summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorZhixiong Chi <zhixiong.chi@windriver.com>2020-08-11 00:41:18 -0700
committerRichard Purdie <richard.purdie@linuxfoundation.org>2020-09-10 13:21:41 +0100
commitba9c9dc10677371c55041e4bba38350f0e777d15 (patch)
treeec6d99cb09251109174f3078020c033ea97bb393
parenta76794a159e729b8f0abd121189bfc3ee9b490ec (diff)
downloadpoky-ba9c9dc10677371c55041e4bba38350f0e777d15.tar.gz
go: CVE-2020-16845
Backport CVE patch from the upstream: https://github.com/golang/go.git commit 027d7241ce050d197e7fabea3d541ffbe3487258 (From OE-Core rev: 4fa2a6c171e62855ad9a2bd7a2d8507067f62988) Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-devtools/go/go-1.12.inc1
-rw-r--r--meta/recipes-devtools/go/go-1.12/CVE-2020-16845.patch110
2 files changed, 111 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.12.inc b/meta/recipes-devtools/go/go-1.12.inc
index c3c2d0cfee..fd2d641554 100644
--- a/meta/recipes-devtools/go/go-1.12.inc
+++ b/meta/recipes-devtools/go/go-1.12.inc
@@ -19,6 +19,7 @@ SRC_URI += "\
19 file://0001-release-branch.go1.12-security-net-textproto-don-t-n.patch \ 19 file://0001-release-branch.go1.12-security-net-textproto-don-t-n.patch \
20 file://0010-fix-CVE-2019-17596.patch \ 20 file://0010-fix-CVE-2019-17596.patch \
21 file://CVE-2020-15586.patch \ 21 file://CVE-2020-15586.patch \
22 file://CVE-2020-16845.patch \
22" 23"
23SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch" 24SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
24 25
diff --git a/meta/recipes-devtools/go/go-1.12/CVE-2020-16845.patch b/meta/recipes-devtools/go/go-1.12/CVE-2020-16845.patch
new file mode 100644
index 0000000000..80f467522f
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.12/CVE-2020-16845.patch
@@ -0,0 +1,110 @@
1From 027d7241ce050d197e7fabea3d541ffbe3487258 Mon Sep 17 00:00:00 2001
2From: Katie Hockman <katie@golang.org>
3Date: Tue, 4 Aug 2020 11:45:32 -0400
4Subject: [PATCH] encoding/binary: read at most MaxVarintLen64 bytes in
5 ReadUvarint
6MIME-Version: 1.0
7Content-Type: text/plain; charset=UTF-8
8Content-Transfer-Encoding: 8bit
9
10This CL ensures that ReadUvarint consumes only a limited
11amount of input (instead of an unbounded amount).
12
13On some inputs, ReadUvarint could read an arbitrary number
14of bytes before deciding to return an overflow error.
15After this CL, ReadUvarint returns that same overflow
16error sooner, after reading at most MaxVarintLen64 bytes.
17
18Fix authored by Robert Griesemer and Filippo Valsorda.
19
20Thanks to Diederik Loerakker, Jonny Rhea, Raúl Kripalani,
21and Preston Van Loon for reporting this.
22
23Fixes #40618
24Fixes CVE-2020-16845
25
26Change-Id: Ie0cb15972f14c38b7cf7af84c45c4ce54909bb8f
27Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/812099
28Reviewed-by: Filippo Valsorda <valsorda@google.com>
29Reviewed-on: https://go-review.googlesource.com/c/go/+/247120
30Run-TryBot: Katie Hockman <katie@golang.org>
31TryBot-Result: Gobot Gobot <gobot@golang.org>
32Reviewed-by: Alexander Rakoczy <alex@golang.org>
33
34Upstream-Status: Backport [https://github.com/golang/go.git]
35CVE: CVE-2020-16845
36Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
37---
38 src/encoding/binary/varint.go | 5 +++--
39 src/encoding/binary/varint_test.go | 18 ++++++++++++------
40 2 files changed, 15 insertions(+), 8 deletions(-)
41
42diff --git a/src/encoding/binary/varint.go b/src/encoding/binary/varint.go
43index bcb8ac9a45..38af61075c 100644
44--- a/src/encoding/binary/varint.go
45+++ b/src/encoding/binary/varint.go
46@@ -106,13 +106,13 @@ var overflow = errors.New("binary: varint overflows a 64-bit integer")
47 func ReadUvarint(r io.ByteReader) (uint64, error) {
48 var x uint64
49 var s uint
50- for i := 0; ; i++ {
51+ for i := 0; i < MaxVarintLen64; i++ {
52 b, err := r.ReadByte()
53 if err != nil {
54 return x, err
55 }
56 if b < 0x80 {
57- if i > 9 || i == 9 && b > 1 {
58+ if i == 9 && b > 1 {
59 return x, overflow
60 }
61 return x | uint64(b)<<s, nil
62@@ -120,6 +120,7 @@ func ReadUvarint(r io.ByteReader) (uint64, error) {
63 x |= uint64(b&0x7f) << s
64 s += 7
65 }
66+ return x, overflow
67 }
68
69 // ReadVarint reads an encoded signed integer from r and returns it as an int64.
70diff --git a/src/encoding/binary/varint_test.go b/src/encoding/binary/varint_test.go
71index ca411ecbd6..6ef4c99505 100644
72--- a/src/encoding/binary/varint_test.go
73+++ b/src/encoding/binary/varint_test.go
74@@ -121,21 +121,27 @@ func TestBufferTooSmall(t *testing.T) {
75 }
76 }
77
78-func testOverflow(t *testing.T, buf []byte, n0 int, err0 error) {
79+func testOverflow(t *testing.T, buf []byte, x0 uint64, n0 int, err0 error) {
80 x, n := Uvarint(buf)
81 if x != 0 || n != n0 {
82 t.Errorf("Uvarint(%v): got x = %d, n = %d; want 0, %d", buf, x, n, n0)
83 }
84
85- x, err := ReadUvarint(bytes.NewReader(buf))
86- if x != 0 || err != err0 {
87- t.Errorf("ReadUvarint(%v): got x = %d, err = %s; want 0, %s", buf, x, err, err0)
88+ r := bytes.NewReader(buf)
89+ len := r.Len()
90+ x, err := ReadUvarint(r)
91+ if x != x0 || err != err0 {
92+ t.Errorf("ReadUvarint(%v): got x = %d, err = %s; want %d, %s", buf, x, err, x0, err0)
93+ }
94+ if read := len - r.Len(); read > MaxVarintLen64 {
95+ t.Errorf("ReadUvarint(%v): read more than MaxVarintLen64 bytes, got %d", buf, read)
96 }
97 }
98
99 func TestOverflow(t *testing.T) {
100- testOverflow(t, []byte{0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x2}, -10, overflow)
101- testOverflow(t, []byte{0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x1, 0, 0}, -13, overflow)
102+ testOverflow(t, []byte{0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x2}, 0, -10, overflow)
103+ testOverflow(t, []byte{0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x1, 0, 0}, 0, -13, overflow)
104+ testOverflow(t, []byte{0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF}, 1<<64-1, 0, overflow) // 11 bytes, should overflow
105 }
106
107 func TestNonCanonicalZero(t *testing.T) {
108--
1092.17.0
110