Bug 2012887 (CVE-2021-38297) - CVE-2021-38297 golang: Command-line arguments may overwrite global data
Summary: CVE-2021-38297 golang: Command-line arguments may overwrite global data
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-38297
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2014921 2015199 2013628 2014920 2014922 2014923 2015107 2015108 2015109 2015198
Blocks: 2012888
TreeView+ depends on / blocked
 
Reported: 2021-10-11 14:23 UTC by Pedro Sampaio
Modified: 2022-05-17 09:56 UTC (History)
110 users (show)

Fixed In Version: go 1.17.2, go 1.16.9
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in golang. This vulnerability can only be triggered when invoking functions from vulnerable WASM (WebAssembly) Modules. Go can be compiled to WASM. If the product or service doesn't use WASM functions, it is not affected, although it uses golang.
Clone Of:
Environment:
Last Closed: 2022-05-11 18:45:25 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:0432 0 None None None 2022-02-03 16:08:01 UTC
Red Hat Product Errata RHSA-2022:0434 0 None None None 2022-02-03 18:25:24 UTC
Red Hat Product Errata RHSA-2022:1819 0 None None None 2022-05-10 13:38:49 UTC

Description Pedro Sampaio 2021-10-11 14:23:01 UTC
When invoking functions from WASM modules, built using GOARCH=wasm GOOS=js, passing very large arguments can cause portions of the module to be overwritten with data from the arguments.

If using wasm_exec.js to execute WASM modules, users will need to replace their copy (as described in https://golang.org/wiki/WebAssembly#getting-started) after rebuilding any modules.

References:

https://github.com/golang/go/issues/48797
https://groups.google.com/g/golang-announce/c/AEBu9j7yj5A

Comment 3 Summer Long 2021-10-14 01:59:28 UTC

Comment 6 Summer Long 2021-10-18 00:27:12 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2014920]
Affects: fedora-all [bug 2014923]
Affects: openstack-rdo [bug 2014921]

Comment 18 errata-xmlrpc 2022-02-03 16:07:55 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2022:0432 https://access.redhat.com/errata/RHSA-2022:0432

Comment 19 errata-xmlrpc 2022-02-03 18:25:19 UTC
This issue has been addressed in the following products:

  Openshift Serveless 1.20

Via RHSA-2022:0434 https://access.redhat.com/errata/RHSA-2022:0434

Comment 23 errata-xmlrpc 2022-05-10 13:38:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1819 https://access.redhat.com/errata/RHSA-2022:1819

Comment 24 Product Security DevOps Team 2022-05-11 18:45:20 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-38297


Note You need to log in before you can comment on or make changes to this bug.