2024-11-22T19:46:58Z	golang.org/x/[email protected]/route/address.go:408 +0xd8
2024-11-22T19:46:58Z	golang.org/x/net/route.(*wireFormat).parseRouteMessage(0x1400012a018, 0x140003f8008?, {0x1400024e018, 0x90, 0x800})
2024-11-22T19:46:58Z	golang.org/x/[email protected]/route/route_classic.go:70 +0x2b8
2024-11-22T19:46:58Z	golang.org/x/net/route.ParseRIB(0x1, {0x1400024e018?, 0x14000f38380?, 0x140001105b0?})
2024-11-22T19:46:58Z	golang.org/x/[email protected]/route/message.go:55 +0x194
2024-11-22T19:46:58Z	tailscale.com/net/netmon.(*darwinRouteMon).Receive(0x1400024e008)
2024-11-22T19:46:58Z	[email protected]/net/netmon/netmon_darwin.go:59 +0x60
2024-11-22T19:46:58Z	tailscale.com/net/netmon.(*Monitor).pump(0x140001821c0)
2024-11-22T19:46:58Z	[email protected]/net/netmon/netmon.go:346 +0x78
2024-11-22T19:46:58Z	created by tailscale.com/net/netmon.(*Monitor).Start in goroutine 17
2024-11-22T19:46:58Z	[email protected]/net/netmon/netmon.go:265 +0x1b8

What did you expect to see?

No panic.

Related issue: #44740
Related change: hurricanehrndz/golang-net@61924c1
@gabyhelp
Copy link

Related Issues

(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)

@bradfitz
Copy link
Contributor

cc @hurricanehrndz

@hurricanehrndz
Copy link

Thanks, I will take a look at this on the weekend.

@dmitshur dmitshur added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Nov 22, 2024
@dmitshur dmitshur added this to the Unreleased milestone Nov 22, 2024
@hurricanehrndz
Copy link

@raggi do you have the bytes array so that I can write up a test for this?

@raggi
Copy link
Contributor Author

raggi commented Nov 22, 2024

@hurricanehrndz I'm working on getting that, in the meantime this should be sufficient defense: https://github.com/golang/net/compare/master...raggi:raggi/darwin-rib-parse?expand=1

@raggi raggi mentioned this issue Nov 22, 2024
Closed
raggi added a commit to tailscale/tailscale that referenced this issue Nov 22, 2024
@raggi
net/netmon: catch ParseRIB panic to gather buffer data
f6d0412 
Updates #14201
Updates golang/go#70528

Signed-off-by: James Tucker <[email protected]>
@raggi raggi mentioned this issue Nov 22, 2024
Merged
@hurricanehrndz
Copy link

@raggi yeah that looks good.

raggi added a commit to tailscale/tailscale that referenced this issue Nov 22, 2024
@raggi
net/netmon: catch ParseRIB panic to gather buffer data
f643118 
Updates #14201
Updates golang/go#70528

Signed-off-by: James Tucker <[email protected]>
@spikecurtis spikecurtis mentioned this issue Nov 25, 2024
Closed
@deansheather
Copy link

I was able to gather a panicking RIB from a real darwin amd64 machine using a coredump:

data := []byte{
	0x84, 0x00, 0x05, 0x04, 0x01, 0x00, 0x00, 0x00, 0x03, 0x08, 0x00, 0x01, 0x15, 0x00, 0x00, 0x00,
	0x1B, 0x01, 0x00, 0x00, 0xF5, 0x5A, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x02, 0x00, 0x00,
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00,
	0x14, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	0x00, 0x00, 0x00, 0x00,
}

_, _ = route.ParseRIB(route.RIBTypeRoute, data)
panic: runtime error: slice bounds out of range [4:0] [recovered]
        panic: runtime error: slice bounds out of range [4:0]

goroutine 18 [running]:
testing.tRunner.func1.2({0xb775380, 0xc0000ac048})
        /usr/local/Cellar/[email protected]/1.22.9/libexec/src/testing/testing.go:1631 +0x24a
testing.tRunner.func1()
        /usr/local/Cellar/[email protected]/1.22.9/libexec/src/testing/testing.go:1634 +0x377
panic({0xb775380?, 0xc0000ac048?})
        /usr/local/Cellar/[email protected]/1.22.9/libexec/src/runtime/panic.go:770 +0x132
golang.org/x/net/route.parseInetAddr(0x80?, {0xc00010206c, 0xc0000d6200?, 0x18})
        /Users/ec2-user/net/route/address.go:188 +0x267
golang.org/x/net/route.parseAddrs(0x15, 0xb784080, {0xc00010205c, 0x28, 0x28})
        /Users/ec2-user/net/route/address.go:408 +0xdd
golang.org/x/net/route.(*wireFormat).parseRouteMessage(0xc00009c0c0, 0xc000050680?, {0xc000102000, 0x84, 0x84})
        /Users/ec2-user/net/route/route_classic.go:70 +0x2fd
golang.org/x/net/route.ParseRIB(0x1, {0xc000102000?, 0xb6bf1f3?, 0xb66ed8f?})
        /Users/ec2-user/net/route/message.go:55 +0x1b3
golang.org/x/net/route.TestPanic(0xc0000b2680?)
        /Users/ec2-user/net/route/message_test.go:271 +0x9a
testing.tRunner(0xc0000b2680, 0xb784000)
        /usr/local/Cellar/[email protected]/1.22.9/libexec/src/testing/testing.go:1689 +0xfb
created by testing.(*T).Run in goroutine 1
        /usr/local/Cellar/[email protected]/1.22.9/libexec/src/testing/testing.go:1742 +0x390

raggi's patch does seem to fix the panic in this case.

It might be related to a recent MacOS update, since the RIB above was gathered from a 15.1 machine (released Oct 28th).

raggi added a commit to tailscale/tailscale that referenced this issue Nov 25, 2024
@raggi
net/netmon: improve panic reporting from #14202
505020b 
I was hoping we'd catch an example input quickly, but the reporter had
rebooted their machine and it is no longer exhibiting the behavior. As
such this code may be sticking around quite a bit longer and we might
encounter other errors, so include the panic in the log entry.

Updates #14201
Updates #14202
Updates golang/go#70528

Signed-off-by: James Tucker <[email protected]>
@raggi raggi mentioned this issue Nov 25, 2024
Merged
raggi added a commit to raggi/net that referenced this issue Nov 25, 2024
@raggi
route: fix parse of zero-length sockaddrs in RIBs
57b1b70 
Zero-length sockaddrs were observed in RIBs within golang/go#70528.
These records are to be skipped, and an invariant for later slice
manipulation is to be enforced by a defensive check in parseAddr.

Fixes golang/go#70528
raggi added a commit to raggi/net that referenced this issue Nov 25, 2024
@raggi
route: fix parse of zero-length sockaddrs in RIBs
72227a3 
Zero-length sockaddrs were observed in RIBs within golang/go#70528.
These records are to be skipped, and an invariant for later slice
manipulation is to be enforced by a defensive check in parseAddr.

Fixes golang/go#70528
@raggi
Copy link
Contributor Author

raggi commented Nov 25, 2024

agreed, 15.1 changes are the likely cause.

@raggi raggi mentioned this issue Nov 25, 2024
Closed
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/631475 mentions this issue: route: fix parse of zero-length sockaddrs in RIBs

raggi added a commit to tailscale/tailscale that referenced this issue Nov 25, 2024
@raggi
net/netmon: improve panic reporting from #14202
4d33f30 
I was hoping we'd catch an example input quickly, but the reporter had
rebooted their machine and it is no longer exhibiting the behavior. As
such this code may be sticking around quite a bit longer and we might
encounter other errors, so include the panic in the log entry.

Updates #14201
Updates #14202
Updates golang/go#70528

Signed-off-by: James Tucker <[email protected]>
raggi added a commit to raggi/net that referenced this issue Nov 25, 2024
@raggi
route: fix parse of zero-length sockaddrs in RIBs
cf77ffd 
Zero-length sockaddrs were observed in RIBs within golang/go#70528.
These records are to be skipped, and an invariant for later slice
manipulation is to be enforced by a defensive check in parseAddr.

Fixes golang/go#70528
raggi added a commit to raggi/net that referenced this issue Nov 25, 2024
@raggi
route: fix parse of zero-length sockaddrs in RIBs
066ba8a 
Zero-length sockaddrs were observed in RIBs within golang/go#70528.
These records are to be skipped, and an invariant for later slice
manipulation is to be enforced by a defensive check in parseAddr.

Fixes golang/go#70528
@gabyhelp gabyhelp mentioned this issue Nov 27, 2024
Open
@Emyrk Emyrk mentioned this issue Dec 18, 2024
Merged
@gabyhelp gabyhelp mentioned this issue Dec 30, 2024
Open
@joeljeske
Copy link

I know this issue is closed, but I wanted to chime in that I can reproduce this panic (without golang/net@e9cd716) on darwin on macOS 14.7.1, as opposed to only 15.1 like previously suggested.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. OS-Darwin
Projects
None yet
Milestone
Unreleased
Development

Successfully merging a pull request may close this issue.

route: fix parse of zero-length sockaddrs in RIBs raggi/net
8 participants
@raggi @bradfitz @dmitshur @joeljeske @hurricanehrndz @gopherbot @deansheather @gabyhelp