Deadlock Affecting github.com/rclone/rclone/vfs/vfscache/downloaders package, versions <1.54.0
Attack Complexity
High
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications-
snyk-id
SNYK-GOLANG-GITHUBCOMRCLONERCLONEVFSVFSCACHEDOWNLOADERS-1244107
-
published
9 Apr 2021
-
disclosed
8 Apr 2021
-
credit
Unknown
How to fix?
Upgrade github.com/rclone/rclone/vfs/vfscache/downloaders to version 1.54.0 or higher.
Overview
github.com/rclone/rclone/vfs/vfscache/downloaders is a rsync for cloud storage.
Affected versions of this package are vulnerable to Deadlock. The downloaders.Close() call acquires the downloaders' mutex before calling the wait group wait and the main downloaders' thread has a periodical (5 seconds interval) call to kick its waiters, and the waiter dispatch function tries to get the mutex. A deadlock can occur if the Close() call starts and gets the mutex, while the main downloader thread already got the timer's tick and proceeded to call kickWaiters. The deadlock happens when the Close call gets the mutex between the timer's kick and when the main downloaders' thread gets the mutex first.