consensus_encoding: implement batched allocation for vector decoders

[jrakibi]

EDITED:

Right now vector decoders (VecDecoder and ByteVecDecoder) only checks that the element count/byte < 4,000,000. This still allows an attacker to claims a large size without providing the corresponding data



In this patch we allocates in 1 MB batches so an attacker now needs to provide X MB of data to make us allocate X+1 MB of memory

The allocation is applied for VecDecoder and ByteVecDecoder.

Fixes #5157

[jrakibi]

Keep in mind that this only checks the minimum possible size (minimum_encoded_size() × length), not the actual size of elements.

I think fixing this would require tracking decoded bytes during the decoding process
not sure if that’s something we’re interested in doing ?

[tcharding]

I'm hot and cold on this. The DoS protection seems valid but the solution adds to the public API in a non-trivial way. I'm not sure its worth it? The other DoS protection was a no-brainer because it was all internal and easy to implement.

[nyonson]

Have similar feelings as Tobin. I think the new method would be worth it if it was the single plane that protected against large allocations. But even with this new requirement, we still have the witness decoder ones as well, and even with both of those it is possible to have some massive allocations.

[jrakibi]

I see four scenarios we can go with:

• Implement what I already mentioned in a previous review, allocate memory in batches consensus_encoding: Implement additional decoders #5057 (comment)
• Don’t allocate any memory in advance, and instead keep track of bytes consumed during decoding, once it exceeds 4 Mb, we return an error.
• Accept the current solution even though it adds to the public API (and add the missing WitnessDecoder).
• Just keep things as they are.

[apoelstra]

I think "allocate memory in batches" is probably the best solution. (Actually, I like this solution, but it's getting a lot of pushback and it affects the API so I'll concede).

[tcharding]

I"m down with 'allocate in batches' thing since I expect it to be an internal change.

Going forwards, perhaps we should have an issue investigating and/or deciding on how much DoS protection we aim as a project to guarantee (or guard against). FTR I have not personally had this in mind over the last few years. We probably need a full audit of all malloc call sites. Or is this going to far? Might be a good use of the new ADR idea or a doc in docs?

[apoelstra]

We probably need a full audit of all malloc call sites. Or is this going too far?

Yes, we should. It's not too hard. There are very few. Basically only the deserialization code (which I have always read with DoS vectors in mind).

Might be a good use of the new ADR idea or a doc in docs?

Yeah, not a bad idea.

[jrakibi]

Updated the PR title/description to reflect the new changes.

The batched allocation is applied to WitnessDecoder, VecDecoder, and ByteVecDecoder as well.
We now allocate in 1 MB batches, so an attacker needs to provide X Mb of data to make us allocate X+1 MB of memory.

[tcharding]

Do we want to merge #5224 and redo this one, I'll wait to hear before reviewing. Sorry for my part in making you do extra work @jrakibi

[jrakibi]

yeah, let’s get Nyonson’s PR merged first
I’ll redo this one in the meantime

[apoelstra]

#5224 is now closed. I think nyonson is planning to do a replacement one.

[jrakibi]

Sorry for the delay on this.

Added batched allocation for WitnessDecoder
we also apply batched allocation for the index space to avoid allocating the full 16 MB upfront when an attacker claims 4 million witness_elements.

The current approach automatically addresses the concerns raised in #5258 and #5239 (comment)

[jrakibi]

the maximum free DoS allocation an attacker can force with the current approach is around ~2 MB (from the cases I can think of and as shown in the unit test)

with the old doubling strategy, it's ~32 MB
without batched allocation for the index space, it's ~20 MB

[tcharding]

Perhaps this would be better as a method on the VecDecoder? Also could be private I believe.

    /// Reserves capacity for typed vectors in batches.
    ///
    /// Calculates how many elements of type `T` fit within `MAX_VECTOR_ALLOCATE` bytes and reserves
    /// up to that amount when the buffer reaches capacity.
    ///
    /// Documentation adapted from Bitcoin Core:
    ///
    /// > For `DoS` prevention, do not blindly allocate as much as the stream claims to contain.
    /// > Instead, allocate in ~1 MB batches, so that an attacker actually needs to provide X MB of
    /// > data to make us allocate X+1 MB of memory.
    ///
    /// ref: <https://github.com/bitcoin/bitcoin/blob/72511fd02e72b74be11273e97bd7911786a82e54/src/serialize.h#L669C2-L672C1>
    fn reserve(&mut self) {
        if self.buffer.len() == self.buffer.capacity() {
            let elements_remaining = self.length - self.buffer.len();
            let element_size = mem::size_of::<T>().max(1);
            let batch_elements = MAX_VECTOR_ALLOCATE / element_size;
            let elements_to_reserve = elements_remaining.min(batch_elements);
            self.buffer.reserve_exact(elements_to_reserve);
        }
    }

(Tested locally.)

[jrakibi]

Yeep, that makes sense

[tcharding]

Perhaps use the same style in both functions (either with local var available_capacity or without).

[jrakibi]

done

[tcharding]

I can't work out why we are comparing the required_len (space between read position (cursor) and index area) with the index_position (an index into the index area)?

I couldn't come up with a test that fails.

[jrakibi]

Good catch, this was left over from an earlier iteration. required_len is always > index_position

I’ve removed it in the Witness PR: #5298

[tcharding]

Why are we comparing max_required (amount of space required to read into) with total length including the index area?

[jrakibi]

the index area and the element bytes live in the same buffer, max_required represents the total space we need in that single Vec. So we compare max_required to content.len() to check if that whole buffer is large enough

[tcharding]

I think the 128 in the docs is meaningful if we are keeping the 128 in code.

[jrakibi]

good point, addressed in #5298

[tcharding]

I'm a bit confused about all this. Totally willing to accept that the fault is my own.

[tcharding]

Since the witness struct is so much more complicated (because of the index area) perhaps it would be better to do split this PR into two?

[jrakibi]

Since the witness struct is so much more complicated (because of the index area) perhaps it would be better to do split this PR into two?

Agree
I updated this PR to cover only VecDecoder and ByteVecDecoder.
WitnessDecoder has a different implementation because of the index area, so I opened a separate PR for it #5298

[tcharding]

ACK 0452a93

[tcharding]

Nice and clean, thanks for the continued effort.

[tcharding]

CI fails are unrelated.

[apoelstra]

Obligatory reminder that "size of the Rust type" has very little correlation with "size of an encoded object". But in this case we do actually want the size of the Rust type.

[apoelstra]

ACK 0452a93; successfully ran local tests