oci: casext: explicitly disallow negative-size descriptors

cyphar · cyphar · commit 5d1ae9c4b768 · 2025-09-06T21:33:57.000+10:00
This was implicitly allowed by VerifiedReadCloser, and while we have closed that hole it's probably best to provide a more helpful error message. Not blocking this earlier was mostly due to a somewhat overly-permissive reading of the discussion in opencontainers/image-spec#153 which was finally clarified in opencontainers/image-spec#1285. Unknown sizes are a classic DoS vector, so allowing them (especially for descriptors where it makes little sense to have an unknown size) seems like a bad idea in general. Ref: opencontainers/image-spec#1285 Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -19,6 +19,11 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
   the `manifests` entry to `null` (which was technically a violation of the
   specification, though such images cannot be pushed or interacted with outside
   of umoci).
+* Based on [some recent developments in the image-spec][image-spec#1285], umoci
+  will now produce an error if it encounters descriptors with a negative size
+  (this was a potential DoS vector previously) as well as a theoretical attack
+  where an attacker would endlessly write to a blob (this would not be
+  generally exploitable for images with descriptors).
 
 ### Changed ###
 * We now use `go:embed` to fill the version information of `umoci --version`,
@@ -33,6 +38,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
   (and after that, we may choose to keep the `jq`-based validators as a
   double-check that our own validators are working correctly).
 
+[image-spec#1285]: https://github.com/opencontainers/image-spec/pull/1285
 [docker-library/meta-scripts]: https://github.com/docker-library/meta-scripts
 
 ## [0.5.0] - 2025-05-21 ##
diff --git a/oci/casext/verified_blob.go b/oci/casext/verified_blob.go
@@ -20,19 +20,27 @@ package casext
 
 import (
 	"context"
+	"errors"
+	"fmt"
 	"io"
 
 	ispec "github.com/opencontainers/image-spec/specs-go/v1"
 
 	"github.com/opencontainers/umoci/pkg/hardening"
 )
 
+var errInvalidDescriptorSize = errors.New("descriptor size must not be negative")
+
 // GetVerifiedBlob returns a VerifiedReadCloser for retrieving a blob from the
 // image, which the caller must Close() *and* read-to-EOF (checking the error
 // code of both). Returns ErrNotExist if the digest is not found, and
 // ErrBlobDigestMismatch on a mismatched blob digest. In addition, the reader
 // is limited to the descriptor.Size.
 func (e Engine) GetVerifiedBlob(ctx context.Context, descriptor ispec.Descriptor) (io.ReadCloser, error) {
+	// Negative sizes are not permitted by the spec, and are a DoS vector.
+	if descriptor.Size < 0 {
+		return nil, fmt.Errorf("invalid descriptor: %w", errInvalidDescriptorSize)
+	}
 	reader, err := e.GetBlob(ctx, descriptor.Digest)
 	return &hardening.VerifiedReadCloser{
 		Reader:         reader,
