Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix memcpy in byte_slice constructor #9583

Merged
merged 1 commit into from
Dec 23, 2024

Conversation

vtnerd
Copy link
Contributor

@vtnerd vtnerd commented Nov 19, 2024

There's technically an overflow in byte_slice.cpp that I caught while simply scanning the code. This can occur if the total memory being copied exceeds size_t. This is unlikely to ever trigger, because the platform probably needs sizeof(size_t) == 4 && sizeof(void*) == 8 (or similar) to occur. And somehow a malloc to copy all of this data needs to succeed too. Therefore, this is primarily just defensive programming to be strictly standards compliant.

@vtnerd
Copy link
Contributor Author

vtnerd commented Nov 19, 2024

I wasn't up-to-date with master, so the last force push was a rebase.

@iamamyth
Copy link

iamamyth commented Nov 20, 2024

This can occur if the total memory being copied exceeds size_t

If this happens, do you really want a silent failure? It'd mean the caller tried to produce a copy exceeding the whole of memory, very likely a bug, and probably unrecoverable.

@vtnerd
Copy link
Contributor Author

vtnerd commented Nov 20, 2024

The next line catches the overflow. remove_prefix returns the number of bytes actually removed, which is less than requested in the overflow case.

@iamamyth
Copy link

If you want to be paranoid about overflows, it would seem you need to check here for MAX wrapping back to 0:
https://github.com/monero-project/monero/pull/9583/files#diff-ae5d1c840afa6e07bbc29bc1432800ab4ef3bb779067e5e45b0a4943a6e65412L155

But if you include this check, based on my reading of allocate_slice and span, out.remove_prefix will never fail, so both the min and remove_prefix checks guard against the impossible.

@vtnerd
Copy link
Contributor Author

vtnerd commented Nov 21, 2024

The idea was to catch the overflow later on the remove_prefix line. It gets caught either way.

@iamamyth
Copy link

iamamyth commented Nov 21, 2024

It gets caught either way.

If it wraps to exactly zero, it's not caught, because the whole block is gated by if (space_needed).

@vtnerd
Copy link
Contributor Author

vtnerd commented Nov 21, 2024

Yup, it has defined behavior in that situation, but it is still incorrect.

@vtnerd vtnerd force-pushed the fix/byte_slice branch 3 times, most recently from 17c3370 to dbac8d7 Compare November 21, 2024 19:46
@vtnerd
Copy link
Contributor Author

vtnerd commented Nov 22, 2024

Force pushed a different change.

@luigi1111 luigi1111 merged commit 731854d into monero-project:master Dec 23, 2024
18 checks passed
@vtnerd vtnerd deleted the fix/byte_slice branch December 23, 2024 16:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants