go: fix CVE-2022-23806

crypto/elliptic: fix IsOnCurve for big.Int values that are not valid coordinates Some big.Int values that are not valid field elements (negative or overflowing) might cause Curve.IsOnCurve to incorrectly return true. Operating on those values may cause a panic or an invalid curve operation. Note that Unmarshal will never return such values. Upstream-Status: Backport [https://go.dev/issue/50974] CVE: CVE-2022-23806 (From OE-Core rev: eb7aa0929ecd712aeeec0ff37dfb77c3da33b375) Signed-off-by:Minjae Kim <flowergom@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Minjae Kim <flowergom@gmail.com> 2022-02-26 20:55:34 +0000
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-03-09 17:30:48 +0000
commit: dfd900b5b0a8834499cddbfcb196ecccd79c9003 (patch)
tree: b5d01009d0e4b0a3a5da3fea950bf6bbe04619ff /meta/recipes-devtools/go
parent: 6bba192936c25702316589ca59403daa1bf574da (diff)
download: poky-dfd900b5b0a8834499cddbfcb196ecccd79c9003.tar.gz
2 files changed, 143 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc
index abc6f42184..fcb316e09e 100644
--- a/meta/recipes-devtools/go/go-1.14.inc
+++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -19,6 +19,7 @@ SRC_URI += "\
    file://CVE-2021-34558.patch \
    file://CVE-2021-33196.patch \
    file://CVE-2021-33197.patch \
+    file://CVE-2022-23806.patch \
 "
 SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
 SRC_URI[main.sha256sum] = "7ed13b2209e54a451835997f78035530b331c5b6943cdcd68a3d815fdc009149"
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-23806.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-23806.patch
new file mode 100644
index 0000000000..772acdcbf6
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-23806.patch
@@ -0,0 +1,142 @@
+From 5b376a209d1c61e10847e062d78c4b1aa90dff0c Mon Sep 17 00:00:00 2001
+From: Filippo Valsorda <filippo@golang.org>
+Date: Sat, 26 Feb 2022 10:40:57 +0000
+Subject: [PATCH] crypto/elliptic: make IsOnCurve return false for invalid
+ field elements
+Updates #50974
+Fixes #50977
+Fixes CVE-2022-23806
+Signed-off-by: Minjae Kim <flowergom@gmail.com>
+---
+ src/crypto/elliptic/elliptic.go      |  6 +++
+ src/crypto/elliptic/elliptic_test.go | 81 ++++++++++++++++++++++++++++
+ src/crypto/elliptic/p224.go          |  6 +++
+ 3 files changed, 93 insertions(+)
+diff --git a/src/crypto/elliptic/elliptic.go b/src/crypto/elliptic/elliptic.go
+index e2f71cd..bd574a4 100644
+--- a/src/crypto/elliptic/elliptic.go
+++ b/src/crypto/elliptic/elliptic.go
+@@ -53,6 +53,12 @@ func (curve *CurveParams) Params() *CurveParams {
+ }
+ 
+ func (curve *CurveParams) IsOnCurve(x, y *big.Int) bool {
+
+       if x.Sign() < 0 || x.Cmp(curve.P) >= 0 ||
+               y.Sign() < 0 || y.Cmp(curve.P) >= 0 {
+               return false
+       }
+
+        // y² = x³ - 3x + b
+        y2 := new(big.Int).Mul(y, y)
+        y2.Mod(y2, curve.P)
+diff --git a/src/crypto/elliptic/elliptic_test.go b/src/crypto/elliptic/elliptic_test.go
+index 09c5483..b13a620 100644
+--- a/src/crypto/elliptic/elliptic_test.go
+++ b/src/crypto/elliptic/elliptic_test.go
+@@ -628,3 +628,84 @@ func TestUnmarshalToLargeCoordinates(t *testing.T) {
+                t.Errorf("Unmarshal accepts invalid Y coordinate")
+        }
+ }
+
+func testAllCurves(t *testing.T, f func(*testing.T, Curve)) {
+       tests := []struct {
+               name  string
+               curve Curve
+       }{
+               {"P256", P256()},
+               {"P256/Params", P256().Params()},
+               {"P224", P224()},
+               {"P224/Params", P224().Params()},
+               {"P384", P384()},
+               {"P384/Params", P384().Params()},
+               {"P521", P521()},
+               {"P521/Params", P521().Params()},
+       }
+       if testing.Short() {
+               tests = tests[:1]
+       }
+       for _, test := range tests {
+               curve := test.curve
+               t.Run(test.name, func(t *testing.T) {
+                       t.Parallel()
+                       f(t, curve)
+               })
+       }
+}
+
+// TestInvalidCoordinates tests big.Int values that are not valid field elements
+// (negative or bigger than P). They are expected to return false from
+// IsOnCurve, all other behavior is undefined.
+func TestInvalidCoordinates(t *testing.T) {
+       testAllCurves(t, testInvalidCoordinates)
+}
+
+func testInvalidCoordinates(t *testing.T, curve Curve) {
+       checkIsOnCurveFalse := func(name string, x, y *big.Int) {
+               if curve.IsOnCurve(x, y) {
+                       t.Errorf("IsOnCurve(%s) unexpectedly returned true", name)
+               }
+       }
+
+       p := curve.Params().P
+       _, x, y, _ := GenerateKey(curve, rand.Reader)
+       xx, yy := new(big.Int), new(big.Int)
+
+       // Check if the sign is getting dropped.
+       xx.Neg(x)
+       checkIsOnCurveFalse("-x, y", xx, y)
+       yy.Neg(y)
+       checkIsOnCurveFalse("x, -y", x, yy)
+
+       // Check if negative values are reduced modulo P.
+       xx.Sub(x, p)
+       checkIsOnCurveFalse("x-P, y", xx, y)
+       yy.Sub(y, p)
+       checkIsOnCurveFalse("x, y-P", x, yy)
+
+       // Check if positive values are reduced modulo P.
+       xx.Add(x, p)
+       checkIsOnCurveFalse("x+P, y", xx, y)
+       yy.Add(y, p)
+       checkIsOnCurveFalse("x, y+P", x, yy)
+
+       // Check if the overflow is dropped.
+       xx.Add(x, new(big.Int).Lsh(big.NewInt(1), 535))
+       checkIsOnCurveFalse("x+2⁵³⁵, y", xx, y)
+       yy.Add(y, new(big.Int).Lsh(big.NewInt(1), 535))
+       checkIsOnCurveFalse("x, y+2⁵³⁵", x, yy)
+
+       // Check if P is treated like zero (if possible).
+       // y^2 = x^3 - 3x + B
+       // y = mod_sqrt(x^3 - 3x + B)
+       // y = mod_sqrt(B) if x = 0
+       // If there is no modsqrt, there is no point with x = 0, can't test x = P.
+       if yy := new(big.Int).ModSqrt(curve.Params().B, p); yy != nil {
+               if !curve.IsOnCurve(big.NewInt(0), yy) {
+                       t.Fatal("(0, mod_sqrt(B)) is not on the curve?")
+               }
+               checkIsOnCurveFalse("P, y", p, yy)
+       }
+}
+diff --git a/src/crypto/elliptic/p224.go b/src/crypto/elliptic/p224.go
+index 8c76021..f1bfd7e 100644
+--- a/src/crypto/elliptic/p224.go
+++ b/src/crypto/elliptic/p224.go
+@@ -48,6 +48,12 @@ func (curve p224Curve) Params() *CurveParams {
+ }
+ 
+ func (curve p224Curve) IsOnCurve(bigX, bigY *big.Int) bool {
+
+       if bigX.Sign() < 0 || bigX.Cmp(curve.P) >= 0 ||
+               bigY.Sign() < 0 || bigY.Cmp(curve.P) >= 0 {
+               return false
+       }
+
+        var x, y p224FieldElement
+        p224FromBig(&x, bigX)
+        p224FromBig(&y, bigY)
author	Minjae Kim <flowergom@gmail.com>	2022-02-26 20:55:34 +0000
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-03-09 17:30:48 +0000
commit	dfd900b5b0a8834499cddbfcb196ecccd79c9003 (patch)
tree	b5d01009d0e4b0a3a5da3fea950bf6bbe04619ff /meta/recipes-devtools/go
parent	6bba192936c25702316589ca59403daa1bf574da (diff)
download	poky-dfd900b5b0a8834499cddbfcb196ecccd79c9003.tar.gz

diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc index abc6f42184..fcb316e09e 100644 --- a/meta/recipes-devtools/go/go-1.14.inc +++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -19,6 +19,7 @@ SRC_URI += "\
19	file://CVE-2021-34558.patch \	19	file://CVE-2021-34558.patch \
20	file://CVE-2021-33196.patch \	20	file://CVE-2021-33196.patch \
21	file://CVE-2021-33197.patch \	21	file://CVE-2021-33197.patch \
		22	file://CVE-2022-23806.patch \
22	"	23	"
23	SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"	24	SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
24	SRC_URI[main.sha256sum] = "7ed13b2209e54a451835997f78035530b331c5b6943cdcd68a3d815fdc009149"	25	SRC_URI[main.sha256sum] = "7ed13b2209e54a451835997f78035530b331c5b6943cdcd68a3d815fdc009149"


diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-23806.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-23806.patch new file mode 100644 index 0000000000..772acdcbf6 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-23806.patch
@@ -0,0 +1,142 @@
		1	From 5b376a209d1c61e10847e062d78c4b1aa90dff0c Mon Sep 17 00:00:00 2001
		2	From: Filippo Valsorda <filippo@golang.org>
		3	Date: Sat, 26 Feb 2022 10:40:57 +0000
		4	Subject: [PATCH] crypto/elliptic: make IsOnCurve return false for invalid
		5
		6	field elements
		7
		8	Updates #50974
		9	Fixes #50977
		10	Fixes CVE-2022-23806
		11
		12	Signed-off-by: Minjae Kim <flowergom@gmail.com>
		13
		14	---
		15	src/crypto/elliptic/elliptic.go \| 6 +++
		16	src/crypto/elliptic/elliptic_test.go \| 81 ++++++++++++++++++++++++++++
		17	src/crypto/elliptic/p224.go \| 6 +++
		18	3 files changed, 93 insertions(+)
		19
		20	diff --git a/src/crypto/elliptic/elliptic.go b/src/crypto/elliptic/elliptic.go
		21	index e2f71cd..bd574a4 100644
		22	--- a/src/crypto/elliptic/elliptic.go
		23	+++ b/src/crypto/elliptic/elliptic.go
		24	@@ -53,6 +53,12 @@ func (curve CurveParams) Params() CurveParams {
		25	}
		26
		27	func (curve CurveParams) IsOnCurve(x, y big.Int) bool {
		28	+
		29	+ if x.Sign() < 0 \|\| x.Cmp(curve.P) >= 0 \|\|
		30	+ y.Sign() < 0 \|\| y.Cmp(curve.P) >= 0 {
		31	+ return false
		32	+ }
		33	+
		34	// y² = x³ - 3x + b
		35	y2 := new(big.Int).Mul(y, y)
		36	y2.Mod(y2, curve.P)
		37	diff --git a/src/crypto/elliptic/elliptic_test.go b/src/crypto/elliptic/elliptic_test.go
		38	index 09c5483..b13a620 100644
		39	--- a/src/crypto/elliptic/elliptic_test.go
		40	+++ b/src/crypto/elliptic/elliptic_test.go
		41	@@ -628,3 +628,84 @@ func TestUnmarshalToLargeCoordinates(t *testing.T) {
		42	t.Errorf("Unmarshal accepts invalid Y coordinate")
		43	}
		44	}
		45	+
		46	+func testAllCurves(t testing.T, f func(testing.T, Curve)) {
		47	+ tests := []struct {
		48	+ name string
		49	+ curve Curve
		50	+ }{
		51	+ {"P256", P256()},
		52	+ {"P256/Params", P256().Params()},
		53	+ {"P224", P224()},
		54	+ {"P224/Params", P224().Params()},
		55	+ {"P384", P384()},
		56	+ {"P384/Params", P384().Params()},
		57	+ {"P521", P521()},
		58	+ {"P521/Params", P521().Params()},
		59	+ }
		60	+ if testing.Short() {
		61	+ tests = tests[:1]
		62	+ }
		63	+ for _, test := range tests {
		64	+ curve := test.curve
		65	+ t.Run(test.name, func(t *testing.T) {
		66	+ t.Parallel()
		67	+ f(t, curve)
		68	+ })
		69	+ }
		70	+}
		71	+
		72	+// TestInvalidCoordinates tests big.Int values that are not valid field elements
		73	+// (negative or bigger than P). They are expected to return false from
		74	+// IsOnCurve, all other behavior is undefined.
		75	+func TestInvalidCoordinates(t *testing.T) {
		76	+ testAllCurves(t, testInvalidCoordinates)
		77	+}
		78	+
		79	+func testInvalidCoordinates(t *testing.T, curve Curve) {
		80	+ checkIsOnCurveFalse := func(name string, x, y *big.Int) {
		81	+ if curve.IsOnCurve(x, y) {
		82	+ t.Errorf("IsOnCurve(%s) unexpectedly returned true", name)
		83	+ }
		84	+ }
		85	+
		86	+ p := curve.Params().P
		87	+ _, x, y, _ := GenerateKey(curve, rand.Reader)
		88	+ xx, yy := new(big.Int), new(big.Int)
		89	+
		90	+ // Check if the sign is getting dropped.
		91	+ xx.Neg(x)
		92	+ checkIsOnCurveFalse("-x, y", xx, y)
		93	+ yy.Neg(y)
		94	+ checkIsOnCurveFalse("x, -y", x, yy)
		95	+
		96	+ // Check if negative values are reduced modulo P.
		97	+ xx.Sub(x, p)
		98	+ checkIsOnCurveFalse("x-P, y", xx, y)
		99	+ yy.Sub(y, p)
		100	+ checkIsOnCurveFalse("x, y-P", x, yy)
		101	+
		102	+ // Check if positive values are reduced modulo P.
		103	+ xx.Add(x, p)
		104	+ checkIsOnCurveFalse("x+P, y", xx, y)
		105	+ yy.Add(y, p)
		106	+ checkIsOnCurveFalse("x, y+P", x, yy)
		107	+
		108	+ // Check if the overflow is dropped.
		109	+ xx.Add(x, new(big.Int).Lsh(big.NewInt(1), 535))
		110	+ checkIsOnCurveFalse("x+2⁵³⁵, y", xx, y)
		111	+ yy.Add(y, new(big.Int).Lsh(big.NewInt(1), 535))
		112	+ checkIsOnCurveFalse("x, y+2⁵³⁵", x, yy)
		113	+
		114	+ // Check if P is treated like zero (if possible).
		115	+ // y^2 = x^3 - 3x + B
		116	+ // y = mod_sqrt(x^3 - 3x + B)
		117	+ // y = mod_sqrt(B) if x = 0
		118	+ // If there is no modsqrt, there is no point with x = 0, can't test x = P.
		119	+ if yy := new(big.Int).ModSqrt(curve.Params().B, p); yy != nil {
		120	+ if !curve.IsOnCurve(big.NewInt(0), yy) {
		121	+ t.Fatal("(0, mod_sqrt(B)) is not on the curve?")
		122	+ }
		123	+ checkIsOnCurveFalse("P, y", p, yy)
		124	+ }
		125	+}
		126	diff --git a/src/crypto/elliptic/p224.go b/src/crypto/elliptic/p224.go
		127	index 8c76021..f1bfd7e 100644
		128	--- a/src/crypto/elliptic/p224.go
		129	+++ b/src/crypto/elliptic/p224.go
		130	@@ -48,6 +48,12 @@ func (curve p224Curve) Params() *CurveParams {
		131	}
		132
		133	func (curve p224Curve) IsOnCurve(bigX, bigY *big.Int) bool {
		134	+
		135	+ if bigX.Sign() < 0 \|\| bigX.Cmp(curve.P) >= 0 \|\|
		136	+ bigY.Sign() < 0 \|\| bigY.Cmp(curve.P) >= 0 {
		137	+ return false
		138	+ }
		139	+
		140	var x, y p224FieldElement
		141	p224FromBig(&x, bigX)
		142	p224FromBig(&y, bigY)