Hi everyone, I wanted to follow up on the core review for my feature request. The last change happened on 7 July. I pinged the issue two weeks ago, as suggested by the pull request guidelines. Any updates or feedback would be greatly appreciated!
Reviewed and merged, thanks! This had been on my radar as interesting but I hadn't had time.
Here is a clickable link to the PR for convenience: [gh-121313: Limit the reading size from pipes to their default buffer size on Unix systems by aplaikner · Pull Request #121315 · python/cpython](https://github.com/python/cpython/pull/121315)
Thank you! I have been working on a similar issue regarding Unix sockets, where basically the same drawbacks happen, just with a larger reading size. I'll create an issue and a pull request to update the newly merged code with one additional line, since my tests have shown that the 64 KiB limit (on systems with a base page size of 4 KiB) we set for pipes is also the best limit for Unix sockets.
FYI, as added context, there has been some discussion around limiting large read sizes elsewhere as well this year, kicked off by @storchaka seeing it as potentially a denial of service security concern where the read length comes from untrusted data and thus a huge allocation wastes virtual address space (which might trigger an OOM killer in some configurations?).
I'm not yet convinced of the practical security importance of that (virtual vs dirtied address space being different concepts), but the theme is similar: "better" buffer size choices on read system calls. With a consequence of more read system calls on large data (but different types of memory allocation calls, as you've noted in your changes) and sometimes more dirtied-page intermediate space allocation and memory copies. It's an annoying trade-off to make decisions around.
Thank you for this additional context, I wasn't aware of the security implications. I've created a PR for the aforementioned socket issue, limiting reads to the same size as pipes.
To comment on the problem of "wasting" virtual address space: I think that's not the core problem, as you already mentioned, but rather the starting point for a landslide of other issues. Big VMAs let Linux install rather large huge pages, since the current policy is to install the biggest transparent huge page possible with regard to VMA size and alignment. Furthermore, a lot more management overhead in the form of system calls is created when managing such large input buffers.
Limiting input buffer and reading sizes down to something like 64 KiB is a good solution, since it avoids both the creation of large transparent huge pages and the management of huge VMAs, because the data chunk is small enough to be put on the default heap. A distinction needs to be made here as well: choosing a limit that results in the data being put on the default heap is not quite enough, since if the size is big enough, the heap top is shifted often using brk() syscalls. Sizes around 64-128 KiB behave well (on my system with a base page size of 4 KiB), while not increasing read() syscalls by a noticeable amount.
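For illustration, the pattern I have in mind looks roughly like this (a minimal sketch, not the code that was merged; the chunk-size constant and the helper name are my own):

```python
import os

# 64 KiB cap, assuming a 4 KiB base page size; purely illustrative numbers.
CHUNK_SIZE = 64 * 1024

def read_exact(fd, n):
    """Read exactly n bytes from fd, requesting at most CHUNK_SIZE per os.read()."""
    parts = []
    remaining = n
    while remaining > 0:
        chunk = os.read(fd, min(remaining, CHUNK_SIZE))
        if not chunk:
            raise EOFError("unexpected end of stream while reading")
        parts.append(chunk)
        remaining -= len(chunk)
    return b"".join(parts)
```

The point is that each individual read request and intermediate allocation stays small enough to land on the default heap, at the cost of a few extra syscalls for large payloads.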
I sympathize with the intent, but is there a reliable application-agnostic heuristic to choose the buffer size? If the buffer size is too small and you need several read calls to satisfy the read size requested by the caller, then performance will decrease because of 1) issuing more system calls and 2) incurring more reallocation costs.
I think in general the best place to choose a buffer size ceiling is the application or intermediate layer (that has a rough idea of the kind of data being read, which kind of file-like thing it is reading from, and therefore of typically reasonable buffer sizes), rather than Python's OS abstraction layer where all that information is entirely lost.
Which also justifies the original PR in this discussion thread, because the multiprocessing module does indeed know the kind of data it's reading and the kind of file descriptor it's reading it from.
As for PR https://github.com/python/cpython/pull/119204, I think an alternative approach, instead of hardcoding arbitrary ceilings on read sizes, would be to allow passing a hard memory limit to the Unpickler such that any attempt to read a cumulated amount more than that would raise an exception (instead of allocating potentially unbounded read buffers).
For example in Thrift you can define a cumulated string size limit and a cumulated container size limit when deserializing a message:
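Going from memory of the Python Thrift bindings, something along these lines; the exact keyword names, and whether the limits apply per item or cumulatively, may differ between Thrift versions, so treat this as a sketch:

```python
from thrift.protocol import TBinaryProtocol
from thrift.transport import TTransport

def limited_binary_protocol(payload: bytes) -> TBinaryProtocol.TBinaryProtocol:
    # Assumed keyword arguments: string_length_limit / container_length_limit
    # are what I recall the Python bindings accepting; verify against your
    # Thrift version before relying on them.
    transport = TTransport.TMemoryBuffer(payload)
    return TBinaryProtocol.TBinaryProtocol(
        transport,
        string_length_limit=16 * 1024 * 1024,  # reject oversized strings
        container_length_limit=1_000_000,      # reject oversized containers
    )
```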
Besides, in the common case where the pickle is deserialized from memory (pickle.loads), you already know the max byte size you can read from the pickle. In this case, you can easily bail out if any opcode tries to read more than what's remaining.
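To make that concrete, here is a rough sketch of the idea (the wrapper and function names are mine; pickle has no such option today): a loads()-style entry point knows the total size up front, so a file wrapper can refuse any read that asks for more than what is left, instead of allocating a huge buffer first.

```python
import io
import pickle

class _BoundedReader:
    """File-like wrapper that rejects reads larger than the bytes remaining.

    Illustrative only: Unpickler just needs read() and readline(), so the
    bound can be enforced here before any large buffer gets allocated.
    """

    def __init__(self, data: bytes):
        self._buf = io.BytesIO(data)
        self._size = len(data)

    def read(self, n=-1):
        remaining = self._size - self._buf.tell()
        if n > remaining:
            raise pickle.UnpicklingError(
                f"opcode requests {n} bytes, but only {remaining} remain"
            )
        return self._buf.read(n)

    def readline(self):
        return self._buf.readline()

def bounded_loads(data: bytes):
    # Behaves like pickle.loads(data), but bails out early on truncated or
    # malicious length prefixes instead of attempting an oversized allocation.
    return pickle.Unpickler(_BoundedReader(data)).load()
```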