go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962) [1.18 backport] #53708

gopherbot · 2022-07-06T19:22:38Z

@tatianab requested issue #53616 to be considered for backport to the next 1.18 minor release.

@gopherbot please open backport issues for this security fix

gopherbot · 2022-07-12T14:03:51Z

Change https://go.dev/cl/417056 mentions this issue: [release-branch.go1.18] go/parser: limit recursion depth

gopherbot · 2022-07-12T15:07:04Z

Closed by merging 0d1615b to release-branch.go1.18.

Limit nested parsing to 100,000, which prevents stack exhaustion when parsing deeply nested statements, types, and expressions. Also limit the scope depth to 1,000 during object resolution. Thanks to Juho Nurminen of Mattermost for reporting this issue. Fixes #53708 Updates #53616 Fixes CVE-2022-1962 Change-Id: I4d7b86c1d75d0bf3c7af1fdea91582aa74272c64 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1491025 Reviewed-by: Russ Cox <rsc@google.com> Reviewed-by: Damien Neil <dneil@google.com> (cherry picked from commit 6a856f08d58e4b6705c0c337d461c540c1235c83) Reviewed-on: https://go-review.googlesource.com/c/go/+/417056 TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Michael Knyszek <mknyszek@google.com> Reviewed-by: Heschi Kreinick <heschi@google.com>

Limit nested parsing to 100,000, which prevents stack exhaustion when parsing deeply nested statements, types, and expressions. Also limit the scope depth to 1,000 during object resolution. Thanks to Juho Nurminen of Mattermost for reporting this issue. Fixes golang#53708 Updates golang#53616 Fixes CVE-2022-1962 Change-Id: I4d7b86c1d75d0bf3c7af1fdea91582aa74272c64 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1491025 Reviewed-by: Russ Cox <rsc@google.com> Reviewed-by: Damien Neil <dneil@google.com> (cherry picked from commit 6a856f08d58e4b6705c0c337d461c540c1235c83) Reviewed-on: https://go-review.googlesource.com/c/go/+/417056 TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Michael Knyszek <mknyszek@google.com> Reviewed-by: Heschi Kreinick <heschi@google.com>

gopherbot added the CherryPickCandidate Used during the release process for point releases label Jul 6, 2022

gopherbot mentioned this issue Jul 6, 2022

go/parser: stack exhaustion in all Parse* functions #53616

Closed

gopherbot added this to the Go1.18.4 milestone Jul 6, 2022

tatianab added Security release-blocker labels Jul 8, 2022

gopherbot closed this as completed Jul 12, 2022

mknyszek changed the title ~~security: fix CVE-2022-1962 [1.18 backport]~~ go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962) [1.18 backport] Jul 12, 2022

mknyszek added the CherryPickApproved Used during the release process for point releases label Jul 12, 2022

gopherbot removed the CherryPickCandidate Used during the release process for point releases label Jul 12, 2022

golang locked and limited conversation to collaborators Jul 12, 2023

gopherbot added the FrozenDueToAge label Jul 12, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962) [1.18 backport] #53708

go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962) [1.18 backport] #53708

gopherbot commented Jul 6, 2022

gopherbot commented Jul 12, 2022

gopherbot commented Jul 12, 2022

go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962) [1.18 backport] #53708

go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962) [1.18 backport] #53708

Comments

gopherbot commented Jul 6, 2022

gopherbot commented Jul 12, 2022

gopherbot commented Jul 12, 2022