GHSA-GMQ2-39FF-F5QG
Vulnerability from github – Published: 2021-05-21 16:25 – Updated: 2021-05-21 14:40Impact
Processes using tableflip may encounter hung goroutines in the parent process, after a failed upgrade.
The Go runtime has annoying behaviour around setting and clearing O_NONBLOCK: exec.Cmd.Start() ends up calling os.File.Fd() for any file in exec.Cmd.ExtraFiles. os.File.Fd() disables both the use of the runtime poller for the file and clears O_NONBLOCK from the underlying open file descriptor.
This can lead to goroutines hanging in a parent process, after at least one failed upgrade. The bug manifests in goroutines which rely on either a deadline or interruption via Close() to be unblocked being stuck in read or accept like syscalls. As far as I can tell we've not experienced this problem in production, so it's most likely quite rare.
Patches
The problem has been fixed in v1.2.2.
Workarounds
None.
References
- https://github.com/cloudflare/tableflip/commit/cae714b289e199db5da5f08af861ea65be6232c0
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c 1.2.1"
},
"package": {
"ecosystem": "Go",
"name": "github.com/cloudflare/tableflip"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [],
"github_reviewed": true,
"github_reviewed_at": "2021-05-21T14:40:36Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Impact\nProcesses using tableflip may encounter hung goroutines in the parent process, after a failed upgrade.\n\nThe Go runtime has annoying behaviour around setting and clearing\nO_NONBLOCK: exec.Cmd.Start() ends up calling os.File.Fd() for any\nfile in exec.Cmd.ExtraFiles. os.File.Fd() disables both the use\nof the runtime poller for the file and clears O_NONBLOCK from\nthe underlying open file descriptor.\n\nThis can lead to goroutines hanging in a parent process, after at least\none failed upgrade. The bug manifests in goroutines which rely on\neither a deadline or interruption via Close() to be unblocked being stuck\nin read or accept like syscalls. As far as I can tell we\u0027ve not experienced\nthis problem in production, so it\u0027s most likely quite rare.\n\n### Patches\nThe problem has been fixed in v1.2.2.\n\n### Workarounds\nNone.\n\n### References\n* https://github.com/cloudflare/tableflip/commit/cae714b289e199db5da5f08af861ea65be6232c0",
"id": "GHSA-gmq2-39ff-f5qg",
"modified": "2021-05-21T14:40:36Z",
"published": "2021-05-21T16:25:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/cloudflare/tableflip/security/advisories/GHSA-gmq2-39ff-f5qg"
},
{
"type": "WEB",
"url": "https://github.com/cloudflare/tableflip/commit/cae714b289e199db5da5f08af861ea65be6232c0"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "A failed upgrade may lead to hung goroutines"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.