Comments (3)
IMO this bug presents a potential security concern. It can be used to poison a cache with incorrect build artifacts. We should file a CVE and mark 0.7.4 and 0.7.5 as vulnerable.
from sccache.
It only affects preprocessor mode, which only works locally, and for poisoning to happen, it would have to happen from compiling the same code from the same paths with different flags, which is unlikely to happen maliciously. An attacker that could pull that off could just as well poison the cache by writing into it directly.
from sccache.
I believe an attacker could exploit this by combining it with other attacks. If multiple builds of the same project are taking place with different compile flags, there could be a race condition where objects that are built with some compile flag are combined with objects that are not.
Consider the following:
file1.cpp
:
int doStuffInFile1()
{
#ifdef HAVE_FEATURE
return 2;
#else
return 1;
#endif
}
file2.cpp
:
int doStuffInFile2()
{
int value = doStuffInFile1();
#ifdef HAVE_FEATURE
std::cout << "This code is acting on the assumption that `value` is 2, and may have unforeseen/hidden harmful effects if it is not\n";
#endif
}
If file1.cpp
is built without -DHAVE_FEATURE
, and file2.cpp
is built with -DHAVE_FEATURE
, the unforeseen/hidden harmful effects will take place. An attacker could easily submit a PR with the above and get it accepted without controversy. Even if they didn't submit the code themselves, they could still exploit it if it was written by someone else in good faith but built improperly by sccache.
This bug could also be used to amplify the hit rate on an already-poisoned cache object. This assumes the attacker was able to introduce a single poisoned object into the cache, either through the front door or the back door. As a front door example, an attacker could submit the following in a PR:
void doStuff()
{
#ifdef HAVE_FEATURE
std::cout << "This feature looks innocent enough, but actually has a hidden vulnerability that's not obvious to reviewers\n";
#endif
}
If the first build of this file has -DHAVE_FEATURE
, it's added to the cache, and the vulnerability now has a 100% hit rate, as opposed to 50% or less.
Given the potential exploits above, I think it would be wise to file a CVE, and I think the consequences of not doing so and being wrong are far greater than the consequences of sounding a false alarm (which is to say, none).
Even if we discount the attack potential and don't file a CVE, I think it's pretty uncontroversial to say that 0.7.4 and 0.7.5 should not be used under any circumstances, because they are known to produce incorrect builds. We got hit by the above race condition yesterday, and the end result was that we had to dump our entire S3 cache.
from sccache.
Related Issues (20)
- how to use sccache for ccv850( or how to add complier type for sccache)? HOT 12
- Does sccache support the argument -march=native?
- `sccache` does not persist cache hit stats when server restart HOT 5
- make jobserver hangs after invoking sccache if server isn't already spawned HOT 2
- Live documentation doesn't reflect release reality HOT 1
- How to redirect sccache-dist scheduler and sccache-dist server logs from syslog to anywhere else
- Feature Request: Update S3 module with AWS CLI 2.0 SSO integration HOT 3
- README sentence says list twice
- README talks about statically linked OpenSSL twice
- sccache lacks basic ratio (percentage) report in `--show-stats` HOT 2
- Rename request for `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` HOT 1
- Stale results served up by sccache when rebasing HOT 2
- Error when trying to use sccache: `error: unrecognized subcommand` HOT 2
- Local disk cache never increases beyond 10 GB HOT 3
- Caching custom Rust targets
- migrate from `winapi` to `windows-rs` HOT 3
- Variable cache compression level HOT 2
- preprocessor cache/direct mode doesn't produce -MF output HOT 2
- Compile error that only happens when using sccache
- Error when trying to build a Rust project on OpenBSD HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from sccache.