encoding/gob: stack exhaustion in Decoder.Decode #53615

tatianab · 2022-06-29T20:32:50Z

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion.

This is CVE-2022-30635.

(This was a PRIVATE issue tracked in http://b/231318421 and fixed by http://tg/1484771.)

/cc https://github.com/orgs/golang/teams/security and https://github.com/orgs/golang/teams/release

tatianab · 2022-07-06T19:22:44Z

@gopherbot please open backport issues for this security fix

gopherbot · 2022-07-06T19:22:56Z

Backport issue(s) opened: #53709 (for 1.17), #53710 (for 1.18).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

gopherbot · 2022-07-12T14:03:47Z

Change https://go.dev/cl/417060 mentions this issue: [release-branch.go1.18] encoding/gob: add a depth limit for ignored fields

gopherbot · 2022-07-12T14:05:37Z

Change https://go.dev/cl/417064 mentions this issue: encoding/gob: add a depth limit for ignored fields

gopherbot · 2022-07-12T14:10:04Z

Change https://go.dev/cl/417074 mentions this issue: [release-branch.go1.17] encoding/gob: add a depth limit for ignored fields

…ields Enforce a nesting limit of 10,000 for ignored fields during decoding of messages. This prevents the possibility of triggering stack exhaustion. Fixes #53710 Updates #53615 Fixes CVE-2022-30635 Change-Id: I05103d06dd5ca3945fcba3c1f5d3b5a645e8fb0f Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1484771 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> (cherry picked from commit 55e8f938d22bfec29cc9dc9671044c5a41d1ea9c) Reviewed-on: https://go-review.googlesource.com/c/go/+/417060 Reviewed-by: Tatiana Bradley <tatiana@golang.org> Run-TryBot: Michael Knyszek <mknyszek@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Heschi Kreinick <heschi@google.com>

…ields Enforce a nesting limit of 10,000 for ignored fields during decoding of messages. This prevents the possibility of triggering stack exhaustion. Fixes #53709 Updates #53615 Fixes CVE-2022-30635 Change-Id: I05103d06dd5ca3945fcba3c1f5d3b5a645e8fb0f Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1484771 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> (cherry picked from commit 55e8f938d22bfec29cc9dc9671044c5a41d1ea9c) Reviewed-on: https://go-review.googlesource.com/c/go/+/417074 Run-TryBot: Heschi Kreinick <heschi@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Heschi Kreinick <heschi@google.com>

…ields Enforce a nesting limit of 10,000 for ignored fields during decoding of messages. This prevents the possibility of triggering stack exhaustion. Fixes golang#53710 Updates golang#53615 Fixes CVE-2022-30635 Change-Id: I05103d06dd5ca3945fcba3c1f5d3b5a645e8fb0f Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1484771 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> (cherry picked from commit 55e8f938d22bfec29cc9dc9671044c5a41d1ea9c) Reviewed-on: https://go-review.googlesource.com/c/go/+/417060 Reviewed-by: Tatiana Bradley <tatiana@golang.org> Run-TryBot: Michael Knyszek <mknyszek@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Heschi Kreinick <heschi@google.com>

gopherbot · 2022-07-15T02:49:18Z

Change https://go.dev/cl/417559 mentions this issue: encoding/gob: s/TestIngoreDepthLimit/TestIgnoreDepthLimit/

For #53615 Change-Id: Ib85004d400931094fc1ea933cf73f4a5157aece1 Reviewed-on: https://go-review.googlesource.com/c/go/+/417559 TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Ian Lance Taylor <iant@golang.org> Auto-Submit: Ian Lance Taylor <iant@google.com> Reviewed-by: Ian Lance Taylor <iant@google.com> Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> Run-TryBot: Ian Lance Taylor <iant@google.com> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>

Enforce a nesting limit of 10,000 for ignored fields during decoding of messages. This prevents the possibility of triggering stack exhaustion. Fixes golang#53615 Fixes CVE-2022-30635 Change-Id: I05103d06dd5ca3945fcba3c1f5d3b5a645e8fb0f Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1484771 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/417064 Reviewed-by: Heschi Kreinick <heschi@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Tatiana Bradley <tatiana@golang.org> Run-TryBot: Michael Knyszek <mknyszek@google.com>

For golang#53615 Change-Id: Ib85004d400931094fc1ea933cf73f4a5157aece1 Reviewed-on: https://go-review.googlesource.com/c/go/+/417559 TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Ian Lance Taylor <iant@golang.org> Auto-Submit: Ian Lance Taylor <iant@google.com> Reviewed-by: Ian Lance Taylor <iant@google.com> Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> Run-TryBot: Ian Lance Taylor <iant@google.com> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>

…ields Enforce a nesting limit of 10,000 for ignored fields during decoding of messages. This prevents the possibility of triggering stack exhaustion. Fixes golang#53709 Updates golang#53615 Fixes CVE-2022-30635 Change-Id: I05103d06dd5ca3945fcba3c1f5d3b5a645e8fb0f Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1484771 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> (cherry picked from commit 55e8f938d22bfec29cc9dc9671044c5a41d1ea9c) Reviewed-on: https://go-review.googlesource.com/c/go/+/417074 Run-TryBot: Heschi Kreinick <heschi@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Heschi Kreinick <heschi@google.com>

# AWS EKS Backported To: go-1.15.15-eks Backported On: Thu, 22 Sept 2022 Backported By: budris@amazon.com Backported From: release-branch.go1.17 EKS Patch Source Commit: danbudris@abc0063 Upstream Source Commit: golang@cd54600 # Original Information Enforce a nesting limit of 10,000 for ignored fields during decoding of messages. This prevents the possibility of triggering stack exhaustion. Fixes golang#53709 Updates golang#53615 Fixes CVE-2022-30635 Change-Id: I05103d06dd5ca3945fcba3c1f5d3b5a645e8fb0f Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1484771 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> (cherry picked from commit 55e8f938d22bfec29cc9dc9671044c5a41d1ea9c) Reviewed-on: https://go-review.googlesource.com/c/go/+/417074 Run-TryBot: Heschi Kreinick <heschi@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Heschi Kreinick <heschi@google.com>

# AWS EKS Backported To: go-1.16.15-eks Backported On: Tue, 04 Oct 2022 Backported By: budris@amazon.com Backported From: release-branch.go1.17 EKS Patch Source Commit: danbudris@8b42417 Upstream Source Commit: golang@cd54600 # Original Information Enforce a nesting limit of 10,000 for ignored fields during decoding of messages. This prevents the possibility of triggering stack exhaustion. Fixes golang#53709 Updates golang#53615 Fixes CVE-2022-30635 Change-Id: I05103d06dd5ca3945fcba3c1f5d3b5a645e8fb0f Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1484771 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> (cherry picked from commit 55e8f938d22bfec29cc9dc9671044c5a41d1ea9c) Reviewed-on: https://go-review.googlesource.com/c/go/+/417074 Run-TryBot: Heschi Kreinick <heschi@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Heschi Kreinick <heschi@google.com>

tatianab added Security NeedsFix The path to resolution is known, but the work has not been done. release-blocker labels Jun 29, 2022

tatianab added this to the Go1.19 milestone Jun 29, 2022

This was referenced Jul 6, 2022

encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635) [1.17 backport] #53709

Closed

encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635) [1.18 backport] #53710

Closed

gopherbot closed this as completed in 6fa37e9 Jul 12, 2022

mknyszek changed the title ~~security: fix CVE-2022-30635~~ encoding/gob: stack exhaustion in Decoder.Decode Jul 12, 2022

tatianab mentioned this issue Jul 14, 2022

x/vulndb: potential Go vuln in std: CVE-2022-30635 golang/vulndb#526

Closed

golang locked and limited conversation to collaborators Jul 15, 2023

gopherbot added the FrozenDueToAge label Jul 15, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

encoding/gob: stack exhaustion in Decoder.Decode #53615

encoding/gob: stack exhaustion in Decoder.Decode #53615

tatianab commented Jun 29, 2022 •

edited by mknyszek

tatianab commented Jul 6, 2022

gopherbot commented Jul 6, 2022

gopherbot commented Jul 12, 2022

gopherbot commented Jul 12, 2022

gopherbot commented Jul 12, 2022

gopherbot commented Jul 15, 2022

encoding/gob: stack exhaustion in Decoder.Decode #53615

encoding/gob: stack exhaustion in Decoder.Decode #53615

Comments

tatianab commented Jun 29, 2022 • edited by mknyszek

tatianab commented Jul 6, 2022

gopherbot commented Jul 6, 2022

gopherbot commented Jul 12, 2022

gopherbot commented Jul 12, 2022

gopherbot commented Jul 12, 2022

gopherbot commented Jul 15, 2022

tatianab commented Jun 29, 2022 •

edited by mknyszek