Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/vuln: reports could exclude calls with unaffected arguments #54889

Open
prattmic opened this issue Sep 6, 2022 · 1 comment
Open

x/vuln: reports could exclude calls with unaffected arguments #54889

prattmic opened this issue Sep 6, 2022 · 1 comment
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. vulncheck or vulndb Issues for the x/vuln or x/vulndb repo

Comments

@prattmic
Copy link
Member

prattmic commented Sep 6, 2022

What version of Go are you using (go version)?

$ go version
go version go1.19-pre4 cl/455575533 +12f49fe0ed linux/amd64

Does this issue reproduce at the latest version of golang.org/x/vuln?

Yes, using v0.0.0-20220902211423-27dd78d2ca39

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/usr/local/google/home/mpratt/.cache/go-build"
GOENV="/usr/local/google/home/mpratt/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/usr/local/google/home/mpratt/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/usr/local/google/home/mpratt/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/lib/google-golang"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/lib/google-golang/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.19-pre4 cl/455575533 +12f49fe0ed"
GCCGO="gccgo"
GOAMD64="v1"
AR="ar"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD="/dev/null"
GOWORK=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -Wl,--no-gc-sections -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build4085128731=/tmp/go-build -gno-record-gcc-switches"

What did you do?

$ git clone https://github.com/google/gvisor
$ cd gvisor
$ git checkout go
$ govulncheck ./...

What did you expect to see?

Vulnerabilities affecting these packages.

What did you see instead?

Vulnerability #1: GO-2022-0493
  When called with a non-zero flags parameter, the Faccessat         
  function can incorrectly report that a file is accessible.
                                                                                  
  Call stacks in your code:
      runsc/cmd/do.go:228:23: gvisor.dev/gvisor/runsc/cmd.resolvePath calls golang.org/x/sys/unix.Access
                                         
  Found in: golang.org/x/sys/unix@v0.0.0-20211019181941-9d821ace8654
  Fixed in: golang.org/x/sys/unix@v1.18.2 
  More info: https://pkg.go.dev/vuln/GO-2022-0493

This vulnerability affects Faccessat when called with flags != 0. This report flags a call via unix.Access, which always passes flags == 0.

In theory vulncheck could encode that this vulnerability depends on a certain argument value and then statically find calls that don't match that value.

@prattmic prattmic added the x/vuln label Sep 6, 2022
@gopherbot gopherbot added this to the Unreleased milestone Sep 6, 2022
@mknyszek mknyszek added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Sep 6, 2022
@julieqiu julieqiu added vulncheck or vulndb Issues for the x/vuln or x/vulndb repo and removed x/vuln labels Sep 6, 2022
@julieqiu julieqiu removed the x/vuln label Sep 6, 2022
@zpavlinovic
Copy link
Contributor

Thank you for reporting this issue!

It is currently out of scope for vulncheck to automatically do analysis of call arguments to vulnerable symbols. However, unix.Access should not be considered a vulnerable symbol for the reasons you outlined. We'll investigate a potential remedy.

@julieqiu julieqiu modified the milestones: Unreleased, vuln/unplanned Sep 6, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. vulncheck or vulndb Issues for the x/vuln or x/vulndb repo
Projects
Status: No status
Development

No branches or pull requests

5 participants