Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

encoding/binary: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs #40618

Closed
katiehockman opened this issue Aug 6, 2020 · 1 comment
Closed

encoding/binary: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs #40618

katiehockman opened this issue Aug 6, 2020 · 1 comment
Labels
FrozenDueToAge Security
Milestone
Go1.15

Comments

@katiehockman
Copy link
Contributor

Certain invalid inputs to ReadUvarint or ReadVarint could cause those functions to read an unlimited number of bytes from the ByteReader argument before returning an error. This could lead to processing more input than expected when the caller is reading directly from the network and depends on ReadUvarint and ReadVarint only consuming a small, bounded number of bytes, even from invalid inputs.

With the update, ReadUvarint and ReadVarint now always return after consuming a bounded number of bytes (specifically, MaxVarintLen64, which is 10). The result being returned has not changed; the functions merely detect and return some errors without reading as much input.

Thanks to Diederik Loerakker, Jonny Rhea, Raúl Kripalani, and Preston Van Loon for reporting this issue.

This issue is CVE-2020-16845.
@katiehockman katiehockman added this to the Go1.15 milestone Aug 6, 2020
@katiehockman katiehockman self-assigned this Aug 6, 2020
This was referenced Aug 6, 2020
Closed
Closed
@gopherbot
Copy link
Contributor

Change https://golang.org/cl/247120 mentions this issue: encoding/binary: read at most MaxVarintLen64 bytes in ReadUvarint

gopherbot pushed a commit that referenced this issue Aug 6, 2020
@katiehockman
encoding/binary: read at most MaxVarintLen64 bytes in ReadUvarint
027d724 
This CL ensures that ReadUvarint consumes only a limited
amount of input (instead of an unbounded amount).

On some inputs, ReadUvarint could read an arbitrary number
of bytes before deciding to return an overflow error.
After this CL, ReadUvarint returns that same overflow
error sooner, after reading at most MaxVarintLen64 bytes.

Fix authored by Robert Griesemer and Filippo Valsorda.

Thanks to Diederik Loerakker, Jonny Rhea, Raúl Kripalani,
and Preston Van Loon for reporting this.

Fixes #40618
Fixes CVE-2020-16845

Change-Id: Ie0cb15972f14c38b7cf7af84c45c4ce54909bb8f
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/812099
Reviewed-by: Filippo Valsorda <valsorda@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/247120
Run-TryBot: Katie Hockman <katie@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Alexander Rakoczy <alex@golang.org>
@0xdecaf 0xdecaf mentioned this issue Aug 18, 2020
Closed
@randall77 randall77 mentioned this issue Sep 2, 2020
Closed
@tsavola tsavola mentioned this issue Sep 22, 2020
Closed
@RiccardoM RiccardoM mentioned this issue Oct 15, 2020
Merged
9 tasks
alessio pushed a commit to cosmos/cosmos-sdk that referenced this issue Oct 15, 2020
tendermint security update
f762783 
Update tendermint to 0.33.8, see [1] for more information.

[1] golang/go#40618
@alessio alessio mentioned this issue Oct 15, 2020
Merged
9 tasks
alessio pushed a commit to cosmos/cosmos-sdk that referenced this issue Oct 15, 2020
tendermint security update (#7555)
59c6527 
Update tendermint to 0.33.8, see [1] for more information.

[1] golang/go#40618
@FiloSottile FiloSottile mentioned this issue Mar 10, 2021
Closed
@golang golang locked and limited conversation to collaborators Aug 6, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge Security
Projects
None yet
Milestone
Go1.15
Development

No branches or pull requests
2 participants
@gopherbot @katiehockman