diff options
author | Minjae Kim <flowergom@gmail.com> | 2022-02-26 20:55:35 +0000 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-03-09 17:30:48 +0000 |
commit | 415757639d85c61b61faf5f0d258057a9924ceb1 (patch) | |
tree | 36b3ca768172afe695e368fe7f00c29b8c40f9e5 | |
parent | dfd900b5b0a8834499cddbfcb196ecccd79c9003 (diff) | |
download | poky-415757639d85c61b61faf5f0d258057a9924ceb1.tar.gz |
go: fix CVE-2022-23772
math/big: prevent large memory consumption in Rat.SetString
An attacker can cause unbounded memory growth in a program using (*Rat).SetString
due to an unhandled overflow.
Upstream-Status: Backport [https://go.dev/issue/50699]
CVE: CVE-2022-23772
(From OE-Core rev: e4d15040f62744265b9236ad7276f3371a9172da)
Signed-off-by:Minjae Kim <flowergom@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-devtools/go/go-1.14.inc | 1 | ||||
-rw-r--r-- | meta/recipes-devtools/go/go-1.14/CVE-2022-23772.patch | 50 |
2 files changed, 51 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc index fcb316e09e..9b3c3b30a8 100644 --- a/meta/recipes-devtools/go/go-1.14.inc +++ b/meta/recipes-devtools/go/go-1.14.inc | |||
@@ -20,6 +20,7 @@ SRC_URI += "\ | |||
20 | file://CVE-2021-33196.patch \ | 20 | file://CVE-2021-33196.patch \ |
21 | file://CVE-2021-33197.patch \ | 21 | file://CVE-2021-33197.patch \ |
22 | file://CVE-2022-23806.patch \ | 22 | file://CVE-2022-23806.patch \ |
23 | file://CVE-2022-23772.patch \ | ||
23 | " | 24 | " |
24 | SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch" | 25 | SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch" |
25 | SRC_URI[main.sha256sum] = "7ed13b2209e54a451835997f78035530b331c5b6943cdcd68a3d815fdc009149" | 26 | SRC_URI[main.sha256sum] = "7ed13b2209e54a451835997f78035530b331c5b6943cdcd68a3d815fdc009149" |
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-23772.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-23772.patch new file mode 100644 index 0000000000..f0daee3624 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-23772.patch | |||
@@ -0,0 +1,50 @@ | |||
1 | From 70882eedccac803ddcf1c3215e0ae8fd59847e39 Mon Sep 17 00:00:00 2001 | ||
2 | From: Katie Hockman <katie@golang.org> | ||
3 | Date: Sat, 26 Feb 2022 20:03:38 +0000 | ||
4 | Subject: [PATCH] [release-branch.go1.16] math/big: prevent overflow in | ||
5 | (*Rat).SetString | ||
6 | |||
7 | Credit to rsc@ for the original patch. | ||
8 | |||
9 | Thanks to the OSS-Fuzz project for discovering this | ||
10 | issue and to Emmanuel Odeke (@odeke_et) for reporting it. | ||
11 | |||
12 | Updates #50699 | ||
13 | Fixes #50700 | ||
14 | Fixes CVE-2022-23772 | ||
15 | --- | ||
16 | src/math/big/ratconv.go | 5 +++++ | ||
17 | src/math/big/ratconv_test.go | 1 + | ||
18 | 2 files changed, 6 insertions(+) | ||
19 | |||
20 | diff --git a/src/math/big/ratconv.go b/src/math/big/ratconv.go | ||
21 | index 941139e..e8cbdbe 100644 | ||
22 | --- a/src/math/big/ratconv.go | ||
23 | +++ b/src/math/big/ratconv.go | ||
24 | @@ -168,6 +168,11 @@ func (z *Rat) SetString(s string) (*Rat, bool) { | ||
25 | n := exp5 | ||
26 | if n < 0 { | ||
27 | n = -n | ||
28 | + if n < 0 { | ||
29 | + // This can occur if -n overflows. -(-1 << 63) would become | ||
30 | + // -1 << 63, which is still negative. | ||
31 | + return nil, false | ||
32 | + } | ||
33 | } | ||
34 | pow5 := z.b.abs.expNN(natFive, nat(nil).setWord(Word(n)), nil) // use underlying array of z.b.abs | ||
35 | if exp5 > 0 { | ||
36 | diff --git a/src/math/big/ratconv_test.go b/src/math/big/ratconv_test.go | ||
37 | index ba0d1ba..b820df4 100644 | ||
38 | --- a/src/math/big/ratconv_test.go | ||
39 | +++ b/src/math/big/ratconv_test.go | ||
40 | @@ -104,6 +104,7 @@ var setStringTests = []StringTest{ | ||
41 | {in: "4/3/"}, | ||
42 | {in: "4/3."}, | ||
43 | {in: "4/"}, | ||
44 | + {in: "13e-9223372036854775808"}, // CVE-2022-23772 | ||
45 | |||
46 | // valid | ||
47 | {"0", "0", true}, | ||
48 | -- | ||
49 | 2.17.1 | ||
50 | |||