[release-branch.go1.12] runtime: safely load DLLs
While many other call sites have been moved to using the proper higher-level system loading, these areas were left out. This prevents DLL directory injection attacks. This includes both the runtime load calls (using LoadLibrary prior) and the implicitly linked ones via cgo_import_dynamic, which we move to our LoadLibraryEx. The goal is to only loosely load kernel32.dll and strictly load all others. Meanwhile we make sure that we never fallback to insecure loading on older or unpatched systems. This is CVE-2019-9634. Fixes #30666 Updates #14959 Updates #28978 Updates #30642 Change-Id: I401a13ed8db248ab1bb5039bf2d31915cac72b93 Reviewed-on: https://go-review.googlesource.com/c/go/+/165798 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by:Alex Brainman <alex.brainman@gmail.com> (cherry picked from commit 9b6e9f0c) Reviewed-on: https://go-review.googlesource.com/c/go/+/168339 Reviewed-by:
Dmitri Shuralyov <dmitshur@golang.org> Reviewed-by:
Andrew Bonventre <andybons@golang.org>
Loading
Please sign in to comment