Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

syscall: ParseDirent is unsafe #15653

Closed
neild opened this issue May 11, 2016 · 3 comments
Closed

syscall: ParseDirent is unsafe #15653

neild opened this issue May 11, 2016 · 3 comments
Assignees
Milestone

Comments

@neild
Copy link
Contributor

@neild neild commented May 11, 2016

syscall.ParseDirent does not sufficiently validate its inputs to avoid crashes or returning uninitialized memory to the caller (via unsafe use of unsafe).

e.g., from syscall_linux.go:

func ParseDirent(buf []byte, max int, names []string) (consumed int, count int, newnames []string) {
        origlen := len(buf)
        count = 0
        for max != 0 && len(buf) > 0 { // <-- should check to see if len(buf) >= sizeof(Dirent) 
                dirent := (*Dirent)(unsafe.Pointer(&buf[0]))
                buf = buf[dirent.Reclen:] // <-- should validate dirent.Reclen isn't out of bound 
                if dirent.Ino == 0 { // File absent in directory.
                        continue
                }
                bytes := (*[10000]byte)(unsafe.Pointer(&dirent.Name[0]))
                var name = string(bytes[0:clen(bytes[:])]) // <-- should make sure this doesn't read more than dirent.Reclen
                if name == "." || name == ".." { // Useless names
                        continue
                }
                max--
                count++
                names = append(names, name)
        }
        return origlen - len(buf), count, names
}
@bradfitz bradfitz changed the title syscall.ParseDirent is unsafe syscall: ParseDirent is unsafe May 11, 2016
@bradfitz bradfitz added this to the Go1.7 milestone May 11, 2016
@bradfitz
Copy link
Contributor

@bradfitz bradfitz commented May 11, 2016

Nice.

@rsc rsc modified the milestones: Go1.8, Go1.7 May 18, 2016
@bradfitz bradfitz added the Security label May 21, 2016
@neild neild self-assigned this Jun 3, 2016
@gopherbot
Copy link

@gopherbot gopherbot commented Jun 3, 2016

CL https://golang.org/cl/23780 mentions this issue.

@gopherbot
Copy link

@gopherbot gopherbot commented Mar 29, 2017

CL https://golang.org/cl/38758 mentions this issue.

gopherbot pushed a commit to golang/sys that referenced this issue Mar 29, 2017
This is a copy of https://golang.org/cl/23780 for the x/sys repo.

Don't panic, crash, or return references to uninitialized memory when 
ParseDirent is passed invalid input.

Updates golang/go#15653
Fixes golang/go#19754

Change-Id: Idb7cffe14d48ed662e5a55ecb5249c1907cf4003
Reviewed-on: https://go-review.googlesource.com/38758
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
@golang golang locked and limited conversation to collaborators Mar 29, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
4 participants
You can’t perform that action at this time.