[jira] [Commented] (AVRO-1237) Avro-C segfaults when union discriminant out of bounds

2014-02-10 Thread Michael Cooper (JIRA)

[ 
https://issues.apache.org/jira/browse/AVRO-1237?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13897536#comment-13897536
 ] 

Michael Cooper commented on AVRO-1237:
--

This looks like it made it into 1.7.6 (CHANGELOG.txt), but the "Fix version" 
wasn't filled in.
So I have updated the "Fix version" field.

> Avro-C segfaults when union discriminant out of bounds
> --
>
> Key: AVRO-1237
> URL: https://issues.apache.org/jira/browse/AVRO-1237
> Project: Avro
>  Issue Type: Bug
>  Components: c
> Environment: Avro-C 1.7.2
> Ubuntu 12.04 x86_64
> Reporter: Michael Cooper
> Fix For: 1.7.6
>
> Attachments: 
> 0001-AVRO-1237.-C-Verify-union-discriminant-when-reading-.patch, 
> 0001-Check-union-discriminant-bounds-in-both-directions.patch, 
> 0001-Test-case-for-AVRO-1237.patch, avro-1237-bad-union-discriminant.avro, 
> avro-1237-good.avro
>
>
> libavro will segfault when decrypting a specially crafted (or corrupted) avro 
> file when the discriminant is out of bounds.
> There is already a check for < 0, but there is no upper bounds check.
> I have attached a patch that checks the bounds.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)


[jira] [Commented] (AVRO-1237) Avro-C segfaults when union discriminant out of bounds

2013-12-18 Thread Hudson (JIRA)

[ 
https://issues.apache.org/jira/browse/AVRO-1237?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13851945#comment-13851945
 ] 

Hudson commented on AVRO-1237:
--

ABORTED: Integrated in AvroJava #411 (See 
[https://builds.apache.org/job/AvroJava/411/])
AVRO-1237. C: Verify union discriminant when reading Avro data files.

Test case submitted by Michael Cooper.  Michael's original fix was to
perform a bounds check in avro_value_set_branch, but I've opted for a
solution in avro_value_read.  This has two benefits: the check is only
performed when reading a discriminant value from an unsafe source, and
it doesn't impose an extra burden on anyone writing their own custom
value implementations. (dcreager: rev 1551941)
* /avro/trunk/CHANGES.txt
* /avro/trunk/lang/c/src/value-read.c
* /avro/trunk/lang/c/tests/CMakeLists.txt
* /avro/trunk/lang/c/tests/avro-1237-bad-union-discriminant.avro
* /avro/trunk/lang/c/tests/avro-1237-good.avro
* /avro/trunk/lang/c/tests/test_avro_1237.c


> Avro-C segfaults when union discriminant out of bounds
> --
>
> Key: AVRO-1237
> URL: https://issues.apache.org/jira/browse/AVRO-1237
> Project: Avro
>  Issue Type: Bug
>  Components: c
> Environment: Avro-C 1.7.2
> Ubuntu 12.04 x86_64
> Reporter: Michael Cooper
> Attachments: 
> 0001-AVRO-1237.-C-Verify-union-discriminant-when-reading-.patch, 
> 0001-Check-union-discriminant-bounds-in-both-directions.patch, 
> 0001-Test-case-for-AVRO-1237.patch, avro-1237-bad-union-discriminant.avro, 
> avro-1237-good.avro
>
>
> libavro will segfault when decrypting a specially crafted (or corrupted) avro 
> file when the discriminant is out of bounds.
> There is already a check for < 0, but there is no upper bounds check.
> I have attached a patch that checks the bounds.





[jira] [Commented] (AVRO-1237) Avro-C segfaults when union discriminant out of bounds

2013-12-18 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/AVRO-1237?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13851723#comment-13851723
 ] 

ASF subversion and git services commented on AVRO-1237:
---

Commit 1551941 from dcrea...@apache.org in branch 'avro/trunk'
[ https://svn.apache.org/r1551941 ]

AVRO-1237. C: Verify union discriminant when reading Avro data files.

Test case submitted by Michael Cooper.  Michael's original fix was to
perform a bounds check in avro_value_set_branch, but I've opted for a
solution in avro_value_read.  This has two benefits: the check is only
performed when reading a discriminant value from an unsafe source, and
it doesn't impose an extra burden on anyone writing their own custom
value implementations.



[jira] [Commented] (AVRO-1237) Avro-C segfaults when union discriminant out of bounds

2013-07-03 Thread Michael Cooper (JIRA)

[ 
https://issues.apache.org/jira/browse/AVRO-1237?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13698900#comment-13698900
 ] 

Michael Cooper commented on AVRO-1237:
--

Hey, have you had a chance to look at doing the bounds check in the reader yet?

> Avro-C segfaults when union discriminant out of bounds
> --
>
> Key: AVRO-1237
> URL: https://issues.apache.org/jira/browse/AVRO-1237
> Project: Avro
>  Issue Type: Bug
>  Components: c
> Environment: Avro-C 1.7.2
> Ubuntu 12.04 x86_64
> Reporter: Michael Cooper
> Attachments: 
> 0001-Check-union-discriminant-bounds-in-both-directions.patch, 
> 0001-Test-case-for-AVRO-1237.patch, avro-1237-bad-union-discriminant.avro, 
> avro-1237-good.avro
>
>
> libavro will segfault when decrypting a specially crafted (or corrupted) avro 
> file when the discriminant is out of bounds.
> There is already a check for < 0, but there is no upper bounds check.
> I have attached a patch that checks the bounds.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira


[jira] [Commented] (AVRO-1237) Avro-C segfaults when union discriminant out of bounds

2013-02-13 Thread Douglas Creager (JIRA)

[ 
https://issues.apache.org/jira/browse/AVRO-1237?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13577593#comment-13577593
 ] 

Douglas Creager commented on AVRO-1237:
---

If you apply just the test case, you get a segfault (or some other undefined 
behavior), as Michael describes.  If you also apply Michael's fix patch, then 
the test case succeeds.

One possible concern with the fix is that it moves responsibility for doing the 
bounds check.  Before, we would only check the bounds when reading from an 
unsafe source — i.e., inside the function that reads the binary data from the 
file.  Now, we check the bounds inside of the value's {{set_branch}} method.  
This has two ramifications: first, it means that we're now performing a bounds 
check *every* time we set the branch of a union value, even if we're doing it 
from (ostensibly) safe hard-coded C code.  Normally the C idiom would be to 
only perform the bounds check where we know that it's needed, allowing us to 
save cycles when we know that it's not.  I'm not completely against the safe 
solution, I just wanted to point out the difference.

The second ramification is that every custom value implementation must now be 
responsible for performing this bounds check.  I don't know if there are very many 
people writing their own custom value implementations, but this solution does 
add a burden to those who do.

Ideally we'd get around both of these issues by doing the bounds check in the 
file reader code, as we did before.  But, as Michael probably noticed, we don't 
easily have access in that function to the number of branches in the underlying 
schema.  I want to see how difficult it would be to provide that access; if we 
can, then I think that would be a cleaner solution.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
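
The reader-side placement of the bounds check discussed in the comment above, as an added example (not code from the Avro project or from this thread): the discriminant is decoded from the untrusted buffer as a zigzag varint and checked against the union's branch count before it is used as an index. `toy_union`, `read_long`, `read_union_branch` and the sample bytes are hypothetical names and constructed data, not libavro's API.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Decode one zigzag varint; returns bytes consumed, or 0 on error. */
static size_t read_long(const uint8_t *buf, size_t len, int64_t *out)
{
    uint64_t acc = 0;
    for (size_t i = 0; i < len && i < 10; i++) {
        acc |= (uint64_t)(buf[i] & 0x7f) << (7 * i);
        if (!(buf[i] & 0x80)) {
            *out = (int64_t)(acc >> 1) ^ -(int64_t)(acc & 1);
            return i + 1;
        }
    }
    return 0; /* truncated or over-long varint */
}

/* Hypothetical union: branch names stand in for per-branch value readers. */
struct toy_union { const char *const *branches; size_t branch_count; };

/* Check at the point where untrusted bytes become an index, so callers
 * that set a branch from trusted code pay nothing extra. */
static const char *read_union_branch(const struct toy_union *u,
                                     const uint8_t *buf, size_t len)
{
    int64_t disc;
    if (read_long(buf, len, &disc) == 0)
        return NULL;
    if (disc < 0 || (uint64_t)disc >= u->branch_count)
        return NULL; /* the upper bound is the check the issue reports missing */
    return u->branches[disc];
}

/* Constructed sample inputs for a two-branch union ["null", "string"]. */
static const char *const kBranches[] = { "null", "string" };
static const struct toy_union kUnion = { kBranches, 2 };
static const uint8_t kGood[]      = { 0x02 };       /* discriminant 1 */
static const uint8_t kTooBig[]    = { 0xD0, 0x0F }; /* discriminant 1000 */
static const uint8_t kNegative[]  = { 0x01 };       /* discriminant -1 */
static const uint8_t kTruncated[] = { 0x80 };       /* continuation bit, no next byte */

int main(void)
{
    printf("%s\n", read_union_branch(&kUnion, kGood, sizeof kGood));
    printf("%d\n", read_union_branch(&kUnion, kTooBig, sizeof kTooBig) == NULL);
    return 0;
}
```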


[jira] [Commented] (AVRO-1237) Avro-C segfaults when union discriminant out of bounds

2013-02-12 Thread Douglas Creager (JIRA)

[ 
https://issues.apache.org/jira/browse/AVRO-1237?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13576601#comment-13576601
 ] 

Douglas Creager commented on AVRO-1237:
---

I will take a look at this this afternoon.

> Avro-C segfaults when union discriminant out of bounds
> --
>
> Key: AVRO-1237
> URL: https://issues.apache.org/jira/browse/AVRO-1237
> Project: Avro
>  Issue Type: Bug
>  Components: c
> Environment: Avro-C 1.7.2
> Ubuntu 12.04 x86_64
> Reporter: Michael Cooper
> Attachments: 
> 0001-Check-union-discriminant-bounds-in-both-directions.patch
>
>
> libavro will segfault when decrypting a specially crafted (or corrupted) avro 
> file when the discriminant is out of bounds.
> There is already a check for < 0, but there is no upper bounds check.
> I have attached a patch that checks the bounds.



[jira] [Commented] (AVRO-1237) Avro-C segfaults when union discriminant out of bounds

2013-02-07 Thread Doug Cutting (JIRA)

[ 
https://issues.apache.org/jira/browse/AVRO-1237?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13573693#comment-13573693
 ] 

Doug Cutting commented on AVRO-1237:


Can someone familiar with Avro C please review this?

Also, is it possible to add a test case for this?
