@davidwendt
Contributor

Description

Fixes out-of-bounds memory reads in the JSON reader ingest_raw internal utility.
Error found in the nightly memcheck and can be reproduced using:

compute-sanitizer --tool memcheck gtests/JSON_TEST --gtest_filter=JsonReaderTest/JsonReaderTest.ByteRange_MultiSource/0 --rmm_mode=cuda

Error reported:

========= COMPUTE-SANITIZER
Note: Google Test filter = JsonReaderTest/JsonReaderTest.ByteRange_MultiSource/0
[==========] Running 1 test from 1 test suite.
[----------] Global test environment set-up.
[----------] 1 test from JsonReaderTest/JsonReaderTest
[ RUN      ] JsonReaderTest/JsonReaderTest.ByteRange_MultiSource/0
========= Program hit cudaErrorInvalidValue (error 1) due to "invalid argument" on CUDA API call to cudaMemcpyAsync_ptsz.
=========     Saved host backtrace up to driver entry point at error
=========         Host Frame: cudf::io::json::detail::ingest_raw_input(cudf::device_span<char, 18446744073709551615ul>, cudf::host_span<std::unique_ptr<cudf::io::datasource, std::default_delete<cudf::io::datasource> >, 18446744073709551615ul>, unsigned long, unsigned long, char, rmm::cuda_stream_view) [0xd51b19] in libcudf.so
=========         Host Frame: std::vector<cudf::io::table_with_metadata, std::allocator<cudf::io::table_with_metadata> > split_byte_range_reading<int>(cudf::host_span<std::unique_ptr<cudf::io::datasource, std::default_delete<cudf::io::datasource> >, 18446744073709551615ul>, cudf::host_span<std::unique_ptr<cudf::io::datasource, std::default_delete<cudf::io::datasource> >, 18446744073709551615ul>, cudf::io::json_reader_options const&, cudf::io::json_reader_options const&, int, rmm::cuda_stream_view, rmm::detail::cccl_async_resource_ref<cuda::mr::__4::basic_resource_ref<(cuda::mr::__4::_AllocType)1, cuda::mr::__4::device_accessible> >) [0x1bd7a1] in JSON_TEST
...

The cudaMemcpyAsync call was writing past the end of the allocated device memory buffer.

Once this was fixed, another error appears reading past the end of the buffer returned by ingest_raw.
This is fixed by clamping the returned size to at most the size of the device buffer itself.

Checklist

  • I am familiar with the Contributing Guidelines.
  • New or existing tests cover these changes.
  • The documentation is up to date with these changes.

@davidwendt davidwendt self-assigned this Oct 31, 2025
@davidwendt davidwendt requested a review from a team as a code owner October 31, 2025 18:57
@davidwendt davidwendt added the bug Something isn't working label Oct 31, 2025
@davidwendt davidwendt added 3 - Ready for Review Ready for review by team libcudf Affects libcudf (C++/CUDA) code. non-breaking Non-breaking change labels Oct 31, 2025
Contributor

@shrshi shrshi left a comment

The OOB error was in the chunking logic in the tests. We had not taken into account the newlines between files. So the size allocated by the buffer in

rmm::device_uvector<char> buffer(total_source_size, stream);
was off by the number of source files.
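
A host-only C++ sketch of the two fixes discussed in this thread (bounding each copy to the destination buffer and clamping the returned size), added here as an illustration; it is not libcudf code. The names `ingest_bounded`, `required_size` and `canary_intact`, and the layout of one delimiter between consecutive sources, are assumptions of the example.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstring>
#include <string>
#include <vector>

// Copy each source into dst, inserting `delim` between sources, and never
// write past dst_size. The returned byte count is at most dst_size.
std::size_t ingest_bounded(char* dst, std::size_t dst_size,
                           std::vector<std::string> const& sources, char delim)
{
  std::size_t written = 0;
  for (std::size_t i = 0; i < sources.size(); ++i) {
    // Clamp every copy to the space that is left in the destination.
    std::size_t const n = std::min(sources[i].size(), dst_size - written);
    std::memcpy(dst + written, sources[i].data(), n);
    written += n;
    // The delimiter between sources also needs a byte in the destination.
    if (i + 1 < sources.size() && written < dst_size) { dst[written++] = delim; }
  }
  return written;
}

// Bytes needed for all sources plus one delimiter between each pair
// (assumed layout for this example).
std::size_t required_size(std::vector<std::string> const& sources)
{
  std::size_t total = sources.empty() ? 0 : sources.size() - 1;
  for (auto const& s : sources) { total += s.size(); }
  return total;
}

// Ingest into `capacity` bytes that are followed by canary bytes; returns
// true when the canary is untouched, i.e. no out-of-bounds write happened.
bool canary_intact(std::size_t capacity, std::vector<std::string> const& sources,
                   std::size_t* written)
{
  std::vector<char> backing(capacity + 8, '#');
  *written = ingest_bounded(backing.data(), capacity, sources, '\n');
  return std::all_of(backing.begin() + capacity, backing.end(),
                     [](char c) { return c == '#'; });
}
```

With a buffer sized from the source lengths alone, the bounded copy truncates the last source instead of overrunning the allocation, and the returned size equals the buffer size.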

@davidwendt
Contributor Author

/merge

@rapids-bot rapids-bot bot merged commit bb5cb98 into rapidsai:main Nov 3, 2025
260 of 264 checks passed
@davidwendt davidwendt deleted the oob-json-reader branch November 3, 2025 23:36

4 participants