86 lines
2.8 KiB
Diff
86 lines
2.8 KiB
Diff
|
From 7b98bf3a8711126c532033ca89647f3b743b58ec Mon Sep 17 00:00:00 2001
|
||
|
|
From: Julie Qiu <julieqiu@google.com>
|
||
|
|
Date: Thu, 23 Jun 2022 23:18:56 +0000
|
||
|
|
Subject: [PATCH 07/11] [release-branch.go1.17] path/filepath: fix stack
|
||
|
|
exhaustion in Glob
|
||
|
|
|
||
|
|
A limit is added to the number of path separators allowed by an input to
|
||
|
|
Glob, to prevent stack exhaustion issues.
|
||
|
|
|
||
|
|
Thanks to Juho Nurminen of Mattermost who reported the issue.
|
||
|
|
|
||
|
|
Fixes #53713
|
||
|
|
Updates #53416
|
||
|
|
Fixes CVE-2022-30632
|
||
|
|
|
||
|
|
Change-Id: I1b9fd4faa85411a05dbc91dceae1c0c8eb021f07
|
||
|
|
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1498176
|
||
|
|
Reviewed-by: Roland Shoemaker <bracewell@google.com>
|
||
|
|
(cherry picked from commit d182a6d1217fd0d04c9babfa9a7ccd3515435c39)
|
||
|
|
Reviewed-on: https://go-review.googlesource.com/c/go/+/417073
|
||
|
|
Reviewed-by: Heschi Kreinick <heschi@google.com>
|
||
|
|
TryBot-Result: Gopher Robot <gobot@golang.org>
|
||
|
|
Run-TryBot: Michael Knyszek <mknyszek@google.com>
|
||
|
|
|
||
|
|
Conflict: NA
|
||
|
|
Reference: https://go-review.googlesource.com/c/go/+/417073
|
||
|
|
---
|
||
|
|
src/path/filepath/match.go | 12 +++++++++++-
|
||
|
|
src/path/filepath/match_test.go | 10 ++++++++++
|
||
|
|
2 files changed, 21 insertions(+), 1 deletion(-)
|
||
|
|
|
||
|
|
diff --git a/src/path/filepath/match.go b/src/path/filepath/match.go
|
||
|
|
index c77a26952a6..55ed1d75ae1 100644
|
||
|
|
--- a/src/path/filepath/match.go
|
||
|
|
+++ b/src/path/filepath/match.go
|
||
|
|
@@ -241,6 +241,16 @@ func getEsc(chunk string) (r rune, nchunk string, err error) {
|
||
|
|
// The only possible returned error is ErrBadPattern, when pattern
|
||
|
|
// is malformed.
|
||
|
|
func Glob(pattern string) (matches []string, err error) {
|
||
|
|
+ return globWithLimit(pattern, 0)
|
||
|
|
+}
|
||
|
|
+
|
||
|
|
+func globWithLimit(pattern string, depth int) (matches []string, err error) {
|
||
|
|
+ // This limit is used prevent stack exhaustion issues. See CVE-2022-30632.
|
||
|
|
+ const pathSeparatorsLimit = 10000
|
||
|
|
+ if depth == pathSeparatorsLimit {
|
||
|
|
+ return nil, ErrBadPattern
|
||
|
|
+ }
|
||
|
|
+
|
||
|
|
// Check pattern is well-formed.
|
||
|
|
if _, err := Match(pattern, ""); err != nil {
|
||
|
|
return nil, err
|
||
|
|
@@ -270,7 +280,7 @@ func Glob(pattern string) (matches []string, err error) {
|
||
|
|
}
|
||
|
|
|
||
|
|
var m []string
|
||
|
|
- m, err = Glob(dir)
|
||
|
|
+ m, err = globWithLimit(dir, depth+1)
|
||
|
|
if err != nil {
|
||
|
|
return
|
||
|
|
}
|
||
|
|
diff --git a/src/path/filepath/match_test.go b/src/path/filepath/match_test.go
|
||
|
|
index 375c41a7e9d..d6282596fed 100644
|
||
|
|
--- a/src/path/filepath/match_test.go
|
||
|
|
+++ b/src/path/filepath/match_test.go
|
||
|
|
@@ -155,6 +155,16 @@ func TestGlob(t *testing.T) {
|
||
|
|
}
|
||
|
|
}
|
||
|
|
|
||
|
|
+func TestCVE202230632(t *testing.T) {
|
||
|
|
+ // Prior to CVE-2022-30632, this would cause a stack exhaustion given a
|
||
|
|
+ // large number of separators (more than 4,000,000). There is now a limit
|
||
|
|
+ // of 10,000.
|
||
|
|
+ _, err := Glob("/*" + strings.Repeat("/", 10001))
|
||
|
|
+ if err != ErrBadPattern {
|
||
|
|
+ t.Fatalf("Glob returned err=%v, want ErrBadPattern", err)
|
||
|
|
+ }
|
||
|
|
+}
|
||
|
|
+
|
||
|
|
func TestGlobError(t *testing.T) {
|
||
|
|
bad := []string{`[]`, `nonexist/[]`}
|
||
|
|
for _, pattern := range bad {
|
||
|
|
--
|
||
|
|
2.30.2
|
||
|
|
|