diff options
author | Ross Burton <ross.burton@arm.com> | 2023-04-20 13:54:05 +0100 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2023-04-22 11:05:14 +0100 |
commit | 5a944d32a1e2baff34eb03b07ec094421a7a8773 (patch) | |
tree | ab17f66d126b2ebc4416298dd4b43d83972e026c /meta/recipes-devtools/go | |
parent | 5323e885bc30f945dd5b4b3730906d049aee86f5 (diff) | |
download | poky-5a944d32a1e2baff34eb03b07ec094421a7a8773.tar.gz |
go: backport fix for CVE-2023-24537
(From OE-Core rev: 9d059c11a60d1aca8ffefe42c7b49fa3e4180eb3)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/go')
-rw-r--r-- | meta/recipes-devtools/go/go-1.20.1.inc | 1 | ||||
-rw-r--r-- | meta/recipes-devtools/go/go/CVE-2023-24537.patch | 89 |
2 files changed, 90 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.20.1.inc b/meta/recipes-devtools/go/go-1.20.1.inc index b1f569212d..179f0e29eb 100644 --- a/meta/recipes-devtools/go/go-1.20.1.inc +++ b/meta/recipes-devtools/go/go-1.20.1.inc | |||
@@ -16,5 +16,6 @@ SRC_URI += "\ | |||
16 | file://0009-go-Filter-build-paths-on-staticly-linked-arches.patch \ | 16 | file://0009-go-Filter-build-paths-on-staticly-linked-arches.patch \ |
17 | file://0010-cmd-compile-re-compile-instantiated-generic-methods-.patch \ | 17 | file://0010-cmd-compile-re-compile-instantiated-generic-methods-.patch \ |
18 | file://CVE-2023-24532.patch \ | 18 | file://CVE-2023-24532.patch \ |
19 | file://CVE-2023-24537.patch \ | ||
19 | " | 20 | " |
20 | SRC_URI[main.sha256sum] = "b5c1a3af52c385a6d1c76aed5361cf26459023980d0320de7658bae3915831a2" | 21 | SRC_URI[main.sha256sum] = "b5c1a3af52c385a6d1c76aed5361cf26459023980d0320de7658bae3915831a2" |
diff --git a/meta/recipes-devtools/go/go/CVE-2023-24537.patch b/meta/recipes-devtools/go/go/CVE-2023-24537.patch new file mode 100644 index 0000000000..6b5dc2c8d9 --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2023-24537.patch | |||
@@ -0,0 +1,89 @@ | |||
1 | From 110e4fb1c2e3a21631704bbfaf672230b9ba2492 Mon Sep 17 00:00:00 2001 | ||
2 | From: Damien Neil <dneil@google.com> | ||
3 | Date: Wed, 22 Mar 2023 09:33:22 -0700 | ||
4 | Subject: [PATCH] go/scanner: reject large line and column numbers in //line | ||
5 | directives | ||
6 | |||
7 | Setting a large line or column number using a //line directive can cause | ||
8 | integer overflow even in small source files. | ||
9 | |||
10 | Limit line and column numbers in //line directives to 2^30-1, which | ||
11 | is small enough to avoid int32 overflow on all reasonbly-sized files. | ||
12 | |||
13 | For #59180 | ||
14 | Fixes CVE-2023-24537 | ||
15 | |||
16 | Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802456 | ||
17 | Reviewed-by: Julie Qiu <julieqiu@google.com> | ||
18 | Reviewed-by: Roland Shoemaker <bracewell@google.com> | ||
19 | Run-TryBot: Damien Neil <dneil@google.com> | ||
20 | Change-Id: I149bf34deca532af7994203fa1e6aca3c890ea14 | ||
21 | Reviewed-on: https://go-review.googlesource.com/c/go/+/482078 | ||
22 | Reviewed-by: Matthew Dempsky <mdempsky@google.com> | ||
23 | TryBot-Bypass: Michael Knyszek <mknyszek@google.com> | ||
24 | Run-TryBot: Michael Knyszek <mknyszek@google.com> | ||
25 | Auto-Submit: Michael Knyszek <mknyszek@google.com> | ||
26 | |||
27 | CVE: CVE-2023-24537 | ||
28 | Upstream-Status: Backport | ||
29 | Signed-off-by: Ross Burton <ross.burton@arm.com> | ||
30 | --- | ||
31 | src/go/parser/parser_test.go | 16 ++++++++++++++++ | ||
32 | src/go/scanner/scanner.go | 7 +++++-- | ||
33 | 2 files changed, 21 insertions(+), 2 deletions(-) | ||
34 | |||
35 | diff --git a/src/go/parser/parser_test.go b/src/go/parser/parser_test.go | ||
36 | index 153562df75068..22b11a0cc4535 100644 | ||
37 | --- a/src/go/parser/parser_test.go | ||
38 | +++ b/src/go/parser/parser_test.go | ||
39 | @@ -764,3 +764,19 @@ func TestRangePos(t *testing.T) { | ||
40 | }) | ||
41 | } | ||
42 | } | ||
43 | + | ||
44 | +// TestIssue59180 tests that line number overflow doesn't cause an infinite loop. | ||
45 | +func TestIssue59180(t *testing.T) { | ||
46 | + testcases := []string{ | ||
47 | + "package p\n//line :9223372036854775806\n\n//", | ||
48 | + "package p\n//line :1:9223372036854775806\n\n//", | ||
49 | + "package p\n//line file:9223372036854775806\n\n//", | ||
50 | + } | ||
51 | + | ||
52 | + for _, src := range testcases { | ||
53 | + _, err := ParseFile(token.NewFileSet(), "", src, ParseComments) | ||
54 | + if err == nil { | ||
55 | + t.Errorf("ParseFile(%s) succeeded unexpectedly", src) | ||
56 | + } | ||
57 | + } | ||
58 | +} | ||
59 | diff --git a/src/go/scanner/scanner.go b/src/go/scanner/scanner.go | ||
60 | index 16958d22ce299..0cd9f5901d0bb 100644 | ||
61 | --- a/src/go/scanner/scanner.go | ||
62 | +++ b/src/go/scanner/scanner.go | ||
63 | @@ -253,13 +253,16 @@ func (s *Scanner) updateLineInfo(next, offs int, text []byte) { | ||
64 | return | ||
65 | } | ||
66 | |||
67 | + // Put a cap on the maximum size of line and column numbers. | ||
68 | + // 30 bits allows for some additional space before wrapping an int32. | ||
69 | + const maxLineCol = 1<<30 - 1 | ||
70 | var line, col int | ||
71 | i2, n2, ok2 := trailingDigits(text[:i-1]) | ||
72 | if ok2 { | ||
73 | //line filename:line:col | ||
74 | i, i2 = i2, i | ||
75 | line, col = n2, n | ||
76 | - if col == 0 { | ||
77 | + if col == 0 || col > maxLineCol { | ||
78 | s.error(offs+i2, "invalid column number: "+string(text[i2:])) | ||
79 | return | ||
80 | } | ||
81 | @@ -269,7 +272,7 @@ func (s *Scanner) updateLineInfo(next, offs int, text []byte) { | ||
82 | line = n | ||
83 | } | ||
84 | |||
85 | - if line == 0 { | ||
86 | + if line == 0 || line > maxLineCol { | ||
87 | s.error(offs+i, "invalid line number: "+string(text[i:])) | ||
88 | return | ||
89 | } | ||