math/big: Rat.SetString may consume large amount of RAM and crash

[katiehockman]

Unmarshaling a string into a *Rat may cause resource exhaustion, consuming a huge amount of RAM, which may cause a system to crash or timeout. This is reachable from (*Rat).SetString, (*Rat).UnmarshalText, (*Rat).Scan, and any other function that unmarshals a string into a (*Rat) such as constant.MakeFromLiteral.

Thanks to the OSS-Fuzz project for discovering this issue and to Emmanuel Odeke for reporting it.

This is CVE-2022-23772.

[katiehockman]

@gopherbot please backport to 1.17 and 1.16 as this is a security issue.

[gopherbot]

Backport issue(s) opened: #50700 (for 1.16), #50701 (for 1.17).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://golang.org/wiki/MinorReleases.

[gopherbot]

Change https://golang.org/cl/379537 mentions this issue: math/big: prevent overflow in (*Rat).SetString

[dmitshur]

Ping as a release blocker. Is the CL fixing this issue ready to be submitted?

[odeke-em]

@dmitshur thank you for the ping! I've given the CL a +2, I shall wait for @katiehockman and the security team too.

[gopherbot]

Change https://golang.org/cl/381336 mentions this issue: [release-branch.go1.17] math/big: prevent overflow in (*Rat).SetString