1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
|
From 35d1dfe9746029aea9027b405c75555d41ffd2f8 Mon Sep 17 00:00:00 2001
From: Hitendra Prajapati <hprajapati@mvista.com>
Date: Thu, 25 Aug 2022 13:12:40 +0530
Subject: [PATCH] CVE-2022-30632
Upstream-Status: Backport [https://github.com/golang/go/commit/76f8b7304d1f7c25834e2a0cc9e88c55276c47df]
CVE: CVE-2022-30632
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
src/path/filepath/match.go | 16 +++++++++++++++-
src/path/filepath/match_test.go | 10 ++++++++++
2 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/src/path/filepath/match.go b/src/path/filepath/match.go
index 46badb5..ba68daa 100644
--- a/src/path/filepath/match.go
+++ b/src/path/filepath/match.go
@@ -232,6 +232,20 @@ func getEsc(chunk string) (r rune, nchunk string, err error) {
// The only possible returned error is ErrBadPattern, when pattern
// is malformed.
func Glob(pattern string) (matches []string, err error) {
+ return globWithLimit(pattern, 0)
+}
+
+func globWithLimit(pattern string, depth int) (matches []string, err error) {
+ // This limit is used prevent stack exhaustion issues. See CVE-2022-30632.
+ const pathSeparatorsLimit = 10000
+ if depth == pathSeparatorsLimit {
+ return nil, ErrBadPattern
+ }
+
+ // Check pattern is well-formed.
+ if _, err := Match(pattern, ""); err != nil {
+ return nil, err
+ }
if !hasMeta(pattern) {
if _, err = os.Lstat(pattern); err != nil {
return nil, nil
@@ -257,7 +271,7 @@ func Glob(pattern string) (matches []string, err error) {
}
var m []string
- m, err = Glob(dir)
+ m, err = globWithLimit(dir, depth+1)
if err != nil {
return
}
diff --git a/src/path/filepath/match_test.go b/src/path/filepath/match_test.go
index b865762..c37c812 100644
--- a/src/path/filepath/match_test.go
+++ b/src/path/filepath/match_test.go
@@ -154,6 +154,16 @@ func TestGlob(t *testing.T) {
}
}
+func TestCVE202230632(t *testing.T) {
+ // Prior to CVE-2022-30632, this would cause a stack exhaustion given a
+ // large number of separators (more than 4,000,000). There is now a limit
+ // of 10,000.
+ _, err := Glob("/*" + strings.Repeat("/", 10001))
+ if err != ErrBadPattern {
+ t.Fatalf("Glob returned err=%v, want ErrBadPattern", err)
+ }
+}
+
func TestGlobError(t *testing.T) {
_, err := Glob("[]")
if err == nil {
--
2.25.1
|