go/internal/gcimporter: Import can OOM on corrupt/adversarial package #53787
Labels
FrozenDueToAge
NeedsDecision
Feedback is required from experts, contributors, and/or the community before a change can be made.
Milestone
Comments
rolandshoemaker
added
the
NeedsDecision
|
Change https://go.dev/cl/416861 mentions this issue: |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
iImportDataallocates buffers based on sizes read from the package file, which may not necessarily match the actual size of the package. If the package file is corrupted, or attacker controlled, this can trigger an OOM. The security team does not consider the second part of this a security issue, since attacks which require attacker control of the local filesystem are outside of our scope.This is somewhat similar of an issue to #53369, and is perhaps another use case for something like the saferio work @ianlancetaylor is perusing (although in this case the overhead may be somewhat less reasonable, since consumed data here is much less likely to be attacker controlled, and is likely to only really address corrupted data.) It may also be reasonable to not do anything here.
Thanks to Qing Xu for reporting this.
The text was updated successfully, but these errors were encountered: