
math/big: panic slice bounds out of range in Rat.GobDecode #56156

Closed
AdamKorcz opened this issue Oct 11, 2022 · 6 comments
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done.

Comments

@AdamKorcz

AdamKorcz commented Oct 11, 2022

Found by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52322

What version of Go are you using (go version)?

1.19.1 and 1.19.2

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/adam/.cache/go-build"
GOENV="/home/adam/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/home/adam/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/adam/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.19.1"
GCCGO="gccgo"
GOAMD64="v1"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/tmp/forked-istio/go.mod"
GOWORK=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build3333636918=/tmp/go-build -gno-record-gcc-switches"

What did you do?

This program:

```go
package main

import (
	"math/big"
)

func main() {
	i1 := 255
	i2 := 255
	r := big.NewRat(int64(i1), int64(i2))
	// Header byte 2 = version 1 with the sign bit clear; the following four
	// bytes are the numerator length 0xFFFFFFFF, which wraps the length check.
	buf := []byte{2, 255, 255, 255, 255}
	r.GobDecode(buf)
}
```

... panics with this stacktrace:

panic: runtime error: slice bounds out of range [5:4]

goroutine 1 [running]:
math/big.(*Rat).GobDecode(0xc00009af30?, {0xc00009af2b?, 0xff?, 0x0?})
        /tmp/go/src/math/big/ratmarsh.go:61 +0x250
main.main()
        /tmp/go-poc/main.go:12 +0x6a
exit status 2

What did you expect to see?

No Panic

What did you see instead?

See stacktrace above.

@mdempsky mdempsky changed the title panic slice bounds out of range in math/big.Rat.GobDecode math/big: panic slice bounds out of range in Rat.GobDecode Oct 11, 2022
@mdempsky mdempsky added the NeedsFix The path to resolution is known, but the work has not been done. label Oct 11, 2022
@mdempsky
Contributor

Seems like the issue is with:

```go
i := j + binary.BigEndian.Uint32(buf[j-4:j])
if len(buf) < int(i) {
	return errors.New("Rat.GobDecode: buffer too small")
}
```

/cc @rolandshoemaker
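The wrap that the snippet above permits, shown as an added example (this is not code from the Go repository or from anyone in this thread): a standalone decoder for the Rat gob layout (one header byte carrying version and sign, a 4-byte big-endian numerator length, numerator bytes, then denominator bytes) with the pre-fix length check beside a form that compares in a width that cannot wrap. `j` is 5, so a length of 0xFFFFFFFF added in uint32 arithmetic yields 4, the `len(buf) < 4` test passes for a 5-byte buffer, and `buf[5:4]` panics. The names `decodeVulnerable`, `decodeHardened`, `checkHeader`, `assemble` and `mustEncode` are mine; the "zero-length denominator means 1" rule follows the package's own convention, and `mustEncode` uses the real `(*big.Rat).GobEncode` only to produce genuine input.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
)

// ratGobVersion is the format version carried in the top seven bits of the
// header byte; the low bit carries the numerator's sign.
const ratGobVersion = 1

// rawRat is the numerator/denominator pair recovered from the gob bytes.
type rawRat struct {
	num, den *big.Int
}

// mustEncode builds a valid buffer with the real encoder so the hardened
// decoder can be checked against genuine input (assumed helper, not stdlib).
func mustEncode(num, den int64) []byte {
	b, err := big.NewRat(num, den).GobEncode()
	if err != nil {
		panic(err)
	}
	return b
}

// checkHeader validates the parts both decoders agree on: minimum size and
// format version.
func checkHeader(buf []byte) error {
	if len(buf) < 5 {
		return errors.New("Rat.GobDecode: buffer too small")
	}
	if v := buf[0] >> 1; v != ratGobVersion {
		return fmt.Errorf("Rat.GobDecode: encoding version %d not supported", v)
	}
	return nil
}

// assemble turns the two byte ranges into big.Int values; a zero-length
// denominator stands for 1, matching math/big's own convention.
func assemble(hdr byte, numBytes, denBytes []byte) rawRat {
	num := new(big.Int).SetBytes(numBytes)
	if hdr&1 != 0 {
		num.Neg(num)
	}
	den := big.NewInt(1)
	if len(denBytes) > 0 {
		den.SetBytes(denBytes)
	}
	return rawRat{num, den}
}

// decodeVulnerable keeps the pre-fix shape of the length check: the untrusted
// length is added to the header size in uint32 arithmetic and only the wrapped
// sum is compared against len(buf). The panic is recovered here solely so a
// caller can observe it as an error value.
func decodeVulnerable(buf []byte) (r rawRat, err error) {
	defer func() {
		if p := recover(); p != nil {
			err = fmt.Errorf("decodeVulnerable: recovered panic: %v", p)
		}
	}()
	if e := checkHeader(buf); e != nil {
		return rawRat{}, e
	}
	const j = 1 + 4
	i := j + binary.BigEndian.Uint32(buf[j-4:j]) // wraps for lengths near 2^32
	if len(buf) < int(i) {
		return rawRat{}, errors.New("Rat.GobDecode: buffer too small")
	}
	return assemble(buf[0], buf[j:i], buf[i:]), nil // buf[5:4] panics on the PoC
}

// decodeHardened never adds to the untrusted length: it asks whether the
// numerator fits in the bytes that remain after the header, comparing in
// uint64 so no operand can wrap, and computes the end offset only afterwards.
func decodeHardened(buf []byte) (rawRat, error) {
	if err := checkHeader(buf); err != nil {
		return rawRat{}, err
	}
	const j = 1 + 4
	ln := binary.BigEndian.Uint32(buf[j-4 : j])
	if uint64(ln) > uint64(len(buf)-j) {
		return rawRat{}, errors.New("Rat.GobDecode: buffer too small")
	}
	i := j + int(ln) // ln <= len(buf)-j, so this fits in int on any platform
	return assemble(buf[0], buf[j:i], buf[i:]), nil
}

func main() {
	bad := []byte{2, 255, 255, 255, 255} // constructed: the reporter's PoC bytes
	_, err := decodeVulnerable(bad)
	fmt.Println("vulnerable:", err)
	_, err = decodeHardened(bad)
	fmt.Println("hardened:  ", err)
	r, _ := decodeHardened(mustEncode(-3, 7))
	fmt.Println("valid input decodes to", r.num, "/", r.den)
}
```

The detection point for reviewers is the shape of the check: whenever a length read from the input is added to an offset before the comparison, the comparison must happen in a type wide enough that the sum cannot wrap, or the subtraction form `length > remaining` should be used instead.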

@gopherbot
Contributor

Change https://go.dev/cl/442335 mentions this issue: math/big: error on buffer length overflow in Rat.GobDecode

@catenacyber
Contributor

romaindoumenc pushed a commit to TroutSoftware/go that referenced this issue Nov 3, 2022
Fixes golang#56156

Change-Id: Ib85ff45f0b0d0eac83c39606ee20b3a312e6e919
Reviewed-on: https://go-review.googlesource.com/c/go/+/442335
Run-TryBot: Ian Lance Taylor <iant@google.com>
Auto-Submit: Ian Lance Taylor <iant@google.com>
Reviewed-by: Matthew Dempsky <mdempsky@google.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
@AdamKorcz
Author

AdamKorcz commented Nov 11, 2022

This has not been fixed.

```go
package main

import (
	"math/big"
)

func main() {
	// Same header and 0xFFFFFFFF numerator length as the first report.
	buf := []byte{2, 255, 255, 255, 255}
	i1 := 32
	i2 := 255
	r := big.NewRat(int64(i1), int64(i2))
	r.GobDecode(buf)
}
```

Will produce the following stack trace:

panic: runtime error: slice bounds out of range [5:4]

goroutine 1 [running]:
math/big.(*Rat).GobDecode(0xc00009af30?, {0xc00009af2b?, 0xff?, 0x0?})
        /tmp/go/src/math/big/ratmarsh.go:61 +0x250
main.main()
        /tmp/go-poc/main.go:13 +0x6d

It has been tested with the latest release.

@neild @rolandshoemaker could we get this reopened?

@mdempsky
Contributor

It has been fixed at tip and will be included in the 1.20 release: https://go.dev/play/p/qsXUXNl_ZK_y?v=gotip

It hasn't been backported to 1.19 nor proposed for that.

@AdamKorcz
Author

Alright, thanks!

@golang golang locked and limited conversation to collaborators Nov 11, 2023