diff options
| author | Damien Neil <dneil@google.com> | 2026-03-23 13:12:44 -0700 |
|---|---|---|
| committer | David Chase <drchase@google.com> | 2026-04-07 18:43:30 -0700 |
| commit | 899e473c3b4872a9001ce1df60e6cb575502ebb0 (patch) | |
| tree | 26f512bf86db990c2ed3ea3c9defde4972fba0b9 /src | |
| parent | e186f8d25cfd86ed4c530e319712ae338a165a4e (diff) | |
| download | go-899e473c3b4872a9001ce1df60e6cb575502ebb0.tar.xz | |
archive/tar: limit the number of old GNU sparse format entries
We did not set a limit on the maximum size of sparse maps in
the old GNU sparse format. Set a limit based on the cumulative
size of the extension blocks used to encode the map (consistent
with how we limit the sparse map size for other formats).
Add an additional limit to the total number of sparse file entries,
regardless of encoding, to all sparse formats.
Thanks to Colin Walters (walters@verbum.org),
Uuganbayar Lkhamsuren (https://github.com/uug4na),
and Jakub Ciolek for reporting this issue.
Fixes #78301
Fixes CVE-2026-32288
Change-Id: I84877345d7b41cc60c58771860ba70e16a6a6964
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3901
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/763766
Auto-Submit: David Chase <drchase@google.com>
TryBot-Bypass: David Chase <drchase@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Jakub Ciolek <jakub@ciolek.dev>
Diffstat (limited to 'src')
| -rw-r--r-- | src/archive/tar/format.go | 6 | ||||
| -rw-r--r-- | src/archive/tar/reader.go | 28 | ||||
| -rw-r--r-- | src/archive/tar/reader_test.go | 11 |
3 files changed, 41 insertions, 4 deletions
diff --git a/src/archive/tar/format.go b/src/archive/tar/format.go index 9954b4d9f5..32e58a9d9b 100644 --- a/src/archive/tar/format.go +++ b/src/archive/tar/format.go @@ -147,6 +147,12 @@ const ( // Max length of a special file (PAX header, GNU long name or link). // This matches the limit used by libarchive. maxSpecialFileSize = 1 << 20 + + // Maximum number of sparse file entries. + // We should never actually hit this limit + // (every sparse encoding will first be limited by maxSpecialFileSize), + // but this adds an additional layer of defense. + maxSparseFileEntries = 1 << 20 ) // blockPadding computes the number of bytes needed to pad offset up to the diff --git a/src/archive/tar/reader.go b/src/archive/tar/reader.go index 16ac2f5b17..f85b998625 100644 --- a/src/archive/tar/reader.go +++ b/src/archive/tar/reader.go @@ -490,7 +490,8 @@ func (tr *Reader) readOldGNUSparseMap(hdr *Header, blk *block) (sparseDatas, err } s := blk.toGNU().sparse() spd := make(sparseDatas, 0, s.maxEntries()) - for { + totalSize := len(s) + for totalSize < maxSpecialFileSize { for i := 0; i < s.maxEntries(); i++ { // This termination condition is identical to GNU and BSD tar. if s.entry(i).offset()[0] == 0x00 { @@ -501,7 +502,11 @@ func (tr *Reader) readOldGNUSparseMap(hdr *Header, blk *block) (sparseDatas, err if p.err != nil { return nil, p.err } - spd = append(spd, sparseEntry{Offset: offset, Length: length}) + var err error + spd, err = appendSparseEntry(spd, sparseEntry{Offset: offset, Length: length}) + if err != nil { + return nil, err + } } if s.isExtended()[0] > 0 { @@ -510,10 +515,12 @@ func (tr *Reader) readOldGNUSparseMap(hdr *Header, blk *block) (sparseDatas, err return nil, err } s = blk.toSparse() + totalSize += len(s) continue } return spd, nil // Done } + return nil, errSparseTooLong } // readGNUSparseMap1x0 reads the sparse map as stored in GNU's PAX sparse format @@ -586,7 +593,10 @@ func readGNUSparseMap1x0(r io.Reader) (sparseDatas, error) { if err1 != nil || err2 != nil { return nil, ErrHeader } - spd = append(spd, sparseEntry{Offset: offset, Length: length}) + spd, err = appendSparseEntry(spd, sparseEntry{Offset: offset, Length: length}) + if err != nil { + return nil, err + } } return spd, nil } @@ -620,12 +630,22 @@ func readGNUSparseMap0x1(paxHdrs map[string]string) (sparseDatas, error) { if err1 != nil || err2 != nil { return nil, ErrHeader } - spd = append(spd, sparseEntry{Offset: offset, Length: length}) + spd, err = appendSparseEntry(spd, sparseEntry{Offset: offset, Length: length}) + if err != nil { + return nil, err + } sparseMap = sparseMap[2:] } return spd, nil } +func appendSparseEntry(spd sparseDatas, ent sparseEntry) (sparseDatas, error) { + if len(spd) >= maxSparseFileEntries { + return nil, errSparseTooLong + } + return append(spd, ent), nil +} + // Read reads from the current file in the tar archive. // It returns (0, io.EOF) when it reaches the end of that file, // until [Next] is called to advance to the next file. diff --git a/src/archive/tar/reader_test.go b/src/archive/tar/reader_test.go index c7611ca044..a324674cb7 100644 --- a/src/archive/tar/reader_test.go +++ b/src/archive/tar/reader_test.go @@ -1145,6 +1145,17 @@ func TestReadOldGNUSparseMap(t *testing.T) { input: makeInput(FormatGNU, "", makeSparseStrings(sparseDatas{{10 << 30, 512}, {20 << 30, 512}})...), wantMap: sparseDatas{{10 << 30, 512}, {20 << 30, 512}}, + }, { + input: makeInput(FormatGNU, "", + makeSparseStrings(func() sparseDatas { + var datas sparseDatas + // This is more than enough entries to exceed our limit. + for i := range int64(1 << 20) { + datas = append(datas, sparseEntry{i * 2, (i * 2) + 1}) + } + return datas + }())...), + wantErr: errSparseTooLong, }} for i, v := range vectors { |