summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMinjae Kim <flowergom@gmail.com>2022-02-26 20:55:35 +0000
committerRichard Purdie <richard.purdie@linuxfoundation.org>2022-03-09 17:30:48 +0000
commit415757639d85c61b61faf5f0d258057a9924ceb1 (patch)
tree36b3ca768172afe695e368fe7f00c29b8c40f9e5
parentdfd900b5b0a8834499cddbfcb196ecccd79c9003 (diff)
downloadpoky-415757639d85c61b61faf5f0d258057a9924ceb1.tar.gz
go: fix CVE-2022-23772
math/big: prevent large memory consumption in Rat.SetString An attacker can cause unbounded memory growth in a program using (*Rat).SetString due to an unhandled overflow. Upstream-Status: Backport [https://go.dev/issue/50699] CVE: CVE-2022-23772 (From OE-Core rev: e4d15040f62744265b9236ad7276f3371a9172da) Signed-off-by:Minjae Kim <flowergom@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-devtools/go/go-1.14.inc1
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2022-23772.patch50
2 files changed, 51 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc
index fcb316e09e..9b3c3b30a8 100644
--- a/meta/recipes-devtools/go/go-1.14.inc
+++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -20,6 +20,7 @@ SRC_URI += "\
20 file://CVE-2021-33196.patch \ 20 file://CVE-2021-33196.patch \
21 file://CVE-2021-33197.patch \ 21 file://CVE-2021-33197.patch \
22 file://CVE-2022-23806.patch \ 22 file://CVE-2022-23806.patch \
23 file://CVE-2022-23772.patch \
23" 24"
24SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch" 25SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
25SRC_URI[main.sha256sum] = "7ed13b2209e54a451835997f78035530b331c5b6943cdcd68a3d815fdc009149" 26SRC_URI[main.sha256sum] = "7ed13b2209e54a451835997f78035530b331c5b6943cdcd68a3d815fdc009149"
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-23772.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-23772.patch
new file mode 100644
index 0000000000..f0daee3624
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-23772.patch
@@ -0,0 +1,50 @@
1From 70882eedccac803ddcf1c3215e0ae8fd59847e39 Mon Sep 17 00:00:00 2001
2From: Katie Hockman <katie@golang.org>
3Date: Sat, 26 Feb 2022 20:03:38 +0000
4Subject: [PATCH] [release-branch.go1.16] math/big: prevent overflow in
5 (*Rat).SetString
6
7Credit to rsc@ for the original patch.
8
9Thanks to the OSS-Fuzz project for discovering this
10issue and to Emmanuel Odeke (@odeke_et) for reporting it.
11
12Updates #50699
13Fixes #50700
14Fixes CVE-2022-23772
15---
16 src/math/big/ratconv.go | 5 +++++
17 src/math/big/ratconv_test.go | 1 +
18 2 files changed, 6 insertions(+)
19
20diff --git a/src/math/big/ratconv.go b/src/math/big/ratconv.go
21index 941139e..e8cbdbe 100644
22--- a/src/math/big/ratconv.go
23+++ b/src/math/big/ratconv.go
24@@ -168,6 +168,11 @@ func (z *Rat) SetString(s string) (*Rat, bool) {
25 n := exp5
26 if n < 0 {
27 n = -n
28+ if n < 0 {
29+ // This can occur if -n overflows. -(-1 << 63) would become
30+ // -1 << 63, which is still negative.
31+ return nil, false
32+ }
33 }
34 pow5 := z.b.abs.expNN(natFive, nat(nil).setWord(Word(n)), nil) // use underlying array of z.b.abs
35 if exp5 > 0 {
36diff --git a/src/math/big/ratconv_test.go b/src/math/big/ratconv_test.go
37index ba0d1ba..b820df4 100644
38--- a/src/math/big/ratconv_test.go
39+++ b/src/math/big/ratconv_test.go
40@@ -104,6 +104,7 @@ var setStringTests = []StringTest{
41 {in: "4/3/"},
42 {in: "4/3."},
43 {in: "4/"},
44+ {in: "13e-9223372036854775808"}, // CVE-2022-23772
45
46 // valid
47 {"0", "0", true},
48--
492.17.1
50