Fix stack exhaustion DoS in json parsing via iterative shape traversal#4138
Open
deezsecc wants to merge 1 commit into
Open
Fix stack exhaustion DoS in json parsing via iterative shape traversal#4138deezsecc wants to merge 1 commit into
deezsecc wants to merge 1 commit into
Conversation
deezsecc
force-pushed
the
fix-json-stack-exhaustion
branch
from
8ff63b3 to
3eee01a
Compare
Author
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
This PR fixes a stack exhaustion / Denial of Service (DoS) vulnerability in the TensorFlow Serving REST API JSON parsing logic.
Root Cause
When parsing incoming model prediction requests,
rapidjsonprocesses the request document iteratively. However, the post-parsing step inGetDenseTensorShape()(insidetensorflow_serving/util/json_tensor.cc) recursively traversed nested arrays (val[0]) to compute the tensor's shape without enforcing a recursion depth guard or limit.An unauthenticated attacker could send a payload with a deeply nested array structure (e.g., 50,000 nested layers like
[[[[...[1]...]]]]), causing a stack overflow (SIGSEGV) and instantly crashing thetensorflow_model_serverprocess.A secondary recursive execution vector also existed in
FillTensorProto(), which recursively parses nested elements up to the tensor's rank without validating that the rank is within safe limits.Fix
This patch mitigates the vulnerability on both vectors:
GetDenseTensorShape()to be fully flat and iterative, using a loop and pointer to resolve shape — eliminating recursion at the shape-calculation levelkMaxTensorRank = 254, aligned with TensorFlow'sTensorShape::MaxDimensions()) insideGetDenseTensorShape()to stop adding dimensions beyond safe nesting depthFillTensorProto()to reject payloads with rank > 254 viaerrors::InvalidArgument, preventing deep recursion on the value-filling pathVerification
whileloop behaves identically to the original recursion on standard payloadsFillTensorProtopropagatingInvalidArgumentinstead of exhausting the thread stack