Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

go/build/constraint: stack exhaustion in Parse (CVE-2024-34158) #69141

Closed
rolandshoemaker opened this issue Aug 29, 2024 · 7 comments
Closed
Labels
FixPending Issues that have a fix which has not yet been reviewed or submitted. NeedsFix The path to resolution is known, but the work has not been done. release-blocker Security
Milestone

Comments

@rolandshoemaker
Copy link
Member

rolandshoemaker commented Aug 29, 2024

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

This is CVE-2024-34158 and Go issue https://go.dev/issue/69141.


This is a PRIVATE issue for CVE-2024-34158, tracked in http://b/362587324 and fixed by
https://go-internal-review.git.corp.google.com/c/go/+/1540.

/cc @golang/security and @golang/release

@rolandshoemaker
Copy link
Member Author

@gopherbot please open backport issues for this security fix.

@gopherbot
Copy link
Contributor

Backport issue(s) opened: #69148 (for 1.22), #69149 (for 1.23).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

@gabyhelp
Copy link

Related Issues and Documentation

(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)

@dmitshur dmitshur added this to the Go1.24 milestone Aug 29, 2024
@dmitshur dmitshur added the NeedsFix The path to resolution is known, but the work has not been done. label Sep 3, 2024
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/611177 mentions this issue: [release-branch.go1.23] go/build/constraint: add parsing limits

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/611183 mentions this issue: [release-branch.go1.22] go/build/constraint: add parsing limits

gopherbot pushed a commit that referenced this issue Sep 5, 2024
Limit the size of build constraints that we will parse. This prevents a
number of stack exhaustions that can be hit when parsing overly complex
constraints. The imposed limits are unlikely to ever be hit in real
world usage.

Updates #69141
Fixes #69149
Fixes CVE-2024-34158

Change-Id: I38b614bf04caa36eefc6a4350d848588c4cef3c4
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1540
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Russ Cox <rsc@google.com>
(cherry picked from commit 0c74dc9e0da0cf1e12494b514d822b5bebbc9f04)
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1562
Commit-Queue: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/611177
Reviewed-by: Michael Pratt <mpratt@google.com>
TryBot-Bypass: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
gopherbot pushed a commit that referenced this issue Sep 5, 2024
Limit the size of build constraints that we will parse. This prevents a
number of stack exhaustions that can be hit when parsing overly complex
constraints. The imposed limits are unlikely to ever be hit in real
world usage.

Updates #69141
Fixes #69148
Fixes CVE-2024-34158

Change-Id: I38b614bf04caa36eefc6a4350d848588c4cef3c4
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1540
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Russ Cox <rsc@google.com>
(cherry picked from commit 0c74dc9e0da0cf1e12494b514d822b5bebbc9f04)
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1582
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/611183
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Michael Pratt <mpratt@google.com>
TryBot-Bypass: Dmitri Shuralyov <dmitshur@google.com>
@dmitshur dmitshur changed the title security: fix CVE-2024-34158 go/build/constraint: stack exhaustion in Parse (CVE-2024-34158) Sep 5, 2024
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/611240 mentions this issue: go/build/constraint: add parsing limits

@dmitshur dmitshur added the FixPending Issues that have a fix which has not yet been reviewed or submitted. label Sep 5, 2024
@lennonchan
Copy link

lennonchan commented Sep 8, 2024

In fact, using the use case in CL did not reproduce the stack overflow exception. In addition, in the TestSizeLimits function, the expression ends with "||"" or "&&". As a result, the expression is invalid.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
FixPending Issues that have a fix which has not yet been reviewed or submitted. NeedsFix The path to resolution is known, but the work has not been done. release-blocker Security
Projects
None yet
Development

No branches or pull requests

5 participants