New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
time: out of memory on LoadLocation of /dev/urandom or other unbounded file #18985
Comments
The actual issue is that time.LoadLocation(name string) will try to load the file "/usr/share/zoneinfo/" + name in memory, without performing any check on name. So if name is "../../../../dev/urandom", the program can crash. |
Update: "Technically, it’s not if ZONEINFO points to /dev/urandom, it’s if that environment variable isn’t set (which is the default scenario), and the someone calls time.LoadLocation(“../../../../dev/urandom”) (which could happen if a user can provide it’s own timezone)." |
CL https://golang.org/cl/36551 mentions this issue. |
So it can be exploited to try to read/detect any files? |
Yeah, it should probably also reject bogus zone names lexically before syscall.Open. |
I don't think the patch is sufficient, if something like ../../../../dev/tty is passed, the function will hang. Overall, this is only an issue if an application let a user picks a timezone, without verifying it. But the description doesn't mention that the function will actually perform read operation in the filesystem, nor that the value should be checked for error. |
Report from Ulysse Manceron:
If ZONEINFO points to /dev/urandom, LoadLocation's parsing of zoneinfo can loop forever and run out of memory.
The text was updated successfully, but these errors were encountered: