Weak hash of serialized closures

[vicuna]

Original bug ID: 5942
Reporter: bvaugon
Status: confirmed (set by @damiendoligez on 2017-10-05T15:45:39Z)
Resolution: open
Priority: normal
Severity: major
Version: 4.00.1
Category: runtime system and C interface
Tags: patch

Bug description

Usually, when you serialize a closure with one program, it is impossible to unserialize it with a different program, and you expect to obtain a runtime exception like: Failure("input_value: unknown code module FAE2E4BE7A3AE0091CF3043126B2CC65")

But, when two programs differs only by their data segments (see the attached example), it is possible to marshal a closure with the first program and to unmarshal it with the second program. Obviously, if you try to call the invalid unserialized closue, execution results in the famous "segmentation fault".

This bug is reproducible with ocamlc and ocamlopt.

The problem is that the hash sum stored in the marshalled closure is only computed with the code segment and not with the data segment.

I wrote a patch to fix it.

Steps to reproduce

With attached x.ml and y.ml, run:

ocamlopt x.ml -o x
ocamlopt y.ml -o y
./x
Do not import "data", ok
./y
Segmentation fault (core dumped)

Additional information

Fixed by the attached patch: ocaml-4.00.1-data-marsh.diff.

Remark: dynlink is ok because the entire dynlinked files are hashed.
So, I just modify byterun and asmrun.

File attachments

• ocaml-4.00.1-data-marsh.diff
• ocaml-4.00.1-data-marsh.tgz

[vicuna]

Comment author: @gasche

I took the liberty to upload the patch independently from the archive, for eventual reviewers that would be more comfortable having a look directly inside Mantis.

I could reproduce the bug with 3.12.1, 32 bits, but not 4.00.1 64 bits: as the data fields should be of the same size (or at least aligned), on a 64 bits machine you need to shorten the list in y.ml to two integers rather than four to observe the segfault.

[vicuna]

Comment author: @alainfrisch

Important, but too risky to merge just before a release, I'd say.

[vicuna]

Comment author: @alainfrisch

I've started to review the code.

• In byterun/startup.c, function caml_main: if I'm not wrong, the patch has the effect of loading the DATA section twice (once to compute the digest, and once to deserialize the value). Instead, one could read once into caml_data and use caml_input_value_from_block to deserialize directly from this block.

• caml_startup_code (i.e. "ocamlc -custom") should be adapted as well. It receives the data block as an argument, so this should be quite easy.

Benoit: would you be as kind as to submit a Github PR rebased on trunk (including changes for the remarks above), trying to add a test to the suite (preferably one that would fail before including on 64-bit)?

[vicuna]

Comment author: bvaugon

Thanks for your remarks.

I just submit a PR on github (see #330). This PR is for the trunk and contains tests for 32 and 64 bits.

• The double reading of the DATA segment is now fixed.

• However, the caml_startup_code function from byterun/startup.c seems to already set the caml_data and caml_data_size variables in the original patch from mantis. So I didn't change that code in the GitHub PR. Maybe I missed something from your second remark... ?

[vicuna]

Comment author: @alainfrisch

However, the caml_startup_code function from byterun/startup.c seems to already set the caml_data and caml_data_size variables in the original patch from mantis.

Indeed, sorry!

[vicuna]

Comment author: @mshinwell

Downgrading to high priority.

@bvaugon Have you made any further progress on this problem? #330 and #332 have both stalled.

[vicuna]

Comment author: @xavierleroy

For reference: latest proposal at #332

[vicuna]

Comment author: @xavierleroy

This report and the associated Github pull requests have been dormant for a long time. What should we do? I still believe that my proposal is the most reasonable: use an MD5 checksum of the file denoted by Sys.executable_name, computed at run-time the first time we need it. MD5 is fast, don't worry.