GHSA-gmq2-39ff-f5qg

Source
https://github.com/advisories/GHSA-gmq2-39ff-f5qg
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-gmq2-39ff-f5qg/GHSA-gmq2-39ff-f5qg.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-gmq2-39ff-f5qg
Published
2021-05-21T16:25:48Z
Modified
2021-05-21T14:40:36Z
Summary
A failed upgrade may lead to hung goroutines
Details

Impact

Processes using tableflip may encounter hung goroutines in the parent process after a failed upgrade.

The Go runtime has annoying behaviour around setting and clearing O_NONBLOCK: exec.Cmd.Start() ends up calling os.File.Fd() for every file in exec.Cmd.ExtraFiles, and os.File.Fd() both disables use of the runtime poller for that file and clears O_NONBLOCK on the underlying file descriptor.

After at least one failed upgrade this can leave goroutines hung in the parent process, which keeps serving on descriptors that Fd() has just switched to blocking mode. The bug shows up in goroutines that rely on a deadline, or on interruption via Close(), to be unblocked: they stay stuck in read- or accept-like syscalls, because a blocking syscall never returns EAGAIN to the poller that would otherwise enforce the deadline or the close. As far as I can tell we've not experienced this problem in production, so it's most likely quite rare.
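The runtime behaviour described above can be reproduced without tableflip at all. The program below is an added example, not code from tableflip or from this advisory: it uses a plain os.Pipe() in place of the listener tableflip hands over, and calls Fd() directly to stand in for os.StartProcess, which exec.Cmd.Start uses and which calls Fd() on every ExtraFiles entry before fork/exec, whether or not the exec later fails. The names Outcome, Demo, isNonblocking, startRead and classify are hypothetical; the fcntl(F_GETFL) probe assumes a Unix platform (Linux was in mind). The probe deliberately goes through SyscallConn().Control rather than Fd(), since Fd() would itself flip the descriptor you are trying to inspect.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"syscall"
	"time"
)

// Outcome is what we observe on a pipe's read end around an os.File.Fd() call.
type Outcome struct {
	NonblockBefore, NonblockAfter bool   // O_NONBLOCK set before / after Fd()?
	ReadBefore, ReadAfter         string // how a deadline-bounded Read ended
	AfterClose, Final             string // ... after Close(); after real input
}

// isNonblocking reads the fd's status flags with fcntl(F_GETFL) via
// SyscallConn().Control, which lends the fd without switching to blocking mode.
func isNonblocking(f *os.File) (bool, error) {
	rc, err := f.SyscallConn()
	if err != nil {
		return false, err
	}
	var flags uintptr
	var errno syscall.Errno
	err = rc.Control(func(fd uintptr) {
		flags, _, errno = syscall.Syscall(syscall.SYS_FCNTL, fd, uintptr(syscall.F_GETFL), 0)
	})
	if err == nil && errno != 0 {
		err = errno
	}
	return flags&syscall.O_NONBLOCK != 0, err
}

// startRead arms a read deadline and reads one byte in a goroutine; the
// channel delivers Read's error once (if ever) the call returns.
func startRead(r *os.File, deadline time.Duration) <-chan error {
	done := make(chan error, 1)
	// Still succeeds after Fd(), but the deadline is then never consulted:
	// read(2) blocks in the kernel instead of returning EAGAIN to the poller.
	_ = r.SetReadDeadline(time.Now().Add(deadline))
	go func() {
		var b [1]byte
		_, err := r.Read(b[:])
		done <- err
	}()
	return done
}

// classify waits up to wait for the read to finish and names the result.
func classify(done <-chan error, wait time.Duration) string {
	select {
	case err := <-done:
		if err == nil {
			return "data"
		} else if errors.Is(err, os.ErrDeadlineExceeded) {
			return "deadline"
		}
		return "error: " + err.Error()
	case <-time.After(wait):
		return "hung"
	}
}

// Demo runs the experiment on a fresh pipe (constructed input) and reports it.
func Demo() (o Outcome, err error) {
	r, w, err := os.Pipe()
	if err != nil {
		return o, err
	}
	defer w.Close()
	// 1. Fresh pipe: the runtime made the fd non-blocking, so the deadline fires.
	if o.NonblockBefore, err = isNonblocking(r); err != nil {
		return o, err
	}
	o.ReadBefore = classify(startRead(r, 200*time.Millisecond), 3*time.Second)
	// 2. What os.StartProcess does for each exec.Cmd.ExtraFiles entry before fork/exec.
	_ = r.Fd()
	// 3. Same file, same deadline: O_NONBLOCK is gone and the Read hangs.
	if o.NonblockAfter, err = isNonblocking(r); err != nil {
		return o, err
	}
	done := startRead(r, 500*time.Millisecond)
	o.ReadAfter = classify(done, 2*time.Second)
	// 4. Close() does not rescue it: for a blocking-mode file the runtime
	//    defers close(2) until the in-flight Read returns.
	_ = r.Close()
	o.AfterClose = classify(done, 500*time.Millisecond)
	// 5. Only real input (a byte from the writer) unblocks the goroutine.
	if _, err = w.Write([]byte{'x'}); err != nil {
		return o, err
	}
	o.Final = classify(done, 3*time.Second)
	return o, nil
}

func main() {
	o, err := Demo()
	fmt.Printf("%+v err=%v\n", o, err)
}
```

Run it with `go run` on Linux: before Fd() the flag is set and the Read ends with "deadline"; after Fd() the flag is clear, the Read is still "hung" after the deadline and after Close(), and only the byte written at the end turns it into "data". That is the state a tableflip parent is left in after a failed upgrade, which is why neither deadlines nor Close() get those goroutines back; the same fcntl probe is a cheap way to check, from inside a long-running parent, whether any inherited listener has silently become blocking.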

Patches

The problem has been fixed in v1.2.2.

Workarounds

None.

References

  • https://github.com/cloudflare/tableflip/commit/cae714b289e199db5da5f08af861ea65be6232c0
Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-21T14:40:36Z"
}
Affected packages

Go / github.com/cloudflare/tableflip

Package

Name
github.com/cloudflare/tableflip
Purl
pkg:golang/github.com/cloudflare/tableflip

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.2.2

Database specific

{
    "last_known_affected_version_range": "< 1.2.1"
}