math/big: index out of range in Float.GobDecode

[catenacyber]

What version of Go are you using (go version)?

$ go version
go version go1.17.6 darwin/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output

$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/catena/Library/Caches/go-build"
GOENV="/Users/catena/Library/Application Support/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOINSECURE=""
GOMODCACHE="/Users/catena/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="darwin"
GOPATH="/Users/catena/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/darwin_amd64"
GOVCS=""
GOVERSION="go1.17.6"
GCCGO="gccgo"
AR="ar"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD="/Users/catena/go/src/github.com/catenacyber/go/src/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -arch x86_64 -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/pp/dc1dtf9x2js3v0jx_m010nqr0000gn/T/go-build4237848497=/tmp/go-build -gno-record-gcc-switches -fno-common"
GOROOT/bin/go version: go version go1.17.6 darwin/amd64
GOROOT/bin/go tool compile -V: compile version go1.17.6
uname -v: Darwin Kernel Version 21.3.0: Wed Jan  5 21:37:58 PST 2022; root:xnu-8019.80.24~20/RELEASE_X86_64
ProductName:	macOS
ProductVersion:	12.2.1
BuildVersion:	21D62
lldb --version: lldb-1316.0.9.41
Apple Swift version 5.6 (swiftlang-5.6.0.323.62 clang-1316.0.20.8)
gdb --version: GNU gdb (GDB) 9.1

What did you do?

Run https://go.dev/play/p/-iOX1cXown9 ie Float0.GobDecode([]byte{0x1, 0x0, 0x0, 0x0})

What did you expect to see?

The program finishing and printing somme Hello, without having allocated too much space

What did you see instead?

panic: runtime error: index out of range [3] with length 2

goroutine 1 [running]:
encoding/binary.bigEndian.Uint32(...)
	/usr/local/go-faketime/src/encoding/binary/binary.go:112
math/big.(*Float).GobDecode(0x60?, {0xc000070f34?, 0xc00006a000?, 0x0?})
	/usr/local/go-faketime/src/math/big/floatmarsh.go:83 +0x23d
main.main()
	/tmp/sandbox1173043807/prog.go:12 +0x56

Program exited.

Found by https://github.com/catenacyber/ngolo-fuzzing on oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=49120

[mknyszek]

CC @griesemer @golang/security

[catenacyber]

Oh I thought GobDecode was not a security issue...

[mknyszek]

Ah, no, it's just owned in part by the Go security team. I don't know whether this is a security issue. (See https://dev.golang.org/owners.)

[rolandshoemaker]

Generally we consider panics in functions which take external input to be security issues. If you are not sure, feel free to send a message to security@golang.org before opening an issue and we will be happy to check.

[gopherbot]

Change https://go.dev/cl/417774 mentions this issue: math/big: check buffer lengths in GobDecode

[catenacyber]

Another reproducer for Rat : https://go.dev/play/p/6Qpskg2_Abp

[rolandshoemaker]

@gopherbot please open backports, this is a security issue.

[gopherbot]

Backport issue(s) opened: #54094 (for 1.17), #54095 (for 1.18).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.