[Go]: Query To Detect Denial Of Service Vulnerability #809

@Malayke

Description

Query PR

github/codeql#15130

Language

GoLang

CVE(s) ID list

CWE

CWE-770

Report

  1. What is the vulnerability?

The vulnerability in Go occurs when the built-in make function is used to create slices from user-controlled sources with a maliciously large value. This can lead to excessive memory allocation and potentially result in a denial of service attack. By providing inputs that exceed the expected memory and capacity constraints, attackers can overwhelm the system and cause it to become unresponsive.

  2. How does the vulnerability work?

The vulnerability arises when the make function is used to create slices from user-controlled sources with a size parameter that exceeds a certain threshold. This triggers excessive memory allocation, which can lead to a denial of service. Attackers exploit this vulnerability by providing inputs that go beyond the intended boundaries, overwhelming the system and rendering it unresponsive.

  3. What strategy do you use in your query to find the vulnerability?

The query searches for code patterns where the make function is used to create slices from user-controlled sources. It then checks if the provided size exceeds a specific threshold, indicating a potential vulnerability.

  4. How have you reduced the number of false positives?

To minimize false positives, the query includes specific criteria that exclude potential false positives. It verifies if a size comparison has been applied to the second parameter passed to the make function. This helps differentiate between legitimate instances and potentially vulnerable ones.

  5. Other information?

To reproduce the vulnerability, follow these steps:

  1. Clone the repository: git clone https://github.com/distribution/distribution
  2. Checkout the specific branch: git checkout -b v2.8.2-beta.1
  3. Generate the database.
  4. Run the query to identify potential vulnerabilities in the codebase.

Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).

  • Yes
  • No

Blog post link

No response
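
The pattern the report describes, shown as an added Go example that is not part of the submitter's report, the CodeQL query, or the distribution/distribution code base: a length prefix read from an untrusted stream flows straight into `make`, beside a hardened version that compares the value against a limit before allocating, which is the kind of size check on the second argument of `make` that the query treats as sanitizing. The example generalizes from the report to any length-prefixed input. The function names (`readFrameUnsafe`, `readFrame`, `encodeFrame`, `allocDelta`), the wire format and the 1 MiB limit are assumptions made for this example.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"io"
	"runtime"
)

// maxFrameLen is an assumed application-specific ceiling on a frame body.
// Any bound derived from the protocol or request budget works; the point is
// that the attacker-controlled length is compared before make() runs.
const maxFrameLen = 1 << 20 // 1 MiB, assumption for this example

// readFrameUnsafe is the pattern the report describes: the 4-byte big-endian
// length prefix is read from the untrusted stream and handed straight to make.
// A peer that sends 0xFFFFFFFF forces a ~4 GiB allocation before any payload
// arrives, so a handful of such headers exhausts memory. Vulnerable; do not use.
func readFrameUnsafe(r io.Reader) ([]byte, error) {
	var hdr [4]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return nil, err
	}
	n := binary.BigEndian.Uint32(hdr[:])
	buf := make([]byte, n) // size flows from the wire with no check
	if _, err := io.ReadFull(r, buf); err != nil {
		return nil, err
	}
	return buf, nil
}

// readFrame is the hardened form: the claimed length is bounded before the
// allocation happens. The comparison on n is the size check the query looks
// for on make's second argument.
func readFrame(r io.Reader) ([]byte, error) {
	var hdr [4]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return nil, err
	}
	n := binary.BigEndian.Uint32(hdr[:])
	if n > maxFrameLen {
		return nil, fmt.Errorf("frame length %d exceeds limit %d", n, maxFrameLen)
	}
	buf := make([]byte, n)
	if _, err := io.ReadFull(r, buf); err != nil {
		return nil, err
	}
	return buf, nil
}

// encodeFrame builds a frame whose header claims `claimed` bytes but whose
// body is `body`; with claimed == len(body) it is well formed. These are
// constructed sample inputs for this example, not captured traffic.
func encodeFrame(claimed uint32, body []byte) []byte {
	var hdr [4]byte
	binary.BigEndian.PutUint32(hdr[:], claimed)
	return append(hdr[:], body...)
}

// allocDelta reports how many bytes the Go heap handed out while f ran.
// TotalAlloc is cumulative, so the delta does not depend on GC timing.
func allocDelta(f func()) uint64 {
	var before, after runtime.MemStats
	runtime.ReadMemStats(&before)
	f()
	runtime.ReadMemStats(&after)
	return after.TotalAlloc - before.TotalAlloc
}

func main() {
	// Hostile frame: the header claims 16 MiB, only two bytes follow.
	hostile := encodeFrame(16<<20, []byte("xx"))

	unsafeBytes := allocDelta(func() {
		_, err := readFrameUnsafe(bytes.NewReader(hostile))
		fmt.Println("unsafe:", err) // io.ErrUnexpectedEOF, but only after allocating
	})
	safeBytes := allocDelta(func() {
		_, err := readFrame(bytes.NewReader(hostile))
		fmt.Println("safe:  ", err) // rejected before make() is reached
	})
	fmt.Printf("heap allocated: unsafe=%d bytes, safe=%d bytes\n", unsafeBytes, safeBytes)

	body, _ := readFrame(bytes.NewReader(encodeFrame(5, []byte("hello"))))
	fmt.Printf("well-formed frame: %q\n", body)
}
```

Two details matter when auditing or fixing this pattern. The comparison has to bound the same value that reaches `make`: a check on a different variable, or one applied after the allocation, does not help, and a query keyed on "is there a comparison on the second argument" will still flag the former correctly. And the cost of `make([]T, n)` is `n * sizeof(T)`, so a modest `n` paired with a large element type is still worth bounding; an alternative to an explicit limit on `n` is to read the body through `io.LimitReader` and grow the buffer as bytes actually arrive.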

Metadata

Labels

All For One (Submissions to the All for One, One for All bounty)