Google Git
Sign in
go / go / ac68c6c683409f98250d34ad282b9e1b0c9095ef^! / .
commitac68c6c683409f98250d34ad282b9e1b0c9095ef[log] [tgz]
authorJulie Qiu <julieqiu@google.com>Thu Jun 23 23:18:56 2022 +0000
committerMichael Knyszek <mknyszek@google.com>Tue Jul 12 15:06:01 2022 +0000
treeebe38cf09a612019da30edc542ba65c9918cacf9
parentfa2d41d0ca736f3ad6b200b2a4e134364e9acc59 [diff]
path/filepath: fix stack exhaustion in Glob

A limit is added to the number of path separators allowed by an input to
Glob, to prevent stack exhaustion issues.

Thanks to Juho Nurminen of Mattermost who reported the issue.

Fixes CVE-2022-30632
Fixes #53416

Change-Id: I1b9fd4faa85411a05dbc91dceae1c0c8eb021f07
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1498176
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/417066
Reviewed-by: Heschi Kreinick <heschi@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Michael Knyszek <mknyszek@google.com>

diff --git a/src/path/filepath/match.go b/src/path/filepath/match.go
index 847a7813..b5cc4b8 100644
--- a/src/path/filepath/match.go
+++ b/src/path/filepath/match.go

@@ -240,6 +240,16 @@
 // The only possible returned error is ErrBadPattern, when pattern
 // is malformed.
 func Glob(pattern string) (matches []string, err error) {
+	return globWithLimit(pattern, 0)
+}
+
+func globWithLimit(pattern string, depth int) (matches []string, err error) {
+	// This limit is used prevent stack exhaustion issues. See CVE-2022-30632.
+	const pathSeparatorsLimit = 10000
+	if depth == pathSeparatorsLimit {
+		return nil, ErrBadPattern
+	}
+
 	// Check pattern is well-formed.
 	if _, err := Match(pattern, ""); err != nil {
 		return nil, err
@@ -269,7 +279,7 @@
 	}
 
 	var m []string
-	m, err = Glob(dir)
+	m, err = globWithLimit(dir, depth+1)
 	if err != nil {
 		return
 	}

diff --git a/src/path/filepath/match_test.go b/src/path/filepath/match_test.go
index 375c41a..d628259 100644
--- a/src/path/filepath/match_test.go
+++ b/src/path/filepath/match_test.go

@@ -155,6 +155,16 @@
 	}
 }
 
+func TestCVE202230632(t *testing.T) {
+	// Prior to CVE-2022-30632, this would cause a stack exhaustion given a
+	// large number of separators (more than 4,000,000). There is now a limit
+	// of 10,000.
+	_, err := Glob("/*" + strings.Repeat("/", 10001))
+	if err != ErrBadPattern {
+		t.Fatalf("Glob returned err=%v, want ErrBadPattern", err)
+	}
+}
+
 func TestGlobError(t *testing.T) {
 	bad := []string{`[]`, `nonexist/[]`}
 	for _, pattern := range bad {