GH-43070: [C++][Parquet] Check for valid ciphertext length to prevent segfault

[adamreeve]

Rationale for this change

See #43070

What changes are included in this PR?

Checks that the ciphertext length is at least enough to hold the length (if written), nonce and GCM tag for the GCM cipher type.

Also enforces that the input ciphertext length parameter is provided (is > 0) and verifies that the ciphertext size read from the file isn't going to cause reads beyond the end of the ciphertext buffer.

Are these changes tested?

Yes I've added new unit tests for this.

Are there any user-facing changes?

No

• GitHub Issue: [C++][Parquet] Reading corrupted encrypted Parquet files can cause a segfault #43070

[github-actions]

⚠️ GitHub issue #43070 has been automatically assigned in GitHub to PR creator.

[adamreeve]

Ah it looks like all the Windows builds are failing as I'm using non-exported classes in the new tests. Would it make sense to add PARQUET_EXPORT to these, or should I not be testing these internal classes? I think it would be quite difficult to add tests for this change at a higher level.

[mapleFU]

The code LGTM, but I'm not familiar with decrypt module. So @wgtmac @pitrou for help

[pitrou]

Looking at the existing code in these methods, several things stand out:

1. we don't validate ciphertext length before fetching the 4 bytes encoding the actual length (a corrupt file could perhaps have a ciphertext length < 4?)
2. use of raw C arrays instead of std::array<uint8_t> for example
3. why is the ciphertext_len argument optional in this API? this looks fickle and error-prone.
4. the part that extracts and validates the actual length is duplicated in the two methods

I would suggest we take the opportunity and refactor this into a cleaner and less error-prone implementation. In particular, the GCM and CTR-specific methods should probably have a mandatory ciphertext length, and would not have to bother with reading the length bytes.

@ggershinsky @thamht4190 Do we have an explanation for the very odd choices here?

[adamreeve]

Yeah I didn't dig in too deep to find why the ciphertext_len is optional, it would be nice if that could be mandatory. But if that's not possible we should at least be able to provide the size of the buffer that the ciphertext is being read from to ensure that ciphertext_len isn't greater than this.

[adamreeve]

It does look like we don't always know the length of the ciphertext but sometimes just an upper bound that's used to allocate the buffer. I found an example of this when reading the bloom filter header:

arrow/cpp/src/parquet/bloom_filter.cc

Lines 116 to 121 in e615a30

	// NOTE: we don't know the bloom filter header size upfront without
	// bloom_filter_length, and we can't rely on InputStream::Peek() which isn't always
	// implemented. Therefore, we must first Read() with an upper bound estimate of the
	// header size, then once we know the bloom filter data size, we can Read() the exact
	// number of remaining data bytes.
	bloom_filter_header_read_size = kBloomFilterHeaderSizeGuess;

I'm thinking that rather than having separate arguments like ciphertext_buffer_len (required) and ciphertext_expected_len (optional), it's probably fine to make ciphertext_len required and mean the size of the buffer, so we would validate that the actual length is <= this after accounting for the 4 byte length rather than enforcing an exact match. Does that seem reasonable? (I've gone ahead and made this change but am happy to adjust the approach)

[pitrou]

Another potential weak point is this:

arrow/cpp/src/parquet/thrift_internal.h

Lines 415 to 417 in 1da71ba

	auto decrypted_buffer = std::static_pointer_cast<ResizableBuffer>(
	AllocateBuffer(decryptor->pool(),
	static_cast<int64_t>(clen - decryptor->CiphertextSizeDelta())));

and of course this part where we totally ignore the physical buffer length, letting the Decrypt function happily read past the end of the buffer:

arrow/cpp/src/parquet/thrift_internal.h

Lines 419 to 420 in 1da71ba

	uint32_t decrypted_buffer_len =
	decryptor->Decrypt(cipher_buf, 0, decrypted_buffer->mutable_data());

All in all, this warrants a refactor for sanity and robustness.

[adamreeve]

@pitrou, I think I've addressed all of your comments now thank you

• I've added extra validation of the buffer sizes in various places
• I've switched from raw pointers to arrow::util::span (I think this is more appropriate than std::array which is for fixed length arrays, but let me know if I've misunderstood)
• The ciphertext size is no longer optional, although it's no longer checked for an exact match, the actual ciphertext length might be less than the buffer size
• I've pulled out the length reading and validation into a shared method
• I've refactored how the plaintext/ciphertext length conversions are handled by adding methods for these rather than adding or subtracting the size delta in consumer code

I haven't touched the AesEncryptor API at all, but it would probably make sense to follow up after this to at least change that to use arrow::util::span too for consistency.

[pitrou]

@adamreeve I just want to let you know that I'm currently sick and may not be able to review this before the next week. Thanks for doing this!

[adamreeve]

OK no problem, thanks for letting me know, and I hope you're feeling better soon.

[raulcd]

@mapleFU @wgtmac is there any possibility you could take a look on this? Otherwise this fix will have to miss the 17.0.0 release unfortunately

[mapleFU]

The style looks ok but I'm not familiar with encryption

[mapleFU]

Ever used?

[adamreeve]

Yes this is needed so that ARROW_WITH_SNAPPY is defined, otherwise the tests below are always skipped. This is a bit unrelated to this change but I noticed this problem when running the tests locally, and I'd come across this problem before in #40327.

[wgtmac]

Generally LGTM. Thanks for the fix!

[wgtmac]

It seems pretty common, does it make sense to relocate it to arrow/util/span.h?

[adamreeve]

You can already construct a span from a string but that creates a span<const char>. Converting to a uint8_t span might be more specific to the encryption use case so I'm not sure about this.

[wgtmac]

Should we add using ::arrow::util::span to this source file to make the signatures shorter?

[adamreeve]

Good point, I've done that now

[wgtmac]

We can refactor this to use span in the follow up changes.

[adamreeve]

Yes I've just made #43142 for this, and I will follow up after this PR

[wgtmac]

Suggested change

	if (ciphertext.size() > static_cast<size_t>(std::numeric_limits<int>::max())) {
	if (ciphertext.size() > static_cast<size_t>(std::numeric_limits<int32_t>::max())) {

[adamreeve]

👍 fixed

[wgtmac]

Should we replace int with int32_t to be more portable? Same for functions below. Of course this can be a followup change.

[adamreeve]

Yes it would make sense to do this as a follow up to avoid changing too much in this PR, I've made #43141 for this

[wgtmac]

It took me a while to understand this line. Perhaps it is better to explicitly use kBufferSizeLength here as line 484 to 486 have assumed this length is 4 bytes.

[adamreeve]

Yes good point, that also confused me a bit. I've changed that and added a comment to hopefully make this more readable

[wgtmac]

nit: include the length (4 bytes) in the error message.

[adamreeve]

👍 fixed

[wgtmac]

+1

Thanks!

[wgtmac]

CI failures are unrelated. I will merge it shortly.

[wgtmac]

@raulcd Please feel free to port it to maint-17.0.0

[mapleFU]

(Gang says he has api error when run merge script so I merged this, lol)

[raulcd]

Thanks both for jumping in on the review and thanks @adamreeve for the PR

[conbench-apache-arrow]

After merging your PR, Conbench analyzed the 4 benchmarking runs that have been run so far on merge-commit eadeb74.

There were no benchmark performance regressions. 🎉

The full Conbench report has more details. It also includes information about 27 possible false positives for unstable benchmarks that are known to sometimes produce them.

[pitrou]

Belated review, sorry.

[pitrou]

We should ideally check for signed addition overflow here.

[adamreeve]

Good point. Is it ok to add this to the changes in #43195, or should I make a separate PR for these follow ups?

[pitrou]

IMHO you can add them to the aforementioned PR.

[adamreeve]

I've added this check in fb63bcc

[pitrou]

I wonder if the compiler won't elide this, as ((ciphertext[3] & 0xff) << 24) becoming negative implies signed integer overflow which is undefined behavior. @felipecrv What do you think?

[felipecrv]

This check is weird. written_ciphertext_len should be uint32_t, then checking that written_ciphertext_len is not greater than std::numeric_limits<int32_t>::max() is enough. In other words: the encoded value is never negative, but it can be too big.

[pitrou]

ciphertext[3] & 0xff is weird as well, since ciphertext[3] is a uint8, thus in [0,255] already.
Perhaps the proper check should simply be ciphertext[3] < 0x80u?

[adamreeve]

Hmm yeah the & 0xffs are all redundant, maybe it ended up written this way to be similar to the code for writing the length. Rather than just checking the length isn't negative, we should also check that written_ciphertext_len + length_buffer_length_ doesn't overflow, so I think it would probably be simplest to read as uint32_t.

[adamreeve]

I've changed this check as part of #43195, in this commit: b81cafe

[pitrou]

Or more idiomatically:

  std::array<uint8_t, kGcmTagLength> tag{};

[adamreeve]

I've changed this as well as the other uses of C style arrays in ff31c7b

[pitrou]

Unrelated, but since we're not attempting to resize the buffer, the cast to ResizableBuffer should be superfluous?

[adamreeve]

AllocateBuffer here is ::parquet::AllocateBuffer which returns a std::shared_ptr<ResizableBuffer>, rather than ::arrow::AllocateBuffer, so it looks like the cast would be unnecessary even if we were resizing it:

arrow/cpp/src/parquet/platform.cc

Lines 36 to 37 in 031497d

	std::shared_ptr<ResizableBuffer> AllocateBuffer(MemoryPool* pool, int64_t size) {
	PARQUET_ASSIGN_OR_THROW(auto result, ::arrow::AllocateResizableBuffer(size, pool));

[pitrou]

Hmm, I see. We can try removing it at some point then, as the code currently looks weird.

[adamreeve]

I've removed this as well as another occurrence of the same behaviour in f4a7721