edgexfoundry / app-functions-sdk-go

Owner: Applications WG
Apache License 2.0

Decoding 9 bytes of bad CBOR can exhaust memory (internal/runtime/runtime.go) #305

Closed x448 closed 4 years ago

x448 commented 4 years ago

Decoding 9-10 bytes of malformed CBOR data can exhaust memory and cause:

Only 1 decode attempt of 9 bytes is required to exhaust memory.

cc @lenny-intel @rsdmike

Relevant Code

internal/runtime/runtime.go

import (
... 
    "github.com/ugorji/go/codec"
...
)
...
// ProcessMessage sends the contents of the message thru the functions pipeline
func (gr *GolangRuntime) ProcessMessage(edgexcontext *appcontext.Context, envelope types.MessageEnvelope) *MessageError {
...
        case clients.ContentTypeCBOR:
            x := codec.CborHandle{}
            err := codec.NewDecoderBytes([]byte(envelope.Payload), &x).Decode(&target)

🔥 Error (fatal error: out of memory)


For info about CBOR and security, see Section 8 of RFC 7049 (Security Considerations).

For more comparisons, see fxamacker/cbor.

Description and Minimal Reproduction

In October 2013, RFC 7049 (CBOR) Section 8 (Security Considerations) warned that malformed CBOR data can be used to exhaust system resources.

Resource exhaustion attacks might attempt to lure a decoder into allocating very big data items (strings, arrays, maps) or exhaust the stack depth by setting up deeply nested items. Decoders need to have appropriate resource management to mitigate these attacks. (Items for which very large sizes are given can also attempt to exploit integer overflow vulnerabilities.)

In September 2019, oasislabs/oasis-core discovered that tiny CBOR data could exhaust memory, so they switched to a more secure and maintainable CBOR library.

In February 2020, smartcontractkit/chainlink found and fixed CBOR security issue(s) in a GitHub PR titled "Switch to more secure CBOR library".

Both projects were using the same CBOR library (ugorji/go) as edgexfoundry/app-functions-sdk-go.

To reproduce, decode 9-byte or 10-byte malformed CBOR data described in Section 8 of RFC 7049.

Examples of malformed CBOR data that can exhaust memory can be found on GitHub since September 2019 (or possibly earlier if you look beyond Go projects).
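As an added example (not code from this issue or from the SDK), the following Go pre-decode guard implements the RFC 7049 Section 8 advice the comment quotes: it parses only the head of the top-level CBOR item and rejects definite-length strings, arrays and maps whose declared size could never fit in the bytes actually received, so a message of a few bytes cannot talk a decoder into pre-allocating gigabytes. The function names and the constructed test inputs are my own; in a real service this check sits in front of, not instead of, a decoder with built-in limits such as the one the thread switches to.

```go
package main

import "errors"

var ErrOversized = errors.New("cbor: declared length exceeds available input") // head promises more than the buffer holds

// readHead parses the head of a CBOR data item (RFC 7049 Section 2): major type,
// length/value argument and header size. Indefinite-length heads yield arg 0.
func readHead(b []byte) (major byte, arg uint64, n int, err error) {
	if len(b) == 0 {
		return 0, 0, 0, errors.New("cbor: empty input")
	}
	major, ai := b[0]>>5, b[0]&0x1f
	switch {
	case ai < 24:
		return major, uint64(ai), 1, nil
	case ai == 31:
		return major, 0, 1, nil
	case ai > 27:
		return 0, 0, 0, errors.New("cbor: reserved additional info")
	}
	n = 1 + 1<<(ai-24) // a 1-, 2-, 4- or 8-byte big-endian argument follows the initial byte
	if len(b) < n {
		return 0, 0, 0, errors.New("cbor: truncated length argument")
	}
	for _, c := range b[1:n] {
		arg = arg<<8 | uint64(c)
	}
	return major, arg, n, nil
}

// CheckDeclaredSize is a pre-decode guard: a definite-length string, array or map
// whose declared size cannot be backed by the bytes present is rejected up front.
func CheckDeclaredSize(b []byte) error {
	major, arg, n, err := readHead(b)
	if err != nil {
		return err
	}
	remaining := uint64(len(b) - n)
	switch major {
	case 2, 3, 4: // string payload bytes, or array elements of at least one byte each
		if arg > remaining {
			return ErrOversized
		}
	case 5: // map: every key/value pair encodes as at least two bytes
		if arg > remaining/2 {
			return ErrOversized
		}
	}
	return nil
}
```

Nested items are not walked here, so the guard bounds only the top-level allocation; the decoder behind it still needs its own depth and size limits.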

lenny-goodell commented 4 years ago

We should switch the CBOR library to fix this issue, per this issue on the Device SDK: https://github.com/edgexfoundry/device-sdk-go/issues/471

lenny-goodell commented 4 years ago

The fix should also include updating to the latest go-mod-core-contracts for this PR: https://github.com/edgexfoundry/go-mod-core-contracts/pull/233

lenny-goodell commented 4 years ago

Related PR on swapping the CBOR module used: https://github.com/edgexfoundry/edgex-go/pull/2490

lenny-goodell commented 4 years ago

Brian McGinn from Intel will be working on this issue.