|author||Michael Knyszek <firstname.lastname@example.org>||Thu Sep 02 16:51:59 2021 -0400|
|committer||Michael Knyszek <email@example.com>||Thu Oct 07 14:55:06 2021 +0000|
[release-branch.go1.16] misc/wasm, cmd/link: do not let command line args overwrite global data

On Wasm, wasm_exec.js puts command line arguments at the beginning of the linear memory (following the "zero page"). Currently there is no limit for this, and a very long command line can overwrite the program's data section. Prevent this by limiting the command line to 4096 bytes, and in the linker ensuring the data section starts at a high enough address (8192).

(Arguably our address assignment on Wasm is a bit confusing. This is the minimum fix I can come up with.)

Thanks to Ben Lubar for reporting this issue.

Change by Cherry Mui <firstname.lastname@example.org>.

For #48797
Fixes #48799
Fixes CVE-2021-38297

Change-Id: I0f50fbb2a5b6d0d047e3c134a88988d9133e4ab3
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1205933
Reviewed-by: Roland Shoemaker <email@example.com>
Reviewed-by: Than McIntosh <firstname.lastname@example.org>
Reviewed-on: https://go-review.googlesource.com/c/go/+/354591
Trust: Michael Knyszek <email@example.com>
Reviewed-by: Heschi Kreinick <firstname.lastname@example.org>
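
The bound described in the commit message above, as an added example that is not the Go project's wasm_exec.js or linker code: it lays arguments into a constructed linear memory and refuses any layout that would reach the data section. The 4096-byte limit and the 8192 data start come from the commit message; the 4096-byte zero page, the 8-byte alignment, the pointer-table layout and the names `placeArgs`, `freshMemory` and `dataIntact` are assumptions made for illustration.

```javascript
// Added illustration, not wasm_exec.js. Numbers come from the commit message,
// except ARG_BASE, which assumes a 4096-byte "zero page".
const ARG_BASE = 4096;      // assumption: first byte after the zero page
const ARG_LIMIT = 4096;     // commit message: command line limited to 4096 bytes
const MIN_DATA_ADDR = 8192; // commit message: data section starts no lower than this

// Lays out NUL-terminated, 8-byte-aligned argument strings followed by the
// argv pointer table. With enforce=true every reservation is bounds-checked
// before any byte is written; enforce=false models the pre-fix behaviour.
function placeArgs(mem, args, enforce = true) {
  const enc = new TextEncoder();
  const view = new DataView(mem.buffer, mem.byteOffset, mem.byteLength);
  let offset = ARG_BASE;
  const reserve = (n) => {
    const start = offset;
    const end = start + n + ((8 - ((start + n) % 8)) % 8);
    if (enforce && (end - ARG_BASE > ARG_LIMIT || end > MIN_DATA_ADDR)) {
      throw new RangeError(`command line exceeds ${ARG_LIMIT} bytes`);
    }
    offset = end;
    return start;
  };
  const ptrs = args.map((a) => {
    const bytes = enc.encode(a + "\0");
    const at = reserve(bytes.length);
    mem.set(bytes, at);
    return at;
  });
  const argv = reserve(ptrs.length * 8);
  ptrs.forEach((p, i) => view.setBigUint64(argv + i * 8, BigInt(p), true));
  return { argc: ptrs.length, argv, end: offset };
}

// Constructed linear memory: 16 KiB with a sentinel standing in for program
// data at MIN_DATA_ADDR.
function freshMemory() {
  const mem = new Uint8Array(16384);
  mem.fill(0xaa, MIN_DATA_ADDR, MIN_DATA_ADDR + 64);
  return mem;
}

// True if the stand-in data section is still intact.
function dataIntact(mem) {
  return mem.subarray(MIN_DATA_ADDR, MIN_DATA_ADDR + 64).every((b) => b === 0xaa);
}
```

Calling `placeArgs` with `enforce` set to `false` on the same oversized input shows the sentinel bytes being overwritten, which is the condition the limit prevents.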
Go is an open source programming language that makes it easy to build simple, reliable, and efficient software.
Unless otherwise noted, the Go source files are distributed under the BSD-style license found in the LICENSE file.
Official binary distributions are available at https://golang.org/dl/.
After downloading a binary release, visit https://golang.org/doc/install for installation instructions.
If a binary distribution is not available for your combination of operating system and architecture, visit https://golang.org/doc/install/source for source installation instructions.
Go is the work of thousands of contributors. We appreciate your help!
To contribute, please read the contribution guidelines at https://golang.org/doc/contribute.html.
Note that the Go project uses the issue tracker for bug reports and proposals only. See https://golang.org/wiki/Questions for a list of places to ask questions about the Go language.