You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
See doc/triage.md for instructions on how to triage this report.
package: github.com/ipld/go-car/v2
additional_packages:
- package: github.com/ipld/go-car
versions:
- introduced: v0.0.0
fixed: v0.4.0
versions:
- introduced: v2.0.0
fixed: v2.4.0
description: |-
### Impact
**Versions impacted**
* `<=` go-car@v0.3.3
* `<=` go-car@v2.3.0
**Description**
Decoding CAR data from untrusted user input can cause:
- Panics:
- Out of bound memory access
- Out of memory
- Divide by zero
- Excessive memory usage
Such panics can be triggered by intentionally malformed CARv1 data, including CARv1 data within a CARv2 container; and also CARv2 data with excessively large indexes.
These vulnerabilities are not known to be exploited in the wild and were discovered primarily with the use of code fuzzing tooling.
**Details**
**Out of bound memory access** (OOB), **out of memory** (OOM) panics or **excessive memory usage** can be triggered by decode of malformed CARv1 headers, malformed CARv1 sections, and malformed CIDv0 data used in CARv1 sections. This also applies to CARv1 data within a CARv2 container.
Additionally, we wish to use this security advisory to make clear to consumers of CARv2 format data that **loading CARv2 indexes from untrusted sources is dangerous and should be avoided**. Where CAR data indexes are required, they should be regenerated locally. Out of memory (OOM) panics or excessive memory usage can be triggered by decode of intentionally malformed CARv2 indexes, or CARv2 indexes which are larger than available system memory (i.e. parallelization of CARv2 decodes may increase such a vulnerability).
### Patches
**Fixed versions**
* `>=` go-car@v0.4.0
* `>=` go-car@v2.4.0
**Description of user-facing changes**
***go-car@v0.4.0*** imposes a fixed maximum header length and section length of 32 MiB during decode. Headers exceeding this length will cause the decoder to return an error as the initial CAR decode occurs. Sections (the combination of CID and block data) exceeding this length will cause the decoder to return an error as that section is read.
The default maximum of 32 MiB may be changed _globally_ in an application instance by directly changing the `MaxAllowedSectionSize` variable in the `github.com/ipld/go-car/util` package.
We recommend that users of go-car@v0 upgrade to go-car@v2, where these maximums may be applied per-decode rather than globally.
***go-car@v2.4.0*** imposes a default maximum header length of 32 MiB and a default maximum section length of 8 MiB. Headers exceeding this length will cause the decoder to return an error as the initial CAR decode occurs. Sections (the combination of CID and block data) exceeding this length will cause the decoder to return an error as that section is read.
The default values may be adjusted by supplying a `MaxAllowedHeaderSize(x)` or `MaxAllowedSectionSize(y)` option to any decode function that accepts options. These include:
* `OpenReader()`
* `NewReader()`
* `NewBlockReader()`
* `ReadVersion()`
* `LoadIndex()`
* `GenerateIndex()`
* `ReadOrGenerateIndex()`
* `WrapV1()`
* `ExtractV1File()`
* `ReplaceRootsInFile()`
* `blockstore/NewBlockReader()`
* `blockstore/NewReadOnly()`
* `blockstore/OpenReadOnly()`
* `blockstore/OpenReadWrite()`
Please be aware that the default values are **very generous** and may be lowered where a user wants to impose restrictions closer to typical sizes.
* Typical header lengths should be in the order of 60 bytes, but the CAR format does not specify a maximum number of roots a header may contain. The default maximum of 32 MiB makes room for novel uses of the CAR format.
* Typical IPLD block sizes are under 2 MiB, and it is generally recommended that they not be above 1 MiB for maximum interoperability (e.g. there are hard limitations when sharing IPLD data with IPFS). CARv1 sections are the concatenation of CID and block bytes. The default maximum section length of 8 MiB makes room for novel IPLD data.
***go-car@v2.4.0*** introduces a new API that can be used to inspect a CAR and check for various errors, including those detailed in this advisory. The `Reader#Inspect(bool)` API returns a `Stats` object with various details about the CAR, such as its version, number of blocks, and details about codecs and multihashers used. When its argument is `true`, it will also perform a full hash consistency check of blocks contained within the CAR to ensure they match the CIDs. When `false`, block data is skipped over so a scan will likely be more efficient than reading blocks through a `BlockReader` if statistics and/or validity checking is all that's required. Note that `Inspect()` does minimal checking of index data; the strong recommendation is that if index data is untrusted then it should be regenerated.
***go-car@v2.4.0*** also includes additional documentation regarding the dangers of consuming CARv2 index data from untrusted sources and a recommendation to regenerate indexes of CAR data from such sources where an index is required.
### Workarounds
There are no workarounds for vulnerabilities in impacted versions decoding CARv1 data. Users of impacted versions should avoid accepting CAR data from untrusted sources.
OOM or excessive memory usage vulnerabilities resulting from CARv2 index parsing in impacted versions can be avoided by not reading indexes from CARv2 data from untrusted sources.
### References
Details on the CARv1 and CARv2 formats, including the composition of CARv1 headers and sections, and CARv2 indexes can be found in the CAR format specifications: https://ipld.io/specs/transport/car/
### For more information
If you have any questions or comments about this advisory please open an issue in [go-car](https://github.com/ipld/go-car).
published: 2022-07-06T19:26:17Z
last_modified: 2022-07-06T19:26:18Z
ghsas:
- GHSA-9x4h-8wgm-8xfg
The text was updated successfully, but these errors were encountered:
In GitHub Security Advisory GHSA-9x4h-8wgm-8xfg, there is a vulnerability in the following Go packages or modules:
See doc/triage.md for instructions on how to triage this report.
The text was updated successfully, but these errors were encountered: