Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

archive/tar: slice bounds out of range #10959

Closed
dvyukov opened this issue May 26, 2015 · 6 comments
Closed

archive/tar: slice bounds out of range #10959

dvyukov opened this issue May 26, 2015 · 6 comments

Comments

@dvyukov
Copy link
Member

dvyukov commented May 26, 2015

The following program crashes with a panic:

package main

import (
    "archive/tar"
    "bytes"
    "io"
    "io/ioutil"
)

func main() {
    data := []byte("\x13\x0300\x13\x03-821950296t\x13\x13\x83" +
        "s|\x83s\x1300qw\xe1f\xbb\x03000\x00\x00\x00\x10" +
        "011\x13s\xf410100t\x13\x13\x83s|\x83ss" +
        "\x000\x13s|\x83ss\xf4xS\x13s\xf410100t" +
        "\x13\x13\x83s|\x83ss\xf40\x13s|\x83ss\xf4qS0" +
        "\xd4t0\x1300q0\xf40\x00\x00\x00\x1001\x80\x00\x100" +
        "11\x13s\xf4101\xf40t\x1300q\xd4\xe1f\xbb\x03" +
        "\x00\x00\x00\xff\x80\x80\x80\x00\x80\x00\x00\x00\x00\x00\x9b\x921\x13\xff\xff" +
        "\xff\x80100txS00t0\x1300qw010" +
        "100t\x13\x13\x83s|\x83ss\xf4xS00t0\x13" +
        "00qw\xe1f\xbb\x03000\x00\x00\x00\x10011\x13s" +
        "\xf410100t\x13\x13\x83s|\x83ss\xf40\x13s|" +
        "\x83ss\xf4xS\x13s\xf410100t\x13\x13\x83s|" +
        "\x83ss00\x13s|\x83ss0xS00t0\x130" +
        "0q00\x00\x80\x00\x00\x1001s\xf410100t\x13" +
        "\x00\x00\x00 \xe1f\xbb\x0304\x00\x00\x00\x10011\x13\xff\xff" +
        "\xff\x80100txS00t0\x1300qw\xe1f\xbb" +
        "\x03000\x00\x00\x00\x10011\x13s\x83ss\xf4xS\x13" +
        "s\xf410100t\x13\x13\x83s|\x83ss\xf4311" +
        "033624846128380s|\x83ss" +
        "\xf4xS00t0\x1300q000\x00\x00\x00\x1001" +
        "\x00\x00\x10011\x13s\xf410100t\x1300q\xd4" +
        "\xe1f\xbb\x0304\x00\x00\x00\x10\x83s|\x83ss\xf40\x13s" +
        "|\x83ss\xf4xS00t0\x1300q000\x00\x00" +
        "\x00\x1001\x00\x00\x10011\x13s\xf410100t\x13" +
        "00x0\xe1f\xbb\x03\x00\x00\x100")
    t := tar.NewReader(bytes.NewReader(data))
    for {
        _, err := t.Next()
        if err != nil {
            return
        }
        io.Copy(ioutil.Discard, t)
    }
}
panic: runtime error: slice bounds out of range

goroutine 1 [running]:
archive/tar.(*regFileReader).Read(0xc20800e420, 0xc208074000, 0x2000, 0x2000, 0x0, 0x0, 0x0)
    src/archive/tar/reader.go:748 +0x170
archive/tar.(*Reader).Read(0xc208070000, 0xc208074000, 0x2000, 0x2000, 0x4feab0, 0x0, 0x0)
    src/archive/tar/reader.go:735 +0x9d
io/ioutil.devNull.ReadFrom(0x0, 0x7feaee410268, 0xc208070000, 0x0, 0x0, 0x0)
    src/io/ioutil/ioutil.go:151 +0xa1
io/ioutil.(*devNull).ReadFrom(0xc20800a4a0, 0x7feaee410268, 0xc208070000, 0xc208041e40, 0x0, 0x0)
    <autogenerated>:9 +0xb4
io.copyBuffer(0x7feaee4101c0, 0xc20800a4a0, 0x7feaee410268, 0xc208070000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
    src/io/io.go:375 +0x183
io.Copy(0x7feaee4101c0, 0xc20800a4a0, 0x7feaee410268, 0xc208070000, 0x200, 0x0, 0x0)
    src/io/io.go:351 +0x6b
main.main()
    tar.go:43 +0x1df

on commit 8017ace

@dvyukov dvyukov added this to the Go1.5 milestone May 26, 2015
@dsymonds
Copy link
Contributor

Neat bug, but I don't have time to pick it up.

@dsymonds
Copy link
Contributor

It's also probably been there forever, so I don't think it's critical for go1.5.

@dsymonds dsymonds modified the milestones: Go1.5Maybe, Go1.5 May 27, 2015
@dvyukov
Copy link
Member Author

dvyukov commented May 27, 2015

heartbleed was also there forever

@dsymonds
Copy link
Contributor

If you can make a case that this is a security hole (beyond just a DoS vector) then we can reprioritise.

@dvyukov
Copy link
Member Author

dvyukov commented May 27, 2015

DoS can also be an issue. Note that you can use this bug to (1) cause a panic, (2) cause swapping and affect the whole machine or (3) terminate the program instantly with a fatal error at your discretion.

I don't have anything more serious. This does not mean that a bad guy does not have the other part of the puzzle and he just waits for a way to force a server to panic (panic/defer/recover mechanism did have a bunch of bugs that compromise memory safety).

@gopherbot
Copy link

CL https://golang.org/cl/10402 mentions this issue.

@mikioh mikioh modified the milestones: Go1.5, Go1.5Maybe May 28, 2015
@golang golang locked and limited conversation to collaborators Jun 25, 2016
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

No branches or pull requests

4 participants