Skip to content

nvproxy: fix integer overflow in ctrlClientSystemGetP2PCapsInitializeArray#13709

Open
destro4evr-rgb wants to merge 1 commit into
google:masterfrom
destro4evr-rgb:fix-nvproxy-p2pcaps-integer-overflow
Open

nvproxy: fix integer overflow in ctrlClientSystemGetP2PCapsInitializeArray#13709
destro4evr-rgb wants to merge 1 commit into
google:masterfrom
destro4evr-rgb:fix-nvproxy-p2pcaps-integer-overflow

Conversation

@destro4evr-rgb

@destro4evr-rgb destro4evr-rgb commented Jul 15, 2026

Copy link
Copy Markdown

Fixes #13689

ctrlClientSystemGetP2PCapsInitializeArray widens the gpuCount multiplication to uint64 to avoid a first overflow, but the size guard:

if numEntries == 0 || numEntries*4 > nvgpu.RMAPI_PARAM_COPY_MAX_PARAMS_SIZE {

performs a second multiplication (numEntries*4) that can itself overflow uint64. When gpuCount = 2^31, numEntries = 2^62 and numEntries*4 wraps to 0, so the guard passes and make([]uint32, 2^62) is called. Go's makeslice detects the internal size overflow and panics. There is no recover() in the sentry's execution path, so the sentry process terminates
and all containers in the sandbox are killed.

Fix: divide the constant by 4 before comparing, which involves no multiplication and cannot overflow.

// Before
if numEntries == 0 || numEntries*4 > nvgpu.RMAPI_PARAM_COPY_MAX_PARAMS_SIZE {

// After
if numEntries == 0 || numEntries > nvgpu.RMAPI_PARAM_COPY_MAX_PARAMS_SIZE/4 {

…Array

numEntries*4 can overflow uint64 when gpuCount is large (e.g. 2^31),
causing the size guard to pass and make([]uint32, numEntries) to be
called with a length that overflows the runtime's internal size check.
The resulting panic in makeslice is unrecovered and terminates the sentry,
killing all containers in the sandbox.

Fix by dividing the constant before comparing instead of multiplying
numEntries, which avoids the secondary overflow entirely.

Fixes google#13689
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

nvproxy: integer overflow in ctrlClientSystemGetP2PCapsInitializeArray bypasses size guard, causing sentry panic and full pod termination

2 participants