Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

security: fix CVE-2021-38297 [1.16 backport] #48799

Closed
gopherbot opened this issue Oct 5, 2021 · 2 comments
Closed

security: fix CVE-2021-38297 [1.16 backport] #48799

gopherbot opened this issue Oct 5, 2021 · 2 comments
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge release-blocker Security
Milestone

Comments

@gopherbot
Copy link
Contributor

@rolandshoemaker requested issue #48797 to be considered for backport to the next 1.16 minor release.

@gopherbot please backport to 1.16 and 1.17.

This is a security issue.

@gopherbot gopherbot added the CherryPickCandidate Used during the release process for point releases label Oct 5, 2021
@gopherbot gopherbot added this to the Go1.16.9 milestone Oct 5, 2021
@heschi heschi added CherryPickApproved Used during the release process for point releases and removed CherryPickCandidate Used during the release process for point releases labels Oct 6, 2021
@gopherbot
Copy link
Contributor Author

Change https://golang.org/cl/354591 mentions this issue: misc/wasm, cmd/link: do not let command line args overwrite global data

@gopherbot
Copy link
Contributor Author

Closed by merging 4548fcc to release-branch.go1.16.

gopherbot pushed a commit that referenced this issue Oct 7, 2021
…args overwrite global data

On Wasm, wasm_exec.js puts command line arguments at the beginning
of the linear memory (following the "zero page"). Currently there
is no limit for this, and a very long command line can overwrite
the program's data section. Prevent this by limiting the command
line to 4096 bytes, and in the linker ensuring the data section
starts at a high enough address (8192).

(Arguably our address assignment on Wasm is a bit confusing. This
is the minimum fix I can come up with.)

Thanks to Ben Lubar for reporting this issue.

Change by Cherry Mui <[email protected]>.

For #48797
Fixes #48799
Fixes CVE-2021-38297

Change-Id: I0f50fbb2a5b6d0d047e3c134a88988d9133e4ab3
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1205933
Reviewed-by: Roland Shoemaker <[email protected]>
Reviewed-by: Than McIntosh <[email protected]>
Reviewed-on: https://go-review.googlesource.com/c/go/+/354591
Trust: Michael Knyszek <[email protected]>
Reviewed-by: Heschi Kreinick <[email protected]>
@golang golang locked and limited conversation to collaborators Oct 7, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge release-blocker Security
Projects
None yet
Development

No branches or pull requests

3 participants