Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

math/big: index out of range in Float.GobDecode #53871

Closed
catenacyber opened this issue Jul 14, 2022 · 11 comments
Closed

math/big: index out of range in Float.GobDecode #53871

catenacyber opened this issue Jul 14, 2022 · 11 comments
Labels
NeedsFix The path to resolution is known, but the work has not been done. release-blocker Security
Milestone

Comments

@catenacyber
Copy link
Contributor

catenacyber commented Jul 14, 2022

What version of Go are you using (go version)?

$ go version
go version go1.17.6 darwin/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/catena/Library/Caches/go-build"
GOENV="/Users/catena/Library/Application Support/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOINSECURE=""
GOMODCACHE="/Users/catena/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="darwin"
GOPATH="/Users/catena/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/darwin_amd64"
GOVCS=""
GOVERSION="go1.17.6"
GCCGO="gccgo"
AR="ar"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD="/Users/catena/go/src/github.com/catenacyber/go/src/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -arch x86_64 -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/pp/dc1dtf9x2js3v0jx_m010nqr0000gn/T/go-build4237848497=/tmp/go-build -gno-record-gcc-switches -fno-common"
GOROOT/bin/go version: go version go1.17.6 darwin/amd64
GOROOT/bin/go tool compile -V: compile version go1.17.6
uname -v: Darwin Kernel Version 21.3.0: Wed Jan  5 21:37:58 PST 2022; root:xnu-8019.80.24~20/RELEASE_X86_64
ProductName:	macOS
ProductVersion:	12.2.1
BuildVersion:	21D62
lldb --version: lldb-1316.0.9.41
Apple Swift version 5.6 (swiftlang-5.6.0.323.62 clang-1316.0.20.8)
gdb --version: GNU gdb (GDB) 9.1

What did you do?

Run https://go.dev/play/p/-iOX1cXown9 ie Float0.GobDecode([]byte{0x1, 0x0, 0x0, 0x0})

What did you expect to see?

The program finishing and printing somme Hello, without having allocated too much space

What did you see instead?

panic: runtime error: index out of range [3] with length 2

goroutine 1 [running]:
encoding/binary.bigEndian.Uint32(...)
	/usr/local/go-faketime/src/encoding/binary/binary.go:112
math/big.(*Float).GobDecode(0x60?, {0xc000070f34?, 0xc00006a000?, 0x0?})
	/usr/local/go-faketime/src/math/big/floatmarsh.go:83 +0x23d
main.main()
	/tmp/sandbox1173043807/prog.go:12 +0x56

Program exited.

Found by https://github.com/catenacyber/ngolo-fuzzing on oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=49120

@mknyszek
Copy link
Contributor

mknyszek commented Jul 14, 2022

CC @griesemer @golang/security

@mknyszek mknyszek added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Jul 14, 2022
@mknyszek mknyszek added this to the Backlog milestone Jul 14, 2022
@catenacyber
Copy link
Contributor Author

catenacyber commented Jul 14, 2022

Oh I thought GobDecode was not a security issue...

@mknyszek
Copy link
Contributor

mknyszek commented Jul 14, 2022

Ah, no, it's just owned in part by the Go security team. I don't know whether this is a security issue. (See https://dev.golang.org/owners.)

@rolandshoemaker rolandshoemaker added Security NeedsFix The path to resolution is known, but the work has not been done. and removed NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. labels Jul 15, 2022
@rolandshoemaker
Copy link
Member

rolandshoemaker commented Jul 15, 2022

Generally we consider panics in functions which take external input to be security issues. If you are not sure, feel free to send a message to security@golang.org before opening an issue and we will be happy to check.

@gopherbot
Copy link

gopherbot commented Jul 15, 2022

Change https://go.dev/cl/417774 mentions this issue: math/big: check buffer lengths in GobDecode

@catenacyber
Copy link
Contributor Author

catenacyber commented Jul 21, 2022

Another reproducer for Rat : https://go.dev/play/p/6Qpskg2_Abp

@rolandshoemaker
Copy link
Member

rolandshoemaker commented Jul 27, 2022

@gopherbot please open backports, this is a security issue.

@gopherbot
Copy link

gopherbot commented Jul 27, 2022

Backport issue(s) opened: #54094 (for 1.17), #54095 (for 1.18).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

@gopherbot
Copy link

gopherbot commented Jul 27, 2022

Change https://go.dev/cl/419814 mentions this issue: [release-branch.go1.17] math/big: check buffer lengths in GobDecode

@gopherbot
Copy link

gopherbot commented Jul 27, 2022

Change https://go.dev/cl/419815 mentions this issue: [release-branch.go1.18] math/big: check buffer lengths in GobDecode

@catenacyber
Copy link
Contributor Author

catenacyber commented Jul 28, 2022

please open backports, this is a security issue.

So, I should have sent a mail instead of opening a GitHub issue, sorry about missing it.
Will there be a CVE and security release for 1.18 ?

gopherbot pushed a commit that referenced this issue Jul 29, 2022
In Float.GobDecode and Rat.GobDecode, check buffer sizes before
indexing slices.

Updates #53871
Fixes #54095

Change-Id: I1b652c32c2bc7a0e8aa7620f7be9b2740c568b0a
Reviewed-on: https://go-review.googlesource.com/c/go/+/417774
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
(cherry picked from commit 055113e)
Reviewed-on: https://go-review.googlesource.com/c/go/+/419815
Reviewed-by: Julie Qiu <julieqiu@google.com>
gopherbot pushed a commit that referenced this issue Jul 29, 2022
In Float.GobDecode and Rat.GobDecode, check buffer sizes before
indexing slices.

Updates #53871
Fixes #54094

Change-Id: I1b652c32c2bc7a0e8aa7620f7be9b2740c568b0a
Reviewed-on: https://go-review.googlesource.com/c/go/+/417774
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
(cherry picked from commit 055113e)
Reviewed-on: https://go-review.googlesource.com/c/go/+/419814
Reviewed-by: Julie Qiu <julieqiu@google.com>
@dmitshur dmitshur modified the milestones: Backlog, Go1.19 Jul 31, 2022
jproberts pushed a commit to jproberts/go that referenced this issue Aug 10, 2022
In Float.GobDecode and Rat.GobDecode, check buffer sizes before
indexing slices.

Fixes golang#53871

Change-Id: I1b652c32c2bc7a0e8aa7620f7be9b2740c568b0a
Reviewed-on: https://go-review.googlesource.com/c/go/+/417774
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
danbudris pushed a commit to danbudris/go that referenced this issue Sep 9, 2022
In Float.GobDecode and Rat.GobDecode, check buffer sizes before
indexing slices.

Updates golang#53871
Fixes golang#54094

Change-Id: I1b652c32c2bc7a0e8aa7620f7be9b2740c568b0a
Reviewed-on: https://go-review.googlesource.com/c/go/+/417774
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
(cherry picked from commit 055113e)
Reviewed-on: https://go-review.googlesource.com/c/go/+/419814
Reviewed-by: Julie Qiu <julieqiu@google.com>
danbudris pushed a commit to danbudris/go that referenced this issue Sep 9, 2022
In Float.GobDecode and Rat.GobDecode, check buffer sizes before
indexing slices.

Updates golang#53871
Fixes golang#54094

Change-Id: I1b652c32c2bc7a0e8aa7620f7be9b2740c568b0a
Reviewed-on: https://go-review.googlesource.com/c/go/+/417774
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
(cherry picked from commit 055113e)
Reviewed-on: https://go-review.googlesource.com/c/go/+/419814
Reviewed-by: Julie Qiu <julieqiu@google.com>
danbudris pushed a commit to danbudris/go that referenced this issue Sep 12, 2022
In Float.GobDecode and Rat.GobDecode, check buffer sizes before
indexing slices.

Updates golang#53871
Fixes golang#54094

Change-Id: I1b652c32c2bc7a0e8aa7620f7be9b2740c568b0a
Reviewed-on: https://go-review.googlesource.com/c/go/+/417774
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
(cherry picked from commit 055113e)
Reviewed-on: https://go-review.googlesource.com/c/go/+/419814
Reviewed-by: Julie Qiu <julieqiu@google.com>
danbudris pushed a commit to danbudris/go that referenced this issue Sep 14, 2022
In Float.GobDecode and Rat.GobDecode, check buffer sizes before
indexing slices.

Updates golang#53871
Fixes golang#54094

Change-Id: I1b652c32c2bc7a0e8aa7620f7be9b2740c568b0a
Reviewed-on: https://go-review.googlesource.com/c/go/+/417774
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
(cherry picked from commit 055113e)
Reviewed-on: https://go-review.googlesource.com/c/go/+/419814
Reviewed-by: Julie Qiu <julieqiu@google.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
NeedsFix The path to resolution is known, but the work has not been done. release-blocker Security
Projects
None yet
Development

No branches or pull requests

5 participants