CVE-2020-11105: Store a copy of each serialized shared_ptr within the archive to prevent the shared_ptr to be freed too early. #667
Merged
…ent the shared_ptr to be freed too early. The archives use the memory address pointed to by the shared_ptr as a unique id which must not be reused during the lifetime of the archive. Therefore, the archives store a copy of it. This problem was also reported as CVE-2020-11105.
serpedon changed the title from "Store a copy of each serialized shared_ptr within the archive to prevent the shared_ptr to be freed too early." to "CVE-2020-11105: Store a copy of each serialized shared_ptr within the archive to prevent the shared_ptr to be freed too early." on Dec 19, 2020.
Looks good, I'm trying to figure out why the Travis CI did not run - will merge after that is sorted.

Looks like all checks have passed -- can we get this merged?
arximboldi pushed a commit to arximboldi/cereal that referenced this pull request on Sep 7, 2021:

…ent the shared_ptr to be freed too early. (USCiLab#667) The archives use the memory address pointed to by the shared_ptr as a unique id which must not be reused during the lifetime of the archive. Therefore, the archives store a copy of it. This problem was also reported as CVE-2020-11105.
AzothAmmo pushed a commit to AzothAmmo/cereal that referenced this pull request on Nov 28, 2021:

…ent the shared_ptr to be freed too early. (USCiLab#667) The archives use the memory address pointed to by the shared_ptr as a unique id which must not be reused during the lifetime of the archive. Therefore, the archives store a copy of it. This problem was also reported as CVE-2020-11105.
fryguy503 added a commit to wayfarershaven/server that referenced this pull request on Jan 11, 2023:

Cereal updated for work being done in another branch. This bump fixes some issues with the library. Tested

v1.3.1

Bug fixes and minor enhancements:
* Fix typo in docs by @tankorsmash in USCiLab/cereal#597
* Add MSVC 2019 to build, default ctor for static object by @AzothAmmo in USCiLab/cereal#593
* Fix json.hpp compilation issue when int32_t is a long by @bblackham in USCiLab/cereal#621
* [cpp20] explicitly capture 'this' as copy by @lukaszgemborowski in USCiLab/cereal#640
* Fix rapidjson for Clang 10 by @groscoe2 in USCiLab/cereal#645
* Fixes to prevent clang-diagnostic errors by @johngladp in USCiLab/cereal#643
* cleanup cmake files to be a little more modern by @ClausKlein in USCiLab/cereal#659
* GHSA-wgww-fh2f-c855: Store a copy of each serialized shared_ptr within the archive to prevent the shared_ptr to be freed too early. by @serpedon in CVE-2020-11105: Store a copy of each serialized shared_ptr within the archive to prevent the shared_ptr to be freed too early. USCiLab/cereal#667
* add license files for components of cereal by @miartad in USCiLab/cereal#676
* Catch short documents in JSON input by @johnkeeping in USCiLab/cereal#677
* C++17: use inline globals for StaticObjects by @InBetweenNames in USCiLab/cereal#657
* Use std::variant::emplace when loading by @kepler-5 in USCiLab/cereal#699
* Use std::optional::emplace() when loading non-empty optional by @kepler-5 in USCiLab/cereal#698
* Fix itsNextName not clearing when not found + style change by @AzothAmmo in USCiLab/cereal#715
* Update doctest to 2.4.6 + local fixes slated for upstream by @AzothAmmo in USCiLab/cereal#716
* Fixed loading of std::vector<bool> by @Darred in USCiLab/cereal#732
* Update license to match BSD template by @AzothAmmo in USCiLab/cereal#735
* Update doctest to 2.4.7 by @AzothAmmo in USCiLab/cereal#736
* Use GNUInstallDirs instead of hard wiring install directories by @antonblanchard in USCiLab/cereal#710

This is not an exhaustive list of changes or individual contributions. See the closed issues or complete changelog for more information.

v1.3.0

New features include:
* Deferred serialization for smart pointers (Stack overflow for large chains of shared_ptr (or smart pointers in general) USCiLab/cereal#185)
* Initial support for C++17 standard library variant and optional (thanks to @arximboldi, Add serialization support for C++17 std::optional and std::variant USCiLab/cereal#448)
* Support for std::atomic (thanks to @bluescarni, Implementation and testing of std::atomic serialization. USCiLab/cereal#277)

Fixes and enhancements include:
* Vastly improved continuous integration testing (Appveyor updates + boost testing fixes USCiLab/cereal#568, Update Travis CI USCiLab/cereal#569)
* Fixed several issues related to compilation on newer compilers (Fixing various compilation warnings USCiLab/cereal#579, Add fall through comments to json.hpp USCiLab/cereal#587, Fix warning unused private member itsValueItEnd USCiLab/cereal#515)
* Fixed warnings with -Wconversion and -Wdocumentation (thanks to @WSoptics, Develop USCiLab/cereal#423)
* Performance improvements for polymorphic serialization (PolymorphicVirtualCaster StaticObject instantiation takes a very long time at app startup USCiLab/cereal#354)

Minor fixes and enhancements include:
* Fixed a bug related to CEREAL_REGISTER_DYNAMIC_INIT with shared libraries (thanks to @m2tm, Issue correctly using CEREAL_REGISTER_DYNAMIC_INIT USCiLab/cereal#523)
* Avoid unnecessary undefined behavior with StaticObject (thanks to @erichkeane, Change StaticObject instance management to hopefully avoid UBSAN USCiLab/cereal#470)
* New version.hpp file describes cereal version (detect cereal version at compile time / version.hpp USCiLab/cereal#444)
* Ability to disable size=dynamic attribute in the XML archive (thanks to @hoensr, Add option to turn off the size=dynamic attributes of lists USCiLab/cereal#401)

Other Notes
* The static checking for minimal serialization has been relaxed as there were many legitimate cases it was interfering with (thanks to @h-2, remove const check from load_minimal USCiLab/cereal#565)
* The vs2013 directory has been removed in favor of generating solutions with CMake (Remove vs2013 directory USCiLab/cereal#574)
julianharbarth added a commit to motis-project/cereal that referenced this pull request on Mar 14, 2023:

* Fix json.hpp compilation issue when int32_t is a long (USCiLab#621) When testing whether or not to define a saveValue() overload for long, test the actual set of types implemented.
* [cpp20] explicitly capture 'this' as copy (USCiLab#640) implicit 'this' capture is deprecated in C++20
* Fix rapidjson for Clang 10 (USCiLab#645) Based on Tencent/rapidjson#1679 Addresses USCiLab#631
* Fixes to prevent clang-diagnostic errors (USCiLab#643)
  * Fixes to prevent clang-diagnostic when running clang-tidy with Microsoft Visual Studio cmake projects.
  * Used boolean rather than bitwise operator.
* cleanup cmake files to be a little more modern (USCiLab#659)
  * cleanup cmake files to be a little more modern: keep the source tree free of build artifacts; cmakelint the cmake files too
  * fix cmake setup errors on CI; fix APPLE clang builds too
  * CI needs support for really history cmake V3.6; fix typo in cmake files using add_test() commands
  * One step more to use modern cmake: Prevent to modify compile and linker FLAGS and to set global includes paths
  * fix CI build problems with older cmake versions; prepare cleanup cmake list file
  * final cleanup: use Config.cmake.in and install whole cmake config files
  * Fix cpp17 PORTABILITY_TEST linker problem: add missed target_link_libraries()
  * hopefully prevent windows test problems
* Store a copy of each serialized shared_ptr within the archive to prevent the shared_ptr to be freed too early. (USCiLab#667) The archives use the memory address pointed to by the shared_ptr as a unique id which must not be reused during the lifetime of the archive. Therefore, the archives store a copy of it. This problem was also reported as CVE-2020-11105.
* add license files for components of cereal Signed-off-by: Adam Miartus <adam.miartus@softhows.eu>
* Update README.md Fix link to main website
* Catch short documents in JSON input When reading unnamed fields from JSON input, the member/value iterators are incremented blind without checking if the end of the iterator has been reached. Record the size so that this can be checked against the current position to ensure reading doesn't walk off the end of the iterator.
* C++17: use inline globals for StaticObjects This prevents multiple definition errors in Clang, and also stops dllexporting functions with internal linkage. Degrades gracefully when C++17 is not present. Fix USCiLab#595 Fix USCiLab#652 Fix USCiLab#582 Fix USCiLab#643
* Use std::variant::emplace when loading
* Use std::optional::emplace() when loading to construct and load the contained value directly in place
* Fix itsNextName not clearing when not found An issue exists when loading vectors of objects where, if the last nvp of the previous object does not exist in the json file, the itsNextName variable within the json serializer is not cleared. This causes the vector serializer to search for that name next (when it should be searching for a nameless object.) The json serializer then throws during the named search. Mild reworking of itsNextName solution
* Add github actions workflow use docker containers remove sudo install software-properties-common update before trying install install wget cmake and make install cmake from pip add apt-transport-https Use llvm xenial Fix clang package name Fix boost with gcc<5 verbose compile skip boost for gcc<5 macos test skip boost for macos test different xcode compilers use new cmake syntax for selecting platform no xcode 10 installed Rename tests
* Update doctest to 2.4.6 dev + local fixes slated for upstream
* Update appveyor to build with MSVC 2022 and fix boost
* Fixed loading of std::vector<bool> We should use auto && instead of auto if we want to modify v inside the for loop.
* Update license to match BSD template
* Update doctest to 2.4.7, update CI, add badges Updates doctest and fixes issues with g++4.7 and MSVC2013 doctest builds. Adds new CI targets for g++ 9 and 10, clang 9 through 12. Adds CI badges for github actions.
* Use GNUInstallDirs instead of hard wiring install directories On a multilib setup cmake files should go into lib64.
* Update version to 1.3.1
* Make doxygen docs reproducible
* Add CMake options for building doc and sandbox relates USCiLab#739
* Correct patch version for 1.3.2
* Fix long long json serialization (USCiLab#728)
  * Fix long long json serialization
  * Update pod.hpp
* Update .gitignore `.vs/` folder is created by Visual Studio and it is not needed.
* `ST` renamed to `AlignedStorage`
* Remove extra ; after member function definition Triggered by -Wextra-semi.
* add string_view to json archive

---------

Signed-off-by: Adam Miartus <adam.miartus@softhows.eu>
Co-authored-by: Bernard Blackham <b-github@largestprime.net>
Co-authored-by: Łukasz Gemborowski <lukasz.gemborowski@gmail.com>
Co-authored-by: groscoe2 <66085912+groscoe2@users.noreply.github.com>
Co-authored-by: John Alexander <25591355+johngladp@users.noreply.github.com>
Co-authored-by: Claus Klein <claus.klein.sha@googlemail.com>
Co-authored-by: Michael Walz <code@serpedon.de>
Co-authored-by: Adam Miartus <adam.miartus@softhows.eu>
Co-authored-by: Shane Grant <w.shane.grant@gmail.com>
Co-authored-by: John Keeping <john@metanate.com>
Co-authored-by: Shane Peelar <lookatyouhacker@gmail.com>
Co-authored-by: logan <logan.r.smith0@gmail.com>
Co-authored-by: Gary Heckman <gheckman@gadova.com>
Co-authored-by: Isuru Fernando <isuruf@gmail.com>
Co-authored-by: Darred <darredua@gmail.com>
Co-authored-by: Anton Blanchard <anton@ozlabs.org>
Co-authored-by: Michael R. Crusoe <crusoe@debian.org>
Co-authored-by: CHP <crazyhappygame@gmail.com>
Co-authored-by: Luca Ciucci <LucaCiucci@users.noreply.github.com>
Co-authored-by: Jan Niklas Hasse <jhasse@bixense.com>
The archives use the memory address pointed to by the shared_ptr as a unique id which must not be reused during the lifetime of the archive. Therefore, the archives store a copy of it.

This problem was also reported as CVE-2020-11105 and #636. This should fix #636.

My line of thought was the following:

Correct usage of std::shared_ptr in Cereal requires that the shared_ptr is still valid at the point when all serialization occurs, usually at the end of the lifetime of the archive. It was suggested to document this constraint to the user, but since we are already dealing with smart pointers, I thought, hey, let's implement this constraint by storing our own copy of the std::shared_ptr.
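To make the failure mode and the fix concrete, here is an added C++ example that is not cereal's code: a minimal address-keyed registry modelled on the archive bookkeeping the PR describes, run once keyed on the raw address alone (pre-fix) and once holding a copy of each shared_ptr (this PR's approach). A constructed one-slot `Arena` stands in for the allocator so that address reuse is deterministic; `Arena`, `Registry` and `aliases_distinct_objects` are hypothetical names.

```cpp
#include <cstdint>
#include <memory>
#include <new>
#include <unordered_map>
#include <vector>

// One-slot arena (constructed for this example): once its object is released, the
// next allocation lands at exactly the same address, which an address-as-id scheme
// silently depends on never happening during the archive's lifetime.
struct Arena {
    alignas(int) unsigned char slot[sizeof(int)];
    bool busy = false;
    std::shared_ptr<int> make(int v) {
        if (busy) return std::make_shared<int>(v);            // slot taken: use the heap
        busy = true;
        int* p = new (slot) int(v);                            // int: nothing to destroy
        return std::shared_ptr<int>(p, [this](int*) { busy = false; });
    }
};

// Hypothetical model of the archive's shared_ptr bookkeeping. With keep_copy=false
// the id is keyed on the raw address only (pre-fix); with keep_copy=true the
// registry also stores a copy of every shared_ptr it has handed an id to (the fix),
// so the pointee cannot be freed and its address recycled while the archive lives.
struct Registry {
    bool keep_copy;
    std::unordered_map<const void*, std::uint32_t> ids;
    std::vector<std::shared_ptr<const void>> copies;
    explicit Registry(bool keep) : keep_copy(keep) {}
    std::uint32_t id_for(const std::shared_ptr<int>& p) {
        auto it = ids.find(p.get());
        if (it != ids.end()) return it->second;   // seen before: write a back-reference
        std::uint32_t id = static_cast<std::uint32_t>(ids.size() + 1);
        ids.emplace(p.get(), id);
        if (keep_copy) copies.push_back(p);
        return id;
    }
};

// Save two distinct objects whose lifetimes do not overlap. Returns true when the
// registry wrongly gives the second object the first one's id, i.e. it would be
// written as a reference to the first and its own value silently lost on load.
bool aliases_distinct_objects(bool keep_copy) {
    Arena arena;
    Registry reg(keep_copy);
    std::uint32_t first = 0;
    { auto a = arena.make(1); first = reg.id_for(a); }        // `a` is released here
    auto b = arena.make(2);                                    // reuses a's slot if freed
    return reg.id_for(b) == first;
}
```

With a real allocator the reuse is not guaranteed on every run, which is exactly why the bug showed up as layout-dependent serialization results rather than a deterministic failure.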