
math/big: Rat.SetString may consume large amount of RAM and crash #50699

Closed
katiehockman opened this issue Jan 19, 2022 · 7 comments
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done. release-blocker Security
Milestone

Comments

@katiehockman
Contributor

katiehockman commented Jan 19, 2022

Unmarshaling a string into a *Rat may cause resource exhaustion, consuming a huge amount of RAM, which may cause a system to crash or timeout. This is reachable from (*Rat).SetString, (*Rat).UnmarshalText, (*Rat).Scan, and any other function that unmarshals a string into a (*Rat) such as constant.MakeFromLiteral.

Thanks to the OSS-Fuzz project for discovering this issue and to Emmanuel Odeke for reporting it.

This is CVE-2022-23772.

@katiehockman katiehockman added Security NeedsFix The path to resolution is known, but the work has not been done. release-blocker labels Jan 19, 2022
@katiehockman katiehockman added this to the Go1.18 milestone Jan 19, 2022
@katiehockman katiehockman self-assigned this Jan 19, 2022
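The issue above says only that parsing an untrusted string into a `*big.Rat` can exhaust memory, without spelling out the exact input shape. For a service that cannot take the fixed release immediately, the usual defensive move is to bound untrusted input before it reaches `(*Rat).SetString`. The following Go example is added here and is not code from the Go issue, the CL, or the Go project; the length and exponent limits and the helper names (`ParseUntrustedRat`, `exponentDigits`) are constructed for illustration, and the exponent pre-check is a cheap syntactic bound, not a replacement for upgrading.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// maxRatInputLen bounds how many bytes of untrusted text we are willing to
// hand to (*big.Rat).SetString. Constructed policy value, not from the issue.
const maxRatInputLen = 1024

// maxExponentDigits bounds the number of digits in an exponent part such as
// "1e123456789". A large exponent asks SetString to materialise a
// correspondingly large numerator or denominator, which is the
// resource-exhaustion shape the issue describes. Constructed policy value.
const maxExponentDigits = 4

var (
	ErrInputTooLong   = errors.New("rat input exceeds length limit")
	ErrExponentTooBig = errors.New("rat input exponent exceeds digit limit")
	ErrSyntax         = errors.New("rat input is not a valid rational")
)

// exponentDigits returns the number of characters following the last
// 'e', 'E', 'p' or 'P' in s, after dropping an optional sign. It is a
// conservative syntactic pre-check: SetString still does the real parsing,
// and a hex digit 'e' in a "0x" mantissa only makes the count larger.
func exponentDigits(s string) int {
	idx := strings.LastIndexAny(s, "eEpP")
	if idx < 0 {
		return 0
	}
	exp := strings.TrimLeft(s[idx+1:], "+-")
	return len(exp)
}

// ParseUntrustedRat applies the length and exponent bounds and only then
// calls SetString. Code that unmarshals JSON or text into *big.Rat from
// untrusted sources would route through this instead of calling SetString
// or UnmarshalText directly.
func ParseUntrustedRat(s string) (*big.Rat, error) {
	if len(s) > maxRatInputLen {
		return nil, ErrInputTooLong
	}
	if exponentDigits(s) > maxExponentDigits {
		return nil, ErrExponentTooBig
	}
	r, ok := new(big.Rat).SetString(s)
	if !ok {
		return nil, ErrSyntax
	}
	return r, nil
}

func main() {
	// Constructed sample inputs: two benign values, one oversized exponent,
	// and one string that is simply too long to be worth parsing.
	inputs := []string{"3/4", "1.5e3", "1e99999", strings.Repeat("9", 2000)}
	for _, in := range inputs {
		r, err := ParseUntrustedRat(in)
		if err != nil {
			fmt.Printf("%.20s rejected: %v\n", in, err)
			continue
		}
		fmt.Printf("%s -> %s\n", in, r.RatString())
	}
}
```

The two limits are deliberately coarse. The point is that the allocation size SetString will attempt is a function of the input's length and exponent, so any fixed cap on those two quantities gives an upper bound on memory per call, which is what an unmarshalling path exposed to the network needs.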
@katiehockman
Contributor Author

@gopherbot please backport to 1.17 and 1.16 as this is a security issue.

@gopherbot

Backport issue(s) opened: #50700 (for 1.16), #50701 (for 1.17).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://golang.org/wiki/MinorReleases.

@gopherbot

Change https://golang.org/cl/379537 mentions this issue: math/big: prevent overflow in (*Rat).SetString

@dmitshur
Contributor

dmitshur commented Jan 26, 2022

Ping as a release blocker. Is the CL fixing this issue ready to be submitted?

@odeke-em
Member

@dmitshur thank you for the ping! I've given the CL a +2, I shall wait for @katiehockman and the security team too.

@gopherbot

Change https://golang.org/cl/381336 mentions this issue: [release-branch.go1.17] math/big: prevent overflow in (*Rat).SetString

@gopherbot

Change https://golang.org/cl/381337 mentions this issue: [release-branch.go1.16] math/big: prevent overflow in (*Rat).SetString

gopherbot pushed a commit that referenced this issue Jan 28, 2022
Credit to rsc@ for the original patch.

Thanks to the OSS-Fuzz project for discovering this
issue and to Emmanuel Odeke (@odeke_et) for reporting it.

Updates #50699
Fixes #50701
Fixes CVE-2022-23772

Change-Id: I590395a3d55689625390cf1e58f5f40623b26ee5
Reviewed-on: https://go-review.googlesource.com/c/go/+/379537
Trust: Katie Hockman <katie@golang.org>
Run-TryBot: Katie Hockman <katie@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Emmanuel Odeke <emmanuel@orijtech.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Julie Qiu <julie@golang.org>
(cherry picked from commit ad345c2)
Reviewed-on: https://go-review.googlesource.com/c/go/+/381336
Reviewed-by: Filippo Valsorda <filippo@golang.org>
gopherbot pushed a commit that referenced this issue Jan 28, 2022
Credit to rsc@ for the original patch.

Thanks to the OSS-Fuzz project for discovering this
issue and to Emmanuel Odeke (@odeke_et) for reporting it.

Updates #50699
Fixes #50700
Fixes CVE-2022-23772

Change-Id: I590395a3d55689625390cf1e58f5f40623b26ee5
Reviewed-on: https://go-review.googlesource.com/c/go/+/379537
Trust: Katie Hockman <katie@golang.org>
Run-TryBot: Katie Hockman <katie@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Emmanuel Odeke <emmanuel@orijtech.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Julie Qiu <julie@golang.org>
(cherry picked from commit ad345c2)
Reviewed-on: https://go-review.googlesource.com/c/go/+/381337
danbudris pushed a commit to danbudris/go that referenced this issue Sep 14, 2022
Credit to rsc@ for the original patch.

Thanks to the OSS-Fuzz project for discovering this
issue and to Emmanuel Odeke (@odeke_et) for reporting it.

Updates golang#50699
Fixes golang#50700
Fixes CVE-2022-23772

Change-Id: I590395a3d55689625390cf1e58f5f40623b26ee5
Reviewed-on: https://go-review.googlesource.com/c/go/+/379537
Trust: Katie Hockman <katie@golang.org>
Run-TryBot: Katie Hockman <katie@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Emmanuel Odeke <emmanuel@orijtech.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Julie Qiu <julie@golang.org>
(cherry picked from commit ad345c2)
Reviewed-on: https://go-review.googlesource.com/c/go/+/381337
rcrozean pushed a commit to rcrozean/go that referenced this issue Oct 5, 2022
# AWS EKS
Backported To: go-1.15.15-eks
Backported On: Thu, 22 Sept 2022
Backported By: budris@amazon.com
Backported From: release-branch.go1.16
Upstream Source Commit: golang@07ee9e6
EKS Patch Source Commit: danbudris@f56e2b4

# Original Information

Credit to rsc@ for the original patch.

Thanks to the OSS-Fuzz project for discovering this
issue and to Emmanuel Odeke (@odeke_et) for reporting it.

Updates golang#50699
Fixes golang#50700
Fixes CVE-2022-23772

Change-Id: I590395a3d55689625390cf1e58f5f40623b26ee5
Reviewed-on: https://go-review.googlesource.com/c/go/+/379537
Trust: Katie Hockman <katie@golang.org>
Run-TryBot: Katie Hockman <katie@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Emmanuel Odeke <emmanuel@orijtech.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Julie Qiu <julie@golang.org>
(cherry picked from commit ad345c2)
Reviewed-on: https://go-review.googlesource.com/c/go/+/381337
rcrozean pushed a commit to rcrozean/go that referenced this issue Oct 12, 2022
@golang golang locked and limited conversation to collaborators Jun 22, 2023