1From 3c4b18dc14949d1c6dac8bae2e459c71b21e3416 Mon Sep 17 00:00:00 2001 2From: Derek Mauro <dmauro@google.com> 3Date: Wed, 22 Jan 2025 15:58:56 -0500 4Subject: [PATCH] Fix potential integer overflow in hash container 5 create/resize 6 7The sized constructors, reserve(), and rehash() methods of 8absl::{flat,node}_hash_{set,map} did not impose an upper bound on 9their size argument. As a result, it was possible for a caller to pass 10a very large size that would cause an integer overflow when computing 11the size of the container's backing store. Subsequent accesses to the 12container might then access out-of-bounds memory. 13 14The fix is in two parts: 15 161) Update max_size() to return the maximum number of items that can be 17stored in the container 18 192) Validate the size arguments to the constructors, reserve(), and 20rehash() methods, and abort the program when the argument is invalid 21 22We've looked at uses of these containers in Google codebases like 23Chrome, and determined this vulnerability is likely to be difficult to 24exploit. This is primarily because container sizes are rarely 25attacker-controlled. 26 27The bug was discovered by Dmitry Vyukov <dvyukov@google.com>. 28 29Conflict: remove absl/base/config.h 30Reference: https://github.com/abseil/abseil-cpp/commit/3c4b18dc14949d1c6dac8bae2e459c71b21e3416 31--- 32 absl/base/config.h | 2 +- 33 absl/container/internal/raw_hash_set.h | 16 +++++++++++++++- 34 absl/container/internal/raw_hash_set_test.cc | 8 ++++++++ 35 3 files changed, 24 insertions(+), 2 deletions(-) 36 37diff --git a/absl/container/internal/raw_hash_set.h b/absl/container/internal/raw_hash_set.h 38index 5f89d8efee6..92b93453314 100644 39--- a/absl/container/internal/raw_hash_set.h 40+++ b/absl/container/internal/raw_hash_set.h 41@@ -1076,6 +1076,12 @@ inline size_t NormalizeCapacity(size_t n) { 42 return n ? ~size_t{} >> countl_zero(n) : 1; 43 } 44 45+template <size_t kSlotSize> 46+size_t MaxValidCapacity() { 47+ return NormalizeCapacity((std::numeric_limits<size_t>::max)() / 4 / 48+ kSlotSize); 49+} 50+ 51 // General notes on capacity/growth methods below: 52 // - We use 7/8th as maximum load factor. For 16-wide groups, that gives an 53 // average of two empty slots per group. 54@@ -1717,6 +1723,8 @@ class raw_hash_set { 55 const allocator_type& alloc = allocator_type()) 56 : settings_(CommonFields{}, hash, eq, alloc) { 57 if (bucket_count) { 58+ ABSL_RAW_CHECK(bucket_count <= MaxValidCapacity<sizeof(slot_type)>(), 59+ "Hash table size overflow"); 60 common().set_capacity(NormalizeCapacity(bucket_count)); 61 initialize_slots(); 62 } 63@@ -1916,7 +1924,10 @@ class raw_hash_set { 64 bool empty() const { return !size(); } 65 size_t size() const { return common().size(); } 66 size_t capacity() const { return common().capacity(); } 67- size_t max_size() const { return (std::numeric_limits<size_t>::max)(); } 68+ size_t max_size() const { 69+ return CapacityToGrowth(MaxValidCapacity<sizeof(slot_type)>()); 70+ } 71+ 72 73 ABSL_ATTRIBUTE_REINITIALIZES void clear() { 74 // Iterating over this container is O(bucket_count()). When bucket_count() 75@@ -2266,6 +2277,8 @@ class raw_hash_set { 76 auto m = NormalizeCapacity(n | GrowthToLowerboundCapacity(size())); 77 // n == 0 unconditionally rehashes as per the standard. 78 if (n == 0 || m > capacity()) { 79+ ABSL_RAW_CHECK(m <= MaxValidCapacity<sizeof(slot_type)>(), 80+ "Hash table size overflow"); 81 resize(m); 82 83 // This is after resize, to ensure that we have completed the allocation 84@@ -2276,6 +2289,7 @@ class raw_hash_set { 85 86 void reserve(size_t n) { 87 if (n > size() + growth_left()) { 88+ ABSL_RAW_CHECK(n <= max_size(), "Hash table size overflow"); 89 size_t m = GrowthToLowerboundCapacity(n); 90 resize(NormalizeCapacity(m)); 91 92diff --git a/absl/container/internal/raw_hash_set_test.cc b/absl/container/internal/raw_hash_set_test.cc 93index 242a97cbe3f..d5d5f3934da 100644 94--- a/absl/container/internal/raw_hash_set_test.cc 95+++ b/absl/container/internal/raw_hash_set_test.cc 96@@ -2510,6 +2510,14 @@ TEST(Iterator, InvalidComparisonDifferentTables) { 97 "Invalid iterator comparison.*non-end"); 98 } 99 100+TEST(Table, MaxSizeOverflow) { 101+ size_t overflow = (std::numeric_limits<size_t>::max)(); 102+ EXPECT_DEATH_IF_SUPPORTED(IntTable t(overflow), "Hash table size overflow"); 103+ IntTable t; 104+ EXPECT_DEATH_IF_SUPPORTED(t.reserve(overflow), "Hash table size overflow"); 105+ EXPECT_DEATH_IF_SUPPORTED(t.rehash(overflow), "Hash table size overflow"); 106+} 107+ 108 } // namespace 109 } // namespace container_internal 110 ABSL_NAMESPACE_END 111