listener_manager: detect and reject effectively equivalent filter cha…

[htuch]

…ins.

Previously, it was possible to have two filter chains that didn't have proto equivalent
FilterChainMatches, yet had semantically equivalent matchers. E.g. when one filter chain has a
not-yet-implemented field. This led to a situation where the first filter chain might register for
SDS (and corresponding initialization callbacks), then the second equivalent filter chain would
replace it, freeing up the callback target. When SDS initialized, the stale callback would be
invoked, resulting in heap-user-after-free.

Fixes oss-fuzz issue https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=13221.

Risk level: Low
Testing: Corpus entry and unit test added.

Signed-off-by: Harvey Tuch htuch@google.com

[PiotrSikora]

Shouldn't we reject configs that use unimplemented proto fields instead? While this PR fixes the issue for FilterChainMatch, there are 51 occurrences of not-implemented-hide in the api/, so perhaps a fix at the proto validation layer would be a bit more useful?

[htuch]

I can do that, we should at least add an ASSERT here though, catching this via fuzzers is not ideal.

…

On Thu, Feb 21, 2019 at 6:33 PM Piotr Sikora ***@***.***> wrote: ***@***.**** commented on this pull request. Shouldn't we reject configs that use unimplemented proto fields instead? While this PR fixes the issue for FilterChainMatch, there are 51 occurrences of not-implemented-hide in the api/, so perhaps a fix at the proto validation layer would be a bit more useful? — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#6022 (review)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AKaLv14aBE93ELFHXEuscF8JsbKrPtLfks5vPyzbgaJpZM4bHZwt> .

[htuch]

Thinking about this a bit more, it's a bit tricky to do in general. Here are some considerations:

1. Scalar fields; we can tell if they are non-default (with per scalar field type logic), but not if they are "used" otherwise, in proto3.
2. Some [#not-implemented-hide:] we allow because a field is partially implemented, so we can't use this annotation as-is to do an automated check that we have an appropriate constraint.
3. We need to add to PGV a "do not use" annotation and then implement for all supported languages (Java, Go, C++), this doesn't exist today (AFAICT, CC @rodaine @akonradi)
4. Some use of [#not-implemented-hide:] is for v1 deprecated code.

I think they are all resolvable, the most tricky is (2), since we probably need to add a new tag type and use this for things that are "almost ready to bake" and not verboten.

I probably don't have cycles right now for extended PGV hacking to make (3) happen, but happy to open an issue.

Would you be alright with us landing this existing PR with appropriate TODOs and issues? I agree that long term we want to do this via PGV.

[htuch]

Actually, just chatted to @rodaine. We can do (3) by using const annotations for scalars (forcing them zero). So, that just leaves the message case, which should be easy. Sure, I can do this.

[PiotrSikora]

IMHO, changes in this PR won't be necessary once we have a proper fix in PGV (similarly to how we don't test for other PGV-enforced constraints in the code), but if you want to commit this, then that's fine with me, though it's more of "a fix for the case found by the fuzzer" than "a fix for the problem".

4. Some use of [#not-implemented-hide:] is for v1 deprecated code.

But that's an example of misusing [#not-implemented-hide:] 😜

[htuch]

Thanks, will merge and I will work on your suggested PGV based solution in the next few days.