
[Go]: Query To Detect Denial Of Service Vulnerability #809

Closed · 1 of 2 tasks
Malayke opened this issue Dec 18, 2023 · 9 comments
Assignees: sylwia-budzynska
Labels: All For One (Submissions to the All for One, One for All bounty)

Comments

Malayke commented Dec 18, 2023

Query PR

github/codeql#15130

Language

GoLang

CVE(s) ID list

CWE

CWE-770

Report

  1. What is the vulnerability?

The vulnerability in Go occurs when the built-in make function is used to create slices from user-controlled sources with a maliciously large value. This can lead to excessive memory allocation and potentially result in a denial of service attack. By providing inputs that exceed the expected memory and capacity constraints, attackers can overwhelm the system and cause it to become unresponsive.

  2. How does the vulnerability work?

The vulnerability arises when the make function is used to create slices from user-controlled sources with a size parameter that exceeds a certain threshold. This triggers excessive memory allocation, which can lead to a denial of service. Attackers exploit this vulnerability by providing inputs that go beyond the intended boundaries, overwhelming the system and rendering it unresponsive.

  3. What strategy do you use in your query to find the vulnerability?

The query searches for code patterns where the make function is used to create slices from user-controlled sources. It then checks if the provided size exceeds a specific threshold, indicating a potential vulnerability.

  4. How have you reduced the number of false positives?

To minimize false positives, the query includes specific criteria that exclude potential false positives. It verifies if a size comparison has been applied to the second parameter passed to the make function. This helps differentiate between legitimate instances and potentially vulnerable ones.

  5. Other information?

To reproduce the vulnerability, follow these steps:

  1. Clone the repository: git clone https://github.com/distribution/distribution
  2. Checkout the specific branch: git checkout -b v2.8.2-beta.1
  3. Generate the database.
  4. Run the query to identify potential vulnerabilities in the codebase.

Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).

  • Yes
  • No

Blog post link

No response

@Malayke Malayke added the All For One Submissions to the All for One, One for All bounty label Dec 18, 2023
@sylwia-budzynska sylwia-budzynska self-assigned this Dec 18, 2023
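The submission above describes the pattern in prose only (an untrusted length reaching make(), and a size comparison as the condition that clears a result). The following Go program is an added illustration written for this page; it is not the submitted query, not code from distribution/distribution, and not tied to any specific CVE. It shows the flagged pattern next to its hardened form for a length-prefixed frame read from a stream. The names readFrameUnchecked, readFrameChecked, frame, hostileHeader, maxPayload and ErrPayloadTooLarge, and the 1 MiB limit, are assumptions made for the example.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// maxPayload is a hypothetical upper bound chosen for this example (1 MiB);
// a real service picks a limit matching what it genuinely needs to buffer.
const maxPayload = 1 << 20

// ErrPayloadTooLarge is returned when a length prefix exceeds maxPayload.
var ErrPayloadTooLarge = errors.New("payload length exceeds limit")

// readFrameUnchecked shows the pattern the query flags (CWE-770): a length
// prefix read from an untrusted stream reaches make() with no upper bound.
// A client that sends a 4-byte header claiming 0xFFFFFFFF bytes and then
// closes the connection makes the server allocate ~4 GiB before io.ReadFull
// ever reports that the payload is missing.
func readFrameUnchecked(r io.Reader) ([]byte, error) {
	var hdr [4]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return nil, err
	}
	n := binary.BigEndian.Uint32(hdr[:])
	buf := make([]byte, n) // attacker-controlled allocation size
	if _, err := io.ReadFull(r, buf); err != nil {
		return nil, err
	}
	return buf, nil
}

// readFrameChecked is the hardened form: the untrusted length is compared
// against maxPayload before make() runs. A comparison like this on the value
// flowing into make's size argument is the kind of check the submission says
// its query treats as removing a result.
func readFrameChecked(r io.Reader) ([]byte, error) {
	var hdr [4]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return nil, err
	}
	n := binary.BigEndian.Uint32(hdr[:])
	if n > maxPayload {
		return nil, ErrPayloadTooLarge
	}
	buf := make([]byte, n)
	if _, err := io.ReadFull(r, buf); err != nil {
		return nil, err
	}
	return buf, nil
}

// frame builds a well-formed length-prefixed message (constructed test input).
func frame(payload []byte) []byte {
	out := make([]byte, 4+len(payload))
	binary.BigEndian.PutUint32(out, uint32(len(payload)))
	copy(out[4:], payload)
	return out
}

// hostileHeader builds a header that claims `claimed` bytes but carries none
// (constructed attacker input): the sender pays four bytes, the receiver pays
// whatever make() allocates.
func hostileHeader(claimed uint32) []byte {
	var hdr [4]byte
	binary.BigEndian.PutUint32(hdr[:], claimed)
	return hdr[:]
}

func main() {
	good := frame([]byte("hello"))
	if b, err := readFrameChecked(bytes.NewReader(good)); err == nil {
		fmt.Printf("checked reader accepted %q\n", b)
	}

	hostile := hostileHeader(0xFFFFFFFF)
	_, err := readFrameChecked(bytes.NewReader(hostile))
	fmt.Println("checked reader on hostile header:", err)
	// readFrameUnchecked(bytes.NewReader(hostile)) is deliberately not called
	// here: it would attempt the ~4 GiB allocation described above.
}
```

Note that the cap is the only thing standing between the four-byte header and the allocation; io.ReadFull cannot help, because make() runs before any payload byte is read. A claim that is within the cap but not backed by data is still rejected, just later and more cheaply, when ReadFull returns io.EOF.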
sylwia-budzynska commented Dec 18, 2023

Hello @Malayke 👋 could you provide a CodeQL database with the vulnerable version of the codebase, which contains the CVE?

Malayke (Author) commented Dec 18, 2023

Hi @sylwia-budzynska , this is the CodeQL database link of https://github.com/distribution/distribution vulnerable version

ghsecuritylab (Collaborator)

Your submission is now in status Query review.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

ghsecuritylab (Collaborator)

Your submission is now in status Final decision.

ghsecuritylab (Collaborator)

Your submission is now in status Pay.

xcorail (Contributor) commented Mar 6, 2024

Hi @Malayke can you please provide a public email address, or send one to me privately?

Malayke (Author) commented Mar 7, 2024

Hi @xcorail I've already sent an email to your GitHub email address.

xcorail (Contributor) commented Mar 7, 2024

Created Hackerone report 2407167 for bounty 557823 : [809] [Go]: Query To Detect Denial Of Service Vulnerability

@xcorail xcorail closed this as completed Mar 7, 2024
ghsecuritylab (Collaborator)

Your submission is now in status Closed.
