commit | 77f2750f4398990eed972186706f160631d7dae4 | [log] [tgz] |
---|---|---|
author | Cherry Mui <cherryyz@google.com> | Thu Sep 02 16:51:59 2021 -0400 |
committer | Michael Knyszek <mknyszek@google.com> | Thu Oct 07 18:45:53 2021 +0000 |
tree | 7a1091cde70530c889b72ad8bd471de1fcc0853f | |
parent | 2043b3b47b3ca76d8ce44f05a77e48d2291b6fc6 [diff] |
misc/wasm, cmd/link: do not let command line args overwrite global data On Wasm, wasm_exec.js puts command line arguments at the beginning of the linear memory (following the "zero page"). Currently there is no limit for this, and a very long command line can overwrite the program's data section. Prevent this by limiting the command line to 4096 bytes, and in the linker ensuring the data section starts at a high enough address (8192). (Arguably our address assignment on Wasm is a bit confusing. This is the minimum fix I can come up with.) Thanks to Ben Lubar for reporting this issue. Fixes #48797 Fixes CVE-2021-38297 Change-Id: I0f50fbb2a5b6d0d047e3c134a88988d9133e4ab3 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1205933 Reviewed-by: Roland Shoemaker <bracewell@google.com> Reviewed-by: Than McIntosh <thanm@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/354571 Reviewed-by: Cherry Mui <cherryyz@google.com> Reviewed-by: Heschi Kreinick <heschi@google.com> Trust: Michael Knyszek <mknyszek@google.com> Run-TryBot: Michael Knyszek <mknyszek@google.com> TryBot-Result: Go Bot <gobot@golang.org>
Go is an open source programming language that makes it easy to build simple, reliable, and efficient software.
Gopher image by Renee French, licensed under Creative Commons 3.0 Attributions license.
Our canonical Git repository is located at https://go.googlesource.com/go. There is a mirror of the repository at https://github.com/golang/go.
Unless otherwise noted, the Go source files are distributed under the BSD-style license found in the LICENSE file.
Official binary distributions are available at https://golang.org/dl/.
After downloading a binary release, visit https://golang.org/doc/install for installation instructions.
If a binary distribution is not available for your combination of operating system and architecture, visit https://golang.org/doc/install/source for source installation instructions.
Go is the work of thousands of contributors. We appreciate your help!
To contribute, please read the contribution guidelines at https://golang.org/doc/contribute.
Note that the Go project uses the issue tracker for bug reports and proposals only. See https://golang.org/wiki/Questions for a list of places to ask questions about the Go language.