golang / go

The Go programming language
https://go.dev
BSD 3-Clause "New" or "Revised" License

x/text/unicode: possible array out of bounds from static analyzer result #66563

Open nd-cyberprotect opened 3 months ago

nd-cyberprotect commented 3 months ago

Go version

go version go1.21.6 linux/amd64

Output of go env in your module/workspace:

GO111MODULE='on'
GOARCH='amd64'
GOBIN=''
GOCACHE='/home/me/.cache/go-build'
GOENV='/home/me/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/home/me/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/home/me/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.21.6'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/home/me/go/src/myproject/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build3397856602=/tmp/go-build -gno-record-gcc-switches'

What did you do?

Ran a static analyzer.

What did you see happen?

Got critical:

Accessing an element of array 'myproject/vendor/golang.org/x/text/unicode/norm.decomps' of size 19128 at forminfo.go:259 can lead to a buffer overflow, since the index 'v' can have an out of range value 32767, as indicated by a preceding conditional expression at forminfo.go:246.

What did you expect to see?

Please add a check on the index v for values in the range [len(decomps) : 32767], if it is necessary.

thanm commented 3 months ago

Thanks for the report. It would be helpful to post which static analyzer tool you used.

Given that you found this problem, would you like to send a patch?

thanm commented 3 months ago

@mpvl

nd-cyberprotect commented 3 months ago

It would be helpful to post which static analyzer tool you used.

Svace

nd-cyberprotect commented 3 months ago

Given that you found this problem, would you like to send a patch?

Is it enough to change 0x8000 to len(decomps) in x/text/unicode/norm/forminfo.go on line 246 like:

} else if v >= len(decomps) {

?
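A constructed Go example, added here and not code from x/text, showing the shape the analyzer flagged (a table index gated only by the constant 0x8000) beside the same lookup gated by len(decomps) as proposed above. The table contents, the simplified encoding and the function names are assumptions; in this example v is a uint16, so the length comparison needs an int conversion.

```go
package main

import "fmt"

// Constructed stand-in for the generated decomposition table. The real
// table in x/text/unicode/norm has 19128 entries; this one has 8.
var decomps = [...]byte{0x00, 0x02, 0x41, 0x42, 0x01, 0x43, 0x03, 0x44}

// Simplified encoding, modelled on the issue's description: a lookup value v
// with the high bit set (v >= 0x8000) carries inline properties and is never
// a table index; any other non-zero v indexes decomps.
const inlineFlag = 0x8000

// lookupConstantGate mirrors the shape the analyzer flagged: the only thing
// keeping v out of the table is the constant 0x8000, so a malformed v in
// [len(decomps), 0x8000) reaches decomps[v]. Go bounds-checks the access, so
// the result is a runtime panic (a crash), not a silent memory over-read.
func lookupConstantGate(v uint16) int {
	if v == 0 || v >= inlineFlag {
		return 0 // no decomposition entry
	}
	return int(decomps[v])
}

// lookupLengthGate is the fix proposed in the issue: gate on the actual
// table length (v is uint16 here, so it needs an int conversion).
func lookupLengthGate(v uint16) int {
	if v == 0 || int(v) >= len(decomps) {
		return 0
	}
	return int(decomps[v])
}

// safeCall runs fn(v) and reports whether it panicked (constructed helper).
func safeCall(fn func(uint16) int, v uint16) (result int, panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	return fn(v), false
}

func main() {
	for _, v := range []uint16{5, 20, 0x8001} { // valid index, malformed range, inline value
		r1, p1 := safeCall(lookupConstantGate, v)
		r2, p2 := safeCall(lookupLengthGate, v)
		fmt.Printf("v=%#06x constant gate: %d (panic=%v)  length gate: %d (panic=%v)\n", v, r1, p1, r2, p2)
	}
}
```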

adonovan commented 3 months ago

as indicated by a preceding conditional expression

Yes, that looks like the right fix. Thanks.

It would be helpful to post which static analyzer tool you used. Svace

I hadn't heard of Svace before. Apparently it is a closed-source, multi-language, deep (interprocedural, context-sensitive, path-sensitive, SMT) static analysis tool developed at the Russian Academy of Sciences, and Samsung has been using it for many years. See:

thanm commented 3 months ago

Samsung has been using it

TIL that Samsung has "90 different C/C++ compilers" being used in house. Yikes.