Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

runtime: unexpected behavior of setuid/setgid binaries [CVE-2023-29403] [1.19 backport] #60517

Closed
gopherbot opened this issue May 30, 2023 · 3 comments
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge release-blocker Security
Milestone

Comments

@gopherbot
Copy link
Contributor

@rolandshoemaker requested issue #60272 to be considered for backport to the next 1.19 minor release.

@gopherbot please open backport issues.

@gopherbot gopherbot added the CherryPickCandidate Used during the release process for point releases label May 30, 2023
@gopherbot gopherbot added this to the Go1.19.10 milestone May 30, 2023
@dr2chase dr2chase added the CherryPickApproved Used during the release process for point releases label Jun 6, 2023
@gopherbot gopherbot removed the CherryPickCandidate Used during the release process for point releases label Jun 6, 2023
@gopherbot
Copy link
Contributor Author

Change https://go.dev/cl/501215 mentions this issue: [release-branch.go1.19] runtime: implement SUID/SGID protections

@gopherbot
Copy link
Contributor Author

Change https://go.dev/cl/501228 mentions this issue: [release-branch.go1.19] runtime: implement SUID/SGID protections

@gopherbot
Copy link
Contributor Author

Closed by merging a7b1cd4 to release-branch.go1.19.

gopherbot pushed a commit that referenced this issue Jun 6, 2023
On Unix platforms, the runtime previously did nothing special when a
program was run with either the SUID or SGID bits set. This can be
dangerous in certain cases, such as when dumping memory state, or
assuming the status of standard i/o file descriptors.

Taking cues from glibc, this change implements a set of protections when
a binary is run with SUID or SGID bits set (or is SUID/SGID-like). On
Linux, whether to enable these protections is determined by whether the
AT_SECURE flag is passed in the auxiliary vector. On platforms which
have the issetugid syscall (the BSDs, darwin, and Solaris/Illumos), that
is used. On the remaining platforms (currently only AIX) we check
!(getuid() == geteuid() && getgid == getegid()).

Currently when we determine a binary is "tainted" (using the glibc
terminology), we implement two specific protections:
  1. we check if the file descriptors 0, 1, and 2 are open, and if they
     are not, we open them, pointing at /dev/null (or fail).
  2. we force GOTRACKBACK=none, and generally prevent dumping of
     trackbacks and registers when a program panics/aborts.

In the future we may add additional protections.

This change requires implementing issetugid on the platforms which
support it, and implementing getuid, geteuid, getgid, and getegid on
AIX.

Thanks to Vincent Dehors from Synacktiv for reporting this issue.

Updates #60272
Fixes #60517
Fixes CVE-2023-29403

Change-Id: I057fa7153d29cf26515e7f49fed86e4f8bedd0f0
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1878434
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Russ Cox <rsc@google.com>
(cherry picked from commit 87065663ea6d89cd54f65a515d8f2ed0ef285c19)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1902231
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1904340
Reviewed-by: Michael Knyszek <mknyszek@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/501228
Auto-Submit: Michael Knyszek <mknyszek@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: David Chase <drchase@google.com>
@dr2chase dr2chase changed the title security: fix CVE-2023-29403 [1.19 backport] runtime: unexpected behavior of setuid/setgid binaries [CVE-2023-29403] [1.19 backport] Jun 6, 2023
@golang golang locked and limited conversation to collaborators Jun 5, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge release-blocker Security
Projects
None yet
Development

No branches or pull requests

4 participants