Skip to content

Add substr bounds validation to prevent out-of-bounds exceptions#8821

Open
directionless wants to merge 1 commit into
osquery:masterfrom
directionless:claude/fix-substr-bounds
Open

Add substr bounds validation to prevent out-of-bounds exceptions#8821
directionless wants to merge 1 commit into
osquery:masterfrom
directionless:claude/fix-substr-bounds

Conversation

@directionless
Copy link
Copy Markdown
Member

@directionless directionless commented Apr 11, 2026

This commit adds comprehensive bounds checking before all substr() operations across multiple files to prevent std::out_of_range exceptions when processing malformed or incomplete data.

Changes:

  • osquery/utils/windows/shellitem.cpp: Added validation for 20+ substr calls in guidParse, fileEntry, propertyStore, networkShareItem, zipContentItem, and other shell item parsing functions
  • osquery/tables/system/windows/shimcache.cpp: Added bounds checks for shimcache data parsing including path length and execution flags
  • osquery/tables/system/windows/userassist.cpp: Added validation for execution count and subkey extraction
  • osquery/tables/system/linux/kernel_info.cpp: Added length checks before extracting BOOT_IMAGE and root parameters
  • osquery/tables/system/darwin/kernel_info.cpp: Added validation for kernel version extraction with find() result checking

The pattern used is to check string size before substr operations and handle std::string::npos from find() operations before using the result in arithmetic or substr calls. When validation fails, appropriate error messages are logged and safe fallback values are returned.

🤖 Generated with Claude Code

To submit a PR please make sure to follow the next steps:

  • Read the CONTRIBUTING.md guide at the root of the repo.
  • Ensure the code is formatted building the format_check target.
    If it is not, then move the committed files to the git staging area,
    build the format target to format them, and then re-commit.
    More information is available on the wiki.
  • Ensure your PR contains a single logical change.
  • Ensure your PR contains tests for the changes you're submitting.
  • Describe your changes with as much detail as you can.
  • Link any issues this PR is related to.
  • Remove the text above.

@linux-foundation-easycla
Copy link
Copy Markdown

linux-foundation-easycla Bot commented Apr 11, 2026
edited
Loading

CLA Signed

The committers listed above are authorized under a signed CLA.

  • ✅ login: directionless / name: seph (a5a043f)

@directionless directionless force-pushed the claude/fix-substr-bounds branch from 3f62dd7 to 271d8ce Compare April 11, 2026 15:16
@directionless @claude
Add substr bounds validation to prevent out-of-bounds exceptions
a5a043f 
🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@directionless directionless force-pushed the claude/fix-substr-bounds branch from 271d8ce to a5a043f Compare April 11, 2026 18:36
@directionless directionless marked this pull request as ready for review April 11, 2026 23:41
@directionless directionless requested review from a team as code owners April 11, 2026 23:41
zwass
zwass reviewed Apr 15, 2026
View reviewed changes
Comment thread osquery/tables/system/linux/kernel_info.cpp
// Iterate over each space-tokenized argument.
for (const auto& argument : arguments) {
if (argument.substr(0, 11) == "BOOT_IMAGE=") {
if (argument.size() >= 11 && argument.substr(0, 11) == "BOOT_IMAGE=") {
Copy link
Copy Markdown
Member

@zwass zwass Apr 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Use boost::starts_with

zwass
zwass reviewed Apr 15, 2026
View reviewed changes
Comment thread osquery/tables/system/linux/kernel_info.cpp
if (argument.size() >= 11 && argument.substr(0, 11) == "BOOT_IMAGE=") {
r["path"] = argument.substr(11);
} else if (argument.substr(0, 5) == "root=") {
} else if (argument.size() >= 5 && argument.substr(0, 5) == "root=") {
Copy link
Copy Markdown
Member

@zwass zwass Apr 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Use boost::starts_with

zwass
zwass requested changes Apr 15, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@zwass zwass left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lots of good fixes here. Some changes requested.

Comment thread osquery/tables/system/windows/userassist.cpp
Comment on lines 91 to 96
auto value_key = subkey.substr(count_key);
if (value_key.size() < 6) {
LOG(WARNING) << "Value key too short";
continue;
}
std::string value_key_reg = value_key.substr(6, std::string::npos);
Copy link
Copy Markdown
Member

@zwass zwass Apr 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
auto value_key = subkey.substr(count_key);
if (value_key.size() < 6) {
LOG(WARNING) << "Value key too short";
continue;
}
std::string value_key_reg = value_key.substr(6, std::string::npos);
if (subkey.size() < count_key + 6) {
LOG(WARNING) << "Value key too short";
continue;
}
std::string value_key_reg = subkey.substr(count_key + 6);

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zwass zwass zwass requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

hardening Linux macOS Windows

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@directionless @zwass @michael-myers