Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWdtcTItMzlmZi1mNXFn

A failed upgrade may lead to hung goroutines

Impact

Processes using tableflip may encounter hung goroutines in the parent process, after a failed upgrade.

The Go runtime has annoying behaviour around setting and clearing
O_NONBLOCK: exec.Cmd.Start() ends up calling os.File.Fd() for every
file in exec.Cmd.ExtraFiles, and os.File.Fd() both disables the use
of the runtime poller for that file and clears O_NONBLOCK on the
underlying open file descriptor.

This can lead to goroutines hanging in the parent process after at least
one failed upgrade. The bug manifests as goroutines that rely on either a
deadline or interruption via Close() to be unblocked getting stuck in
read- or accept-like syscalls. As far as I can tell we've not experienced
this problem in production, so it's most likely quite rare.
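The mechanism above reproduced on a pipe, as an added example that is not part of the advisory or of tableflip's code. It assumes Linux and only the Go standard library: the os.Pipe read end stands in for a listener the parent keeps after a failed upgrade, the explicit Fd() call stands in for what exec.Cmd.Start does with ExtraFiles, and the closing syscall.SetNonblock step is an assumed mitigation pattern, not tableflip's actual v1.2.2 fix.

```go
package main

import (
	"fmt"
	"os"
	"syscall"
	"time"
)

// deadlineInterrupts arms a 50 ms read deadline on the empty pipe and reads in a goroutine,
// reporting whether the deadline interrupted it; a goroutine still stuck after 1 s is released with a byte.
func deadlineInterrupts(r, w *os.File) bool {
	done := make(chan error, 1)
	r.SetReadDeadline(time.Now().Add(50 * time.Millisecond))
	go func() { _, err := r.Read(make([]byte, 1)); done <- err }()
	select {
	case err := <-done:
		return os.IsTimeout(err)
	case <-time.After(time.Second):
		w.Write([]byte{0}) // only data releases a blocking read(2); then drain the goroutine
		<-done
		return false
	}
}

// demo walks through the advisory on a pipe: os.Pipe hands out poller-managed non-blocking
// files; Fd(), which exec.Cmd.Start calls for each ExtraFiles entry, flips them to blocking.
func demo() (nbBefore, nbAfterFd, interruptible, interruptibleAfterFix bool) {
	r, w, err := os.Pipe()
	if err != nil {
		panic(err)
	}
	defer func() { r.Close(); w.Close() }()
	var fd uintptr
	rc, _ := r.SyscallConn() // obtain the fd without Fd(), which would itself trigger the bug
	rc.Control(func(x uintptr) { fd = x })
	getfl := func() uintptr { fl, _, _ := syscall.Syscall(syscall.SYS_FCNTL, fd, syscall.F_GETFL, 0); return fl }
	nbBefore = getfl()&syscall.O_NONBLOCK != 0 // true: the runtime poller manages the pipe
	r.Fd()                                      // the call the advisory describes
	nbAfterFd = getfl()&syscall.O_NONBLOCK != 0 // false: Fd() cleared O_NONBLOCK
	interruptible = deadlineInterrupts(r, w)    // false: the goroutine hangs in read(2) despite the deadline
	// Mitigation (assumed pattern, not tableflip's own fix): re-arm O_NONBLOCK on the parent's copy.
	syscall.SetNonblock(int(fd), true)
	interruptibleAfterFix = deadlineInterrupts(r, w) // true: deadlines interrupt reads again
	return
}

func main() {
	fmt.Println(demo())
}
```

The same flip happens to a net.Listener's file once it has been handed to exec.Cmd.ExtraFiles, which is why accept loops relying on Close() or deadlines in the parent can hang after the child fails to start.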

Patches

The problem has been fixed in v1.2.2.

Workarounds

None.

References

Permalink: https://github.com/advisories/GHSA-gmq2-39ff-f5qg
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWdtcTItMzlmZi1mNXFn
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: almost 3 years ago
Updated: over 1 year ago


Identifiers: GHSA-gmq2-39ff-f5qg
References: Repository: https://github.com/cloudflare/tableflip
Blast Radius: 0.0

Affected Packages

go:github.com/cloudflare/tableflip
Dependent packages: 76
Dependent repositories: 127
Downloads:
Affected Version Ranges: < 1.2.1
Fixed in: 1.2.2
All affected versions: 1.0.0, 1.1.0, 1.2.0
All unaffected versions: 1.2.1, 1.2.2, 1.2.3