CVE-2020-8945: Ensure finalizers don't deallocate GPGME objects while C code is still using them by mtrmac · Pull Request #23 · proglottis/gpgme
The proglottis Go wrapper before 0.1.1 for the GPGME library has a use-after-free, as demonstrated by use for container image pulls by Docker or CRI-O. This leads to a crash or potential code execution during GPG signature verification.
A more explicit demonstration:
```go
package main

import (
	"fmt"
	"math/rand"
	"runtime"
)

type pointerBinding struct {
	managed uint64
}

func newPointerBinding() *pointerBinding {
	ptr := &pointerBinding{}
	runtime.SetFinalizer(ptr, (*pointerBinding).Finalizer)
	ptr.managed = rand.Uint64() // Could come from CGo
	fmt.Printf("Created %p, managed value %v\n", ptr, ptr.managed)
	return ptr
}

func (ptr *pointerBinding) Finalizer() {
	fmt.Printf("Finalizing %p, managed value %v\n", ptr, ptr.managed)
	// Free ptr.managed via CGo
	ptr.managed = 0
}

func (ptr *pointerBinding) functionBinding() {
	fmt.Printf("Calling function for %p, managed value %v\n", ptr, ptr.managed)
	underlyingFunction(ptr.managed)
	fmt.Printf("Done\n")
	// No reference to ptr here, or the behavior would change
	// HERE runtime.KeepAlive(ptr)
}

func underlyingFunction(pointer uint64) {
	runtime.GC()
	fmt.Printf("Underlying function, managed value %v\n", pointer)
}

func main() {
	ptr := newPointerBinding()
	ptr.functionBinding()
	runtime.GC()
}
```
As is:
```
$ GOTRACEBACK=crash GODEBUG=clobberfree=1,cgocheck=2 go run ./standalone.go
Created 0xc000014080, managed value 5577006791947779410
Calling function for 0xc000014080, managed value 5577006791947779410
Finalizing 0xc000014080, managed value 5577006791947779410
Underlying function, managed value 5577006791947779410
Done
```

Note that "Finalizing" happens before "Underlying function" is done with the managed value.
Uncommenting the runtime.KeepAlive at “HERE”:
```
$ GOTRACEBACK=crash GODEBUG=clobberfree=1,cgocheck=2 go run ./standalone.go
Created 0xc000014080, managed value 5577006791947779410
Calling function for 0xc000014080, managed value 5577006791947779410
Underlying function, managed value 5577006791947779410
Done
Finalizing 0xc000014080, managed value 5577006791947779410
```
works as expected. (Without the GO* variables, the finalizer is actually never run, but that’s fine for our purposes as well.)
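The fixed form of the wrapper pattern, as an added example that is not part of the pull request or of the gpgme package: `cObject`, `cUse`, `Context` and `Verify` are constructed stand-ins for the C side and the Go binding, and the "freed" flag exists only so that a use-after-free is reported as an error instead of corrupting memory.

```go
package main

import (
	"errors"
	"runtime"
	"sync/atomic"
)

// cObject simulates memory owned by the C side of a cgo binding (constructed
// stand-in, not GPGME's real structures); freed makes a use-after-free visible.
type cObject struct{ freed int32 }

func cAlloc() *cObject { return &cObject{} }
func cFree(o *cObject) { atomic.StoreInt32(&o.freed, 1) }

// cUse models a C call on the object. Like underlyingFunction in the PR
// description it forces a GC first, so a pending finalizer can run mid-call.
func cUse(o *cObject) error {
	runtime.GC()
	if o == nil || atomic.LoadInt32(&o.freed) == 1 {
		return errors.New("use-after-free: object released during call")
	}
	return nil
}

// Context wraps the C object the way a Go binding wraps a C handle
// (hypothetical type, not the gpgme package's own); Release is its finalizer.
type Context struct{ obj *cObject }

func NewContext() *Context {
	c := &Context{obj: cAlloc()}
	runtime.SetFinalizer(c, (*Context).Release)
	return c
}

func (c *Context) Release() {
	if c.obj != nil {
		cFree(c.obj)
		c.obj = nil
	}
}

// Verify hands the C object to "C", then pins the receiver with
// runtime.KeepAlive. Without that line c is unreachable as soon as c.obj has
// been read, so the finalizer may free the object while cUse still runs.
func (c *Context) Verify() error {
	err := cUse(c.obj)
	runtime.KeepAlive(c)
	return err
}
```

Because KeepAlive keeps the receiver reachable until after the C call returns, the finalizer cannot run during `cUse` no matter how the collector is scheduled, which is why the check passes deterministically while the unpinned version in the PR description fails only when GC timing happens to line up.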
Related news
Red Hat Security Advisory 2022-6119-01 - The podman tool manages pods, container images, and containers. It is part of the libpod library, which is for applications that use container pods. Container pods is a concept in Kubernetes.
An update for podman is now available for Red Hat Enterprise Linux 7 Extras. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
* CVE-2022-2738: podman: Security regression of CVE-2020-8945 due to source code management issue
* CVE-2022-2739: podman: Security regression of CVE-2020-14370 due to source code management issue