Skip to content

fix: MessageQueueShm head index boundary check #405

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Jul 7, 2025
Merged

fix: MessageQueueShm head index boundary check #405

merged 6 commits into from
Jul 7, 2025

Conversation

yinggeh
Copy link
Contributor

@yinggeh yinggeh commented Jul 1, 2025
edited
Loading

What does the PR do?

When attacker registers the same shm created by python backend, they can overwrite MessageQueueShm::head data with a very large index and inject malicious code to the memory space.

Checklist

  • PR title reflects the change and is of format <commit_type>: <Title>
  • Changes are described in the pull request.
  • Related issues are referenced.
  • Populated github labels field
  • Added test plan and verified test passes.
  • Verified that the PR passes existing CI.
  • Verified copyright is correct on all changed files.
  • Added succinct git squash message before merging ref.
  • All template sections are filled out.
  • Optional: Additional screenshots for behavior/output changes with before/after.

Commit Type:

  • fix

Related PRs:

Where should the reviewer start?

The index boundary check is in src/message_queue.h

Test plan:

  • CI Pipeline ID:
    30975011

Caveats:

Background

Related Issues: (use one of the action keywords Closes / Fixes / Resolves / Relates to)

  • closes GitHub issue: #xxx

@yinggeh yinggeh self-assigned this Jul 1, 2025
@yinggeh yinggeh added the bug Something isn't working label Jul 1, 2025
@yinggeh yinggeh changed the title fix: Additional check on message queue indices fix: Additional check on message queue shm indices Jul 1, 2025
@yinggeh yinggeh changed the title fix: Additional check on message queue shm indices fix: MessageQueueShm head index boundary check Jul 1, 2025
@yinggeh
Copy link
Contributor Author

yinggeh commented Jul 1, 2025

No unit test because triton-inference-server/server#8273 makes the exploitation impossible.

yinggeh
yinggeh commented Jul 1, 2025
View reviewed changes
yinggeh
yinggeh commented Jul 1, 2025
View reviewed changes
yinggeh
yinggeh commented Jul 1, 2025
View reviewed changes
yinggeh
yinggeh commented Jul 1, 2025
View reviewed changes
@yinggeh yinggeh requested review from kthui and krishung5 July 2, 2025 00:57
@yinggeh yinggeh marked this pull request as draft July 2, 2025 18:00
@yinggeh yinggeh marked this pull request as ready for review July 2, 2025 23:42
@yinggeh yinggeh requested a review from Tabrizian July 2, 2025 23:47
pskiran1
pskiran1 reviewed Jul 3, 2025
View reviewed changes
Copy link
Member

@pskiran1 pskiran1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! Will wait for other expert review.

@statiraju
Copy link

@tanmayv25 can you help approve.

@tanmayv25
Copy link
Contributor

LGTM

@yinggeh yinggeh merged commit 8cfdffe into main Jul 7, 2025
3 checks passed
mc-nv pushed a commit that referenced this pull request Jul 23, 2025
@yinggeh @mc-nv
fix: Boundary check for MessageQueueShm head index (#405)
2fb6c92
mc-nv added a commit that referenced this pull request Jul 23, 2025
@mc-nv @yinggeh
fix: Boundary check for MessageQueueShm head index (#405) (#410)
f7205d0 
Co-authored-by: Yingge He <[email protected]>
@yinggeh yinggeh deleted the yinggeh-DLIS-8378-check-message-queue-boundary branch July 28, 2025 21:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pskiran1 pskiran1 pskiran1 left review comments

@tanmayv25 tanmayv25 tanmayv25 approved these changes

@mattwittwer mattwittwer Awaiting requested review from mattwittwer

@kthui kthui Awaiting requested review from kthui

@krishung5 krishung5 Awaiting requested review from krishung5

@Tabrizian Tabrizian Awaiting requested review from Tabrizian

Assignees

@yinggeh yinggeh

Labels
bug Something isn't working DLIS-8378 TPRD-1628
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@yinggeh @statiraju @tanmayv25 @pskiran1 @mc-nv