go: syscall & x/sys/windows: buffer overflow in GetQueuedCompletionStatus

The third argument to GetQueuedCompletionStatus is a pointer to a uintptr, not a uint32. Users of this functions have therefore been corrupting their memory every time they used it. Either that memory corruption was silent (dangerous), or their programs didn’t work so they chose a different API to use.

I intend to submit CLs fixing the function signature. This could perturb compatibility. But either nobody used these functions because they were broken or there’s a lingering security issue, so I think it may be justified.

CC @bradfitz @alexbrainman @FiloSottile

About this issue

Original URL
State: closed
Created 3 years ago
Comments: 30 (21 by maintainers)

Commits related to this issue

winc: use uintptr variable for key parameter of GetQueuedCompletionStatus Besides my own code, this is the only known use of x/sys/windows.GetQueuedCompletionStatus on all of Github. In https://githu... — committed to zx2c4-forks/go-judge by zx2c4 3 years ago
syscall: restore broken GetQueuedCompletionStatus signature but make it not crash This reverts commit dc4698f52b5ad3f0251e0cc25bc7ffbd10e23f2c, and then fixes the memory corruption issue. It also sug... — committed to golang/go by zx2c4 3 years ago
windows: do not overflow key memory in GetQueuedCompletionStatus The third argument to GetQueuedCompletionStatus is a pointer to a uintptr, not a uint32. Users of this functions have therefore been c... — committed to golang/sys by zx2c4 3 years ago
syscall: return error if GetQueuedCompletionStatus truncates key This function has the wrong signature, so return an error when that actually might lead to unexpected results. Users should switch to ... — committed to golang/go by zx2c4 3 years ago
[release-branch.go1.15] syscall: do not overflow key memory in GetQueuedCompletionStatus The third argument to GetQueuedCompletionStatus is a pointer to a uintptr, not a uint32. Users of this functio... — committed to golang/go by zx2c4 3 years ago
[release-branch.go1.16] syscall: do not overflow key memory in GetQueuedCompletionStatus The third argument to GetQueuedCompletionStatus is a pointer to a uintptr, not a uint32. Users of this functio... — committed to golang/go by zx2c4 3 years ago
It’s time to highlight repique’s advantage towards fsnotify https://github.com/golang/go/issues/44593 https://github.com/golang/go/issues/44538 https://github.com/fsnotify/fsnotify/blob/7f4cf4dd2b52... — committed to AZ-X/pique by AZ-X 3 years ago
Pull golang.org/x/sys v0.0.0-20210420205809-ac73e9fd8988 Specifically, this pulls the fix for https://github.com/golang/go/issues/44538 as we're going to start using this API in place of our own gene... — committed to TBBle/go-winio by TBBle 3 years ago
Pull golang.org/x/sys v0.0.0-20210420205809-ac73e9fd8988 Specifically, this pulls the fix for https://github.com/golang/go/issues/44538 as we're going to start using this API in place of our own gene... — committed to TBBle/go-winio by TBBle 3 years ago

Most upvoted comments

Those two call sites don’t include the known uses in x/exp and x/benchmarks, so there’s gotta be something missing from that search.

You are mistaken. Correct observation, but incorrect conclusion. x/exp and x/benchmarks – and virtually everything else – uses syscall, not x/sys/windows. The search is for uses of x/sys/windows, because that is the relevant package for that part of the discussion.

Again, in case there’s confusion about what I’m suggesting:

We don’t break the signature of syscall, but instead do https://golang.org/cl/296149 and encourage people to switch to x/sys/windows.
We make x/sys/windows use the right signature, via https://golang.org/cl/295174 .

We are on the same page about (1). Hence I discussed (2) here. Please re-read https://github.com/golang/go/issues/44538#issuecomment-785427786 in light of that.

zx2c4 on Feb 24, 2021

https://github.com/criyle/go-judge/pull/10 and https://github.com/WireGuard/wireguard-go/blob/6856c0ff0e50eada76fd2189190016cdbf0ca52f/conn/bind_windows.go#L369-L371 are now updated, so I think we’re all set.

zx2c4 on Feb 25, 2021

Reproduces easily:

package main

import "golang.org/x/sys/windows"

func main() {
	k32 := windows.NewLazySystemDLL("kernel32.dll")
	port, _, _ := k32.NewProc("CreateIoCompletionPort").Call(^uintptr(0), 0, 0, 0)
	k32.NewProc("PostQueuedCompletionStatus").Call(port, 1, uintptr(77)<<32, 0)

	var things struct {
		o            *windows.Overlapped
		bytes        uint32
		key          uint32
		MYSTERYVALUE uint32
	}
	things.MYSTERYVALUE = 99
	println(things.MYSTERYVALUE)
	windows.GetQueuedCompletionStatus(windows.Handle(port), &things.bytes, &things.key, &things.o, windows.INFINITE)
	println(things.MYSTERYVALUE)
}

Output:

99
77

zx2c4 on Feb 23, 2021