GMS-2022-9287: Malformed CAR panics and excessive memory usage

July 6, 2022 (updated February 9, 2023)

Decoding CAR data from untrusted input can cause panics, out-of-bounds memory access, out-of-memory conditions, division by zero, and excessive memory usage. Such panics can be triggered by intentionally malformed CARv1 data (including CARv1 data embedded in a CARv2 container) and by CARv2 data with excessively large indexes. These vulnerabilities are not known to be exploited in the wild and were discovered primarily through code fuzzing.

References

  • github.com/advisories/GHSA-9x4h-8wgm-8xfg
  • github.com/ipld/go-car/security/advisories/GHSA-9x4h-8wgm-8xfg
  • pkg.go.dev/vuln/GO-2022-0503

Affected versions

All versions starting from 2.0.0 before 2.4.0

Fixed versions

  • v2.4.0

Solution

Upgrade to version 2.4.0 or above.
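The affected range above (2.0.0 up to but not including the fixed 2.4.0) is easy to misjudge by eye, especially for pre-release tags. The following Go program is an added example, not part of this advisory or of the go-car project: it reads a go.mod's require lines with the standard library only, finds the github.com/ipld/go-car/v2 entry, and reports whether the pinned version falls inside the advisory's range. The go.mod text is constructed for the example; the `example.com/...` module paths are placeholders.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// AffectedModule is the module path named by GMS-2022-9287.
const AffectedModule = "github.com/ipld/go-car/v2"

// sampleGoMod is a constructed go.mod for demonstration only; the module
// paths other than go-car are placeholders.
const sampleGoMod = `module example.com/ingest

go 1.18

require (
	github.com/ipld/go-car/v2 v2.3.0
	example.com/other v1.0.0
)
`

// semver holds the numeric parts of a "vMAJOR.MINOR.PATCH[-pre][+build]" tag.
type semver struct {
	parts [3]int
	pre   bool // a pre-release suffix sorts below the bare version
}

// parseVersion parses a Go module version tag; ok is false for input that is
// not a three-part numeric version (for example "latest" or a pseudo-version
// with extra components).
func parseVersion(v string) (sv semver, ok bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		sv.pre = v[i] == '-'
		v = v[:i]
	}
	fields := strings.Split(v, ".")
	if len(fields) != 3 {
		return sv, false
	}
	for i, f := range fields {
		n, err := strconv.Atoi(f)
		if err != nil || n < 0 {
			return sv, false
		}
		sv.parts[i] = n
	}
	return sv, true
}

// compare orders two versions: -1 if a < b, 0 if equal, 1 if a > b.
func compare(a, b semver) int {
	for i := 0; i < 3; i++ {
		if a.parts[i] != b.parts[i] {
			if a.parts[i] < b.parts[i] {
				return -1
			}
			return 1
		}
	}
	switch {
	case a.pre && !b.pre:
		return -1
	case !a.pre && b.pre:
		return 1
	}
	return 0
}

// IsAffected reports whether v lies in the advisory's range: >= 2.0.0 and
// < 2.4.0 (the fixed release). A pre-release of 2.4.0 is still affected.
func IsAffected(v string) (bool, error) {
	sv, ok := parseVersion(v)
	if !ok {
		return false, fmt.Errorf("cannot parse version %q", v)
	}
	lo := semver{parts: [3]int{2, 0, 0}}
	fixed := semver{parts: [3]int{2, 4, 0}}
	return compare(sv, lo) >= 0 && compare(sv, fixed) < 0, nil
}

// RequiredVersion returns the version of module pinned by a go.mod's require
// directive (single-line or block form), or "" if the module is not required.
// Note: replace directives are not considered here.
func RequiredVersion(gomod, module string) string {
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimPrefix(strings.TrimSpace(sc.Text()), "require ")
		fields := strings.Fields(line)
		if len(fields) >= 2 && fields[0] == module {
			return fields[1]
		}
	}
	return ""
}

func main() {
	v := RequiredVersion(sampleGoMod, AffectedModule)
	if v == "" {
		fmt.Println(AffectedModule, "is not required")
		return
	}
	affected, err := IsAffected(v)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%s %s affected by GMS-2022-9287: %v\n", AffectedModule, v, affected)
}
```

For the constructed go.mod the program reports v2.3.0 as affected. In a real repository the authoritative check is `govulncheck ./...`, which reports the same issue under its Go vulnerability database identifier GO-2022-0503 referenced above and also accounts for replace directives and the effective module graph; this example only illustrates the version-range logic.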

Source file

go/github.com/ipld/go-car/v2/index/GMS-2022-9287.yml
