time: out of memory on LoadLocation of /dev/urandom or other unbounded file

[bradfitz]

Report from Ulysse Manceron:

If ZONEINFO points to /dev/urandom, LoadLocation's parsing of zoneinfo can loop forever and run out of memory.

[UlysseM]

The actual issue is that time.LoadLocation(name string) will try to load the file "/usr/share/zoneinfo/" + name in memory, without performing any check on name.

So if name is "../../../../dev/urandom", the program can crash.

[bradfitz]

Update: "Technically, it’s not if ZONEINFO points to /dev/urandom, it’s if that environment variable isn’t set (which is the default scenario), and the someone calls time.LoadLocation(“../../../../dev/urandom”) (which could happen if a user can provide it’s own timezone)."

[gopherbot]

CL https://golang.org/cl/36551 mentions this issue.

[LionNatsu]

So it can be exploited to try to read/detect any files?

[bradfitz]

Yeah, it should probably also reject bogus zone names lexically before syscall.Open.

[UlysseM]

I don't think the patch is sufficient, if something like ../../../../dev/tty is passed, the function will hang.

Overall, this is only an issue if an application let a user picks a timezone, without verifying it. But the description doesn't mention that the function will actually perform read operation in the filesystem, nor that the value should be checked for error.