time: out of memory on LoadLocation of /dev/urandom or other unbounded file #18985

Closed
bradfitz opened this issue Feb 7, 2017 · 6 comments

bradfitz commented Feb 7, 2017

Report from Ulysse Manceron:

If ZONEINFO points to /dev/urandom, LoadLocation's parsing of zoneinfo can loop forever and run out of memory.

@bradfitz bradfitz added the NeedsFix label Feb 7, 2017
@bradfitz bradfitz added this to the Go1.9 milestone Feb 7, 2017
@bradfitz bradfitz changed the title from "time: out of memory if ZONEINFO points to /dev/urandom or other unbounded file" to "time: out of memory on LoadLocation of /dev/urandom or other unbounded file" Feb 7, 2017

UlysseM commented Feb 7, 2017

The actual issue is that time.LoadLocation(name string) will try to load the file "/usr/share/zoneinfo/" + name in memory, without performing any check on name.

So if name is "../../../../dev/urandom", the program can crash.


bradfitz commented Feb 7, 2017

Update: "Technically, it’s not if ZONEINFO points to /dev/urandom, it’s if that environment variable isn’t set (which is the default scenario), and then someone calls time.LoadLocation("../../../../dev/urandom") (which could happen if a user can provide its own timezone)."

@gopherbot

CL https://golang.org/cl/36551 mentions this issue.

@LionNatsu

So it can be exploited to try to read/detect any files?


bradfitz commented Feb 7, 2017

Yeah, it should probably also reject bogus zone names lexically before syscall.Open.


UlysseM commented Feb 7, 2017

I don't think the patch is sufficient; if something like ../../../../dev/tty is passed, the function will hang.

Overall, this is only an issue if an application lets a user pick a timezone without verifying it. But the description doesn't mention that the function will actually perform a read operation on the filesystem, nor that the value should be checked for error.

@golang golang locked and limited conversation to collaborators Feb 8, 2018
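
One way an application could apply the lexical check discussed in this thread before it hands a user-supplied name to time.LoadLocation, shown as an added example (it is not code from the Go project or from CL 36551). The names validZoneName and loadUserLocation, the character allow-list and the 64-byte limit are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

const maxZoneNameLen = 64 // assumed bound; real IANA zone names are much shorter
var errBadZone = errors.New("invalid time zone name")

// validZoneName lexically checks an untrusted name without touching the filesystem.
// Assumed allow-list: ASCII letters, digits, '_', '-', '+', with '/' between components.
func validZoneName(name string) bool {
	if name == "" || len(name) > maxZoneNameLen {
		return false
	}
	for _, part := range strings.Split(name, "/") {
		if part == "" { // leading, trailing or doubled slash
			return false
		}
		for _, c := range part {
			switch {
			case c >= 'a' && c <= 'z', c >= 'A' && c <= 'Z', c >= '0' && c <= '9':
			case c == '_', c == '-', c == '+':
			default: // '.', '\\', NUL, whitespace, non-ASCII
				return false
			}
		}
	}
	return true
}

// loadUserLocation is a hypothetical wrapper: validate first, then load.
func loadUserLocation(name string) (*time.Location, error) {
	if !validZoneName(name) {
		return nil, fmt.Errorf("%w: %q", errBadZone, name)
	}
	return time.LoadLocation(name)
}

func main() {
	// Constructed inputs, including the two paths quoted in the thread.
	for _, n := range []string{"UTC", "../../../../dev/urandom", "../../../../dev/tty", "/etc/passwd"} {
		_, err := loadUserLocation(n)
		fmt.Printf("%q -> %v\n", n, err)
	}
}
```

Because the allow-list excludes '.', every ".." component is rejected before any file is opened, which covers both the unbounded read and the hang on a terminal device described above.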