[CHAOSPLT-1254] Jpn/fix cpuset (#998)

jedddog · web-flow · commit 0f0a97eabdb7 · 2025-10-30T09:13:23.000+01:00
* add cpuset_test.go

* fix very large inputs causing crash

* fix copyright on cpuset_test to match the DD copyright entries

* add back in the default header so circle does not fail the header check

* is this correct?

* think this worked

* update cpuset.go

* switch to get gocritic to be happy

* add cpu limit to doc
diff --git a/cpuset/cpuset.go b/cpuset/cpuset.go
@@ -1,6 +1,10 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2025 Datadog, Inc.
+
 /*
 Copyright 2017 The Kubernetes Authors.
-
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
@@ -278,7 +282,13 @@ func MustParse(s string) CPUSet {
 // Parse CPUSet constructs a new CPU set from a Linux CPU list formatted string.
 //
 // See: http://man7.org/linux/man-pages/man7/cpuset.7.html#FORMATS
+
 func Parse(s string) (CPUSet, error) {
+	// Maximum reasonable CPU ID (current systems have far fewer CPUs than this)
+	const maxCPUID = 8192
+	// Maximum reasonable range size to prevent memory exhaustion
+	const maxRangeSize = 8192
+
 	b := NewBuilder()
 
 	// Handle empty string.
@@ -291,31 +301,83 @@ func Parse(s string) (CPUSet, error) {
 	ranges := strings.Split(s, ",")
 
 	for _, r := range ranges {
+		// Validate that the range is not empty
+		if r == "" {
+			return NewCPUSet(), fmt.Errorf("empty range in CPU list %q", s)
+		}
+
 		boundaries := strings.Split(r, "-")
-		if len(boundaries) == 1 {
+
+		switch len(boundaries) {
+		case 1:
 			// Handle ranges that consist of only one element like "34".
 			elem, err := strconv.Atoi(boundaries[0])
 			if err != nil {
 				return NewCPUSet(), err
 			}
 
+			if elem < 0 {
+				return NewCPUSet(), fmt.Errorf("invalid CPU number: %d (must be non-negative)", elem)
+			}
+
+			if elem >= maxCPUID {
+				return NewCPUSet(), fmt.Errorf("invalid CPU number: %d (must be less than %d)", elem, maxCPUID)
+			}
+
 			b.Add(elem)
-		} else if len(boundaries) == 2 {
+		case 2:
 			// Handle multi-element ranges like "0-5".
+			// Check for empty boundaries (e.g., "-5", "5-", "--5")
+			if boundaries[0] == "" || boundaries[1] == "" {
+				return NewCPUSet(), fmt.Errorf("invalid range format in %q", r)
+			}
+
 			start, err := strconv.Atoi(boundaries[0])
 			if err != nil {
 				return NewCPUSet(), err
 			}
 
+			if start < 0 {
+				return NewCPUSet(), fmt.Errorf("invalid start CPU number: %d (must be non-negative)", start)
+			}
+
+			if start >= maxCPUID {
+				return NewCPUSet(), fmt.Errorf("invalid start CPU number: %d (must be less than %d)", start, maxCPUID)
+			}
+
 			end, err := strconv.Atoi(boundaries[1])
 			if err != nil {
 				return NewCPUSet(), err
 			}
+
+			if end < 0 {
+				return NewCPUSet(), fmt.Errorf("invalid end CPU number: %d (must be non-negative)", end)
+			}
+
+			if end >= maxCPUID {
+				return NewCPUSet(), fmt.Errorf("invalid end CPU number: %d (must be less than %d)", end, maxCPUID)
+			}
+
+			// Validate that start <= end to avoid infinite loop
+			if start > end {
+				return NewCPUSet(), fmt.Errorf("invalid range %q: start (%d) must be less than or equal to end (%d)", r, start, end)
+			}
+
+			// Validate range size to prevent memory exhaustion
+			rangeSize := end - start + 1
+
+			if rangeSize > maxRangeSize {
+				return NewCPUSet(), fmt.Errorf("invalid range %q: range size (%d) exceeds maximum allowed (%d)", r, rangeSize, maxRangeSize)
+			}
+
 			// Add all elements to the result.
 			// e.g. "0-5", "46-48" => [0, 1, 2, 3, 4, 5, 46, 47, 48].
 			for e := start; e <= end; e++ {
 				b.Add(e)
 			}
+		default:
+			// More than 2 boundaries means multiple dashes (e.g., "1-2-3")
+			return NewCPUSet(), fmt.Errorf("invalid range format %q: too many dashes", r)
 		}
 	}
 
diff --git a/cpuset/cpuset_test.go b/cpuset/cpuset_test.go
@@ -0,0 +1,31 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2025 Datadog, Inc.
+
+package cpuset
+
+import (
+	"testing"
+)
+
+func FuzzParse(f *testing.F) {
+	f.Add("0-3")
+	f.Add("1,2,3")
+	f.Add("0")
+	f.Fuzz(func(t *testing.T, input string) {
+		// Parse should either succeed or return an error, but never panic
+		cpuset, err := Parse(input)
+
+		// If parsing succeeded, verify basic invariants
+		if err == nil {
+			// Empty string should produce empty set
+			if input == "" && cpuset.Size() != 0 {
+				t.Errorf("Parse(%q) produced non-empty set: %v", input, cpuset)
+			}
+			// Non-empty valid input should produce non-empty set
+			// (though we can't easily determine if input is "valid" without re-parsing)
+		}
+		// If err != nil, that's fine - invalid input should return errors
+	})
+}
diff --git a/docs/cpu_pressure.md b/docs/cpu_pressure.md
@@ -38,7 +38,7 @@ When the injector pod starts:
 
 > NB: stressing 100% of the allocated cpuset DOES NOT MEAN stressing 100% of all cores allocated if the defined CPU is below 1 in Kubernetes (e.g. `100m`)
 > NB2: container being part of the same pods can have similar core associated, however we still need to stress each of them like if they were alone, linux CPU scheduler is the one that will throttling us appropriately
-
+> NB3: there is a maximum CPU limit of 8192.
 <p align="center"><kbd>
     <img src="img/cpu/cgroup_disrupted.png" width=500 align="center" />
 </kbd></p>
