Skip to content

pkg: hardening: disallow negative ExpectedSize #615

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
cyphar merged 5 commits into from
Sep 6, 2025
Merged

pkg: hardening: disallow negative ExpectedSize #615

cyphar merged 5 commits into from
Sep 6, 2025

Conversation

@cyphar
Copy link
Member

@cyphar cyphar commented Sep 6, 2025

VerifiedReadCloser previously would allow for negative ExpectedSize to
disable the size checking features added in commit ad66299 ("pkg:
hardening: expand to verify descriptor length").

This was based on a somewhat overly-permissive reading of the discussion
in opencontainers/image-spec#153 which was finally clarified in
opencontainers/image-spec#1285. Unknown sizes are a classic DoS vector,
so allowing them seems like a bad idea in general.

Signed-off-by: Aleksa Sarai [email protected]

@cyphar cyphar force-pushed the negative-expected-size branch 2 times, most recently from 7e5baeb to 349c9fe Compare September 6, 2025 08:43
@codecov-commenter
Copy link

codecov-commenter commented Sep 6, 2025
edited
Loading

⚠️ Please install the 'codecov app svg image' to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

❌ Patch coverage is 90.62500% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 73.82%. Comparing base (e0662ee) to head (c5ac633).
⚠️ Report is 29 commits behind head on main.

Files with missing lines Patch % Lines
oci/cas/dir/dir.go 62.50% 2 Missing and 1 partial ⚠️
❗ Your organization needs to install the Codecov GitHub app to enable full functionality.
Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##             main     #615      +/-   ##
==========================================
+ Coverage   73.68%   73.82%   +0.14%     
==========================================
  Files          69       69              
  Lines        5556     5575      +19     
==========================================
+ Hits         4094     4116      +22     
+ Misses       1074     1072       -2     
+ Partials      388      387       -1
Files with missing lines Coverage Δ
oci/casext/verified_blob.go 100.00% <100.00%> (ø)
pkg/hardening/verified_reader.go 87.36% <100.00%> (+3.85%) ⬆️
oci/cas/dir/dir.go 60.57% <62.50%> (+0.05%) ⬆️

... and 1 file with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@cyphar cyphar force-pushed the negative-expected-size branch 2 times, most recently from 4d3bb5e to 2a9f248 Compare September 6, 2025 11:34
@cyphar
pkg: hardening: improve trailing data test
8438892 
The trailing data test relied on ExpectedSize < 0, but in actuality it
would be better to test it with the true ExpectedSize. This is also
needed because we will stop supporting ExpectedSize < 0 in a future
patch.

Signed-off-by: Aleksa Sarai <[email protected]>
@cyphar
oci: cas: use blob file size as ExpectedSize
5f31a52 
In a future patch, ExpectedSize < 0 will no longer be supported by
VerifiedReadCloser.

However, this also gives us an opportunity to add a bit of extra
hardening here -- if an attacker can write blobs to our store then they
could in theory trigger a DoS by constantly writing more bytes (or
expanding a zero section of a sparse file) if we do not have some hard
limit. The current file size is as good a limit as any (and is going to
be correct in all reasonable cases).

This also lets us avoid double-hashing blobs in the common case where
the blob size is correct (because then the VerifiedReadCloser returned
by GetVerifiedBlob() will be a no-op).

Signed-off-by: Aleksa Sarai <[email protected]>
@cyphar cyphar force-pushed the negative-expected-size branch from 2a9f248 to 714b09f Compare September 6, 2025 13:37
@cyphar
oci: casext: explicitly disallow negative-size descriptors
3037f87 
This was implicitly allowed by VerifiedReadCloser, and while we have
closed that hole it's probably best to provide a more helpful error
message.

Not blocking this earlier was mostly due to a somewhat overly-permissive
reading of the discussion in opencontainers/image-spec#153 which was
finally clarified in opencontainers/image-spec#1285. Unknown sizes are a
classic DoS vector, so allowing them (especially for descriptors where
it makes little sense to have an unknown size) seems like a bad idea in
general.

Ref: opencontainers/image-spec#1285
Signed-off-by: Aleksa Sarai <[email protected]>
@cyphar
pkg: hardening: disallow negative ExpectedSize
38fc012 
VerifiedReadCloser previously would allow for negative ExpectedSize to
disable the size checking features added in commit ad66299 ("pkg:
hardening: expand to verify descriptor length").

This was added partially because a somewhat overly-permissive reading of
the discussion in opencontainers/image-spec#153 (which was finally
clarified in opencontainers/image-spec#1285), but was also necessary for
some users of VerifiedReadCloser that did not really know the proper
blob size. We have now adjusted all of those callers, so there is no
longer any reason to continue supporting this.

Unknown sizes are a classic DoS vector, so allowing them seems like a
bad idea in general. We might need to adjust this if/when umoci grows
OCI distribution-spec support, but for now it isn't needed.

Signed-off-by: Aleksa Sarai <[email protected]>
@cyphar
oci: casext: properly return errors for GetVerifiedBlob
c5ac633 
Previously we would return a non-nil &VerifiedReadCloser{} even if the
underlying GetBlob failed -- this is not really a great idea, as you can
get nil panics if you try to Close it.

Signed-off-by: Aleksa Sarai <[email protected]>
@cyphar cyphar force-pushed the negative-expected-size branch from 714b09f to c5ac633 Compare September 6, 2025 13:45
@cyphar cyphar merged commit bca0881 into opencontainers:main Sep 6, 2025
20 checks passed
@cyphar cyphar deleted the negative-expected-size branch September 6, 2025 14:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@cyphar @codecov-commenter