go: Backport fix for CVE-2022-41725 and CVE-2023-24536

Upstream-commit: https://github.com/golang/go/commit/874b3132a84cf76da6a48978826c04c380a37a50 & https://github.com/golang/go/commit/4e5a313524da62600eb59dbf98624cfe946456f8 & https://github.com/golang/go/commit/5246fa5e75b129a7dbd9722aa4de0cbaf7ceae43 & https://github.com/golang/go/commit/5c55ac9bf1e5f779220294c843526536605f42ab & https://github.com/golang/go/commit/ef41a4e2face45e580c5836eaebd51629fc23f15 & https://github.com/golang/go/commit/7a359a651c7ebdb29e0a1c03102fce793e9f58f0 & https://github.com/golang/go/commit/7917b5f31204528ea72e0629f0b7d52b35b27538 (From OE-Core rev: 532eb2c57fb1817999a857fc71db4438717ccadb) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2023-09-25 14:15:46 +0530
committer: Steve Sakoman <steve@sakoman.com> 2023-09-29 04:29:01 -1000
commit: ea9b55c8588ce5d7f9d8a1aa317d3c5b9f966dd8 (patch)
tree: 3273bfb80942612ea35d381363f158ddbe8577e1 /meta/recipes-devtools/go/go-1.14/CVE-2022-41725-pre2.patch
parent: 0734868d9d9365c63cadf51ff8272fb0662e11a7 (diff)
download: poky-ea9b55c8588ce5d7f9d8a1aa317d3c5b9f966dd8.tar.gz
1 files changed, 97 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-41725-pre2.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-41725-pre2.patch
new file mode 100644
index 0000000000..b951ee893e
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-41725-pre2.patch
@@ -0,0 +1,97 @@
+From 4e5a313524da62600eb59dbf98624cfe946456f8 Mon Sep 17 00:00:00 2001
+From: Emmanuel T Odeke <emmanuel@orijtech.com>
+Date: Tue, 20 Oct 2020 04:11:12 -0700
+Subject: [PATCH] net/http: test that ParseMultipartForm catches overflows
+Tests that if the combination of:
+* HTTP multipart file payload size
+* ParseMultipartForm's maxMemory parameter
+* the internal leeway buffer size of 10MiB
+overflows, then we'll report an overflow instead of silently
+passing.
+Reapplies and fixes CL 254977, which was reverted in CL 263658.
+The prior test lacked a res.Body.Close(), so fixed that and
+added a leaked Transport check to verify correctness.
+Updates 40430.
+Change-Id: I3c0f7ef43d621f6eb00f07755f04f9f36c51f98f
+Reviewed-on: https://go-review.googlesource.com/c/go/+/263817
+Run-TryBot: Emmanuel Odeke <emm.odeke@gmail.com>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-by: Bryan C. Mills <bcmills@google.com>
+Trust: Damien Neil <dneil@google.com>
+Upstream-Status: Backport [https://github.com/golang/go/commit/4e5a313524da62600eb59dbf98624cfe946456f8]
+CVE: CVE-2022-41725 #Dependency Patch2
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/net/http/request_test.go | 45 ++++++++++++++++++++++++++++++++++++
+ 1 file changed, 45 insertions(+)
+diff --git a/src/net/http/request_test.go b/src/net/http/request_test.go
+index b4ef472e71229..19526b9ad791a 100644
+--- a/src/net/http/request_test.go
+++ b/src/net/http/request_test.go
+@@ -13,6 +13,7 @@ import (
+        "fmt"
+        "io"
+        "io/ioutil"
+       "math"
+        "mime/multipart"
+        . "net/http"
+        "net/http/httptest"
+@@ -245,6 +246,50 @@ func TestParseMultipartForm(t *testing.T) {
+        }
+ }
+ 
+// Issue #40430: Test that if maxMemory for ParseMultipartForm when combined with
+// the payload size and the internal leeway buffer size of 10MiB overflows, that we
+// correctly return an error.
+func TestMaxInt64ForMultipartFormMaxMemoryOverflow(t *testing.T) {
+       defer afterTest(t)
+
+       payloadSize := 1 << 10
+       cst := httptest.NewServer(HandlerFunc(func(rw ResponseWriter, req *Request) {
+               // The combination of:
+               //      MaxInt64 + payloadSize + (internal spare of 10MiB)
+               // triggers the overflow. See issue https://golang.org/issue/40430/
+               if err := req.ParseMultipartForm(math.MaxInt64); err != nil {
+                       Error(rw, err.Error(), StatusBadRequest)
+                       return
+               }
+       }))
+       defer cst.Close()
+       fBuf := new(bytes.Buffer)
+       mw := multipart.NewWriter(fBuf)
+       mf, err := mw.CreateFormFile("file", "myfile.txt")
+       if err != nil {
+               t.Fatal(err)
+       }
+       if _, err := mf.Write(bytes.Repeat([]byte("abc"), payloadSize)); err != nil {
+               t.Fatal(err)
+       }
+       if err := mw.Close(); err != nil {
+               t.Fatal(err)
+       }
+       req, err := NewRequest("POST", cst.URL, fBuf)
+       if err != nil {
+               t.Fatal(err)
+       }
+       req.Header.Set("Content-Type", mw.FormDataContentType())
+       res, err := cst.Client().Do(req)
+       if err != nil {
+               t.Fatal(err)
+       }
+       res.Body.Close()
+       if g, w := res.StatusCode, StatusBadRequest; g != w {
+               t.Fatalf("Status code mismatch: got %d, want %d", g, w)
+       }
+}
+
+ func TestRedirect_h1(t *testing.T) { testRedirect(t, h1Mode) }
+ func TestRedirect_h2(t *testing.T) { testRedirect(t, h2Mode) }
+ func testRedirect(t *testing.T, h2 bool) {
author	Vijay Anusuri <vanusuri@mvista.com>	2023-09-25 14:15:46 +0530
committer	Steve Sakoman <steve@sakoman.com>	2023-09-29 04:29:01 -1000
commit	ea9b55c8588ce5d7f9d8a1aa317d3c5b9f966dd8 (patch)
tree	3273bfb80942612ea35d381363f158ddbe8577e1 /meta/recipes-devtools/go/go-1.14/CVE-2022-41725-pre2.patch
parent	0734868d9d9365c63cadf51ff8272fb0662e11a7 (diff)
download	poky-ea9b55c8588ce5d7f9d8a1aa317d3c5b9f966dd8.tar.gz

diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-41725-pre2.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-41725-pre2.patch new file mode 100644 index 0000000000..b951ee893e --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-41725-pre2.patch
@@ -0,0 +1,97 @@
	1	From 4e5a313524da62600eb59dbf98624cfe946456f8 Mon Sep 17 00:00:00 2001
	2	From: Emmanuel T Odeke <emmanuel@orijtech.com>
	3	Date: Tue, 20 Oct 2020 04:11:12 -0700
	4	Subject: [PATCH] net/http: test that ParseMultipartForm catches overflows
	5
	6	Tests that if the combination of:
	7	* HTTP multipart file payload size
	8	* ParseMultipartForm's maxMemory parameter
	9	* the internal leeway buffer size of 10MiB
	10
	11	overflows, then we'll report an overflow instead of silently
	12	passing.
	13
	14	Reapplies and fixes CL 254977, which was reverted in CL 263658.
	15
	16	The prior test lacked a res.Body.Close(), so fixed that and
	17	added a leaked Transport check to verify correctness.
	18
	19	Updates 40430.
	20
	21	Change-Id: I3c0f7ef43d621f6eb00f07755f04f9f36c51f98f
	22	Reviewed-on: https://go-review.googlesource.com/c/go/+/263817
	23	Run-TryBot: Emmanuel Odeke <emm.odeke@gmail.com>
	24	TryBot-Result: Go Bot <gobot@golang.org>
	25	Reviewed-by: Bryan C. Mills <bcmills@google.com>
	26	Trust: Damien Neil <dneil@google.com>
	27
	28	Upstream-Status: Backport [https://github.com/golang/go/commit/4e5a313524da62600eb59dbf98624cfe946456f8]
	29	CVE: CVE-2022-41725 #Dependency Patch2
	30	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
	31	---
	32	src/net/http/request_test.go \| 45 ++++++++++++++++++++++++++++++++++++
	33	1 file changed, 45 insertions(+)
	34
	35	diff --git a/src/net/http/request_test.go b/src/net/http/request_test.go
	36	index b4ef472e71229..19526b9ad791a 100644
	37	--- a/src/net/http/request_test.go
	38	+++ b/src/net/http/request_test.go
	39	@@ -13,6 +13,7 @@ import (
	40	"fmt"
	41	"io"
	42	"io/ioutil"
	43	+ "math"
	44	"mime/multipart"
	45	. "net/http"
	46	"net/http/httptest"
	47	@@ -245,6 +246,50 @@ func TestParseMultipartForm(t *testing.T) {
	48	}
	49	}
	50
	51	+// Issue #40430: Test that if maxMemory for ParseMultipartForm when combined with
	52	+// the payload size and the internal leeway buffer size of 10MiB overflows, that we
	53	+// correctly return an error.
	54	+func TestMaxInt64ForMultipartFormMaxMemoryOverflow(t *testing.T) {
	55	+ defer afterTest(t)
	56	+
	57	+ payloadSize := 1 << 10
	58	+ cst := httptest.NewServer(HandlerFunc(func(rw ResponseWriter, req *Request) {
	59	+ // The combination of:
	60	+ // MaxInt64 + payloadSize + (internal spare of 10MiB)
	61	+ // triggers the overflow. See issue https://golang.org/issue/40430/
	62	+ if err := req.ParseMultipartForm(math.MaxInt64); err != nil {
	63	+ Error(rw, err.Error(), StatusBadRequest)
	64	+ return
	65	+ }
	66	+ }))
	67	+ defer cst.Close()
	68	+ fBuf := new(bytes.Buffer)
	69	+ mw := multipart.NewWriter(fBuf)
	70	+ mf, err := mw.CreateFormFile("file", "myfile.txt")
	71	+ if err != nil {
	72	+ t.Fatal(err)
	73	+ }
	74	+ if _, err := mf.Write(bytes.Repeat([]byte("abc"), payloadSize)); err != nil {
	75	+ t.Fatal(err)
	76	+ }
	77	+ if err := mw.Close(); err != nil {
	78	+ t.Fatal(err)
	79	+ }
	80	+ req, err := NewRequest("POST", cst.URL, fBuf)
	81	+ if err != nil {
	82	+ t.Fatal(err)
	83	+ }
	84	+ req.Header.Set("Content-Type", mw.FormDataContentType())
	85	+ res, err := cst.Client().Do(req)
	86	+ if err != nil {
	87	+ t.Fatal(err)
	88	+ }
	89	+ res.Body.Close()
	90	+ if g, w := res.StatusCode, StatusBadRequest; g != w {
	91	+ t.Fatalf("Status code mismatch: got %d, want %d", g, w)
	92	+ }
	93	+}
	94	+
	95	func TestRedirect_h1(t *testing.T) { testRedirect(t, h1Mode) }
	96	func TestRedirect_h2(t *testing.T) { testRedirect(t, h2Mode) }
	97	func testRedirect(t *testing.T, h2 bool) {