encoding/xml: stack exhaustion in Unmarshal #53611

Closed
tatianab opened this issue Jun 29, 2022 · 5 comments
Labels: FrozenDueToAge, NeedsFix, release-blocker, Security

tatianab commented Jun 29, 2022

Calling Unmarshal on an XML document into a Go struct which has a nested field that uses the any field tag can cause a panic due to stack exhaustion.

This is CVE-2022-30633.

(This was a PRIVATE issue tracked in http://b/227341754 and fixed by http://tg/1421319.)

/cc @golang/security and @golang/release

@tatianab tatianab modified the milestones: Go1.17.12, Go1.19 Jun 29, 2022
@tatianab tatianab added the NeedsFix The path to resolution is known, but the work has not been done. label Jun 29, 2022
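
An added example, not code from the Go project or from this issue: a caller-side guard in the spirit of the fix title ("limit depth of nesting in unmarshal") that counts element depth iteratively and rejects over-deep input before `xml.Unmarshal` runs. `Node`, `ErrTooDeep`, `UnmarshalBounded`, `nested` and the limit of 64 are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"errors"
	"fmt"
	"io"
)

// Node is a constructed type of the shape the issue describes: a nested field
// tagged ",any", so each XML nesting level is one more recursion in Unmarshal.
type Node struct {
	XMLName  xml.Name
	Children []Node `xml:",any"`
}

var ErrTooDeep = errors.New("xml: nesting exceeds configured limit") // hypothetical sentinel

// UnmarshalBounded counts element depth over the token stream with a plain
// loop and refuses input deeper than limit before xml.Unmarshal sees it.
func UnmarshalBounded(data []byte, v interface{}, limit int) error {
	dec := xml.NewDecoder(bytes.NewReader(data))
	for depth := 0; ; {
		tok, err := dec.Token()
		if err == io.EOF {
			break
		} else if err != nil {
			return err // malformed input is rejected here as well
		}
		switch tok.(type) {
		case xml.StartElement:
			if depth++; depth > limit {
				return ErrTooDeep
			}
		case xml.EndElement:
			depth--
		}
	}
	return xml.Unmarshal(data, v)
}

// nested builds constructed sample input: n levels of <a>...</a>.
func nested(n int) []byte {
	return append(bytes.Repeat([]byte("<a>"), n), bytes.Repeat([]byte("</a>"), n)...)
}

func main() {
	fmt.Println(UnmarshalBounded(nested(3), new(Node), 64))
	fmt.Println(UnmarshalBounded(nested(100000), new(Node), 64))
}
```

The guard parses the document twice, so it fits inputs that are already size-bounded; upgrading to a release that carries the fix remains the primary remediation.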

tatianab commented Jul 6, 2022

@gopherbot please open backport issues for this security fix

@gopherbot

Backport issue(s) opened: #53715 (for 1.17), #53716 (for 1.18).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

@gopherbot

Change https://go.dev/cl/417055 mentions this issue: [release-branch.go1.18] encoding/xml: limit depth of nesting in unmarshal

@gopherbot

Change https://go.dev/cl/417061 mentions this issue: encoding/xml: limit depth of nesting in unmarshal

@gopherbot

Change https://go.dev/cl/417069 mentions this issue: [release-branch.go1.17] encoding/xml: limit depth of nesting in unmarshal

gopherbot pushed a commit that referenced this issue Jul 12, 2022
…shal

Prevent exhausting the stack limit when unmarshalling extremely deeply
nested structures into nested types.

Fixes #53716
Updates #53611
Fixes CVE-2022-30633

Change-Id: Ic6c5d41674c93cfc9a316135a408db9156d39c59
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1421319
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
(cherry picked from commit ebee00a55e28931b2cad0e76207a73712b000432)
Reviewed-on: https://go-review.googlesource.com/c/go/+/417055
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Heschi Kreinick <heschi@google.com>
Run-TryBot: Michael Knyszek <mknyszek@google.com>
gopherbot pushed a commit that referenced this issue Jul 12, 2022
…shal

Prevent exhausting the stack limit when unmarshalling extremely deeply
nested structures into nested types.

Fixes #53715
Updates #53611
Fixes CVE-2022-30633

Change-Id: Ic6c5d41674c93cfc9a316135a408db9156d39c59
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1421319
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
(cherry picked from commit ebee00a55e28931b2cad0e76207a73712b000432)
Reviewed-on: https://go-review.googlesource.com/c/go/+/417069
Reviewed-by: Heschi Kreinick <heschi@google.com>
Run-TryBot: Michael Knyszek <mknyszek@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
@mknyszek mknyszek changed the title security: fix CVE-2022-30633 encoding/xml: stack exhaustion in Unmarshal and Decoder.Skip Jul 12, 2022
@mknyszek mknyszek changed the title encoding/xml: stack exhaustion in Unmarshal and Decoder.Skip encoding/xml: stack exhaustion in Unmarshal Jul 12, 2022
bradfitz pushed a commit to tailscale/go that referenced this issue Jul 14, 2022
…shal

Prevent exhausting the stack limit when unmarshalling extremely deeply
nested structures into nested types.

Fixes golang#53716
Updates golang#53611
Fixes CVE-2022-30633

Change-Id: Ic6c5d41674c93cfc9a316135a408db9156d39c59
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1421319
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
(cherry picked from commit ebee00a55e28931b2cad0e76207a73712b000432)
Reviewed-on: https://go-review.googlesource.com/c/go/+/417055
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Heschi Kreinick <heschi@google.com>
Run-TryBot: Michael Knyszek <mknyszek@google.com>
jproberts pushed a commit to jproberts/go that referenced this issue Aug 10, 2022
Prevent exhausting the stack limit when unmarshalling extremely deeply
nested structures into nested types.

Fixes golang#53611
Fixes CVE-2022-30633

Change-Id: Ic6c5d41674c93cfc9a316135a408db9156d39c59
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1421319
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/417061
Run-TryBot: Michael Knyszek <mknyszek@google.com>
Reviewed-by: Heschi Kreinick <heschi@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
danbudris pushed a commit to danbudris/go that referenced this issue Sep 9, 2022
…shal

Prevent exhausting the stack limit when unmarshalling extremely deeply
nested structures into nested types.

Fixes golang#53715
Updates golang#53611
Fixes CVE-2022-30633

Change-Id: Ic6c5d41674c93cfc9a316135a408db9156d39c59
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1421319
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
(cherry picked from commit ebee00a55e28931b2cad0e76207a73712b000432)
Reviewed-on: https://go-review.googlesource.com/c/go/+/417069
Reviewed-by: Heschi Kreinick <heschi@google.com>
Run-TryBot: Michael Knyszek <mknyszek@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
danbudris pushed a commit to danbudris/go that referenced this issue Sep 14, 2022
rcrozean pushed a commit to rcrozean/go that referenced this issue Oct 5, 2022
# AWS EKS
Backported To: go-1.15.15-eks
Backported On: Thu, 22 Sept 2022
Backported By: budris@amazon.com
Backported From: release-branch.go1.17
EKS Patch Source Commit: danbudris@be69d5c
Upstream Source Commit: golang@2678d0c

# Original Information

Prevent exhausting the stack limit when unmarshalling extremely deeply
nested structures into nested types.

Fixes golang#53715
Updates golang#53611
Fixes CVE-2022-30633

Change-Id: Ic6c5d41674c93cfc9a316135a408db9156d39c59
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1421319
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
(cherry picked from commit ebee00a55e28931b2cad0e76207a73712b000432)
Reviewed-on: https://go-review.googlesource.com/c/go/+/417069
Reviewed-by: Heschi Kreinick <heschi@google.com>
Run-TryBot: Michael Knyszek <mknyszek@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
rcrozean pushed a commit to rcrozean/go that referenced this issue Oct 12, 2022
rcrozean pushed a commit to rcrozean/go that referenced this issue Oct 12, 2022
# AWS EKS
Backported To: go-1.16.15-eks
Backported On: Tue, 04 Oct 2022
Backported By: budris@amazon.com
Backported From: release-branch.go1.17
EKS Patch Source Commit: danbudris@4884ee8
Upstream Source Commit: golang@2678d0c

# Original Information

Prevent exhausting the stack limit when unmarshalling extremely deeply
nested structures into nested types.

Fixes golang#53715
Updates golang#53611
Fixes CVE-2022-30633

Change-Id: Ic6c5d41674c93cfc9a316135a408db9156d39c59
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1421319
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
(cherry picked from commit ebee00a55e28931b2cad0e76207a73712b000432)
Reviewed-on: https://go-review.googlesource.com/c/go/+/417069
Reviewed-by: Heschi Kreinick <heschi@google.com>
Run-TryBot: Michael Knyszek <mknyszek@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
@golang golang locked and limited conversation to collaborators Jul 12, 2023