I have seen a panic issue on Pebble DB on one of my Ethereum nodes. After digging into the issue, I found the reason: when blockIter.restarts > 2G it becomes a negative value (int32), and the function SeekGE() uses int32 to read the offset. The negative offset caused an out-of-bounds read panic.
I modified the code to use uint32 instead of int32, and it works well after testing.
--- /local/github/[email protected]/sstable/block.go 2024-12-27 04:05:56.991447085 +0000
+++ sstable/block.go 2024-12-30 01:41:21.819025553 +0000
@@ -707,7 +707,7 @@
for index < upper {
h := int32(uint(index+upper) >> 1) // avoid overflow when computing h
// index ≤ h < upper
- offset := decodeRestart(i.data[i.restarts+4*h:])
+ offset := decodeRestart(i.data[uint32(i.restarts)+uint32(4*h):])
// For a restart point, there are 0 bytes shared with the previous key.
// The varint encoding of 0 occupies 1 byte.
ptr := unsafe.Pointer(uintptr(i.ptr) + uintptr(offset+1))
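Review bot: In the added line, `uint32(i.restarts)+uint32(4*h)` still performs the addition in 32 bits, and `4*h` is still multiplied as int32 before the cast, so the index is right only while the restart entry sits below 4 GiB; past that the sum wraps to a small, in-bounds offset and the wrong restart point is decoded without a panic. Widening before the arithmetic, for example `int(uint32(i.restarts)) + 4*int(h)` on 64-bit builds, keeps the slice expression failing loudly instead. The cast also shows the field itself remains a signed 32-bit value, so any other use of i.restarts outside this hunk needs the same conversion, or the field type should change.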
Thanks for the report; we'll fix. I went stepping through our issue backlog and found #3333 which seems to be a duplicate of this issue. When we fix it, we should close out both.
Cockroach folks, I'm thinking Edward will pick this up in the next couple weeks.
jbowens changed the title from "OutOfBound panic if blockIter.restarts > 2G" to "sstable: block restarts overflow" on Dec 30, 2024
We'll want to fix this on master, the crl-release branches and the non-crl release branches. Unfortunately it'll probably mean making the changes multiple times given the amount of code drift.
jbowens changed the title from "sstable: block restarts overflow" to "sstable/rowblk: block restarts overflow" on Dec 30, 2024
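The index arithmetic from the report above, as an added example that is not part of the original thread or Pebble's code: it compares the signed expression, the patched uint32 expression, and a widened, bounds-checked variant, and goes beyond the reported >2G case to show where the 32-bit sum wraps near 4 GiB. The function names, the `restartIndexWide` helper and the sample offsets are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// restartIndexSigned mirrors the pre-patch expression i.restarts+4*h, with
// the restart-array offset held in an int32 as the report describes.
func restartIndexSigned(restarts, h int32) int32 {
	return restarts + 4*h
}

// restartIndexPatched mirrors the patched expression
// uint32(i.restarts)+uint32(4*h); the sum is still 32 bits wide.
func restartIndexPatched(restarts, h int32) uint32 {
	return uint32(restarts) + uint32(4*h)
}

// restartIndexWide (hypothetical helper) reinterprets the stored offset as
// unsigned, widens to int64 before any arithmetic, and bounds-checks the
// 4-byte restart entry against the block length instead of panicking.
func restartIndexWide(restarts, h int32, dataLen int64) (int64, error) {
	if h < 0 {
		return 0, errors.New("negative restart index")
	}
	idx := int64(uint32(restarts)) + 4*int64(h)
	if idx+4 > dataLen {
		return 0, fmt.Errorf("restart entry at %d exceeds block length %d", idx, dataLen)
	}
	return idx, nil
}

func main() {
	// Constructed sample: a restart array that starts 16 bytes past 2 GiB.
	var off uint32 = 2<<30 + 16
	stored := int32(off) // what an int32 field would hold: -2147483632
	fmt.Println("stored:", stored)
	fmt.Println("signed index:", restartIndexSigned(stored, 3))
	fmt.Println("patched index:", restartIndexPatched(stored, 3))
	idx, err := restartIndexWide(stored, 3, 3<<30)
	fmt.Println("wide index:", idx, err)

	// Constructed sample: offset 8 bytes below 4 GiB, where the uint32 sum wraps.
	near := int32(-8)
	fmt.Println("patched near 4 GiB:", restartIndexPatched(near, 4))
	idx, err = restartIndexWide(near, 4, 5<<30)
	fmt.Println("wide near 4 GiB:", idx, err)
}
```

A negative slice index is what produces the out-of-bounds panic in the report; the wrapped uint32 index in the second sample would not panic, which is why the widened form also checks the block length.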
Jira issue: PEBBLE-317