search

gnolang / gno

Gno: An interpreted, stack-based Go virtual machine to build succinct and composable apps + gno.land: a blockchain for timeless code and fair open-source.
https://gno.land/
Other
900 stars 377 forks source link

gnovm: *Debugger.Serve leaks the listener and never retains a reference to later close it #3028

Open odeke-em opened 1 month ago

odeke-em commented 1 month ago

While auditing and studying some code I noticed this code https://github.com/gnolang/gno/blob/2838ad1a3c3b9795990257cd46f08fc04b2fb3a3/gnovm/pkg/gnolang/debugger.go#L227-L240

and notice that we create a listener bound to an address and immediately accept a single connection then discard the listener.

Please figure out how to singly create the listener once and then retain it and listen to connections on it each time. If this library is to be put to production and debuggers left on, with the very large surface that it has, it is imperative to avoid such problems that could then cause security issues, especially without automated static analysis and security tools.

Kindly cc-ing @jaekwon

kristovatlas commented 4 weeks ago

Thanks for the report, @odeke-em. We're looking into it.