diff options
author | Vivek Kumbhar <vkumbhar@mvista.com> | 2023-04-21 11:20:27 +0530 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2023-04-26 04:19:07 -1000 |
commit | 538185bd1c0975dd865b9f185825577e3a4c42c2 (patch) | |
tree | 4e96252ac52e3c63a511dddb879ec4a8bef088bf | |
parent | 6dd66704290f81a5ca4c3d7e13e4137be5f07dba (diff) | |
download | poky-538185bd1c0975dd865b9f185825577e3a4c42c2.tar.gz |
go: fix CVE-2023-24537 Infinite loop in parsing
Setting a large line or column number using a //line directive can cause
integer overflow even in small source files.
Limit line and column numbers in //line directives to 2^30-1, which
is small enough to avoid int32 overflow on all reasonbly-sized files.
(From OE-Core rev: d1943e6a0ec00653c81cd4c0bb0d6b7e0909094c)
Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
-rw-r--r-- | meta/recipes-devtools/go/go-1.14.inc | 1 | ||||
-rw-r--r-- | meta/recipes-devtools/go/go-1.14/CVE-2023-24537.patch | 76 |
2 files changed, 77 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc index 7178739b7e..56f4f12c37 100644 --- a/meta/recipes-devtools/go/go-1.14.inc +++ b/meta/recipes-devtools/go/go-1.14.inc | |||
@@ -56,6 +56,7 @@ SRC_URI += "\ | |||
56 | file://CVE-2022-41722-1.patch \ | 56 | file://CVE-2022-41722-1.patch \ |
57 | file://CVE-2022-41722-2.patch \ | 57 | file://CVE-2022-41722-2.patch \ |
58 | file://CVE-2020-29510.patch \ | 58 | file://CVE-2020-29510.patch \ |
59 | file://CVE-2023-24537.patch \ | ||
59 | " | 60 | " |
60 | 61 | ||
61 | SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch" | 62 | SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch" |
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24537.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-24537.patch new file mode 100644 index 0000000000..e04b717fc1 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24537.patch | |||
@@ -0,0 +1,76 @@ | |||
1 | From bf8c7c575c8a552d9d79deb29e80854dc88528d0 Mon Sep 17 00:00:00 2001 | ||
2 | From: Damien Neil <dneil@google.com> | ||
3 | Date: Mon, 20 Mar 2023 10:43:19 -0700 | ||
4 | Subject: [PATCH] [release-branch.go1.20] mime/multipart: limit parsed mime | ||
5 | message sizes | ||
6 | |||
7 | Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802456 | ||
8 | Reviewed-by: Julie Qiu <julieqiu@google.com> | ||
9 | Reviewed-by: Roland Shoemaker <bracewell@google.com> | ||
10 | Run-TryBot: Damien Neil <dneil@google.com> | ||
11 | Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802611 | ||
12 | Reviewed-by: Damien Neil <dneil@google.com> | ||
13 | Change-Id: Ifdfa192d54f722d781a4d8c5f35b5fb72d122168 | ||
14 | Reviewed-on: https://go-review.googlesource.com/c/go/+/481986 | ||
15 | Reviewed-by: Matthew Dempsky <mdempsky@google.com> | ||
16 | TryBot-Result: Gopher Robot <gobot@golang.org> | ||
17 | Run-TryBot: Michael Knyszek <mknyszek@google.com> | ||
18 | Auto-Submit: Michael Knyszek <mknyszek@google.com> | ||
19 | |||
20 | Upstream-Status: Backport [https://github.com/golang/go/commit/126a1d02da82f93ede7ce0bd8d3c51ef627f2104] | ||
21 | CVE: CVE-2023-24537 | ||
22 | Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> | ||
23 | --- | ||
24 | src/go/parser/parser_test.go | 16 ++++++++++++++++ | ||
25 | src/go/scanner/scanner.go | 5 ++++- | ||
26 | 2 files changed, 20 insertions(+), 1 deletion(-) | ||
27 | |||
28 | diff --git a/src/go/parser/parser_test.go b/src/go/parser/parser_test.go | ||
29 | index 37a6a2b..714557c 100644 | ||
30 | --- a/src/go/parser/parser_test.go | ||
31 | +++ b/src/go/parser/parser_test.go | ||
32 | @@ -738,3 +738,19 @@ func TestScopeDepthLimit(t *testing.T) { | ||
33 | } | ||
34 | } | ||
35 | } | ||
36 | + | ||
37 | +// TestIssue59180 tests that line number overflow doesn't cause an infinite loop. | ||
38 | +func TestIssue59180(t *testing.T) { | ||
39 | + testcases := []string{ | ||
40 | + "package p\n//line :9223372036854775806\n\n//", | ||
41 | + "package p\n//line :1:9223372036854775806\n\n//", | ||
42 | + "package p\n//line file:9223372036854775806\n\n//", | ||
43 | + } | ||
44 | + | ||
45 | + for _, src := range testcases { | ||
46 | + _, err := ParseFile(token.NewFileSet(), "", src, ParseComments) | ||
47 | + if err == nil { | ||
48 | + t.Errorf("ParseFile(%s) succeeded unexpectedly", src) | ||
49 | + } | ||
50 | + } | ||
51 | +} | ||
52 | diff --git a/src/go/scanner/scanner.go b/src/go/scanner/scanner.go | ||
53 | index 00fe2dc..3159d25 100644 | ||
54 | --- a/src/go/scanner/scanner.go | ||
55 | +++ b/src/go/scanner/scanner.go | ||
56 | @@ -246,13 +246,16 @@ func (s *Scanner) updateLineInfo(next, offs int, text []byte) { | ||
57 | return | ||
58 | } | ||
59 | |||
60 | + // Put a cap on the maximum size of line and column numbers. | ||
61 | + // 30 bits allows for some additional space before wrapping an int32. | ||
62 | + const maxLineCol = 1<<30 - 1 | ||
63 | var line, col int | ||
64 | i2, n2, ok2 := trailingDigits(text[:i-1]) | ||
65 | if ok2 { | ||
66 | //line filename:line:col | ||
67 | i, i2 = i2, i | ||
68 | line, col = n2, n | ||
69 | - if col == 0 { | ||
70 | + if col == 0 || col > maxLineCol { | ||
71 | s.error(offs+i2, "invalid column number: "+string(text[i2:])) | ||
72 | return | ||
73 | } | ||
74 | -- | ||
75 | 2.25.1 | ||
76 | |||