id: GO-2022-0247
modules:
    - module: cmd
      versions:
        - fixed: 1.16.9
        - introduced: 1.17.0-0
        - fixed: 1.17.2
      vulnerable_at: 1.17.1
      packages:
        - package: cmd/link
          goos:
            - js
          goarch:
            - wasm
          symbols:
            - Link.address
          skip_fix: fix does not work with Go <1.18
summary: Buffer overflow in WASM modules in misc/wasm and cmd/link
description: |-
    When invoking functions from WASM modules, built using GOARCH=wasm GOOS=js,
    passing very large arguments can cause portions of the module to be overwritten
    with data from the arguments due to a buffer overflow error.

    If using wasm_exec.js to execute WASM modules, users will need to replace their
    copy (as described in https://golang.org/wiki/WebAssembly#getting-started) after
    rebuilding any modules.
published: 2022-05-24T20:14:28Z
cves:
    - CVE-2021-38297
credits:
    - Ben Lubar
references:
    - fix: https://go.dev/cl/354571
    - fix: https://go.googlesource.com/go/+/77f2750f4398990eed972186706f160631d7dae4
    - report: https://go.dev/issue/48797
    - web: https://groups.google.com/g/golang-announce/c/AEBu9j7yj5A
review_status: REVIEWED