{"id":"GHSA-gmq2-39ff-f5qg","summary":"A failed upgrade may lead to hung goroutines","details":"### Impact\nProcesses using tableflip may encounter hung goroutines in the parent process, after a failed upgrade.\n\nThe Go runtime has annoying behaviour around setting and clearing\nO_NONBLOCK: exec.Cmd.Start() ends up calling os.File.Fd() for any\nfile in exec.Cmd.ExtraFiles. os.File.Fd() disables both the use\nof the runtime poller for the file and clears O_NONBLOCK from\nthe underlying open file descriptor.\n\nThis can lead to goroutines hanging in a parent process, after at least\none failed upgrade. The bug manifests in goroutines which rely on\neither a deadline or interruption via Close() to be unblocked being stuck\nin read or accept like syscalls. As far as I can tell we've not experienced\nthis problem in production, so it's most likely quite rare.\n\n### Patches\nThe problem has been fixed in v1.2.2.\n\n### Workarounds\nNone.\n\n### References\n* https://github.com/cloudflare/tableflip/commit/cae714b289e199db5da5f08af861ea65be6232c0","modified":"2021-05-21T14:40:36Z","published":"2021-05-21T16:25:48Z","database_specific":{"github_reviewed":true,"cwe_ids":[],"severity":"LOW","github_reviewed_at":"2021-05-21T14:40:36Z","nvd_published_at":null},"references":[{"type":"WEB","url":"https://github.com/cloudflare/tableflip/security/advisories/GHSA-gmq2-39ff-f5qg"},{"type":"WEB","url":"https://github.com/cloudflare/tableflip/commit/cae714b289e199db5da5f08af861ea65be6232c0"}],"affected":[{"package":{"name":"github.com/cloudflare/tableflip","ecosystem":"Go","purl":"pkg:golang/github.com/cloudflare/tableflip"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.2.2"}]}],"database_specific":{"last_known_affected_version_range":"\u003c 1.2.1","source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-gmq2-39ff-f5qg/GHSA-gmq2-39ff-f5qg.json"}}],"schema_version":"1.7.3"}