From 1ef685fb7ba413c6f5943cc1aa61de911a7ef29a Mon Sep 17 00:00:00 2001 From: Roland Shoemaker Date: Wed, 28 Sep 2022 14:52:33 -0700 Subject: [PATCH] debug: add top level security docs for dwarf, elf, macho, pe, and plan9obj Adds a package level doc comment to the debug/dwarf, debug/elf, debug/macho, debug/pe, and debug/plan9obj noting that these packages are not designed to be hardened against adversarial inputs. Change-Id: I678d01bcdc8ad01c23805f09cc59e64cec6c3f76 Reviewed-on: https://go-review.googlesource.com/c/go/+/435417 Reviewed-by: Damien Neil Reviewed-by: Julie Qiu Run-TryBot: Roland Shoemaker Auto-Submit: Roland Shoemaker TryBot-Result: Gopher Robot --- src/debug/dwarf/open.go | 16 +++++++++++++--- src/debug/elf/file.go | 12 +++++++++++- src/debug/macho/file.go | 12 +++++++++++- src/debug/pe/file.go | 12 +++++++++++- src/debug/plan9obj/file.go | 12 +++++++++++- 5 files changed, 57 insertions(+), 7 deletions(-) diff --git a/src/debug/dwarf/open.go b/src/debug/dwarf/open.go index e94103a1d7..994b7262d1 100644 --- a/src/debug/dwarf/open.go +++ b/src/debug/dwarf/open.go @@ -2,9 +2,19 @@ // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. -// Package dwarf provides access to DWARF debugging information loaded from -// executable files, as defined in the DWARF 2.0 Standard at -// http://dwarfstd.org/doc/dwarf-2.0.0.pdf +/* +Package dwarf provides access to DWARF debugging information loaded from +executable files, as defined in the DWARF 2.0 Standard at +http://dwarfstd.org/doc/dwarf-2.0.0.pdf. + +# Security + +This package is not designed to be hardened against adversarial inputs, and is +outside the scope of https://go.dev/security/policy. In particular, only basic +validation is done when parsing object files. As such, care should be taken when +parsing untrusted inputs, as parsing malformed files may consume significant +resources, or cause panics. +*/ package dwarf import ( diff --git a/src/debug/elf/file.go b/src/debug/elf/file.go index d181d340ec..708980bc1c 100644 --- a/src/debug/elf/file.go +++ b/src/debug/elf/file.go @@ -2,7 +2,17 @@ // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. -// Package elf implements access to ELF object files. +/* +Package elf implements access to ELF object files. + +# Security + +This package is not designed to be hardened against adversarial inputs, and is +outside the scope of https://go.dev/security/policy. In particular, only basic +validation is done when parsing object files. As such, care should be taken when +parsing untrusted inputs, as parsing malformed files may consume significant +resources, or cause panics. +*/ package elf import ( diff --git a/src/debug/macho/file.go b/src/debug/macho/file.go index 0c6488d349..ecde25ab89 100644 --- a/src/debug/macho/file.go +++ b/src/debug/macho/file.go @@ -2,7 +2,17 @@ // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. -// Package macho implements access to Mach-O object files. +/* +Package macho implements access to Mach-O object files. + +# Security + +This package is not designed to be hardened against adversarial inputs, and is +outside the scope of https://go.dev/security/policy. In particular, only basic +validation is done when parsing object files. As such, care should be taken when +parsing untrusted inputs, as parsing malformed files may consume significant +resources, or cause panics. +*/ package macho // High level access to low level data structures. diff --git a/src/debug/pe/file.go b/src/debug/pe/file.go index 84bc300d92..f8c922d42e 100644 --- a/src/debug/pe/file.go +++ b/src/debug/pe/file.go @@ -2,7 +2,17 @@ // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. -// Package pe implements access to PE (Microsoft Windows Portable Executable) files. +/* +Package pe implements access to PE (Microsoft Windows Portable Executable) files. + +# Security + +This package is not designed to be hardened against adversarial inputs, and is +outside the scope of https://go.dev/security/policy. In particular, only basic +validation is done when parsing object files. As such, care should be taken when +parsing untrusted inputs, as parsing malformed files may consume significant +resources, or cause panics. +*/ package pe import ( diff --git a/src/debug/plan9obj/file.go b/src/debug/plan9obj/file.go index 2b83f9bdff..81ece2c3e0 100644 --- a/src/debug/plan9obj/file.go +++ b/src/debug/plan9obj/file.go @@ -2,7 +2,17 @@ // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. -// Package plan9obj implements access to Plan 9 a.out object files. +/* +Package plan9obj implements access to Plan 9 a.out object files. + +# Security + +This package is not designed to be hardened against adversarial inputs, and is +outside the scope of https://go.dev/security/policy. In particular, only basic +validation is done when parsing object files. As such, care should be taken when +parsing untrusted inputs, as parsing malformed files may consume significant +resources, or cause panics. +*/ package plan9obj import (