]> Cypherpunks repositories - gostls13.git/commitdiff
projects / gostls13.git / commitdiff
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 315e80d)
[release-branch.go1.18] path/filepath: fix stack exhaustion in Glob
authorJulie Qiu <julieqiu@google.com>
Thu, 23 Jun 2022 23:18:56 +0000 (23:18 +0000)
committerMichael Knyszek <mknyszek@google.com>
Tue, 12 Jul 2022 15:06:43 +0000 (15:06 +0000)
A limit is added to the number of path separators allowed by an input to
Glob, to prevent stack exhaustion issues.

Thanks to Juho Nurminen of Mattermost who reported the issue.

Fixes #53714
Updates #53416
Fixes CVE-2022-30632

Change-Id: I1b9fd4faa85411a05dbc91dceae1c0c8eb021f07
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1498176
Reviewed-by: Roland Shoemaker <bracewell@google.com>
(cherry picked from commit d182a6d1217fd0d04c9babfa9a7ccd3515435c39)
Reviewed-on: https://go-review.googlesource.com/c/go/+/417059
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Heschi Kreinick <heschi@google.com>
Run-TryBot: Michael Knyszek <mknyszek@google.com>

src/path/filepath/match.go patch | blob | history
src/path/filepath/match_test.go patch | blob | history

diff --git a/src/path/filepath/match.go b/src/path/filepath/match.go
index c77a26952a657f2c53bd9dafbf98deb4a7071f56..55ed1d75ae1b0eb4f579652c04727315b77dcace 100644 (file)
--- a/src/path/filepath/match.go
+++ b/src/path/filepath/match.go
@@ -241,6 +241,16 @@ func getEsc(chunk string) (r rune, nchunk string, err error) {
 // The only possible returned error is ErrBadPattern, when pattern
 // is malformed.
 func Glob(pattern string) (matches []string, err error) {
+       return globWithLimit(pattern, 0)
+}
+
+func globWithLimit(pattern string, depth int) (matches []string, err error) {
+       // This limit is used prevent stack exhaustion issues. See CVE-2022-30632.
+       const pathSeparatorsLimit = 10000
+       if depth == pathSeparatorsLimit {
+               return nil, ErrBadPattern
+       }
+
        // Check pattern is well-formed.
        if _, err := Match(pattern, ""); err != nil {
                return nil, err
@@ -270,7 +280,7 @@ func Glob(pattern string) (matches []string, err error) {
        }
 
        var m []string
-       m, err = Glob(dir)
+       m, err = globWithLimit(dir, depth+1)
        if err != nil {
                return
        }
diff --git a/src/path/filepath/match_test.go b/src/path/filepath/match_test.go
index 375c41a7e9d5d06615ba59451850bc8c552b45a9..d6282596fedbb93aeabc93fdc8029d43266098ae 100644 (file)
--- a/src/path/filepath/match_test.go
+++ b/src/path/filepath/match_test.go
@@ -155,6 +155,16 @@ func TestGlob(t *testing.T) {
        }
 }
 
+func TestCVE202230632(t *testing.T) {
+       // Prior to CVE-2022-30632, this would cause a stack exhaustion given a
+       // large number of separators (more than 4,000,000). There is now a limit
+       // of 10,000.
+       _, err := Glob("/*" + strings.Repeat("/", 10001))
+       if err != ErrBadPattern {
+               t.Fatalf("Glob returned err=%v, want ErrBadPattern", err)
+       }
+}
+
 func TestGlobError(t *testing.T) {
        bad := []string{`[]`, `nonexist/[]`}
        for _, pattern := range bad {
Go GOST TLS 1.3