[vuln] possible vulnerability
MushiTheMoshi opened this issue · comments
Hi Guys, a friend of mine have recently start using this lib and he's getting something that looks like a possible vulnerability to us.
package main
import (
"github.com/sirupsen/logrus"
"github.com/davecgh/go-spew/spew"
)
func main() {
log := logrus.New()
spew.Dump(log)
}
SPEW LOG:
(*logrus.Logger)(0xc000100850)({
Out: (*os.File)(0xc00000e020)({
file: (*os.file)(0xc000058120)({
pfd: (poll.FD) {
fdmu: (poll.fdMutex) {
state: (uint64) 0,
rsema: (uint32) 0,
wsema: (uint32) 0
},
Sysfd: (int) 2,
pd: (poll.pollDesc) {
runtimeCtx: (uintptr) <nil>
},
iovecs: (*[]syscall.Iovec)(<nil>),
csema: (uint32) 0,
isBlocking: (uint32) 1,
IsStream: (bool) true,
ZeroReadIsEOF: (bool) true,
isFile: (bool) true
},
name: (string) (len=11) "/dev/stderr",
dirinfo: (*os.dirInfo)(<nil>),
nonblock: (bool) false,
stdoutOrErr: (bool) true,
appendMode: (bool) false
})
}),
Hooks: (logrus.LevelHooks) {
},
Formatter: (*logrus.TextFormatter)(0xc000058300)({
ForceColors: (bool) false,
DisableColors: (bool) false,
ForceQuote: (bool) false,
DisableQuote: (bool) false,
EnvironmentOverrideColors: (bool) false,
DisableTimestamp: (bool) false,
FullTimestamp: (bool) false,
TimestampFormat: (string) "",
DisableSorting: (bool) false,
SortingFunc: (func([]string)) <nil>,
DisableLevelTruncation: (bool) false,
PadLevelText: (bool) false,
QuoteEmptyFields: (bool) false,
isTerminal: (bool) false,
FieldMap: (logrus.FieldMap) <nil>,
CallerPrettyfier: (func(*runtime.Frame) (string, string)) <nil>,
terminalInitOnce: (sync.Once) {
done: (uint32) 0,
m: (sync.Mutex) {
state: (int32) 0,
sema: (uint32) 0
}
},
levelTextMaxLength: (int) 0
}),
ReportCaller: (bool) false,
Level: (logrus.Level) info,
mu: (logrus.MutexWrap) {
lock: (sync.Mutex) {
state: (int32) 0,
sema: (uint32) 0
},
disabled: (bool) false
},
entryPool: (sync.Pool) {
noCopy: (sync.noCopy) {
},
local: (unsafe.Pointer) <nil>, <<< is this block correct?
localSize: (uintptr) <nil>,
victim: (unsafe.Pointer) <nil>, <<< is "victim" and "victimSize" correct?
victimSize: (uintptr) <nil>,
New: (func() interface {}) <nil>
},
ExitFunc: (logrus.exitFunc) 0x4a5380
})
The last part seems a bit suspicious, is this normal ? , is "victim" and "victimSize" part of the library?
Looking forward to hearing from you!
Regards,
Julio
If it's the words "victim" and "victimSize", then I think those come from https://github.com/golang/go/blob/master/src/sync/pool.go#L51; see golang/go@2dcbf8b
oh my mistake, please ignore this, you got to admit name convention is a bit confusing hehe.
Yes, the naming is definitely confusing; I also had to do a quick search to be sure (https://grep.app can be useful for that: https://grep.app/search?q=victimSize&filter[lang][0]=Go)
oh that's very useful, we couldn't find it in the lib that's why we came across with the idea of a vuln. Thank you for your help!