This can be mitigated by using the Pointer type, or by creating a new struct with a zero value for the second field. For more information, see https://golang.org/issue/9679. The issue has been addressed in Go 1.17.7. Older versions of Go are vulnerable if they do a direct comparison between a pointer and a non-pointer value.

If a function expects a non-pointer as an input, and receives a pointer as an input, then a ValueError will be thrown. The following code snippet is an example of how this can occur.

```go
func DoSomething(x *int) {
	if x == nil {
		// handle error
	}
}
```
References
- https://golang.org/issue/9679
- https://golangx.blogspot.com/2018/02/what-is-pointer-in-go-language.html
Timeline
Published on: 02/11/2022 01:15:00 UTC
Last modified on: 08/04/2022 16:15:00 UTC
References
- https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ
- https://security.netapp.com/advisory/ntap-20220225-0006/
- https://lists.debian.org/debian-lts-announce/2022/04/msg00018.html
- https://lists.debian.org/debian-lts-announce/2022/04/msg00017.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://security.gentoo.org/glsa/202208-02
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-23772