Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

go/parser: infinite loop in parsing (CVE-2023-24537) #59180

Closed
neild opened this issue Mar 22, 2023 · 9 comments
Closed

go/parser: infinite loop in parsing (CVE-2023-24537) #59180

neild opened this issue Mar 22, 2023 · 9 comments
Assignees
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done. release-blocker Security
Milestone

Comments

@neild
Copy link
Contributor

neild commented Mar 22, 2023

Calling any of the Parse functions on Go source code which contains //line directives with very large line numbers can cause an infinite loop due to integer overflow.

Thanks to Philippe Antoine (Catena cyber) for reporting this issue.

This is CVE-2023-24537 and Go issue https://go.dev/issue/59180.

/cc @golang/security and @golang/release

@neild neild added the Security label Mar 22, 2023
@neild neild self-assigned this Mar 22, 2023
@dmitshur dmitshur added this to the Go1.21 milestone Mar 22, 2023
@julieqiu
Copy link
Member

@gopherbot please open backport issues.

@gopherbot
Copy link
Contributor

Backport issue(s) opened: #59273 (for 1.19), #59274 (for 1.20).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

@julieqiu julieqiu added the NeedsFix The path to resolution is known, but the work has not been done. label Mar 27, 2023
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/481980 mentions this issue: [release-branch.go1.19] go/scanner: reject large line and column numbers in //line directives

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/481986 mentions this issue: [release-branch.go1.19] go/scanner: reject large line and column numbers in //line directives

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/481992 mentions this issue: [release-branch.go1.20] go/scanner: reject large line and column numbers in //line directives

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/482078 mentions this issue: go/scanner: reject large line and column numbers in //line directives

gopherbot pushed a commit that referenced this issue Apr 4, 2023
…ers in //line directives

Setting a large line or column number using a //line directive can cause
integer overflow even in small source files.

Limit line and column numbers in //line directives to 2^30-1, which
is small enough to avoid int32 overflow on all reasonbly-sized files.

Fixes CVE-2023-24537
Fixes #59273
For #59180

Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802456
Reviewed-by: Julie Qiu <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
Run-TryBot: Damien Neil <[email protected]>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802611
Reviewed-by: Damien Neil <[email protected]>
Change-Id: Ifdfa192d54f722d781a4d8c5f35b5fb72d122168
Reviewed-on: https://go-review.googlesource.com/c/go/+/481986
Reviewed-by: Matthew Dempsky <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Run-TryBot: Michael Knyszek <[email protected]>
Auto-Submit: Michael Knyszek <[email protected]>
gopherbot pushed a commit that referenced this issue Apr 4, 2023
…ers in //line directives

Setting a large line or column number using a //line directive can cause
integer overflow even in small source files.

Limit line and column numbers in //line directives to 2^30-1, which
is small enough to avoid int32 overflow on all reasonbly-sized files.

Fixes CVE-2023-24537
For #59180
Fixes #59274

Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802456
Reviewed-by: Julie Qiu <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
Run-TryBot: Damien Neil <[email protected]>
Change-Id: Ib9c5cb38428ed34ab129d451b00a2998e72c861c
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802401
TryBot-Result: Security TryBots <[email protected]>
Run-TryBot: Roland Shoemaker <[email protected]>
Reviewed-on: https://go-review.googlesource.com/c/go/+/481992
Reviewed-by: Matthew Dempsky <[email protected]>
Auto-Submit: Michael Knyszek <[email protected]>
Run-TryBot: Michael Knyszek <[email protected]>
TryBot-Bypass: Michael Knyszek <[email protected]>
gopherbot pushed a commit that referenced this issue Apr 4, 2023
Setting a large line or column number using a //line directive can cause
integer overflow even in small source files.

Limit line and column numbers in //line directives to 2^30-1, which
is small enough to avoid int32 overflow on all reasonbly-sized files.

For #59180
Fixes CVE-2023-24537

Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802456
Reviewed-by: Julie Qiu <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
Run-TryBot: Damien Neil <[email protected]>
Change-Id: I149bf34deca532af7994203fa1e6aca3c890ea14
Reviewed-on: https://go-review.googlesource.com/c/go/+/482078
Reviewed-by: Matthew Dempsky <[email protected]>
TryBot-Bypass: Michael Knyszek <[email protected]>
Run-TryBot: Michael Knyszek <[email protected]>
Auto-Submit: Michael Knyszek <[email protected]>
@mknyszek mknyszek changed the title security: fix CVE-2023-24537 go/parser: infinite loop in parsing (CVE-2023-24537) Apr 4, 2023
@mknyszek
Copy link
Contributor

mknyszek commented Apr 5, 2023

I believe this has been resolved and the CL just didn't have "Fixes" in the commit message.

@neild please feel free to reopen if that's not the case.

@mknyszek mknyszek closed this as completed Apr 5, 2023
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/482595 mentions this issue: go/scanner: align line and column limit with the compiler's limit

gopherbot pushed a commit that referenced this issue Apr 6, 2023
The compiler disallows line and column numbers > (1<<30)
(cmd/compiler/internal/syntax.PosMax).

Set the go/scanner limit to the same rather than off by one.

For #59180

Change-Id: Ibf9e0e6826d6f6230b0d492543b7e906298a0524
Reviewed-on: https://go-review.googlesource.com/c/go/+/482595
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Matthew Dempsky <[email protected]>
Run-TryBot: Damien Neil <[email protected]>
@FiloSottile
Copy link
Contributor

From reading the impact statement I would have though this somehow only affects direct calls of the go/parser API ("calling any of the Parse functions on Go source code"), but it looks like simply having a //line directive in a Go file will spin "go build" or gopls in an infinite loop. I think that implication should have been mentioned in the announcement.

@golang golang locked and limited conversation to collaborators Apr 6, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done. release-blocker Security
Projects
None yet
Development

No branches or pull requests

6 participants