Fix potential integer overflow in hash container create/resize (#1812)

derekmauro · web-flow · commit 54fac219c4ef · 2025-01-23T09:51:22.000-05:00
The sized constructors, reserve(), and rehash() methods of
absl::{flat,node}_hash_{set,map} did not impose an upper bound on
their size argument. As a result, it was possible for a caller to pass
a very large size that would cause an integer overflow when computing
the size of the container's backing store. Subsequent accesses to the
container might then access out-of-bounds memory.

The fix is in two parts:

1) Update max_size() to return the maximum number of items that can be
stored in the container

2) Validate the size arguments to the constructors, reserve(), and
rehash() methods, and abort the program when the argument is invalid

We've looked at uses of these containers in Google codebases like
Chrome, and determined this vulnerability is likely to be difficult to
exploit. This is primarily because container sizes are rarely
attacker-controlled.

The bug was discovered by Dmitry Vyukov &lt;dvyukov@google.com&gt;.
diff --git a/MODULE.bazel b/MODULE.bazel
@@ -16,7 +16,7 @@
 
 module(
     name = "abseil-cpp",
-    version = "20240116.2",
+    version = "20240116.3",
     compatibility_level = 1,
 )
 
diff --git a/absl/base/config.h b/absl/base/config.h
@@ -118,7 +118,7 @@
 // LTS releases can be obtained from
 // https://github.com/abseil/abseil-cpp/releases.
 #define ABSL_LTS_RELEASE_VERSION 20240116
-#define ABSL_LTS_RELEASE_PATCH_LEVEL 2
+#define ABSL_LTS_RELEASE_PATCH_LEVEL 3
 
 // Helper macro to convert a CPP variable to a string literal.
 #define ABSL_INTERNAL_DO_TOKEN_STR(x) #x
diff --git a/absl/container/internal/raw_hash_set.h b/absl/container/internal/raw_hash_set.h
@@ -1184,6 +1184,12 @@ inline size_t NormalizeCapacity(size_t n) {
   return n ? ~size_t{} >> countl_zero(n) : 1;
 }
 
+template <size_t kSlotSize>
+size_t MaxValidCapacity() {
+  return NormalizeCapacity((std::numeric_limits<size_t>::max)() / 4 /
+                           kSlotSize);
+}
+
 // General notes on capacity/growth methods below:
 // - We use 7/8th as maximum load factor. For 16-wide groups, that gives an
 //   average of two empty slots per group.
@@ -2093,6 +2099,8 @@ class raw_hash_set {
       const allocator_type& alloc = allocator_type())
       : settings_(CommonFields{}, hash, eq, alloc) {
     if (bucket_count) {
+      ABSL_RAW_CHECK(bucket_count <= MaxValidCapacity<sizeof(slot_type)>(),
+                     "Hash table size overflow");
       resize(NormalizeCapacity(bucket_count));
     }
   }
@@ -2286,7 +2294,9 @@ class raw_hash_set {
   bool empty() const { return !size(); }
   size_t size() const { return common().size(); }
   size_t capacity() const { return common().capacity(); }
-  size_t max_size() const { return (std::numeric_limits<size_t>::max)(); }
+  size_t max_size() const {
+    return CapacityToGrowth(MaxValidCapacity<sizeof(slot_type)>());
+  }
 
   ABSL_ATTRIBUTE_REINITIALIZES void clear() {
     // Iterating over this container is O(bucket_count()). When bucket_count()
@@ -2624,6 +2634,8 @@ class raw_hash_set {
     auto m = NormalizeCapacity(n | GrowthToLowerboundCapacity(size()));
     // n == 0 unconditionally rehashes as per the standard.
     if (n == 0 || m > capacity()) {
+      ABSL_RAW_CHECK(m <= MaxValidCapacity<sizeof(slot_type)>(),
+                     "Hash table size overflow");
       resize(m);
 
       // This is after resize, to ensure that we have completed the allocation
@@ -2634,6 +2646,7 @@ class raw_hash_set {
 
   void reserve(size_t n) {
     if (n > size() + growth_left()) {
+      ABSL_RAW_CHECK(n <= max_size(), "Hash table size overflow");
       size_t m = GrowthToLowerboundCapacity(n);
       resize(NormalizeCapacity(m));
 
diff --git a/absl/container/internal/raw_hash_set_test.cc b/absl/container/internal/raw_hash_set_test.cc
@@ -2678,6 +2678,14 @@ TEST(Table, CountedHash) {
   }
 }
 
+TEST(Table, MaxSizeOverflow) {
+  size_t overflow = (std::numeric_limits<size_t>::max)();
+  EXPECT_DEATH_IF_SUPPORTED(IntTable t(overflow), "Hash table size overflow");
+  IntTable t;
+  EXPECT_DEATH_IF_SUPPORTED(t.reserve(overflow), "Hash table size overflow");
+  EXPECT_DEATH_IF_SUPPORTED(t.rehash(overflow), "Hash table size overflow");
+}
+
 }  // namespace
 }  // namespace container_internal
 ABSL_NAMESPACE_END

Original file line number	Diff line number	Diff line change
`@@ -16,7 +16,7 @@`
`16`	`16`
`17`	`17`	`module(`
`18`	`18`	`name = "abseil-cpp",`
`19`		`- version = "20240116.2",`
	`19`	`+ version = "20240116.3",`
`20`	`20`	`compatibility_level = 1,`
`21`	`21`	`)`
`22`	`22`
Original file line number	Diff line number	Diff line change
`@@ -2678,6 +2678,14 @@ TEST(Table, CountedHash) {`
`2678`	`2678`	`}`
`2679`	`2679`	`}`
`2680`	`2680`
	`2681`	`+TEST(Table, MaxSizeOverflow) {`
	`2682`	`+ size_t overflow = (std::numeric_limits<size_t>::max)();`
	`2683`	`+ EXPECT_DEATH_IF_SUPPORTED(IntTable t(overflow), "Hash table size overflow");`
	`2684`	`+ IntTable t;`
	`2685`	`+ EXPECT_DEATH_IF_SUPPORTED(t.reserve(overflow), "Hash table size overflow");`
	`2686`	`+ EXPECT_DEATH_IF_SUPPORTED(t.rehash(overflow), "Hash table size overflow");`
	`2687`	`+}`
	`2688`	`+`
`2681`	`2689`	`} // namespace`
`2682`	`2690`	`} // namespace container_internal`
`2683`	`2691`	`ABSL_NAMESPACE_END`