golang / go

The Go programming language
https://go.dev
BSD 3-Clause "New" or "Revised" License

x/vuln: reports could exclude calls with unaffected arguments #54889

Open prattmic opened 2 years ago

prattmic commented 2 years ago

What version of Go are you using (go version)?

$ go version
go version go1.19-pre4 cl/455575533 +12f49fe0ed linux/amd64

Does this issue reproduce at the latest version of golang.org/x/vuln?

Yes, using v0.0.0-20220902211423-27dd78d2ca39

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/usr/local/google/home/mpratt/.cache/go-build"
GOENV="/usr/local/google/home/mpratt/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/usr/local/google/home/mpratt/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/usr/local/google/home/mpratt/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/lib/google-golang"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/lib/google-golang/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.19-pre4 cl/455575533 +12f49fe0ed"
GCCGO="gccgo"
GOAMD64="v1"
AR="ar"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD="/dev/null"
GOWORK=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -Wl,--no-gc-sections -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build4085128731=/tmp/go-build -gno-record-gcc-switches"

What did you do?

$ git clone https://github.com/google/gvisor
$ cd gvisor
$ git checkout go
$ govulncheck ./...

What did you expect to see?

Vulnerabilities affecting these packages.

What did you see instead?

Vulnerability #1: GO-2022-0493
  When called with a non-zero flags parameter, the Faccessat
  function can incorrectly report that a file is accessible.

  Call stacks in your code:
      runsc/cmd/do.go:228:23: gvisor.dev/gvisor/runsc/cmd.resolvePath calls golang.org/x/sys/unix.Access

  Found in: golang.org/x/sys/unix@v0.0.0-20211019181941-9d821ace8654
  Fixed in: golang.org/x/sys/unix@v1.18.2 
  More info: https://pkg.go.dev/vuln/GO-2022-0493

This vulnerability affects Faccessat when called with flags != 0. This report flags a call via unix.Access, which always passes flags == 0.

In theory vulncheck could encode that this vulnerability depends on a certain argument value and then statically find calls that don't match that value.
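To make the idea in the report concrete, here is an added example (not part of the issue, not gVisor code, and not how x/vuln is implemented) of what "encode that this vulnerability depends on a certain argument value and statically find calls that don't match it" could look like at the AST level. It assumes a hypothetical rule type `argRule` that says "calls to `unix.Faccessat` are unaffected when argument 3 (flags) is the literal constant 0", parses a constructed source file with the standard library `go/parser`, and classifies each `unix.Faccessat` call site as affected or not. The sample source imports `golang.org/x/sys/unix` only as text; it is parsed, not type-checked or built, so nothing needs to be downloaded.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strconv"
)

// Constructed sample input (not real project code): four call sites, only one of
// which passes the unaffected constant flags == 0 directly.
const sample = `package sample

import "golang.org/x/sys/unix"

func a(p string) error { return unix.Access(p, unix.R_OK) }
func b(p string) error { return unix.Faccessat(unix.AT_FDCWD, p, unix.R_OK, 0) }
func c(p string) error { return unix.Faccessat(unix.AT_FDCWD, p, unix.R_OK, unix.AT_EACCESS) }
func d(p string, f int) error { return unix.Faccessat(unix.AT_FDCWD, p, unix.R_OK, f) }
`

// argRule is a hypothetical encoding of an argument-dependent vulnerability:
// calls to Pkg.Func are unaffected when argument index Arg is the literal Value.
type argRule struct {
	Pkg, Func string
	Arg       int
	Value     int64
}

// faccessatRule mirrors the condition described in the report: Faccessat is only
// affected when its flags parameter (argument 3) is non-zero.
var faccessatRule = argRule{Pkg: "unix", Func: "Faccessat", Arg: 3, Value: 0}

// Finding is one call site to the rule's symbol and the verdict for it.
type Finding struct {
	Line     int
	Callee   string
	Affected bool // true unless the argument is provably the unaffected constant
	Reason   string
}

// constInt returns the value of an integer literal; anything else (an identifier,
// a selector such as unix.AT_EACCESS, an expression) is "not provable".
func constInt(e ast.Expr) (int64, bool) {
	lit, ok := e.(*ast.BasicLit)
	if !ok || lit.Kind != token.INT {
		return 0, false
	}
	v, err := strconv.ParseInt(lit.Value, 0, 64)
	return v, err == nil
}

// Analyze parses src and reports every call to rule.Pkg.rule.Func, marking a call
// unaffected only when the checked argument is the literal rule.Value.
func Analyze(src string, rule argRule) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "sample.go", src, 0)
	if err != nil {
		return nil, err
	}
	var out []Finding
	ast.Inspect(f, func(n ast.Node) bool {
		call, ok := n.(*ast.CallExpr)
		if !ok {
			return true
		}
		sel, ok := call.Fun.(*ast.SelectorExpr)
		if !ok {
			return true
		}
		pkg, ok := sel.X.(*ast.Ident)
		if !ok || pkg.Name != rule.Pkg || sel.Sel.Name != rule.Func {
			return true
		}
		fd := Finding{Line: fset.Position(call.Pos()).Line, Callee: rule.Pkg + "." + rule.Func, Affected: true}
		switch v, isConst := int64(0), false; {
		case rule.Arg >= len(call.Args):
			fd.Reason = "checked argument not present"
		default:
			v, isConst = constInt(call.Args[rule.Arg])
			if isConst && v == rule.Value {
				fd.Affected = false
				fd.Reason = fmt.Sprintf("argument %d is the constant %d", rule.Arg, v)
			} else {
				fd.Reason = fmt.Sprintf("argument %d is not provably %d", rule.Arg, rule.Value)
			}
		}
		out = append(out, fd)
		return true
	})
	return out, nil
}

func main() {
	findings, err := Analyze(sample, faccessatRule)
	if err != nil {
		panic(err)
	}
	for _, fd := range findings {
		fmt.Printf("sample.go:%d %s affected=%v (%s)\n", fd.Line, fd.Callee, fd.Affected, fd.Reason)
	}
}
```

The conservative default is the important design choice: a call is only excluded when the argument is a literal that provably matches, so `unix.AT_EACCESS` (a selector the parser does not resolve) and a plain variable both stay flagged. Note that `unix.Access` is not reported at all here because it is not the vulnerable symbol; handling the case in the report, where a wrapper always passes the unaffected constant into the vulnerable function, would need the same check applied to the wrapper's body, which is the part the report argues vulncheck would have to encode.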

zpavlinovic commented 2 years ago

Thank you for reporting this issue!

It is currently out of scope for vulncheck to automatically do analysis of call arguments to vulnerable symbols. However, unix.Access should not be considered a vulnerable symbol for the reasons you outlined. We'll investigate a potential remedy.