security: fix CVE-2021-38297 #48797
Labels
arch-wasm
WebAssembly issues
FrozenDueToAge
NeedsFix
The path to resolution is known, but the work has not been done.
OS-JS
release-blocker
Security
Milestone
Comments
|
@gopherbot please backport to 1.16 and 1.17. This is a security issue. |
This was referenced Oct 5, 2021
|
Backport issue(s) opened: #48799 (for 1.16), #48800 (for 1.17). Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://golang.org/wiki/MinorReleases. |
mknyszek
added
the
NeedsFix
|
Change https://golang.org/cl/354571 mentions this issue: |
|
Change https://golang.org/cl/354592 mentions this issue: |
|
Change https://golang.org/cl/354591 mentions this issue: |
gopherbot
pushed a commit
that referenced
this issue
Oct 7, 2021
…args overwrite global data On Wasm, wasm_exec.js puts command line arguments at the beginning of the linear memory (following the "zero page"). Currently there is no limit for this, and a very long command line can overwrite the program's data section. Prevent this by limiting the command line to 4096 bytes, and in the linker ensuring the data section starts at a high enough address (8192). (Arguably our address assignment on Wasm is a bit confusing. This is the minimum fix I can come up with.) Thanks to Ben Lubar for reporting this issue. Change by Cherry Mui <cherryyz@google.com>. For #48797 Fixes #48800 Fixes CVE-2021-38297 Change-Id: I0f50fbb2a5b6d0d047e3c134a88988d9133e4ab3 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1205933 Reviewed-by: Roland Shoemaker <bracewell@google.com> Reviewed-by: Than McIntosh <thanm@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/354592 Trust: Michael Knyszek <mknyszek@google.com> Reviewed-by: Heschi Kreinick <heschi@google.com>
gopherbot
pushed a commit
that referenced
this issue
Oct 7, 2021
…args overwrite global data On Wasm, wasm_exec.js puts command line arguments at the beginning of the linear memory (following the "zero page"). Currently there is no limit for this, and a very long command line can overwrite the program's data section. Prevent this by limiting the command line to 4096 bytes, and in the linker ensuring the data section starts at a high enough address (8192). (Arguably our address assignment on Wasm is a bit confusing. This is the minimum fix I can come up with.) Thanks to Ben Lubar for reporting this issue. Change by Cherry Mui <cherryyz@google.com>. For #48797 Fixes #48799 Fixes CVE-2021-38297 Change-Id: I0f50fbb2a5b6d0d047e3c134a88988d9133e4ab3 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1205933 Reviewed-by: Roland Shoemaker <bracewell@google.com> Reviewed-by: Than McIntosh <thanm@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/354591 Trust: Michael Knyszek <mknyszek@google.com> Reviewed-by: Heschi Kreinick <heschi@google.com>
This was referenced Oct 15, 2021
|
A MUST TO REVIEW LATER |
This was referenced Oct 25, 2021
halstead
pushed a commit
to openembedded/openembedded-core
that referenced
this issue
Apr 9, 2022
Patch taken from golang/go@4548fcc from the following issue golang/go#48797 Original repo https://go.googlesource.com/go/+/77f2750f4398990eed972186706f160631d7dae4 Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
kraj
pushed a commit
to YoeDistro/poky-old
that referenced
this issue
Apr 9, 2022
Patch taken from golang/go@4548fcc from the following issue golang/go#48797 Original repo https://go.googlesource.com/go/+/77f2750f4398990eed972186706f160631d7dae4 (From OE-Core rev: e9e3c3969544d18f0da90a10156c40da84d5b549) Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
jpuhlman
pushed a commit
to MontaVista-OpenSourceTechnology/poky
that referenced
this issue
Jun 3, 2022
Source: poky MR: 118243 Type: Integration Disposition: Merged from poky ChangeID: 048094bcf91ba71f875fff7a8c725f998d2e3f28 Description: Patch taken from golang/go@4548fcc from the following issue golang/go#48797 Original repo https://go.googlesource.com/go/+/77f2750f4398990eed972186706f160631d7dae4 (From OE-Core rev: e9e3c3969544d18f0da90a10156c40da84d5b549) Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
When invoking functions from WASM modules, built using GOARCH=wasm GOOS=js, passing very large arguments can cause portions of the module to be overwritten with data from the arguments.
If using wasm_exec.js to execute WASM modules, users will need to replace their copy (as described in https://golang.org/wiki/WebAssembly#getting-started) after rebuilding any modules.
This is issue #48797 and CVE-2021-38297. Thanks to Ben Lubar for reporting this issue.
The text was updated successfully, but these errors were encountered: