sirupsen / logrus

Structured, pluggable logging for Go.

[vuln] possible vulnerability

MushiTheMoshi opened this issue · comments

Hi guys, a friend of mine has recently started using this lib and he's getting something that looks like a possible vulnerability to us.

package main

import (
   "github.com/sirupsen/logrus"
   "github.com/davecgh/go-spew/spew"
)

func main() {
	log := logrus.New()
	spew.Dump(log)
}

SPEW LOG:

(*logrus.Logger)(0xc000100850)({
 Out: (*os.File)(0xc00000e020)({
  file: (*os.file)(0xc000058120)({
   pfd: (poll.FD) {
    fdmu: (poll.fdMutex) {
     state: (uint64) 0,
     rsema: (uint32) 0,
     wsema: (uint32) 0
    },
    Sysfd: (int) 2,
    pd: (poll.pollDesc) {
     runtimeCtx: (uintptr) <nil>
    },
    iovecs: (*[]syscall.Iovec)(<nil>),
    csema: (uint32) 0,
    isBlocking: (uint32) 1,
    IsStream: (bool) true,
    ZeroReadIsEOF: (bool) true,
    isFile: (bool) true
   },
   name: (string) (len=11) "/dev/stderr",
   dirinfo: (*os.dirInfo)(<nil>),
   nonblock: (bool) false,
   stdoutOrErr: (bool) true,
   appendMode: (bool) false
  })
 }),
 Hooks: (logrus.LevelHooks) {
 },
 Formatter: (*logrus.TextFormatter)(0xc000058300)({
  ForceColors: (bool) false,
  DisableColors: (bool) false,
  ForceQuote: (bool) false,
  DisableQuote: (bool) false,
  EnvironmentOverrideColors: (bool) false,
  DisableTimestamp: (bool) false,
  FullTimestamp: (bool) false,
  TimestampFormat: (string) "",
  DisableSorting: (bool) false,
  SortingFunc: (func([]string)) <nil>,
  DisableLevelTruncation: (bool) false,
  PadLevelText: (bool) false,
  QuoteEmptyFields: (bool) false,
  isTerminal: (bool) false,
  FieldMap: (logrus.FieldMap) <nil>,
  CallerPrettyfier: (func(*runtime.Frame) (string, string)) <nil>,
  terminalInitOnce: (sync.Once) {
   done: (uint32) 0,
   m: (sync.Mutex) {
    state: (int32) 0,
    sema: (uint32) 0
   }
  },
  levelTextMaxLength: (int) 0
 }),
 ReportCaller: (bool) false,
 Level: (logrus.Level) info,
 mu: (logrus.MutexWrap) {
  lock: (sync.Mutex) {
   state: (int32) 0,
   sema: (uint32) 0
  },
  disabled: (bool) false
 },
 entryPool: (sync.Pool) {
  noCopy: (sync.noCopy) {
  },
  local: (unsafe.Pointer) <nil>,                 <<< is this block correct?
  localSize: (uintptr) <nil>,
  victim: (unsafe.Pointer) <nil>,              <<< is "victim" and "victimSize" correct? 
  victimSize: (uintptr) <nil>, 
  New: (func() interface {}) <nil>
 },
 ExitFunc: (logrus.exitFunc) 0x4a5380
})

The last part seems a bit suspicious, is this normal? Are "victim" and "victimSize" part of the library?

Looking forward to hearing from you!

Regards,
Julio

If it's the words "victim" and "victimSize", then I think those come from https://github.com/golang/go/blob/master/src/sync/pool.go#L51; see golang/go@2dcbf8b

Oh, my mistake, please ignore this. You've got to admit the naming convention is a bit confusing, hehe.

Yes, the naming is definitely confusing; I also had to do a quick search to be sure (https://grep.app can be useful for that: https://grep.app/search?q=victimSize&filter[lang][0]=Go)

Oh, that's very useful. We couldn't find it in the lib, that's why we came up with the idea of a vuln. Thank you for your help!
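
The triage done in this thread by searching can also be done with reflection. The following is an added example, not part of the original thread or of logrus: it maps every field in a dumped struct to the package that declares it. The `logger` type is a constructed stand-in for `logrus.Logger`, and `fieldOrigins` and `origins` are hypothetical helper names.

```go
package main

import (
	"fmt"
	"reflect"
	"sort"
	"sync"
)

// logger is a constructed stand-in for logrus.Logger, reduced to the one
// field the dump flagged, so the example needs only the standard library.
type logger struct {
	entryPool sync.Pool
}

// fieldOrigins walks a struct type recursively and records, for every field
// path (exported or not), the import path of the package that declares it.
func fieldOrigins(t reflect.Type, prefix string, out map[string]string) {
	if t.Kind() != reflect.Struct {
		return
	}
	for i := 0; i < t.NumField(); i++ {
		f := t.Field(i)
		// A field is declared by the package that defines its enclosing struct.
		out[prefix+f.Name] = t.PkgPath()
		fieldOrigins(f.Type, prefix+f.Name+".", out)
	}
}

// origins returns the field-to-package map for the type behind v.
func origins(v interface{}) map[string]string {
	out := map[string]string{}
	t := reflect.TypeOf(v)
	for t.Kind() == reflect.Ptr {
		t = t.Elem()
	}
	fieldOrigins(t, "", out)
	return out
}

func main() {
	o := origins(&logger{})
	paths := make([]string, 0, len(o))
	for p := range o {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	for _, p := range paths {
		fmt.Printf("%-24s declared in %q\n", p, o[p])
	}
}
```

Fields under `entryPool.` are reported as declared in `sync`, which matches the pointer to `sync/pool.go` given in the reply above.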