syscall: Faccessat checks wrong group #52313

neild · 2022-04-12T20:16:17Z

The syscall.Faccessat function checks whether the calling process can access a file.

Faccessat contains a bug where it checks a file's group permission bits if the process's user is a member of the process's group rather than a member of the file's group.

go/src/syscall/syscall_linux.go

Line 112 in c9fe126

if uint32(gid) == st.Gid || isGroupMember(gid) {

	var fmode uint32
	if uint32(uid) == st.Uid {
		fmode = (st.Mode >> 6) & 7
	} else {
		var gid int
		if flags&_AT_EACCESS != 0 {
			gid = Getegid()
		} else {
			gid = Getgid()
		}

		if uint32(gid) == st.Gid || isGroupMember(gid) { // <-- this should be isGroupMember(st.Gid), not gid
			fmode = (st.Mode >> 3) & 7
		} else {
			fmode = st.Mode & 7
		}
	}

Since a process's user is usually a member of the process's group, this causes Faccessat to usually check a file's group permissions even if the process's user is not a member of the file's group.

Thanks to @256dpi for reporting this.

The text was updated successfully, but these errors were encountered:

neild · 2022-04-12T20:36:37Z

This bug only occurs on Linux systems, and when syscall.Faccessat is called with a non-zero flags parameter.

gopherbot · 2022-04-12T20:45:11Z

Change https://go.dev/cl/399539 mentions this issue: syscall: check correct group in Faccessat

gopherbot · 2022-04-12T20:53:46Z

Change https://go.dev/cl/400074 mentions this issue: unix: check correct group in Faccessat

neild · 2022-04-12T20:58:04Z

"golang.org/x/sys/unix".Faccessat suffers from the same problem, but only on Linux kernels < 5.8.

The Faccessat call checks the user, group, or other permission bits of a file to see if the calling process can access it. The test to see if the group permissions should be used was made with the wrong group id, using the process's group id rather than the file's group id. Fix this to use the correct group id. This change only affects Linux versions prior to 5.8. Linux 5.8 added the faccessat2 system call, which we use in preference to the internal implementation. No test since we cannot easily change file permissions when not running as root and the test is meaningless if running as root. For golang/go#52313 Change-Id: I6fa64379a50c9380207eab9d095ef7fbd05a2d59 Reviewed-on: https://go-review.googlesource.com/c/sys/+/400074 Run-TryBot: Damien Neil <dneil@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Ian Lance Taylor <iant@google.com>

The Faccessat call checks the user, group, or other permission bits of a file to see if the calling process can access it. The test to see if the group permissions should be used was made with the wrong group id, using the process's group id rather than the file's group id. Fix this to use the correct group id. No test since we cannot easily change file permissions when not running as root and the test is meaningless if running as root. For #52313 Change-Id: I4e2c84754b0af7830b40fd15dedcbc58374d75ee Reviewed-on: https://go-review.googlesource.com/c/go/+/399539 Reviewed-by: Ian Lance Taylor <iant@google.com> Run-TryBot: Ian Lance Taylor <iant@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>

neild · 2022-04-19T18:32:25Z

@gopherbot please open backport issues.

gopherbot · 2022-04-19T18:32:33Z

Backport issue(s) opened: #52439 (for 1.17), #52440 (for 1.18).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

gopherbot · 2022-04-19T18:34:18Z

Change https://go.dev/cl/401078 mentions this issue: [release-branch.go1.17] syscall: check correct group in Faccessat

gopherbot · 2022-04-19T18:35:18Z

Change https://go.dev/cl/401079 mentions this issue: [release-branch.go1.18] syscall: check correct group in Faccessat

The Faccessat call checks the user, group, or other permission bits of a file to see if the calling process can access it. The test to see if the group permissions should be used was made with the wrong group id, using the process's group id rather than the file's group id. Fix this to use the correct group id. No test since we cannot easily change file permissions when not running as root and the test is meaningless if running as root. For #52313 Fixes #52440 Change-Id: I4e2c84754b0af7830b40fd15dedcbc58374d75ee Reviewed-on: https://go-review.googlesource.com/c/go/+/399539 Reviewed-by: Ian Lance Taylor <iant@google.com> Run-TryBot: Ian Lance Taylor <iant@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> (cherry picked from commit f66925e) Reviewed-on: https://go-review.googlesource.com/c/go/+/401079 Auto-Submit: Damien Neil <dneil@google.com> Reviewed-by: Tatiana Bradley <tatiana@golang.org> Run-TryBot: Tatiana Bradley <tatiana@golang.org> Auto-Submit: Tatiana Bradley <tatiana@golang.org> Run-TryBot: Damien Neil <dneil@google.com>

The Faccessat call checks the user, group, or other permission bits of a file to see if the calling process can access it. The test to see if the group permissions should be used was made with the wrong group id, using the process's group id rather than the file's group id. Fix this to use the correct group id. No test since we cannot easily change file permissions when not running as root and the test is meaningless if running as root. For #52313 Fixes #52439 Change-Id: I4e2c84754b0af7830b40fd15dedcbc58374d75ee Reviewed-on: https://go-review.googlesource.com/c/go/+/399539 Reviewed-by: Ian Lance Taylor <iant@google.com> Run-TryBot: Ian Lance Taylor <iant@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> (cherry picked from commit f66925e) Reviewed-on: https://go-review.googlesource.com/c/go/+/401078 Auto-Submit: Tatiana Bradley <tatiana@golang.org> Run-TryBot: Tatiana Bradley <tatiana@golang.org> Run-TryBot: Damien Neil <dneil@google.com> Auto-Submit: Damien Neil <dneil@google.com> Reviewed-by: Tatiana Bradley <tatiana@golang.org>

heschi · 2022-05-11T16:20:25Z

This shipped in yesterday's minor releases.

dmitshur · 2022-05-11T16:22:20Z

Fixed for Go 1.19 in CL 399539. (This didn't get closed because its commit message had "For" rather than "Fixes".)

golang/go#52313

The Faccessat call checks the user, group, or other permission bits of a file to see if the calling process can access it. The test to see if the group permissions should be used was made with the wrong group id, using the process's group id rather than the file's group id. Fix this to use the correct group id. No test since we cannot easily change file permissions when not running as root and the test is meaningless if running as root. For golang#52313 Fixes golang#52439 Change-Id: I4e2c84754b0af7830b40fd15dedcbc58374d75ee Reviewed-on: https://go-review.googlesource.com/c/go/+/399539 Reviewed-by: Ian Lance Taylor <iant@google.com> Run-TryBot: Ian Lance Taylor <iant@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> (cherry picked from commit f66925e) Reviewed-on: https://go-review.googlesource.com/c/go/+/401078 Auto-Submit: Tatiana Bradley <tatiana@golang.org> Run-TryBot: Tatiana Bradley <tatiana@golang.org> Run-TryBot: Damien Neil <dneil@google.com> Auto-Submit: Damien Neil <dneil@google.com> Reviewed-by: Tatiana Bradley <tatiana@golang.org>

# AWS EKS Backported To: go-1.15.15-eks Backported On: Thu, 22 Sept 2022 Backported By: budris@amazon.com Backported From: release-branch.go1.17 EKS Patch Source Commit: danbudris@a4d1586 Upstream Source Commit: golang@04781d1 Fixes: CVE-2022-29526 # Original Information The Faccessat call checks the user, group, or other permission bits of a file to see if the calling process can access it. The test to see if the group permissions should be used was made with the wrong group id, using the process's group id rather than the file's group id. Fix this to use the correct group id. No test since we cannot easily change file permissions when not running as root and the test is meaningless if running as root. For golang#52313 Fixes golang#52439 Change-Id: I4e2c84754b0af7830b40fd15dedcbc58374d75ee Reviewed-on: https://go-review.googlesource.com/c/go/+/399539 Reviewed-by: Ian Lance Taylor <iant@google.com> Run-TryBot: Ian Lance Taylor <iant@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> (cherry picked from commit f66925e) Reviewed-on: https://go-review.googlesource.com/c/go/+/401078 Auto-Submit: Tatiana Bradley <tatiana@golang.org> Run-TryBot: Tatiana Bradley <tatiana@golang.org> Run-TryBot: Damien Neil <dneil@google.com> Auto-Submit: Damien Neil <dneil@google.com> Reviewed-by: Tatiana Bradley <tatiana@golang.org>

# AWS EKS Backported To: go-1.16.15-eks Backported On: Tue, 04 Oct 2022 Backported By: budris@amazon.com Backported From: release-branch.go1.17 EKS Patch Source Commit: danbudris@e13d51d Upstream Source Commit: golang@04781d1 # Original Information The Faccessat call checks the user, group, or other permission bits of a file to see if the calling process can access it. The test to see if the group permissions should be used was made with the wrong group id, using the process's group id rather than the file's group id. Fix this to use the correct group id. No test since we cannot easily change file permissions when not running as root and the test is meaningless if running as root. For golang#52313 Fixes golang#52439 Change-Id: I4e2c84754b0af7830b40fd15dedcbc58374d75ee Reviewed-on: https://go-review.googlesource.com/c/go/+/399539 Reviewed-by: Ian Lance Taylor <iant@google.com> Run-TryBot: Ian Lance Taylor <iant@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> (cherry picked from commit f66925e) Reviewed-on: https://go-review.googlesource.com/c/go/+/401078 Auto-Submit: Tatiana Bradley <tatiana@golang.org> Run-TryBot: Tatiana Bradley <tatiana@golang.org> Run-TryBot: Damien Neil <dneil@google.com> Auto-Submit: Damien Neil <dneil@google.com> Reviewed-by: Tatiana Bradley <tatiana@golang.org>

golang/go#52313

golang/go#52313 Signed-off-by: oilbeater <liumengxinfly@gmail.com>

ianlancetaylor self-assigned this Apr 12, 2022

neild assigned neild and unassigned ianlancetaylor Apr 12, 2022

seankhliao added the NeedsFix The path to resolution is known, but the work has not been done. label Apr 14, 2022

This was referenced Apr 19, 2022

syscall: Faccessat checks wrong group [1.17 backport] #52439

Closed

syscall: Faccessat checks wrong group [1.18 backport] #52440

Closed

neild added the Security label May 4, 2022

dmitshur added this to the Go1.19 milestone May 4, 2022

julieqiu added the release-blocker label May 5, 2022

heschi closed this as completed May 11, 2022

rsc unassigned neild Jun 22, 2022

nywilken mentioned this issue Aug 19, 2022

Bump golang.org/x/sys to address CVE-2022-29526 hashicorp/packer#11953

Merged

nywilken added a commit to hashicorp/packer that referenced this issue Aug 19, 2022

Bump golang.org/x/sys to address CVE-2022-29526

dcddbf1

golang/go#52313

nywilken added a commit to hashicorp/packer that referenced this issue Aug 22, 2022

Bump golang.org/x/sys to address CVE-2022-29526 (#11953)

ed72488

golang/go#52313

oilbeater added a commit to oilbeater/plugins that referenced this issue Dec 13, 2022

Bump golang.org/x/sys to address CVE-2022-29526

1181e7e

golang/go#52313

oilbeater mentioned this issue Dec 13, 2022

Bump golang.org/x/sys to address CVE-2022-29526 containernetworking/plugins#797

Closed

oilbeater added a commit to oilbeater/plugins that referenced this issue Dec 14, 2022

Bump golang.org/x/sys to address CVE-2022-29526

aa59044

golang/go#52313 Signed-off-by: oilbeater <liumengxinfly@gmail.com>

rainerleber mentioned this issue Jan 12, 2023

change go module version and go version rh-mobb/ecr-secret-operator#12

Merged

Yoavast mentioned this issue Apr 13, 2023

CVE-2022-29526 @ Go-golang.org/x/sys-v0.0.0-20211216021012-1d35b9e2eb4e Yoavast/CX-AST#104

Open

golang locked and limited conversation to collaborators Jun 22, 2023

gopherbot added the FrozenDueToAge label Jun 22, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

syscall: Faccessat checks wrong group #52313

syscall: Faccessat checks wrong group #52313

neild commented Apr 12, 2022

neild commented Apr 12, 2022

gopherbot commented Apr 12, 2022

gopherbot commented Apr 12, 2022

neild commented Apr 12, 2022

neild commented Apr 19, 2022

gopherbot commented Apr 19, 2022

gopherbot commented Apr 19, 2022

gopherbot commented Apr 19, 2022

heschi commented May 11, 2022

dmitshur commented May 11, 2022 •

edited

Loading

syscall: Faccessat checks wrong group #52313

syscall: Faccessat checks wrong group #52313

Comments

neild commented Apr 12, 2022

neild commented Apr 12, 2022

gopherbot commented Apr 12, 2022

gopherbot commented Apr 12, 2022

neild commented Apr 12, 2022

neild commented Apr 19, 2022

gopherbot commented Apr 19, 2022

gopherbot commented Apr 19, 2022

gopherbot commented Apr 19, 2022

heschi commented May 11, 2022

dmitshur commented May 11, 2022 • edited Loading

dmitshur commented May 11, 2022 •

edited

Loading