Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

security: fix CVE-2021-38297 [1.17 backport] #48800

Closed
gopherbot opened this issue Oct 5, 2021 · 2 comments
Closed

security: fix CVE-2021-38297 [1.17 backport] #48800

gopherbot opened this issue Oct 5, 2021 · 2 comments
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge release-blocker Security
Milestone
Go1.17.2

Comments

@gopherbot
Copy link
Contributor

@rolandshoemaker requested issue #48797 to be considered for backport to the next 1.17 minor release.

@gopherbot please backport to 1.16 and 1.17.

This is a security issue.
@gopherbot gopherbot added the CherryPickCandidate Used during the release process for point releases label Oct 5, 2021
@gopherbot gopherbot mentioned this issue Oct 5, 2021
Closed
@gopherbot gopherbot added this to the Go1.17.2 milestone Oct 5, 2021
@heschi heschi added CherryPickApproved Used during the release process for point releases and removed CherryPickCandidate Used during the release process for point releases labels Oct 6, 2021
@gopherbot
Copy link
Contributor Author

Change https://golang.org/cl/354592 mentions this issue: misc/wasm, cmd/link: do not let command line args overwrite global data

@gopherbot
Copy link
Contributor Author

Closed by merging 4925e07 to release-branch.go1.17.

gopherbot pushed a commit that referenced this issue Oct 7, 2021
@mknyszek
[release-branch.go1.17] misc/wasm, cmd/link: do not let command line …
4925e07 
…args overwrite global data

On Wasm, wasm_exec.js puts command line arguments at the beginning
of the linear memory (following the "zero page"). Currently there
is no limit for this, and a very long command line can overwrite
the program's data section. Prevent this by limiting the command
line to 4096 bytes, and in the linker ensuring the data section
starts at a high enough address (8192).

(Arguably our address assignment on Wasm is a bit confusing. This
is the minimum fix I can come up with.)

Thanks to Ben Lubar for reporting this issue.

Change by Cherry Mui <cherryyz@google.com>.

For #48797
Fixes #48800
Fixes CVE-2021-38297

Change-Id: I0f50fbb2a5b6d0d047e3c134a88988d9133e4ab3
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1205933
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Than McIntosh <thanm@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/354592
Trust: Michael Knyszek <mknyszek@google.com>
Reviewed-by: Heschi Kreinick <heschi@google.com>
@fgma fgma mentioned this issue Oct 13, 2021
Merged
1 task
@golang golang locked and limited conversation to collaborators Oct 7, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge release-blocker Security
Projects
None yet
Milestone
Go1.17.2
Development

No branches or pull requests
3 participants
@rolandshoemaker @gopherbot @heschi