security: fix CVE-2021-38297 #48797
@gopherbot please backport to 1.16 and 1.17. This is a security issue.
Backport issue(s) opened: #48799 (for 1.16), #48800 (for 1.17). Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://golang.org/wiki/MinorReleases.
Change https://golang.org/cl/354571 mentions this issue:
Change https://golang.org/cl/354592 mentions this issue:
Change https://golang.org/cl/354591 mentions this issue:

…args overwrite global data

On Wasm, wasm_exec.js puts command line arguments at the beginning of the linear memory (following the "zero page"). Currently there is no limit for this, and a very long command line can overwrite the program's data section. Prevent this by limiting the command line to 4096 bytes, and in the linker ensuring the data section starts at a high enough address (8192).

(Arguably our address assignment on Wasm is a bit confusing. This is the minimum fix I can come up with.)

Thanks to Ben Lubar for reporting this issue.

Change by Cherry Mui <[email protected]>.

For #48797
Fixes #48800
Fixes CVE-2021-38297

Change-Id: I0f50fbb2a5b6d0d047e3c134a88988d9133e4ab3
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1205933
Reviewed-by: Roland Shoemaker <[email protected]>
Reviewed-by: Than McIntosh <[email protected]>
Reviewed-on: https://go-review.googlesource.com/c/go/+/354592
Trust: Michael Knyszek <[email protected]>
Reviewed-by: Heschi Kreinick <[email protected]>

…args overwrite global data

On Wasm, wasm_exec.js puts command line arguments at the beginning of the linear memory (following the "zero page"). Currently there is no limit for this, and a very long command line can overwrite the program's data section. Prevent this by limiting the command line to 4096 bytes, and in the linker ensuring the data section starts at a high enough address (8192).

(Arguably our address assignment on Wasm is a bit confusing. This is the minimum fix I can come up with.)

Thanks to Ben Lubar for reporting this issue.

Change by Cherry Mui <[email protected]>.

For #48797
Fixes #48799
Fixes CVE-2021-38297

Change-Id: I0f50fbb2a5b6d0d047e3c134a88988d9133e4ab3
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1205933
Reviewed-by: Roland Shoemaker <[email protected]>
Reviewed-by: Than McIntosh <[email protected]>
Reviewed-on: https://go-review.googlesource.com/c/go/+/354591
Trust: Michael Knyszek <[email protected]>
Reviewed-by: Heschi Kreinick <[email protected]>

A MUST TO REVIEW LATER

Patch taken from golang/go@4548fcc from the following issue golang/go#48797

Original repo https://go.googlesource.com/go/+/77f2750f4398990eed972186706f160631d7dae4

Signed-off-by: Davide Gardenal <[email protected]>
Signed-off-by: Steve Sakoman <[email protected]>

Patch taken from golang/go@4548fcc from the following issue golang/go#48797

Original repo https://go.googlesource.com/go/+/77f2750f4398990eed972186706f160631d7dae4

(From OE-Core rev: e9e3c3969544d18f0da90a10156c40da84d5b549)

Signed-off-by: Davide Gardenal <[email protected]>
Signed-off-by: Steve Sakoman <[email protected]>
Signed-off-by: Richard Purdie <[email protected]>

Source: poky
MR: 118243
Type: Integration
Disposition: Merged from poky
ChangeID: 048094bcf91ba71f875fff7a8c725f998d2e3f28
Description:

Patch taken from golang/go@4548fcc from the following issue golang/go#48797

Original repo https://go.googlesource.com/go/+/77f2750f4398990eed972186706f160631d7dae4

(From OE-Core rev: e9e3c3969544d18f0da90a10156c40da84d5b549)

Signed-off-by: Davide Gardenal <[email protected]>
Signed-off-by: Steve Sakoman <[email protected]>
Signed-off-by: Richard Purdie <[email protected]>
Signed-off-by: Jeremy A. Puhlman <[email protected]>

When invoking functions from WASM modules, built using GOARCH=wasm GOOS=js, passing very large arguments can cause portions of the module to be overwritten with data from the arguments.
If using wasm_exec.js to execute WASM modules, users will need to replace their copy (as described in https://golang.org/wiki/WebAssembly#getting-started) after rebuilding any modules.
This is issue #48797 and CVE-2021-38297. Thanks to Ben Lubar for reporting this issue.
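
The overwrite described in the issue text and the bound described in the commit message, as an added example (this is not the code from wasm_exec.js or the Go linker): a small model that lays out arguments after the zero page and rejects any layout that would reach the data section. The argument base address of 4096, the sample inputs, and the names `planArgs` and `writeArgs` are assumptions of this example.

```javascript
// Constructed model of the layout: zero page, argument area, program data.
const ARGS_BASE = 4096;  // assumption: arguments start right after the zero page
const ARGS_LIMIT = 4096; // limit named in the commit message
const DATA_BASE = ARGS_BASE + ARGS_LIMIT; // 8192, lowest data address after the fix

const encoder = new TextEncoder();

// Plan where each NUL-terminated, 8-byte-aligned string and the pointer
// table would land, without writing anything yet.
function planArgs(argv, env) {
  const envStrings = Object.keys(env).sort().map((k) => `${k}=${env[k]}`);
  let offset = ARGS_BASE;
  const place = (s) => {
    const bytes = encoder.encode(s + "\0");
    const ptr = offset;
    offset = Math.ceil((offset + bytes.length) / 8) * 8;
    return { ptr, bytes };
  };
  const args = argv.map(place);
  const envs = envStrings.map(place);
  // argv pointers, NULL, env pointers, NULL: one 8-byte slot each.
  const table = [...args.map((c) => c.ptr), 0, ...envs.map((c) => c.ptr), 0];
  return { chunks: [...args, ...envs], table, tableStart: offset, end: offset + 8 * table.length };
}

// Copy arguments into memory. With enforceLimit the whole plan is validated
// before the first byte is written, so a rejected call leaves memory untouched.
// enforceLimit: false models the pre-fix behaviour (no bound at all).
function writeArgs(buffer, argv, env, { enforceLimit = true } = {}) {
  const plan = planArgs(argv, env);
  if (enforceLimit && plan.end > DATA_BASE) {
    throw new RangeError(`arguments end at ${plan.end}, data starts at ${DATA_BASE}`);
  }
  const u8 = new Uint8Array(buffer);
  const view = new DataView(buffer);
  for (const { ptr, bytes } of plan.chunks) u8.set(bytes, ptr);
  plan.table.forEach((ptr, i) => {
    view.setUint32(plan.tableStart + 8 * i, ptr, true);
    view.setUint32(plan.tableStart + 8 * i + 4, 0, true);
  });
  return { argc: argv.length, argvPtr: plan.tableStart, end: plan.end };
}
```

The size check only protects the data section if the linker side holds as well: data must never be placed below `DATA_BASE`, which is why the commit changes both wasm_exec.js and the linker.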