Skip to content

Fix OOM DoS via unvalidated BlockHandle::size() in ReadBlock()#1314

Open
0daytrace wants to merge 1 commit intogoogle:mainfrom
0daytrace:fix/readblock-oom-dos
Open

Fix OOM DoS via unvalidated BlockHandle::size() in ReadBlock()#1314
0daytrace wants to merge 1 commit intogoogle:mainfrom
0daytrace:fix/readblock-oom-dos

Conversation

@0daytrace
Copy link
Copy Markdown

@0daytrace 0daytrace commented Mar 25, 2026

### Summary
Add a bounds check in ReadBlock() (table/format.cc) before the heap
allocation to reject maliciously large or corrupted block handles.

### Root Cause
BlockHandle::DecodeFrom() reads the size_ field directly from SSTable
file data as a raw varint with no upper-bound validation. ReadBlock() then
casts this value to size_t and uses it as an allocation size:

size_t n = static_cast<size_t>(handle.size());
char* buf = new char[n + kBlockTrailerSize]; // ← OOM if n is ~2 GiB

A crafted .ldb / .sst file with a block handle size of 0x7FFFFFFF
causes a ~2 GiB allocation attempt, crashing the process before any content
validation occurs.
The 2013 fix (commit 28dad91) added num_restarts validation inside
Block::Block(), but that check runs after the allocation — the
allocation itself was left unguarded.

### Fix

Add a pre-allocation sanity check in ReadBlock():

static const uint64_t kMaxBlockSize = 128ULL * 1024 * 1024; // 128 MiB
if (handle.size() > kMaxBlockSize) {
return Status::Corruption("block handle size exceeds sanity limit");
}

### The Patch (table/format.cc)

Apply immediately after the three result-> assignments at the start of
ReadBlock(), before the size_t n = ... line:

// Reject block handles with unreasonably large sizes to prevent OOM from
// malicious or corrupted SSTable files. BlockHandle::DecodeFrom() stores
// the size field with no range check; without this guard, a crafted file
// can trigger a multi-gigabyte allocation before Block::Block() validation.
static const uint64_t kMaxBlockSize = 128ULL * 1024 * 1024; // 128 MiB
if (handle.size() > kMaxBlockSize) {
return Status::Corruption("block handle size exceeds sanity limit");
}

### Impact

Any application calling DB::Open() or Table::Open() on a
user-supplied or attacker-influenced .ldb / .sst file is vulnerable.
Examples: backup tools, data browsers, sync clients, Chrome (IndexedDB).

### Test Case

The existing corruption_test.cc framework can verify this fix. A new test
should open a crafted table file with a block handle size of 0x7FFFFFFF
and assert that ReadBlock() returns Status::Corruption(...) rather than
crashing

TEST(CorruptionTest, OversizeBlockHandle) {
// Write a valid table, then corrupt the block handle size field to 0x7FFFFFFF
// in the raw .ldb file bytes. Opening the table should return Corruption,
// not OOM-crash.
//
// (Implementation uses existing corruption_test helpers to build and
// corrupt an SSTable, then calls Table::Open() and checks the status.)
}

### Affected Versions

All current versions. Tested against commit 7ee830d (HEAD as of report).

### References

  • Google OSS VRP Issue: 495694827
  • Reported by: 0daytrace (Salman, independent security researcher)

@0daytrace
table: reject oversized block handles in ReadBlock() to prevent OOM DoS
8948772 
A crafted SSTable with a block handle size of ~2 GiB causes an OOM
allocation in ReadBlock() before Block::Block() validation runs.
Add a 128 MiB sanity check before the allocation.

Reported via Google OSS VRP issue 495694827
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@0daytrace