OpenDDS / OpenDDS

OpenDDS is an open source C++ implementation of the Object Management Group (OMG) Data Distribution Service (DDS). OpenDDS also supports Java bindings through JNI.
http://www.opendds.org

Process killed with high RAM usage when setting malicious DataReaderQoS setting #4527

Closed mirusu400 closed 2 months ago

mirusu400 commented 2 months ago

Expected behavior

Process will exit or handle exceptions

Current Behavior

Process keeps trying to make the DataReader, but it crashes and gets a kill signal with high RAM usage, and finally exits with signal SIGKILL.

This allows a local attacker to cause a denial of service and obtain sensitive information via a crafted max_samples component.

Steps to produce

Download poc project below. DataReaderQos_poc.zip

mkdir build
cd build
cmake ..
make
./subscriber

stdout:

$ ./subscriber
Create DomainParticipantFactory
Create DomainParticipant
0x617000002380
Create Subscriber
0x61900001f480  0x61900001f980
Create DataWriter
Killed

    DDS::Subscriber_var subscriber = participant->create_subscriber(sub_qos, 0, OpenDDS::DCPS::DEFAULT_STATUS_MASK);
    DDS::Publisher_var publisher = participant->create_publisher(pub_qos, 0, OpenDDS::DCPS::DEFAULT_STATUS_MASK);

    std::cout << subscriber << "\t" << publisher << std::endl;

    /*
      What the hell?????????????????????????
    */
    subscriber->get_default_datareader_qos(dr_qos);
    dr_qos.resource_limits.max_samples = 900000000;

    std::cout << "Create DataWriter" << std::endl;
    // Create datawriter, datareader
    DDS::DataReader_var reader = subscriber->create_datareader(topic, dr_qos, 0, OpenDDS::DCPS::DEFAULT_STATUS_MASK);
    DDS::DataWriter_var writer = publisher->create_datawriter(topic, dw_qos, 0, OpenDDS::DCPS::DEFAULT_STATUS_MASK);

In lines 122 to 137 of the Oppends_poc.cpp file, if we specify a value that is too large for the PC to manage during DataReader's QoS settings, the process will be forced to shut down.

OpenDDS Version

https://github.com/OpenDDS/OpenDDS/commit/b1c534032bb62ad4ae32609778de6b8d6c823a66

Platform

Ubuntu 22.04

Additional context

This issue seems similar to #4388, and it was answered with one word: the responsibility of the user. However, since fatal memory leaks can occur, I think OpenDDS, like other DDS software, should have at least a minimum guide.

iguessthislldo commented 2 months ago

It's basically the same as the other issue, but with a reader instead of a writer.
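
An application-side guard for the situation in this thread, as an added example that is not part of the original issue or of OpenDDS: it checks resource limits taken from configuration before they are handed to `create_datareader`. `ResourceLimits` is a stand-in for the `resource_limits` member of the reader QoS; `ReaderBudget`, `check_reader_limits` and the byte figures are hypothetical.

```cpp
#include <cstdint>
#include <iostream>
#include <string>

// Stand-in for the resource_limits member of DataReaderQos, so this builds without OpenDDS.
// Field names and LENGTH_UNLIMITED (-1) follow the DDS specification.
constexpr std::int32_t LENGTH_UNLIMITED = -1;
struct ResourceLimits {
  std::int32_t max_samples = LENGTH_UNLIMITED;
  std::int32_t max_instances = LENGTH_UNLIMITED;
  std::int32_t max_samples_per_instance = LENGTH_UNLIMITED;
};

// Hypothetical application policy (not an OpenDDS type): what one reader may claim.
struct ReaderBudget {
  std::uint64_t sample_bytes;  // assumed worst-case size of one sample
  std::uint64_t budget_bytes;  // assumed memory ceiling for this reader
  bool allow_unlimited;        // whether LENGTH_UNLIMITED is acceptable from this source
};

// Returns "" when the limits are acceptable, otherwise the reason to refuse them.
std::string check_reader_limits(const ResourceLimits& rl, const ReaderBudget& b) {
  const std::int32_t n = rl.max_samples, per = rl.max_samples_per_instance;
  if (n == 0 || n < LENGTH_UNLIMITED)
    return "max_samples must be positive or LENGTH_UNLIMITED";
  if (n == LENGTH_UNLIMITED)
    return b.allow_unlimited ? "" : "max_samples is unlimited; an explicit bound is required";
  if (per != LENGTH_UNLIMITED && per > n)
    return "max_samples_per_instance exceeds max_samples";
  if (b.sample_bytes == 0)
    return "sample_bytes must be non-zero";
  // Divide instead of multiplying so the comparison cannot overflow.
  if (static_cast<std::uint64_t>(n) > b.budget_bytes / b.sample_bytes)
    return "max_samples exceeds the reader memory budget";
  return "";
}

int main() {
  const ReaderBudget budget{256, 64ull * 1024 * 1024, false};  // constructed figures
  ResourceLimits rl;
  rl.max_samples = 900000000;  // the value set in the issue's PoC
  const std::string why = check_reader_limits(rl, budget);
  // In a real subscriber this runs before subscriber->create_datareader(topic, dr_qos, ...).
  std::cout << (why.empty() ? std::string("accepted") : "rejected: " + why) << '\n';
  return 0;
}
```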