encoding/gob: stack exhaustion in Decoder.Decode (CVE-2024-34156) #69139
Labels
FixPending
Issues that have a fix which has not yet been reviewed or submitted.
NeedsFix
The path to resolution is known, but the work has not been done.
release-blocker
Security
Milestone
Comments
|
@gopherbot please open backport issues for this security fix. |
|
Backport issue(s) opened: #69144 (for 1.22), #69145 (for 1.23). Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases. |
|
Related Issues and Documentation
(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.) |
This was referenced Aug 29, 2024
dmitshur
added
the
NeedsFix
|
Change https://go.dev/cl/611176 mentions this issue: |
|
Change https://go.dev/cl/611182 mentions this issue: |
gopherbot
pushed a commit
that referenced
this issue
Sep 5, 2024
…g ignore depth This change makes sure that we are properly checking the ignored field recursion depth in decIgnoreOpFor consistently. This prevents stack exhaustion when attempting to decode a message that contains an extremely deeply nested struct which is ignored. Thanks to Md Sakib Anwar of The Ohio State University (anwar.40@osu.edu) for reporting this issue. Updates #69139 Fixes #69145 Fixes CVE-2024-34156 Change-Id: Iacce06be95a5892b3064f1c40fcba2e2567862d6 Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1440 Reviewed-by: Russ Cox <rsc@google.com> Reviewed-by: Damien Neil <dneil@google.com> (cherry picked from commit 9f2ea73c5f2a7056b7da5d579a485a7216f4b20a) Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1581 Commit-Queue: Roland Shoemaker <bracewell@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/611176 Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Auto-Submit: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: Michael Pratt <mpratt@google.com> TryBot-Bypass: Dmitri Shuralyov <dmitshur@google.com>
gopherbot
pushed a commit
that referenced
this issue
Sep 5, 2024
…g ignore depth This change makes sure that we are properly checking the ignored field recursion depth in decIgnoreOpFor consistently. This prevents stack exhaustion when attempting to decode a message that contains an extremely deeply nested struct which is ignored. Thanks to Md Sakib Anwar of The Ohio State University (anwar.40@osu.edu) for reporting this issue. Updates #69139 Fixes #69144 Fixes CVE-2024-34156 Change-Id: Iacce06be95a5892b3064f1c40fcba2e2567862d6 Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1440 Reviewed-by: Russ Cox <rsc@google.com> Reviewed-by: Damien Neil <dneil@google.com> (cherry picked from commit f0a11f9b3aaa362cb1d05e095e3c8d421d4f087f) Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1580 Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/611182 TryBot-Bypass: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: Michael Pratt <mpratt@google.com> Auto-Submit: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
dmitshur
changed the title
|
Change https://go.dev/cl/611239 mentions this issue: |
dmitshur
added
the
FixPending
This was referenced Sep 10, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion.
This is a follow-up to CVE-2022-30635.
Thanks to Md Sakib Anwar of The Ohio State University (anwar.40@osu.edu) for reporting this issue.
This is CVE-2024-34156 and Go issue https://go.dev/issue/69139.
This is a PRIVATE issue for CVE-2024-34156, tracked in http://b/362587965 and fixed by https://go-internal-review.git.corp.google.com/c/go/+/1440.
/cc @golang/security and @golang/release
The text was updated successfully, but these errors were encountered: