Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

time: out of memory on LoadLocation of /dev/urandom or other unbounded file #18985

Closed
bradfitz opened this issue Feb 7, 2017 · 6 comments

Comments

Projects
None yet
4 participants
@bradfitz
Copy link
Member

commented Feb 7, 2017

Report from Ulysse Manceron:

If ZONEINFO points to /dev/urandom, LoadLocation's parsing of zoneinfo can loop forever and run out of memory.

@bradfitz bradfitz added the NeedsFix label Feb 7, 2017

@bradfitz bradfitz added this to the Go1.9 milestone Feb 7, 2017

@bradfitz bradfitz changed the title time: out of memory if ZONEINFO points to /dev/urandom or other unbounded file time: out of memory on LoadLocation of /dev/urandom or other unbounded file Feb 7, 2017

@UlysseM

This comment has been minimized.

Copy link

commented Feb 7, 2017

The actual issue is that time.LoadLocation(name string) will try to load the file "/usr/share/zoneinfo/" + name in memory, without performing any check on name.

So if name is "../../../../dev/urandom", the program can crash.

@bradfitz

This comment has been minimized.

Copy link
Member Author

commented Feb 7, 2017

Update: "Technically, it’s not if ZONEINFO points to /dev/urandom, it’s if that environment variable isn’t set (which is the default scenario), and the someone calls time.LoadLocation(“../../../../dev/urandom”) (which could happen if a user can provide it’s own timezone)."

@gopherbot

This comment has been minimized.

Copy link

commented Feb 7, 2017

CL https://golang.org/cl/36551 mentions this issue.

@LionNatsu

This comment has been minimized.

Copy link
Contributor

commented Feb 7, 2017

So it can be exploited to try to read/detect any files?

@bradfitz

This comment has been minimized.

Copy link
Member Author

commented Feb 7, 2017

Yeah, it should probably also reject bogus zone names lexically before syscall.Open.

@UlysseM

This comment has been minimized.

Copy link

commented Feb 7, 2017

I don't think the patch is sufficient, if something like ../../../../dev/tty is passed, the function will hang.

Overall, this is only an issue if an application let a user picks a timezone, without verifying it. But the description doesn't mention that the function will actually perform read operation in the filesystem, nor that the value should be checked for error.

@gopherbot gopherbot closed this in bd56169 Feb 8, 2017

@golang golang locked and limited conversation to collaborators Feb 8, 2018

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
You can’t perform that action at this time.